ARCHIVED - Limited Annual Assurance Compliance Audit – Contracts Under $25,000 and Acquisition Card Purchases 2006-07

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.


Executive Summary

Background

This audit report presents the findings of the National Research Council (NRC) of Canada's annual limited assurance compliance audits for contracts under $25,000 and acquisition card purchases. The decision to conduct these audits was approved by the President following the recommendation of the Audit, Evaluation and Risk Management Committee on September 25, 2006 as part of the NRC 2006-07 to 2008-09 Risk-Based Internal Audit Plan. Expenditures in 2006-07 for contracts under $25,000 were $74.2 million and $12.1 million for acquisition cards.

Audit objective, scope and methodology

The single objective of both audits was to provide limited assurance that NRC is compliant with Government of Canada and NRC policies and directives for contracts under $25,000 and acquisition card purchases. For each audit, a sample of five institutes, branches or programs (I/B/Ps) was selected. The individual I/B/Ps were selected for detailed testing based on risk and control analyses performed during the planning stage of each audit; to ensure that no one I/B/P was audited more than others or, conversely, that smaller entities would not be ignored entirely in NRC's five-year audit cycle (2006-07 to 2010-11); and, finally, to ensure coverage across NRC's different sectors.

Ten transactions for contracts under $25,000 were selected at random and tested for compliance at each I/B/P for a total sample of 50 contracts. The same process was used for acquisition card purchases for a total sample of 50 acquisition card purchases in five I/B/Ps.

The audit was conducted using a series of detailed audit criteria that addressed the audit objective, against which we drew our observations, assessments and conclusions. These audit criteria (see Appendices A and B) were derived primarily from the TB Policy on Contracts and TB Policy on Acquisition Cards and the Financial Administration Act.

Audit opinion and statement of assurance

Within the limitations of the samples drawn, we found that NRC is compliant overall with Government of Canada and National Research Council contracting under $25,000 and acquisition card policies and regulations. However, for both we found areas requiring improvement in Financial Administration Act Section 32, 34 and 33 approvals with respect to establishing a verifiable audit trail to the actual budget holder and ensuring the appropriate segregation of duties.

For both types of procurement we found difficulties establishing a verifiable audit trail to the actual budget holder. In accordance with the Treasury Board Policy on Delegation of Authorities, we expected to find that NRC has delegated spending authority to responsibility centre managers in relation to their budgetary responsibilities in order to ensure they have adequate authority and full responsibility for their decisions. The policy also makes provisions for the use of central staff to record commitments and confirm price and performance in conformance with sections 32 and 34 of the Financial Administration Act (FAA) when this is more effective and economical or in support of the manager who has budgetary responsibility. NRC's delegation document, "Financial Signing Authorities", makes use of these provisions by delegating this authority, among others, to Invoice Clerks and Administrative Coordinators. However, in our opinion this does not negate the necessity to have an adequate audit trail that can be traced back to the actual budget holder.

For acquisition card purchases, we noted in some instances the practice of acquisition card holders authorizing their own card purchases. We find this to be inconsistent with the FAA's fundamental principle of the segregation of duties between those executing and those approving transactions.

Finally, we noted some inconsistencies with obtaining appropriate exemptions when not using Public Works and Government Services Canada (PWGSC) mandatory standing offers, problems with respect to potential contract splitting and that there may be cost-efficiencies to be gained in using acquisition card purchases in place of most contracts under $5,000.

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria. The evidence was gathered in accordance with the Treasury Board Policy, directives and standards on Internal Audit, and the procedures used to meet the professional standards of the Institute of Internal Auditors.

Conclusions and recommendations

Within the limitations of the samples drawn, we found that overall NRC is compliant with the Treasury Board and NRC policies and directives pertaining to contracting under $25,000 and acquisition card purchases. However, improvements are necessary with respect to establishing a verifiable audit trail to the actual budget holder and ensuring the appropriate segregation of duties for authorizing, verifying and paying for contracts under $25,000 and acquisition card purchases – FAA Sections 32, 34, and 33.

For both types of procurement we found difficulties establishing a verifiable audit trail to the actual budget holder. In accordance with the Treasury Board Policy on Delegation of Authorities, we expected to find that NRC has delegated spending authority to responsibility centre managers in relation to their budgetary responsibilities in order to ensure they have adequate authority and full responsibility for their decisions. (Throughout this audit report we refer to these managers as the 'actual budget holder'.) The policy also makes provisions for the use of central staff to record commitments and confirm price and performance in conformance with sections 32 and 34 of the Financial Administration Act (FAA) when this is more effective and economical or in support of the manager who has budgetary responsibility. NRC's delegation document, "Financial Signing Authorities", makes use of these provisions by delegating this authority, among others, to Invoice Clerks and Administrative Coordinators. However, in our opinion this does not negate the necessity to have an adequate audit trail that can be traced back to the actual budget holder.

For both types of procurement, we had difficulty finding, in the procurement files held either centrally or at the I/B/P level, the appropriate authorizing certifications by the actual budget holders in support of authorizations made electronically. Management informed us that as of June 2007, for contracts under $25,000 and for goods procured using the standard purchase order method for procurement but paid using an acquisition card, it is now a requirement to have the actual budget holder's signature on file for verifying FAA Section 32.

For acquisition card purchases, we noted in some instances the practice of acquisition cardholders who authorize their own card purchases. We find this to be inconsistent with the FAA's fundamental principle of the segregation of duties between those executing and those approving transactions. We also found some instances whereby there was no verifiable audit trail to requests for purchases made by the actual budget holders.

In our opinion, given the level of error rates noted with respect to FAA Section 34 for both contract and acquisition card procurement methods at 20 percent and 54 percent respectively, the system of controls employed by NRC isn't working as well as it should. While it may be tempting to suggest that individually low value contracts below $25,000 are low risk, collectively they account for 38 percent or $74.2 million of total NRC contract expenditures in 2006-07. Collectively, acquisition card expenditures accounted for $12 million and are expected to rise for 2007-08 and subsequent years. In our opinion, a quality assurance process or post-payment review process should be able to isolate and correct those areas of control that aren't working as well as they should.

We found high compliance with respect to the use of PWGSC mandatory standing offers and no evidence of contract splitting in the 100 transactions examined for both contracts under $25,000 and acquisition card purchases. However, data mining audit techniques that took into consideration all 2006-07 transactions for the five I/B/Ps examined indicate there may be potential non-compliance.

Finally, there may be opportunities for greater cost-efficiencies by using acquisition card purchases in place of most contracts under $5,000. In 2006-07, there were over 26,000 contracts for goods and services less than $5,000 valued at $28.1 million.

Key recommendations

  1. Senior management should communicate to all NRC staff that FAA Section 32 authority must have a verifiable link to the actual budget holder for all contracts and acquisition card purchases regardless of their value. Where the electronic signature in SIGMA is not completed by the actual budget holder, the procurement files must contain for verification purposes, evidence that the actual budget holder authorized it. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of this requirement.
  2. Senior Management should communicate to all NRC staff responsible for initiating contracts under $25,000 and acquisition card purchases that where the actual budget holder does not generate the electronic Goods Receipt, hardcopy evidence of the FAA Section 34 by the actual budget holder in the form of a verifiable signature or an email should be retained on the procurement file as an adequate audit trail for verification purposes. As well, acquisition cardholders should not be providing FAA Section 34 verification and certification for goods or services that they purchased. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of these requirements.
  3. Finance Branch should document its risk assessment approach and strategy for implementing post-audit quality review processes for contracts under $25,000 and acquisition card purchases. Consideration should be given to expanding its quality review procedures beyond what it presently provides.
  4. Senior management should communicate to all NRC staff initiating contracts under $25,000 and acquisition card purchases the requirement to use PWGSC mandatory standing offer arrangements and, if not used, the necessity to obtain a formal exemption from PWGSC and to place this document on the procurement file. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 or acquisition card purchases of this requirement.
  5. Senior management should communicate to all acquisition cardholders those purchases that are disallowed by TB and NRC policies and directives. Consideration should be given to providing training on disallowed purchases to all NRC acquisition cardholders.
  6. For all acquisition card purchases, Finance Branch should employ more rigorous data mining audit techniques and follow-up with cardholders on an ongoing basis to identify potentially inappropriate charges. Consideration should be given to withdrawing acquisition cards from repeat violators.

NRC Audit Team Members (Footnote 1):
Irina Nikolova, F.C.C.A., CIA, CISA
Jean Paradis, CA, CIA, Audit Manager

Introduction

2.1 Background and context

The decision to conduct annual audits for Limited Assurance Compliance Audit of Procurement and Contracting and Acquisition Cards was approved by NRC's President following the recommendation of the Audit, Evaluation and Risk Management Committee on September 25, 2006 as part of the NRC 2006-07 to 2008-09 Risk-Based Internal Audit Plan.

Government procurement is highly regulated and is based on a strong legislative, regulatory and policy framework, including but not limited to:

  • The Financial Administration Act (FAA);
  • Government Contracts Regulations;
  • Public Works and Government Services Canada (PWGSC) Act;
  • Canadian International Trade Tribunal Act;
  • North American Free Trade Agreement;
  • The Agreement on Internal Trade; and
  • World Trade Organization — Agreement on Government Procurement.

While there are many different acts, policies, and programs that affect government procurement and contracting activities that must be considered, the Treasury Board (TB) Contracting Policy which is supplemented by the Government Contracts Regulations provides, for the most part, the directives that NRC and other government departments must follow. There are no special contracting provisions for NRC resulting from its status as a departmental corporation.

Government acquisition cards are credit cards that enable departments to purchase and pay for goods and services. They were initially approved for use in government departments and agencies in 1991 and are now offered through contracts with two Canadian banks. The Bank of Montreal (BMO) provides MasterCard credit card services, and the Canadian Imperial Bank of Commerce (CIBC) provides Visa credit card services. Departments can use either or both of these acquisition card services, depending on their operational needs. The contracts with the service providers offer a rebate program, payable directly to the departments. Rebates are based on variables such as the level of expenditures on the cards and how quickly departments pay the balance owing.

The TB Policy on Acquisition Card details the requirements and procedures to be followed by departments in their use of acquisition cards for procurement and payment of goods and services where it is efficient, economical and operationally feasible to do so. The TB Acquisition Cards Program – Management Guide and Acquisition Cards Program – Best Practices Guide provide further guidance on the use of acquisition cards. There are no special acquisition card provisions for NRC resulting from its status as a departmental corporation.

Like other departments, NRC also has in place procurement and contracting policies that NRC employees must follow. It is within the authority of each government department to establish its own policies and guidelines as long as they continue to comply with the government established policies and guidelines. In other words, departments can define policies that are more restrictive than government policies but not the reverse.

NRC's Management Control Framework for Procurement and Contracting

In fiscal-year 2006-2007 NRC purchased close to $200 million in goods and services excluding purchases paid by acquisition cards. Exhibit 1 below presents these purchases by category of contracting procedures. In accordance with government policy and directives, NRC has full contracting authority for goods up to $25,000, services up to $2 million and construction up to $6 million.

At NRC, the contracting authority has been delegated for the most part to Procurement Officers in Administrative Services and Property Management (ASPM) and in the regional Material Management offices. Whereas all purchases under $25,000 can be non-competitive or sole-sourced and controlled at the Institute, Branch or Program (I/B/P) level, all purchases over $25,000 must be made on a competitive basis with limited exceptions. Regional Material Management offices have contracting authority that is limited to $25,000 for goods and services, as well as all call-ups against standing offers below a certain value.

NRC Procurement Officers can contract directly with some suppliers through call-ups against standing offers. Standing offers are agreements that have been pre-negotiated by PWGSC for goods and services or by NRC Procurement Services for specialized services. The call-up limit varies but is usually around $40,000. Other than call-ups against standing offers, PWGSC is responsible for goods contracts over $25,000. Buyers must forward all goods requirements above this value to PWGSC. If requestors want to deal with a particular supplier they must include a sole source justification with their requisition.

Exhibit 1
NRC Procurement and Contracting Transactions for 2006-07

| Type of contract | Contract value ($) | Percentage of total value | Number of contracts | Percentage of total number | Average value ($) |
|---|---|---|---|---|---|
| Under $25K | $74,226,879 | 37.7% | 30,868 | 97.7% | $2,405 |
| PWGSC over $25K | $96,719,727 | 49.1% | 492 | 1.5% | $196,585 |
| Services $25K to $84K | $3,762,072 | 1.9% | 81 | 0.2% | $46,445 |
| Services above $84K | $5,614,919 | 2.9% | 22 | 0.7% | $255,224 |
| Construction $25K to $100K | $3,946,017 | 2.0% | 69 | 0.2% | $57,189 |
| Construction over $100K | $12,180,221 | 6.2% | 48 | 0.2% | $253,755 |
| Goods over $25K (Footnote 2) | $490,541 | 0.3% | 17 | 0.1% | $28,855 |
| Total | $196,940,376 | 100.0% | 31,597 | 100.0% | $6,233 |

Exhibit 1 does not include those expenditures valued between $5,000 and $25,000 that did not use Purchase Orders. These transactions, which are valued at $12.7 million and totalled 1,262 separate transactions for 2006-07, consist mostly of operational expenditures such as telephone, utilities and rental of university and other lab services. However, we also found some limited instances of purchases for goods and services such as computer software and professional consulting. These transactions will be the subject of a separate review.

NRC's Management Control Framework for Acquisition Cards

NRC's Financial Management Manual (FMM) Chapter 10 outlines NRC's policy and procedures for the use of acquisition cards. Additional guidance is provided by NRC Memoranda on Acquisition cards dated November 2000 and May 2005.

NRC uses acquisition cards that are MasterCard credit cards issued under the Government of Canada service contract with Bank of Montreal. Acquisition cards are used at NRC to reduce and simplify the process for procurement of goods and services. In fiscal year 2006-2007 NRC spent $12.1 million for purchases made with acquisition cards.

NRC acquisition cards are generally issued with a limit per transaction of $5,000 including all taxes and a total monthly credit limit of $25,000. Cardholders must sign a written acknowledgement of responsibilities and obligations before receiving the acquisition card. Exhibit 2 below presents the credit limits of acquisition cards at NRC as of February 2007.

Key controls for acquisition cards are primarily based on the Financial Administration Act and associated TB policies. The FAA requires that fundamental controls for procuring and paying for goods and services be respected for all purchases regardless of the procurement method used. Under a traditional contracting model approach, the process of procuring a good or service, verifying its receipt and paying for it involves applying FAA Sections 32, 34, and 33 before the invoice is paid. With acquisition card purchases, the money is paid to the vendors before all these controls can be implemented. However, they must be applied retroactively.

In addition to limitations explicitly stated in TB Policy on Acquisition Cards, NRC's policies limit acquisition card usage to single purchases not more than $5,000 and disallow purchases, among others, such as hospitality, personnel services, temporary help services, memberships that have not been pre-approved by Finance Branch, computer equipment over $5,000 (excluding Procurement Officers), and all media placements.

Exhibit 2
NRC Credit Card Distribution by Credit Limit

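| Monthly credit limit | Number of cards |
|---|---|
| $500 | 1 |
| $600 | 2 |
| $2,000 | 2 |
| $3,000 | 2 |
| $5,000 | 9 |
| $8,000 | 1 |
| $10,000 | 3 |
| $13,000 | 1 |
| $15,000 | 3 |
| $25,000 | 359 |
| $30,000 | 1 |
| $40,000 | 3 |
| $50,000 | 1 |
| $60,000 | 1 |
| $75,000 | 3 |
| $100,000 | 9 |
| $200,000 | 4 |
| Total acquisition cards | 405 |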

Those with credit card limits above $25,000 are ASPM and regional Material and Management office buyers.

NRC pays the central bill for acquisition card transactions on a monthly basis within four days of issuance of the BMO's electronic statement. In accordance with the terms of the service contract, NRC receives a cash rebate of 0.845 percent. For 2006-07, this approximated $102,000.

2.2 About the Audit

Objective

The single objective of these annual audits is to provide limited assurance that NRC is compliant with Government of Canada and NRC Contracting and Acquisition Card policies and regulations as well as make observations with respect to the extent to which NRC procurement and contracting directives and policies correspond to TB requirements; and the adequacy of the management control framework for procurement and contracting that has been established at NRC.

Scope

The audit was limited to two types of procurement: contracts under $25,000 using the traditional Purchase Order approach and all acquisition card purchases. The audit did not examine those expenditures between $5,000 and $25,000 that did not use a Purchase Order. These transactions which are valued at $12.7 million and totalled 1,262 separate transactions for 2006-07 will be the subject of a separate review.

An analysis of the total population of goods and services transactions using Purchase Orders and the various procurement and contracting categories reveals that it can be roughly divided into two groups: those below $25,000 (38 percent of the dollar value and 98 percent of the total number of transactions) and those above $25,000 (62 percent of the dollar value and 2 percent of the total number of transactions). Given also that the procedures are substantially different for these two broad categories, it was determined that each group could be reasonably audited in alternate years. For 2006-07, transactions under $25,000 would be examined and every other year thereafter; for 2007-08, transactions over $25,000 would be examined and every other year thereafter. Due to their unique nature and requirements, construction contracting transactions were excluded from annual compliance work and will continue to be audited on a five-year audit cycle as identified in the NRC 2007-08 to 2009-10 Internal Audit Plan.

Given the current availability of audit resources and the fact that these audits will be undertaken on an annual basis, it was determined that sufficient coverage over a five-year period could be provided by an annual audit sample of 50 procurement and contracting transactions and 50 acquisition card transactions – 10 transactions for each I/B/P selected. It was determined that a sample size of 10 transactions for each selected I/B/P would be sufficiently robust to determine whether there are any systemic problems with respect to compliance that may exist at the I/B/P level as well as at the corporate level. A total of five I/B/Ps were selected to examine contracts under $25,000 and another five I/B/Ps were selected to examine acquisition card purchases.

Approach and Methodology

In order to control for audit burden being placed unfairly on any one sector or I/B/P, a random selection approach informed by judgment was used. For example, in 2006-07 the Industrial Research Assistance Program has been the subject of much audit and evaluation activity both internally by NRC and by the Office of the Auditor General. Therefore it was excluded this year from selection. For both contracts under $25,000 and acquisition card purchases, once five of the eight sectors (i.e., Executive Offices including Council, Life Sciences, Physical Sciences, Engineering, Technology and Industry Support, Corporate Services, Finance and Human Resources) had been randomly selected, individual I/B/Ps were then randomly selected – one within each sector – after eliminating those that had been subject to recent audit and evaluation activity.

In summary, the individual I/B/Ps were selected for detailed testing based on risk and control analyses performed during the planning stage of each audit, and to ensure that no one I/B/P was audited more than others or, conversely, that smaller entities would not be ignored entirely in NRC's five-year audit cycle (2006-07 to 2010-11). For acquisition card purchases, this resulted in the selection of two I/B/Ps from Life Sciences when ordinarily only one I/B/P is selected for each NRC sector.

Interviews were conducted with key personnel in order to examine program processes, procedures, and practices. These included managers and staff in Finance Branch, Human Resources Branch, Administrative Services and Property Management Branch and Institutes selected for audit.

We reviewed relevant program documentation, which included, but was not limited to, Treasury Board and NRC policies and guidelines vis-à-vis the detailed transactions recorded in the paper files and SIGMA – NRC's integrated management information system (based on SAP) that is used to collect financial, human resources, payroll, asset and real property information.

The audit was conducted using a series of detailed audit criteria that addressed the audit objective, against which we drew our observations, assessments and conclusions. Prior to finalizing the audit criteria, walkthroughs of several transactions for both contracts under $25,000 and acquisition cards were conducted to assess the areas of greatest risk. These audit criteria (see Appendices A and B) were derived primarily from the TB Policy on Contracts and TB Policy on Acquisition Cards and the Financial Administration Act.

Audit Findings

3.1 Audit Objective: To determine if NRC is compliant with Government of Canada and NRC contracting and acquisition card policies and regulations

Overall Conclusion

Within the limitations of the samples drawn, we found that NRC is compliant overall with Government of Canada and NRC Contracting and Acquisition Card policies and regulations. However, we found the following areas requiring improvement:

  • FAA Section 32, 34 and 33 approvals with respect to establishing a verifiable audit trail to the actual budget holder and ensuring the appropriate segregation of duties;
  • Exemptions from PWGSC Mandatory Standing Offers;
  • Allowable acquisition card purchases;
  • Appearance of contract splitting; and
  • More cost-efficient use of acquisition cards.

Detailed findings for the entire sample of transactions by audit criterion can be found in Appendix A for contracts under $25,000 and Appendix B for acquisition card purchases.

Findings

The audit team noted a number of strengths with respect to compliance with government and NRC policies and directives for contracts under $25,000 and acquisition card purchases. For contracts under $25,000, we observed very high compliance rates for the following:

  • The contract or Purchase Order was signed by the delegated contracting authority (98 percent);
  • The work commenced or the goods were received only after the contract or purchase order was signed (100 percent);
  • Payment was made in accordance with the contract or purchase order (100 percent); and
  • Contract amendments did not exceed the acceptable monetary value and were made before contract expiry (100 percent).

For acquisition cards, we observed very high compliance rates for the following:

  • There was appropriate authorization and issuance of acquisition cards (100 percent);
  • All changes to cardholders' limits were appropriately documented and authorized (100 percent);
  • Transactions were for the most part appropriately supported by invoices (90 percent); and
  • Provincial Sales Tax exemptions were for the most part obtained (92 percent).

Delegation of Authority

Key government controls for procuring, verifying and paying for purchases rest with FAA section 32, 34, and 33 approvals. These three sections require the following:

  • That funds be available and committed for the purchase (section 32);
  • That verification of the purchase of goods or services had been performed, supplied, or rendered, and the price was as stated in the contract and that the person with delegated financial authority certifies (via signature) that the verification has been completed (section 34); and
  • That no payment for a purchase be made unless it has been properly requisitioned and certified (section 33).

For contracts, sections 32 and 34 take place when a purchase is formally requisitioned and approved and before the invoice is paid. However, with acquisition card purchases, the money is paid before all these controls can be implemented. This is the case for NRC. Single monthly payments to the Bank of Montreal are made centrally by Finance Branch only after following reconciliation procedures in order to reduce the risk of fraudulent transactions.

In accordance with the TB Policy on Delegation of Authorities, we expected to find that NRC has delegated spending authority to responsibility centre managers in relation to their budgetary responsibilities in order to ensure they have adequate authority and full responsibility for their decisions. (Throughout this audit report we refer to these managers as the 'actual budget holder'.) The policy also makes provisions for the use of central staff to record commitments and confirm price and performance in conformance with sections 32 and 34 of the Financial Administration Act (FAA) when this is more effective and economical or in support of the manager who has budgetary responsibility. NRC's delegation document, "Financial Signing Authorities", makes use of these provisions by delegating this authority, among others, to Invoice Clerks and Administrative Coordinators. However, in our opinion this does not negate the necessity to have an adequate audit trail that can be traced back to the actual budget holder.

FAA Section 32 Commitment

Treasury Board Policy on Commitment Control requires approval from officers who have been "delegated the responsibility to control commitments" and that these approvals "must be in a form that allows for an adequate audit trail back to the originator". In addition, the Treasury Board Policy on Contracting states: "procurement files shall be established and structured to facilitate management oversight with a complete audit trail that contains contracting details related to relevant communication and decisions including the identification of involved officials and contracting approval authorities."

Contracts under $25,000.
For contracts under $25,000 administered electronically, FAA Section 32 approval at NRC should be exercised by the actual budget holder through a Release Indicator in SIGMA. While access to SIGMA is password protected, it lacks the full implementation of electronic signatures using token or other appropriate technologyFootnote 3. Hence, one would expect that this process would be backed up with a paper copy of the Purchase Requisition signed by the actual budget holder in order that an appropriate audit trail be maintained to verify the signature and authority of the person committing the funds. However, following consultation with government central authorities, we limited our expectations to verifying that in the absence of the actual budget holder exercising the Release Indicator in SIGMA, there should be some form of written communications for verification purposes from the actual budget holder to the person completing the electronic transaction. This is the case for NRC and has been communicated to all institutes, branches and programs on several occasions and included in training but not the fact they must be completed by the actual budget holder.

We found in only 18 of 50 cases (36 percent) that there was an appropriate FAA Section 32 certification by the actual budget holders whether it was completed electronically or paper-based.

Of the five I/B/Ps examined, only three make use of SIGMA for processing FAA Section 32 certifications. For 16 of 30 cases we found that either the electronic Release Indicator was completed by the actual budget holder or there was appropriate evidence on file that the actual budget holder communicated their request to the person completing the electronic signature.

The fourth I/B/P in our sample uses a completely paper-based approach and had on file signed Purchase Requisitions for all of the contracts examined; however, only two of the 10 were completed by the actual budget holders. Rather the FAA Section 32 was completed by another NRC official such as the Group Leader, Project Manager or Administrative Coordinator with delegated authority in accordance with NRC's "Financial Signing Authorities". However, there wasn't sufficient evidence to make that link to the person who actually has budgetary responsibility, i.e., the actual budget holder.

For the last I/B/P we learned that it had no requirement for a Purchase Requisition to be completed or for their budget holders to commit funds under FAA Section 32 in light of the fact that these are low dollar value transactions and therefore low risk. As a direct result of this audit, we have since been informed that it has been made a requirement.

Of note is that as of June 2007, for contracts under $25,000, it is now an NRC-wide requirement to have the actual budget holder's signature on file for verification purposes.

Acquisition Cards.
Both the Treasury Board Policy on Acquisition Cards and the NRC Policy for Acquisition Cards identify that all acquisition card purchases must be authorized by employees with expenditure initiation authority (i.e., FAA Section 32). The TB Management Guide for the Acquisition Cards Program states "traditionally, this has meant that the budget manager must pre-authorize each and every purchase that will be charged to his or her budget. With an acquisition card, it is recommended that the cardholder exercise this authority on behalf of the manager with the manager reviewing each transaction on a post purchase basis". However, the stricter NRC policy states purchases must be authorized by the employee with the appropriate expenditure initiation authority and that it must be documented either by "a signed requisition or authorization reflected in an automated procurement system".

We observed that acquisition card purchases can be made with or without a Purchase Requisition or Purchase Order which traditionally serve as the FAA Section 32 authority for purchases. Those purchases that use a Purchase Order process are using the acquisition card for payment purposes only and not for procurement (Footnote 4).

In our sample of 50 transactions, eight of them were made with Purchase Orders. For one transaction, the electronic Release Indicator in SIGMA was not completed by the actual budget holder, nor could we find a paper copy of the Purchase Requisition signed by the actual budget holder – necessary for providing an appropriate audit trail for verifying the signature and authority of the person committing the funds. In the other seven cases, either the actual budget holder generated the electronic Release Indicator or signed the hardcopy of the Purchase Requisition.

Management informed us that as of June 2007, for goods procured using the standard purchase order method for procurement but paid using an acquisition card, it is now a requirement to have the actual budget holder's signature on file for verification purposes.

We observed that in 13 of the remaining 42 acquisition card transactions that used the card for both procurement and payment there was no documentary evidence on file of the actual budget holder authorizing the purchase – either in the form of an authorizing signature or by other written means such as an email. Overall, a total non-compliance rate of 14 of 49 (Footnote 5) (29 percent) was observed.

For one of the five I/B/Ps that maintains a separate database for procurement, we did not note any cases of non-compliance.

Recommendation 1:

Senior management should communicate to all NRC staff that FAA Section 32 authority must have a verifiable link to the actual budget holder for all contracts and acquisition card purchases regardless of their value. Where the electronic signature in SIGMA is not completed by the actual budget holder, the procurement files must contain for verification purposes, evidence that the actual budget holder authorized it. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of this requirement.

NRC Management Response:

The President will send a communications to all NRC staff involved in contracting and procurement informing them of the audit's results and remind them of the necessity to comply with all government and NRC policies and guidelines. The importance of understanding and applying the principles of FAA Sections 32, 34 and 33 approvals will be emphasized.

The Chief Financial Officer and the Director General Administrative Services and Property Management (ASPM) will provide in follow-up communications and training, specific guidance on their application including FAA Section 32 commitment requirements and the fact that the procurement files must contain for verification purposes an appropriate audit trail to the actual budget holder.

Finance Branch, in conjunction with ASPM, has already begun mandatory training for all staff that have been delegated FAA Sections 32 and / or 34 authority for contracts and acquisition card purchases. This training will include specific guidance on the appropriate application of FAA Section 32 and is expected to be completed by March 31, 2008. Individuals who do not take the required training will have their authority suspended.

FAA Section 34 Verification and Certification

Contracts under $25,000.

For all purchases of goods and services under $25,000, NRC's "Financial Signing Authorities" delegates FAA Section 34 authority to the Invoice Clerks at the regional offices and to the ASPM Invoice and Central Shipping Clerks for purchases made in the national capital region and to the actual budget holders. In our opinion, authority exercised by the non-budget holder should be exercised only upon the receipt of a Goods Receipt transaction that has been generated in SIGMA by the actual budget holder directly via a protected password or by written means such as an email. We believe this system of control respects the spirit of the FAA while ensuring the practicalities of a central billing system for large volumes of purchases. However, NRC may wish to consider undertaking a risk analysis in order to determine those cases where the actual budget holder's authorization should be backed up with a hard copy signature.

We observed that in 10 of 50 files (20 percent) examined, the invoices did not contain a hardcopy of the clerks' FAA Section 34 in accordance with NRC's "Financial Signing Authorities" document. These cases were found in three of five I/B/Ps examined. Prior to November 2006, the clerks were not required to stamp and certify the FAA Section 34 on all invoices processed for verification purposes. In all 10 cases, these transactions were found before November 2006. However, we also noted that only five contracts examined had a Goods Receipt that was generated by the actual budget holder or there was documentation on the procurement files from them to the shipping and invoice clerks certifying that the goods or services had been received.

Acquisition Cards.

For government acquisition card purchases, the segregation of duties between expenditure initiation and verification and certification of purchases can be blurred due to the speed of the transaction. The Treasury Board policy states that "No person shall exercise spending authority (FAA Section 34) with respect to a payment from which he or she personally can benefit, directly or indirectly". As noted in the TB Management Guide for Acquisition Cards Program, this becomes an issue when the cardholder is the manager with the FAA Section 34 authority. It recommends that it be addressed in several ways. First, for any goods purchased for the direct use of the cardholder, the cardholder's supervisor should verify and certify the purchase. Among others, these can be purchases for the cardholder such as conference fees, training fees and any computer hardware for their own use. Second, "cardholders should not be those individuals signing under section 34 where the situation permits. The most popular method for ensuring this is to ensure that no budget holder with section 34 authority is the cardholder." In our opinion, this would be the simplest means for ensuring the appropriate segregation of duties. Failing that, it would be a good management practice for all purchases made with the budget holder's acquisition card to be approved by the cardholder's supervisor.

At NRC, the principles of these controls are respected for acquisition card purchases in much the same manner as for contracts under $25,000 in that the electronic FAA Section 34 is provided centrally but they take one of two forms: (1) where the acquisition card is used strictly for payment; and (2) where the acquisition card is used for procurement and payment.

The ASPM Supervisor, Invoice Payment and Administrative Services provides the verification and certification for purchases procured using the traditional Purchase Order process when an acquisition card is used strictly as a means of payment. This approach is used to control and track larger volume purchases made by Purchasing Officers who are responsible for making purchases with many multiple units and recipients. The ASPM Supervisor must match the SIGMA system generated Goods Receipt to the NRC Financial Dashboard printout of the monthly BMO purchase statement and manually perform the FAA Section 34 certification. We noted that for the eight transactions of the 50 examined that used the acquisition card for payment purposes only, the certification was in accordance with NRC's "Financial Signing Authorities" document in that they were certified by a person with delegated FAA Section 34 approval.

However, in our opinion, an appropriate audit trail must include the actual budget holder's electronic authorization or written verification either in the form of a hardcopy signature or in another written form such as an email. We observed that for seven of the eight transactions in our sample that used the acquisition card for payment purposes only, there was no verifiable audit trail of the FAA Section 34 certification to the actual budget holder thereby reducing the compliance rate. For 2006-07, these types of purchases accounted for approximately $2 million.

The Centralized Billing Accounts located in Finance Branch will reconcile the FAA Section 34 for acquisition card purchases that use the card for both procurement (i.e., a Purchase Order is not used) and payment. The majority of acquisition card purchases are made in this manner accounting for approximately $10 million in expenditures for 2006-07. In this case, the cardholder will print a hardcopy of the monthly purchase statement located on NRC's Financial Dashboard, and provide their signature for those goods and services that were purchased. The actual budget holder will either provide a signature that the goods were received on that same document or forward to the cardholder by other written means such as an email their verification and certification of goods or services received. We noted for the 42 of 50 transactions that used the acquisition card for both procurement and payment, the receipts for goods and services were also authorized in accordance with "Financial Signing Authorities" document in that they were certified by a person with delegated FAA Section 34 approval.

However, in our opinion, for 20 of the 42 procurement and payment transactions, the FAA Section 34 authority provided was inconsistent with the spirit of the FAA. For eight of these transactions, we observed there was no verifiable audit trail of the FAA Section 34 certification on file from the actual budget holder certifying the receipt of goods or services. In three of five of the I/B/Ps examined, we further noted that 12 of the 20 transactions were instances whereby the cardholder authorized their own card purchases. We share the opinion of the Office of the Auditor General stated in their May 2007 report regarding the use of acquisition cards that "this practice is not consistent with the fundamental control principle that there be a division of duties between those executing and those approving transactions". Therefore, in our opinion there is an overall non-compliance rate of 27 of 50 transactions (54 percent) with respect to FAA Section 34 verification of acquisition card purchases.

Recommendation 2:

Senior Management should communicate to all NRC staff responsible for initiating contracts under $25,000 and acquisition card purchases that where the actual budget holder does not generate the electronic Goods Receipt, hardcopy evidence of the FAA Section 34 by the actual budget holder in the form of a verifiable signature or an email should be retained on the procurement file as an adequate audit trail for verification purposes. As well, acquisition cardholders should not be providing FAA Section 34 verification and certification for goods or services that they purchased. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of these requirements.

NRC Management Response:

The President will send a communications to all NRC staff involved in contracting and procurement informing them of the audit's results and remind them of the necessity to comply with all government and NRC policies and guidelines. The importance of understanding and applying the principles of FAA Section 32, 34 and 33 approvals will be emphasized.

The Chief Financial Officer and the Director General Administrative Services and Property Management will provide in follow-up communications and training, specific guidance on their application. This will include direction to acquisition cardholders, with a copy to their supervisor that they should not be providing FAA Section 34 verification and certification for goods or services that they purchase.

Finance Branch, in conjunction with ASPM, has already begun mandatory training for all staff that have been delegated FAA Sections 32 and / or 34 authority for contracts and acquisition card purchases. This training will include specific guidance on the appropriate application of FAA Section 34 and is expected to be completed by March 31, 2008. Individuals who do not take the required training will have their authority suspended.

FAA Section 33 Payment

As per the Treasury Board Policy for Account Verification, "financial officers with payment authority pursuant to FAA Section 33, must provide assurance of the adequacy of the section 34 account verification and be in a position to state that the process is in place and is being properly and conscientiously followed." As well, "the account verification process must provide for auditable evidence of verification including identifying the various individuals who performed the verification." Departments when developing their specific policies and procedures for the verification of accounts pursuant to FAA Section 34 and for the quality assurance review of the adequacy of section 34 account verification should take into account risk factors such as the level of decentralization and the use of automated expenditure management systems. It's key that invoices are reviewed for accuracy to ensure payment is not duplicated, discounts have been deducted and amounts correctly calculated.

For contracts under $25,000, a Goods Receipt allows the invoice clerks to request payment by entering an Invoice Receipt transaction in SIGMA. The system conducts an automatic edit by matching the Purchase Order and Invoice Receipt transactions. Finance Branch exercises FAA Section 33 payments under $25,000 based on a Daily Proposal Report which contains the requests for payments without seeing the source documentation and a hard copy of the FAA Section 34 certification. In our opinion, this is acceptable provided that there is a post-audit quality assurance process that verifies on a sample basis that the controls are respected in the manner they are designed to be working.

For acquisition card purchases, Finance Branch exercises FAA Section 33 verification on a daily basis to ensure that financial institution rebates are realized as well as minimize the risk (and charges) for late payments. Because the threshold limit for single purchases is $5,000 (and most are often considerably less), the risk for inappropriate payment on a transaction by transaction basis is considered to be low. In our opinion, because in effect, purchase and payment occur prior to the formal exercise of FAA Sections 32 and 34, quality assurance of the adequacy of FAA Section 34 via FAA Section 33 account verification activities becomes even more important.

We found that NRC Finance Branch does not perform post quality assurance of purchases under $25,000 whether they are made using contracts or acquisition cards. No documented assessment could be provided to the auditors outlining their assessment of risk in support of this decision. In our opinion, given the level of error rates noted with respect to FAA Section 34 for both contract and acquisition card procurement methods at 20 percent and 54 percent respectively, the system of controls employed by NRC aren't working as well as they should. While it may be tempting to suggest that individually low value contracts below $25,000 are low risk, collectively they account for 38 percent or $74.2 million of total NRC contract expenditures in 2006-07. Collectively, acquisition card expenditures accounted for $12 million and are expected to rise for 2007-08 and subsequent years. In our opinion, a quality assurance process or post-payment review process should be able to isolate and correct those areas of control that aren't working as well as they should.

Recommendation 3:

Finance Branch should document its risk assessment approach and strategy for implementing post-audit quality review processes for contracts under $25,000 and acquisition card purchases. Consideration should be given to expanding its quality review procedures beyond what it presently provides.

NRC Management Response:

We agree that Finance Branch should document NRC's risk assessment process and strategy for implementing post audit quality review processes for contracts less than $25,000, including acquisition card purchases. This is expected to be completed by March 31, 2008.

Finance Branch is in the process of implementing a monitoring unit for financial oversight including a Statistical Sampling Officer in the Accounts Payable section of Accounting Operations. This unit will review all of NRC's transactions based on a risk model approach. Finance Branch employees have been assigned on a full-time basis to this function, and a consultant has been engaged to assist in structuring the new unit. This function should be fully operational by March 31, 2008.

PWGSC Mandatory Standing Offer Arrangements

It is a government requirement that departments use PWGSC Standing Offer arrangements for certain purchases (e.g., computers, software, etc.) unless an exemption is provided for reasons such as a lower price that can be obtained for an equivalent product or service. This applies to all purchases regardless of what method is used for procurement and payment – either by contract or acquisition card.

The PWGSC Standing Offer Index User Manual (June 2007) is clear on the requirement that exemptions be obtained through them alone: "Where PWGSC has put in place a method of supply such as a standing offer or supply arrangement, for any commodity and identified that method of supply as being mandatory, the purchaser shall use that method of supply to meet their operational requirements. Where there is such a mandatory method of supply in place, but the purchaser cannot or does not wish to use it, exception procedures will be promulgated by PWGSC. Unless such exception procedures are used, there is no delegation of authority to acquire it using other procurement approaches. Rather, the requirement must be submitted to PWGSC for procurement action." It goes on to specify that departments must "Contact the PWGSC contracting officer responsible for the standing offer. The contracting officer will make the decision as to whether the exception rule applies."

Contracts under $25,000.
For contracts under $25,000, we found only one case in the 50 transactions sampled where a mandatory standing offer was required; however, a formal exemption from PWGSC was on file in this one case.

Employing data mining audit techniques we identified 151 contracts for three of the five I/B/Ps examined, where it may have been appropriate to use standing offers. For these I/B/Ps, we confirmed with ASPM that formal exemptions were not requested and that NRC personnel used their professional judgement to make this determination. However, as noted above, only PWGSC can make that determination.

In the fourth I/B/P examined, we sampled 10 additional transactions where it was necessary to use PWGSC mandatory standing offer arrangements. In all ten cases, we found the required PWGSC formal exemptions on file and noted that all of the exemptions were obtained within two to 48 hours of being requested by NRC. In our opinion, this demonstrates the ease and timeliness for which exemptions can be obtained and therefore should not be perceived as a barrier. It was brought to our attention that this I/B/P benefited from the expertise of the local NRC Procurement Officer – a practice that in our opinion should be made use of NRC-wide.

For the fifth I/B/P examined, we did not identify any purchases that should have made use of PWGSC mandatory standing offers.

Acquisition Cards.

For acquisition card purchases, we observed five of seven cases (71 percent) where PWGSC mandatory standing offer arrangements should have been used or exemptions from doing so obtained. These findings were noted in only three of the five I/B/Ps examined. Data mining audit techniques identified three cases where it may have been appropriate to use standing offers in two of the five I/B/Ps examined.

Recommendation 4:

Senior management should communicate to all NRC staff initiating contracts under $25,000 and acquisition card purchases of the requirement to use PWGSC mandatory standing offer arrangements and, if not used the necessity to obtain a formal exemption from PWGSC and to place this document on the procurement file. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 or acquisition card purchases of this requirement.

NRC Management Response:

The President will send a communications to all NRC staff involved in contracting and procurement informing them of the audit's results and remind them of the necessity to comply with all government and NRC policies and guidelines.

The Director General Administrative Services and Property Management will provide in follow-up communications and training, specific guidance on their application including the requirement they use PWGSC mandatory standing offer arrangements or obtain exemptions from PWGSC. Staff will be encouraged to solicit assistance from Procurement Officers in determining whether standing offer arrangements should be used. ASPM will coordinate and conduct training for all staff involved in contracting and procurement on the use of PWGSC standing offers by December 31, 2008. ASPM will monitor this compliance requirement on an ongoing basis.

Disallowed Acquisition Card Purchases

For acquisition card purchases, certain categories of purchases are specifically disallowed. As per the Treasury Board Policy on Acquisition Cards, these include travel-related expenses, vehicle operating and maintenance expenses, cash advances and inter-departmental transactions. The NRC Policy for Acquisition Cards further disallows purchases for hospitality, personnel services, temporary help services, software licences including operating systems and applications bundled with new computer equipment (with the exception of one non-departmental individual standing offer with a supplier), personal expenses, memberships not pre-approved by Finance Branch, computer equipment over $5,000 (except for Procurement or Supply Officers) and all media placements. Purchases of a single item must not be valued at more than $5,000 (including all taxes) and should not be circumvented by splitting purchases into subsets.

Both during the planning phase of the audit and conduct of the audit, we found acquisition card purchases that are disallowed by TB and NRC policies. For the five I/B/Ps included in our sample, we found only three of 50 disallowed purchases (six percent) that were specific to one I/B/P only. This finding was inconsistent with the planning phase of our audit where we noted four of 10 transactions (40 percent) sampled where the purchases are disallowed. We therefore employed data mining audit techniques to all acquisition card transactions in the five I/B/Ps examined in order to identify potentially inappropriate expenditures. We did so by isolating the vendor types such as hotels, travel companies and restaurants as an indicator of travel or hospitality, vehicle service centres as an indication of vehicle expenses, and computer vendors as an indication of software purchases or computers greater than $5,000. In this manner, we found that for four of the I/B/Ps examined, there were 11 purchases that were disallowed.

Also disallowed is the practice of non-cardholders using acquisition cards to make purchases. We found one purchase of 49 transactions (2 percent) that was purchased by a person other than the acquisition cardholder. We did, however, note two of 10 transactions in our planning sample where the purchases were made by someone other than the cardholder.

Recommendation 5:

Senior management should communicate to all acquisition cardholders those purchases that are disallowed by TB and NRC policies and directives. Consideration should be given to providing training on disallowed purchases to all NRC acquisition cardholders.

NRC Management Response:

The President will send a communications to all NRC staff involved in contracting and procurement informing them of the audit's results and remind them of the necessity to comply with all government and NRC policies and guidelines.

The Director General Administrative Services and Property Management and the Chief Financial Officer will provide in follow-up communications and training, specific guidance on those acquisition card purchases that are specifically disallowed by TB and NRC policies and directives.

ASPM and Finance Branch will coordinate and conduct training for all cardholders and their supervisors by March 31, 2008. ASPM will monitor this requirement on an ongoing basis.

Recommendation 6:

For all acquisition card purchases, Finance Branch should employ more rigorous data mining audit techniques and follow-up with cardholders on an ongoing basis to identify potentially inappropriate charges. Consideration should be given to withdrawing acquisition cards from repeat violators.

NRC Management Response:

Finance Branch agrees that as part of the Finance Branch statistical sampling process identified above in the response to recommendation three, acquisition cards purchases will be part of the representative sample of expenditures and appropriate actions will be taken where policy non-compliance is evident. This will be in place by March 31, 2008.

Contract Splitting

For both contracts and acquisition card purchases, the practice of creating more than one contract or card purchase for essentially the same service is specifically prohibited by Treasury Board and NRC policies and guidelines. Specifically, the Treasury Board Policy on Contracting defines contract splitting as "the practice of unnecessarily dividing an aggregate requirement into a number of smaller contracts, thereby avoiding controls on the duration of assignments or contract approval authorities."

To test for adherence to this requirement, we used data mining audit techniques to survey the expenditures recorded in SIGMA by vendor and date for each of the 10 institutes examined – five for contracts under $25,000 and five for acquisition card purchases. In cases where it was identified that the same vendor was paid multiple payments over the course of several days amounting to more than $25,000 in the case of contracts or more than $5,000 in the case of acquisition card purchases, we requested documentation that demonstrated the payments were made for sufficiently different goods and services.
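The vendor-and-date test described above can be sketched as a short script. This is an added example, not the audit team's own tooling: the record fields, the seven-day window (the report says only "several days") and the sample payments are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

def flag_possible_splitting(payments, limit, window_days=7):
    """Flag vendors paid several times within a short window where each
    payment is at or under `limit` but the combined amount exceeds it.

    payments: iterable of dicts with keys vendor, date, amount, cost_centre
              (hypothetical field names, not SIGMA's schema).
    limit:    25000 for contracts, 5000 for acquisition card purchases.
    Returns a list of clusters for which supporting documentation should be
    requested; a flag is a lead for review, not a finding.
    """
    by_vendor = defaultdict(list)
    for p in payments:
        # A single payment above the limit is a different control failure
        # and would only add noise to a splitting test.
        if p["amount"] <= limit:
            by_vendor[p["vendor"]].append(p)

    flags = []
    for vendor, rows in by_vendor.items():
        rows.sort(key=lambda r: r["date"])
        i = 0
        while i < len(rows):
            # Collect every payment within window_days of rows[i].
            j, total = i, 0
            while j < len(rows) and (rows[j]["date"] - rows[i]["date"]).days <= window_days:
                total += rows[j]["amount"]
                j += 1
            if j - i >= 2 and total > limit:
                cluster = rows[i:j]
                flags.append({
                    "vendor": vendor,
                    "first_date": cluster[0]["date"],
                    "last_date": cluster[-1]["date"],
                    "count": len(cluster),
                    "total": total,
                    # One shared cost centre strengthens the indicator.
                    "cost_centres": sorted({r["cost_centre"] for r in cluster}),
                })
                i = j          # do not report overlapping clusters twice
            else:
                i += 1
    return flags

# Constructed sample of acquisition card payments (not data from the audit).
SAMPLE = [
    {"vendor": "Vendor A", "date": date(2007, 3, 12), "amount": 2900, "cost_centre": "CC-100"},
    {"vendor": "Vendor A", "date": date(2007, 3, 12), "amount": 2950, "cost_centre": "CC-100"},
    {"vendor": "Vendor B", "date": date(2007, 1, 10), "amount": 3000, "cost_centre": "CC-200"},
    {"vendor": "Vendor B", "date": date(2007, 2, 9),  "amount": 3000, "cost_centre": "CC-200"},
    {"vendor": "Vendor C", "date": date(2006, 9, 5),  "amount": 4000, "cost_centre": "CC-300"},
    {"vendor": "Vendor D", "date": date(2006, 6, 1),  "amount": 2000, "cost_centre": "CC-400"},
    {"vendor": "Vendor D", "date": date(2006, 6, 2),  "amount": 2000, "cost_centre": "CC-400"},
    {"vendor": "Vendor D", "date": date(2006, 6, 3),  "amount": 2000, "cost_centre": "CC-401"},
]

if __name__ == "__main__":
    for f in flag_possible_splitting(SAMPLE, limit=5000):
        print(f)
```
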

Contracts under $25,000.
In the 50 transactions sampled for contracts under $25,000 we found no evidence of contract splitting. However, employing data mining audit techniques for the five I/B/Ps examined, we identified two contracts in one I/B/P, where it appears there may have been contract splitting. One I/B/P made 21 purchases from the same service provider for the same product for a total value of $469,000. Seventeen contracts were just under the $25,000 limit for sole sourcing and had the same delivery point and accounting cost centre. In this case, PWGSC was advised by NRC officials that the previous five-year contract was due to expire and that a short-term contract was needed in order to continue operations. However, PWGSC could not expedite this request because the supplier refused to extend the same terms and conditions beyond the expiry date. Therefore the I/B/P in conjunction with ASPM made the decision to incur a succession of short-term contracts under $25,000 so as not to exceed the government policy that only PWGSC procure goods over $25,000 and thus avoid shutting down major research programs. In our opinion, this represents a form of contract splitting whereby purchases were split into subsets in order not to exceed the upper limit set by PWGSC for the purchase of goods. However, we observed that a new contract that was initiated by PWGSC has since been put in place.

For the same I/B/P we noted 9 purchases were made from another service provider for the same product for a total value of $189,629. Seven of these contracts were just under the $25,000 limit for sole sourcing and had the same delivery point and accounting cost centre. The I/B/P in conjunction with ASPM undertook several blanket purchase orders under $25,000 in order to procure the product from the supplier they believed to be the only supplier capable of supplying it. In our opinion, this also represents a form of contract splitting in order to exceed the upper limit set by PWGSC for the purchase of goods. In this case, PWGSC should be approached to undertake a competitive process in order to justify sole sourcing the product.

Acquisition Cards.
In the 50 transactions sampled for acquisition cards we found no evidence of contract splitting. However, employing data mining audit techniques we identified two acquisition card cases in two of the five I/B/Ps examined, where it appears there may have been contract splitting. In each case, the purchases were made on the same date, for the same product and allocated to the same accounting cost centre. The total value of each invoice exceeded the $5,000 limit by less than $1,000.

Cost Effectiveness of Using Traditional Contracting Approaches for Goods and Services less than $5,000

During the course of our audit, we noted that for 2006-07 NRC had processed 26,847 contracts for the purchase of goods or services under $5,000 – the average value being $1,047. These contracts totalled $28.1 million. We calculated that if these purchases had been made using acquisition cards, NRC could have benefited from the financial institution rebate of 0.845 percent approximating $237,000. At the same time, the administrative costs associated with cutting and mailing cheques could have been lowered. If we use a conservative cost estimate of $5 per cheque, this could have amounted to $60,000 in savings. However, a portion of these estimated savings would be offset by purchases that are either disallowed or where vendors don't accept acquisition cards as a method of payment.

Conclusions

Within the limitations of the samples drawn, we found that overall NRC is compliant with the Treasury Board and NRC policies and directives pertaining to contracting under $25,000 and acquisition card purchases. However, improvements are necessary with respect to the key government controls for authorizing, verifying and paying for contracts under $25,000 and acquisition card purchases – FAA Sections 32, 34, and 33.

For both types of procurement, we had difficulty finding in the procurement files the appropriate authorizing certifications by the budget holders in support of the electronic authorizations. We also noted that the practice of acquisition card holders authorizing their own card purchases is inconsistent with the FAA's fundamental principle of the segregation of duties between those executing and those approving transactions.

In our opinion, given the level of error rates noted with respect to FAA Section 34 for both contract and acquisition card procurement methods at 20 percent and 54 percent respectively, the system of controls employed by NRC isn't working as well as it should. While it may be tempting to suggest that individually low value contracts below $25,000 are low risk, collectively they account for 38 percent or $74.2 million of total NRC contract expenditures in 2006-07. Collectively, acquisition card expenditures accounted for $12 million and are expected to rise for 2007-08 and subsequent years. In our opinion, a quality assurance process or post-payment review process should be able to isolate and correct those areas of control that aren't working as well as they should.

While we found high compliance with respect to the use of PWGSC mandatory standing offers and a lack of contract splitting in the 100 transactions examined for both contracts under $25,000 and acquisition card purchases, data mining audit techniques indicate there may be potential non-compliance in five of the 10 I/B/Ps examined.

Finally, there may be opportunities for greater cost-efficiencies by using acquisition card purchases in place of most contracts under $5,000. In 2006-07, there were over 26,000 contracts for goods and services less than $5,000 valued at $28.1 million.

Key recommendations

  1. Senior management should communicate to all NRC staff that FAA Section 32 authority must have a verifiable link to the actual budget holder for all contracts and acquisition card purchases regardless of their value. Where the electronic signature in SIGMA is not completed by the actual budget holder, the procurement files must contain for verification purposes, evidence that the actual budget holder authorized it. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of this requirement.
  2. Senior Management should communicate to NRC staff responsible for initiating contracts under $25,000 and acquisition card purchases that where the actual budget holder does not generate the electronic Goods Receipt, hardcopy evidence of the FAA Section 34 by the actual budget holder in the form of a verifiable signature or an email should be retained on the procurement file as an adequate audit trail for verification purposes. As well, acquisition cardholders should not be providing FAA Section 34 verification and certification for goods or services that they purchased. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of these requirements.
  3. Finance Branch should document its risk assessment approach and strategy for implementing post-audit quality review processes for contracts under $25,000 and acquisition card purchases; consideration should be given to expanding its quality review procedures beyond what it presently provides.
  4. Senior management should communicate to all NRC staff initiating contracts under $25,000 and acquisition card purchases of the requirement to use PWGSC mandatory standing offer arrangements and, if not used the necessity to obtain a formal exemption from PWGSC and to place this document on the procurement file. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 or acquisition card purchases of this requirement.
  5. Senior management should communicate to all acquisition cardholders those purchases that are disallowed by TB and NRC policies and directives. Consideration should be given to providing training on disallowed purchases to all NRC acquisition cardholders.
  6. For all acquisition card purchases, Finance Branch should employ more rigorous data mining audit techniques and follow-up with cardholders on an ongoing basis to identify potentially inappropriate charges. Consideration should be given to withdrawing acquisition cards from repeat violators.

See Appendix C: Management Action Plans for the detailed management action plans that will address the recommendations.

Appendix A: Audit Criteria – Contracts Under $25,000

| No. | Audit Criterion | Overall Compliance Rates |
|---|---|---|
| 1. | Appropriate FAA Section 32 authorization by the actual budget holder | 36% (18 / 50) |
| 2. | Documented FAA Section 34 verification and certification of the invoice clerk in accordance with NRC's Financial Signing Authorities is on file | 80% (40 / 50) |
| 3. | Documents in file support the FAA Section 34, i.e., the quality of supporting documents such as packing slips, timesheets, etc. is sufficient not including certification from the actual budget holder | 84% (42 / 50) |
| 4. | Evidence that security requirements were assessed when required | 29% (2 / 7) Footnote 6 |
| 5. | Contract or Purchase Order is signed by the delegated contracting authority | 98% (49 / 50) |
| 6. | Contract amendments are within the levels identified in Appendix C of the TBS Contracting Policy | 100% (12 / 12) |
| 7. | Work commenced or the goods were received only after the contract or the Purchase Order have been signed | 100% (50 / 50) |
| 8. | Payment was made to the right vendor at the right amount as agreed per the contract or Purchase Order | 100% (50 / 50) |
| 9. | PWGSC Mandatory Standing Offers were made use of when required or the required exemption was on file | 100% (1 / 1). Data mining techniques revealed 151 potential cases where it may have been appropriate to use standing offers in 3 of the 5 I/B/Ps examined. |
| 10. | There was no evidence of contract splitting | 100% (50 / 50). Data mining techniques revealed 2 potential cases of contract splitting in 1 of the 5 I/B/Ps examined. |

Appendix B: Audit Criteria – Acquisition Card Purchases

| No. | Audit Criterion | Overall Compliance Rates |
|---|---|---|
| 1. | Appropriate authorization and issue of acquisition cards | 100% (50 / 50) |
| 2. | Changes to cardholder limits were appropriately documented and authorized | 100% (9 / 9) |
| 3. | Appropriate FAA Section 32 authorization by the actual budget holder | 71% (35 / 49) |
| 4. | FAA Section 34 verification and certification in accordance with NRC's "Financial Signing Authorities" document | 100% (50 / 50) |
| 5. | Appropriate FAA Section 34 performance certification provided by the actual budget holder - includes criterion 6 without counting a single purchase more than once | 46% (23 / 50) |
| 6. | FAA Section 34 verification and certification was not performed by the cardholder | 76% (38 / 50) |
| 7. | Transactions were appropriately supported by invoices | 90% (45 / 50) |
| 8. | Government of Canada Provincial Sales Tax exemption obtained | 92% (46 / 50) |
| 9. | Acquisition card purchases were made only by the cardholder | 98% (48 / 49) |
| 10. | Expenditures were coded correctly | 82% (41 / 50) |
| 11. | Disallowed purchases were not made | 94% (47 / 50). Data mining techniques revealed 11 cases where disallowed purchases may have been made by 4 of the 5 I/B/Ps examined. |
| 12. | PWGSC Mandatory Standing Offers were made use of when required or the required exemption was on file | 29% (2 / 7). Data mining techniques revealed 3 cases where it may have been appropriate to use standing offers in 2 of the 5 I/B/Ps examined. |
| 13. | There was no evidence of contract splitting | 100% (50 / 50). Data mining techniques revealed 2 potential cases of contract splitting for 2 of the 5 I/B/Ps examined. |

Appendix C: Management Action Plans

| Audit Recommendations | Corrective Management Action Plan | Expected Implementation | Responsible NRC Contact |
|---|---|---|---|
| 1. Senior management should communicate to all NRC staff that FAA Section 32 authority must have a verifiable link to the actual budget holder for all contracts and acquisition card purchases regardless of their value. Where the electronic signature in SIGMA is not completed by the actual budget holder, the procurement files must contain for verification purposes, evidence that the actual budget holder authorized it. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of this requirement. | The President will send a communication to all NRC staff involved in contracting and procurement informing them of the audit's results and reminding them of the necessity to comply with all government and NRC policies and guidelines. The importance of understanding and applying the principles of FAA Sections 32, 34 and 33 approvals will be emphasized. | October 31, 2007 | President |
| | The Chief Financial Officer and the Director General Administrative Services and Property Management (ASPM) will provide in follow-up communications and training, specific guidance on their application including FAA Section 32 commitment requirements and the fact that the procurement files must contain for verification purposes an appropriate audit trail to the actual budget holder. Finance Branch, in conjunction with ASPM, has already begun mandatory training for all staff that have been delegated FAA Sections 32 and / or 34 authority for contracts and acquisition card purchases. This training will include specific guidance on the appropriate application of FAA Section 32 and is expected to be completed by March 31, 2008. Individuals who do not take the required training will have their authority suspended. | March 31, 2008 | Chief Financial Officer and Director General Administrative Services and Property Management |
| 2. Senior Management should communicate to all NRC staff responsible for initiating contracts under $25,000 and acquisition card purchases that where the actual budget holder does not generate the electronic Goods Receipt, hardcopy evidence of the FAA Section 34 by the actual budget holder in the form of a verifiable signature or an email should be retained on the procurement file as an adequate audit trail for verification purposes. As well, acquisition cardholders should not be providing FAA Section 34 verification and certification for goods or services that they purchased. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 and acquisition card purchases of these requirements. | The President will send a communication to all NRC staff involved in contracting and procurement informing them of the audit's results and reminding them of the necessity to comply with all government and NRC policies and guidelines. The importance of understanding and applying the principles of FAA Section 32, 34 and 33 approvals will be emphasized. | October 31, 2007 | President |
| | The Chief Financial Officer and the Director General Administrative Services and Property Management will provide in follow-up communications and training, specific guidance on their application. This will include direction to acquisition cardholders, with a copy to their supervisor that they should not be providing FAA Section 34 verification and certification for goods or services that they purchase. Finance Branch, in conjunction with ASPM, has already begun mandatory training for all staff that have been delegated FAA Sections 32 and / or 34 authority for contracts and acquisition card purchases. This training will include specific guidance on the appropriate application of FAA Section 34 and is expected to be completed by March 31, 2008. Individuals who do not take the required training will have their authority suspended. | March 31, 2008 | Chief Financial Officer and Director General Administrative Services and Property Management |
| 3. Finance Branch should document its risk assessment approach and strategy for implementing post-audit quality review processes for contracts under $25,000 and acquisition card purchases. Consideration should be given to expanding its quality review procedures beyond what it presently provides. | We agree that Finance Branch should document NRC's risk assessment process and strategy for implementing post audit quality review processes for contracts less than $25,000, including acquisition card purchases. This is expected to be completed by March 31, 2008. | March 31, 2008 | Chief Financial Officer |
| | Finance Branch is in the process of implementing a monitoring unit for financial oversight including a Statistical Sampling Officer in the Accounts Payable section of Accounting Operations. This unit will review all of NRC's transactions based on a risk model approach. Finance Branch employees have been assigned on a full-time basis to this function, and a consultant has been engaged to assist in structuring the new unit. This function should be fully operational by March 31, 2008. | March 31, 2008 | Chief Financial Officer |
| 4. Senior management should communicate to all NRC staff initiating contracts under $25,000 and acquisition card purchases of the requirement to use PWGSC mandatory standing offer arrangements and, if not used the necessity to obtain a formal exemption from PWGSC and to place this document on the procurement file. Consideration should be given to providing additional training to all personnel initiating contracts under $25,000 or acquisition card purchases of this requirement. | The President will send a communication to all NRC staff involved in contracting and procurement informing them of the audit's results and reminding them of the necessity to comply with all government and NRC policies and guidelines. | October 31, 2007 | President |
| | The Director General Administrative Services and Property Management will provide in follow-up communications and training, specific guidance on their application including the requirement they use PWGSC mandatory standing offer arrangements or obtain exemptions from PWGSC. Staff will be encouraged to solicit assistance from Procurement Officers in determining whether standing offer arrangements should be used. ASPM will coordinate and conduct training for all staff involved in contracting and procurement on the use of PWGSC standing offers by December 31, 2008. ASPM will monitor this compliance requirement on an ongoing basis. | December 31, 2008 | Director General Administrative Services and Property Management |
| 5. Senior management should communicate to all acquisition cardholders those purchases that are disallowed by TB and NRC policies and directives. Consideration should be given to providing training on disallowed purchases to all NRC acquisition cardholders. | The President will send a communication to all NRC staff involved in contracting and procurement informing them of the audit's results and reminding them of the necessity to comply with all government and NRC policies and guidelines. | October 31, 2007 | President |
| | The Director General Administrative Services and Property Management and the Chief Financial Officer will provide in follow-up communications and training, specific guidance on those acquisition card purchases that are specifically disallowed by TB and NRC policies and directives. ASPM and Finance Branch will coordinate and conduct training for all cardholders and their supervisors by March 31, 2008. ASPM will monitor this requirement on an ongoing basis. | March 31, 2008 | Director General Administrative Services and Property Management / Chief Financial Officer |
| 6. For all acquisition card purchases, Finance Branch should employ more rigorous data mining audit techniques and follow-up with cardholders on an ongoing basis to identify potentially inappropriate charges. Consideration should be given to withdrawing acquisition cards from repeat violators. | Finance Branch agrees that as part of the Finance Branch statistical sampling process identified above in the response to recommendation three, acquisition card purchases will be part of the representative sample of expenditures and appropriate actions will be taken where policy non-compliance is evident. This will be in place by March 31, 2008. | March 31, 2008 | Chief Financial Officer |

Appendix D: Glossary

List of Abbreviations

ASPM – Administrative Services and Property Management
BMO – Bank of Montreal
CIBC – Canadian Imperial Bank of Commerce
CA – Chartered Accountant
CIA – Certified Internal Auditor
CMA – Certified Management Accountant
FAA – Financial Administration Act
FMM – Financial Management Manual
I/B/P – Institute, Branch or Program
PWGSC – Public Works and Government Services Canada
TB – Treasury Board

Footnotes

Footnote 1

The NRC Audit team was supplemented by a team of experienced auditors that were contracted to assist in conducting the audit work.

Footnote 2

As noted above, all goods over $25,000 should be contracted through PWGSC. These transactions were examined to determine whether they were accurately reflected in NRC's contracting database SIGMA. We verified that these transactions were reported inaccurately due to the following: coding errors (three cases); special exemptions provided by appropriate authorities (four cases); sole source justification (1 case); harmonized sales tax charged in error (three cases); reduction in general sales tax error (1 case); and errors due to incorrectly including sales tax or fluctuations in foreign exchange rates (5 cases).

Footnote 3

The TB Policy on Electronic Authorization and Authentication requires that a digital signature be used and the method to generate it must employ both a password and a physical object such as a diskette, token, card, etc. While we confirmed that NRC does not have a documented risk analysis, the policy also goes on to state that a risk and threat analysis will determine whether a physical object must be used.

Footnote 4

See the section on Cost Effectiveness of Using Traditional Contracting Approaches for Goods and Services less than $5,000 later in this report.

Footnote 5

One transaction sampled did not require FAA Section 32 certification as it was related to the reversal of a fraudulent charge (by a non-NRC person) on a compromised acquisition card.

Footnote 6

This was observed in only two of the five I/B/Ps examined and therefore not included as an overall finding in the main report.
