Audit of Expenditure Management in the Interim Operating Environment - June 2015

Audit of Expenditure Management in the Interim Operating Environment - June 2015 (PDF, 388 KB)

Executive Summary and Conclusion

Background

This audit report presents the findings of the National Research Council Canada's (NRC) Audit of Expenditure Management in the Interim Operating Environment.

Audit Objective

The objective of the audit was to provide just-in-time independent assurance to NRC Senior management that control over expenditures remain effective in the Interim Operating Environment (IOE) to allow NRC to make necessary corrections before year-end.

Raison d'être

In July 2014, a cyber-intrusion led to the shutdown of NRC's IT network and systems. NRC then implemented the Interim Operating Environment (IOE) controls to enable the organization to continue to deliver services and value to clients and the Canadian public. Four audits of the IOE were approved by the President outside of the NRC 2014-15 to 2016-2017 Risk-Based Internal Audit Plan. These audits under the IOE were: Expenditure Management, Industrial Research Assistance Program (IRAP), Acquisition Cards and Procurement, and Contracting.

The focal point of the audit for Expenditure Management was those transactions requiring a higher level of scrutiny for financial stewardship and transparency, due to the potential damage they may cause to NRC's reputation, namely travel, hospitality and relocation.

Audit Opinion and Conclusion

Overall, controls over Expenditure Management for travel, hospitality and relocation transactions remained effective in the Interim Operating Environment (IOE).

We identified opportunities to improve the management of the travel claims. The findings are not specifically related to the controls or process which were implemented during the IOE period, but rather related to the general management of travel claims. There were no recommendations developed for the management of hospitality and relocation claims.

Recommendations

  1. Finance Branch should develop training and communication to increase the awareness of the National Joint Council Travel Directives for both the traveller and the manager with performance certification approval authority. [Priority: Moderate]
  2. Finance Branch should consider revising the NRC Policy for Non-Staff Travel Allowances to allow for exceptions approved by the Vice President. [Priority: Moderate]
  3. Finance Branch should explore opportunities to harmonize the travel claim procedures to reduce the reliance on paper based travel claims and multiple computer programs. [Priority: Moderate]

Statement of Conformance

In my professional judgment as the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the audit opinion and conclusion. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Alexandra Dagger, CIA, Chief Audit and Evaluation Executive

NRC Audit Team Members:

Jean Paradis, CPA, CA, CIA, Audit Manager
Scott Wark, CPA, CA, CIA, Senior Auditor

1.0 Introduction

The Audit of Expenditure Management in the Interim Operating Environment was approved by the President outside of the NRC 2014-15 to 2016-2017 Risk-Based Internal Audit Plan following a cyber intrusion which resulted in the shutdown of NRC's IT network and systems.

1.1 Context

Accountability for the policies, transactions and management of expenditures rests with the Vice-President, Corporate Management & Chief Financial Officer and ultimately the President of NRC. NRC-FB is responsible for all financial management activities including the provision of financial guidance and advice for all NRC activities.

Following the cyber intrusion in July 2014, NRC implemented Interim Operating Environment (IOE) controls to enable the organization to continue to deliver services and value to clients and the Canadian public. NRC Finance Branch (NRC-FB) has defined temporary business measures in the IOE which can be found on the Zone Intranet website. The website includes standard templates, forms and related financial tools.

Risks associated with the IOE differ from those existing before the cyber intrusion. Consequently, Internal Audit with the support of the President decided to perform an audit to provide assurance over key controls and outcomes of the IOE and to ensure the IOE meets NRC's control risk tolerance in the compromised IT environment, until such time as a new secure IT system and steady-state business processes are in place.

About the Audit

Objective

The objective of the audit was to provide just-in-time independent assurance to NRC Senior management that control over expenditures remain effective in the Interim Operating Environment (IOE) to allow NRC to make necessary corrections before year-end.

Scope

The audit scope was defined using a risk based approach. The audit examined key controls and sensitive transactions which occurred after July 29, 2014. Sensitive transactions are identified as those requiring a higher level of scrutiny for financial stewardship and transparency, due to the potential damage they may cause to NRC's reputation. They are travel, hospitality and relocation transactions. Table 1 details the travel, hospitality and relocation amounts and number of payments without reference to a purchase order (Non-PO) processed during the audit period.

Figure 1 below shows the progression of the staff travel expenses for the last three fiscal years.

Table 1: Summary of Spending (Non-Po's) for Travel, Hospitality and Relocation

Account Amount ($)
Fiscal Year
April 1, 2014 to March 31, 2015
Amount ($)
Audit Period
July 29, 2014 to December 31, 2014
Population
Audit Period
July 29, 2014 to December 31, 2014
Staff Travel 11,584,503 4,344,211 3,803
Non-Staff Travel 871,024 238,302 218
Hospitality Footnote * 307,550 115,400 385
Relocation 533,344 278,448 53

Table note

Table note *

(The Conference Services Office (CSO) business unit transactions were excluded from the hospitality portion of the audit.)

Return to table note * referrer

Figure 1: Staff Travel Expenses for the Last Three Fiscal Years

Figure 1. Long description follows.
Long description for figure 1.

Figure 1: Staff Travel Expenses for the Last Three Fiscal Years

Staff Travel Staff travel (IOE)
FY 2012-13 $9,750,988 -
FY 2013-14 $10,297,946 -
FY 2014-15 $7,240,292 $4,344,211

Approach and Methodology

The audit was conducted in accordance with Institute of Internal Auditors (IIA) Standards and the Internal Auditing Standards for the Government of Canada as required by the Treasury Board Policy on Internal Audit. The audit was conducted using a series of detailed audit criteria primarily derived from respective TBS policies, directives and guidelines. These criteria addressed the audit objective, against which we drew our observations, assessments and conclusion.

The audit approach includes, but is not limited, to the following methodologies described in Table 2.

Table 2: Overview of audit methodologies

  • Review documentation such as interim operating environment framework documents, policies, guidelines, process maps, manuals for travel, hospitality and relocations
  • Conduct interviews with managers and staff involved in expenditure management (travel, hospitality and relocation)
  • Obtain the travel, hospitality and relocation general ledger accounts for the audit period
  • Leverage SAP and business intelligence capabilities for data analytics for these accounts
  • Determine whether essential elements of the TBS and NRC polices guidelines and directives are met for travel, hospitality and relocation in the interim operating environment
  • Determine if the travel, hospitality and relocation claims have the appropriate approvals, and include eligible expenses with the required supporting documentation

2.0 Audit Findings

2.1 Travel

Assessment

Overall, controls over travel expenditures remained effective in the Interim Operating Environment (IOE).

More specifically, the audit noted that the following audit criteria were compliant at 100 percent:

  • Appropriate supporting invoices were on file
  • Travel expenses were coded correctly
  • Travel Authorization Number (TAN) were obtained when required (i.e. air and train travel)
  • Business case for travel was on file
  • The reimbursement was made to the traveller (one case of duplicate payment, more details are provided below)
  • Travel advance were refunded by the employee
  • There were no excessive (more than 90 days) outstanding balances due on individual travel cards

The following audit criteria were at a lower compliance rate, but do not affect the overall assessment:

  • Appropriate FAA Sec. 32 was provided at a rate of 95 percent (52 / 55)
  • Appropriate FAA Sec. 34 certification was provided at a rate of 98 percent (54 / 55)
  • VP approval was obtained were appropriate at a rate of 85 percent (35 / 41)
  • Claimed Travel expenses were eligible at a rate of 87 percent (48 / 55)

The audit sample for travel was selected based on the Non-PO payments processed after the cyber-intrusion, for the period of July 29th to December 31st 2014. A sample of 55 items was selected, 35 for staff travel and 20 for non-staff travel. The audit population for the period was 3,803 staff travel claims totalling $4,344,211 and 218 non-staff travel claims totalling $238,802.

Below we provide more details on the criteria which were not fully compliant: Financial Administrative Act (FAA) Sec. 32 and 34, and VP approval. In addition, we also provided further details on travel advances and individual travel cards balances.

FAA Sec. 32: Pre-Approval

The FAA specifies that the expenditure initiation must be approved for the eventual expenditure of funds, only when there is a sufficient budget available and before the work or activity is completed. We noted three non-staff travel claims where the budget holder commitment pre-approval (Sec. 32 of the Financial Administration Act) was not properly completed. The pre-approval for one of the non-staff travel claims was partially completed as the claim was signed, but not dated and was missing the budgeted costs. The remaining two non-staff travel claims had completed pre-approvals which were signed after the travel date. The travel pre-approvals for all three non-staff travel claims were prepared before the IOE, and only the reimbursements were processed after the cyber-intrusion. The incomplete budget section for the travel pre-approval form indicates a lack of control by the budget holder over the potential travel costs to be incurred by the non-staff traveller; this claim also included business class travel which is addressed in the Business Class Travel Section further down. Otherwise, the three non-staff travel claims were eligible expenses, had appropriate supporting documentation and proper performance certification (Sec 34 of the Financial Administration Act).

FAA Sec. 34: Performance Certification

The FAA requires that the performance certification be approved, to ensure the work or service is completed, before the payment is issued. There was one staff travel claim where the performance certification approval was documented on the travel claim by the direct supervisor of the traveller, but the direct supervisor did not have the corresponding authority in SAP or in the temporary Delegated Authority schedule for the cost center or project number. The budget holder commitment pre-approval (Sec. 32 of the FAA) was correctly authorized by the budget holder and the direct supervisor of the traveller. The performance certification approval should have been signed by the budget holder for the project instead of the direct supervisor of the employee. The appropriate performance certification was obtained during the audit fieldwork following the auditor enquiry.

Vice President Approval

Prior to travel, there are two approval actions required based on the Travel Authorities. The commitment authority has to be signed by the budget holder and the Vice President (VP) approval for expenditure authority is required to issue a Travel Authorization Number (TAN) for air and train travel. The VP approval is issued through the Travel Authority Request Approval Workflow (TARAW) database. Staff travellers require a TAN to complete the travel bookings through the approved travel agency. Non-Staff travellers are only required to use the travel agency if the NRC is paying for the air or rail travel directly with the NRC corporate card. The non-staff traveller could receive VP approval for air or rail travel through the TARAW database or by a direct signature on the pre-approval form. If they use the travel agency the non-staff traveller would be issued a TAN as normally and a temporary personal Travel Identification Number (TIN). The IOE process limited the VP approval requirement to international travel and conference travel only. This process was introduced as the TARAW database which is used to obtain VP approval electronically was off line during the IOE and it would have been an administrative burden to obtain manual VP approval for each case. Central Travel office had a list of available TAN's to issue throughout the IOE period when the TARAW database was unavailable. This situation explains why it was possible to have a compliance rate of 100 percent under the criterion of TAN when required (i.e. air and train travel) without having VP Approval.

From our sample of 55 travel claims, 41 should have had a VP approval. From those 41, 28 were initiated before the cyber intrusion and 13 after the cyber intrusion during the IOE period. Of the 28 which were approved before the cyber intrusion, two non-staff travel claims did not obtain the proper VP approval. From the 13 which were during the IOE period, four staff travel claims to conferences did not obtain the proper VP approval.

The audit findings for the VP approval during the IOE period were a temporary issue as the TARAW database had been restored and used by January 2015. The other pre-approval issues were not systematic and the required procedures have been reviewed and discussed with the Central Travel Office (CTO).

Eligible Expenses

The actual CTO verification process does not require the CTO staff to verify receipts for international claims for both staff and non-staff if the travel claim is below $2,500. For domestic claims of staff, the threshold is $3,500, and $2,500 for non-staff. For the travel claims above these thresholds, a verification of receipts is performed by the CTO staff.

We found four issues related to meal and incidental expenses for claims under the threshold. There was one staff claim where the lunch allowance was requested, even though lunches were provided by the conference organizers. The remaining three issues (two staff and one non-staff) were for expenses included on a hotel invoice which would normally be covered by the traveller's per diem and incidental daily rate. These ineligible expenses were not removed from the hotel invoice and were refunded to the traveller as part of the accommodation expense, resulting in an overpayment to the traveller. Note that these four travel claims were all below $3,500.

Duplicate Payment

There was one claim for which a duplicate payment was issued to the traveller due to a copy of the original travel claim which was re-submitted to the CTO. The travel claim was refunded despite the fact that the invoices were not original invoices. The auditor notified CTO to seek reimbursement, which was received during the audit fieldwork. We completed further data analytics to determine if other similar scenarios have occurred for the fiscal year 2014-15. No other duplicate claim issues were noted for the fiscal year.

Business Class Travel

There were two non-staff travel claims where congress guest speakers were reimbursed by NRC Conference Services on a cost recovery basis (congress expenses offset by congress revenues from registration fees, partnerships and sale of exhibit booths). Both guest speakers utilized business class flights for the overseas portion. The NRC Policy for Non-Staff Travel Allowances states that for air travel, only the economy rates are allowed. The actual rules do not allow exception. However, due to the length of the flight and the stature of guest speakers, who are both Nobel Prize Winners, the business class flight was objectively reasonable.

Travel Advances

Temporary travel advances can be issued on an individual basis according to specific pre-authorized travel requirements. The advance would be accounted for as part of the travel expense claim and any excess would be returned by the traveller at that time. There were 24 travel advances for $32,276 issued during the fiscal year 2014-15, and all were cleared by year-end. There was no travel advances associated with the audit sample selected.

Individual Travel Cards Balances

The traveller is responsible for the monthly card payments once they are reimbursed by NRC. The individual travel card would be cancelled by the provider if no payment is received after 90 days, and would only be reinstated after the full balance is paid. Interest is only charged after 60 days on the individual travel cards. The CTO verifies the past due report for the individual travel cards and will notify travellers as necessary. There were 16 individual travel cards for the 35 staff travel claims tested.

The audit fieldwork found one travel card with a high balance as of January 31, 2015. The traveller had made regular monthly payments on the card. The high balance was addressed by Central Travel Office (CTO) and paid by the traveller during the audit fieldwork. Otherwise the individual cards tested were used for appropriate travel expenses and were paid by the traveller in a reasonable amount of time (within 90 days).

Computer Programs

NRC utilizes three different computer programs to process a travel claim in addition to a paper claim prepared using Microsoft Excel. SAP is used to generate the payment and record the transaction, Travel Authority Request Approval Workflow (TARAW) database is used to obtain VP approval and finally, the Financial Dashboard is used to generate the Travel Authorization Number (TAN) and to reconcile the corporate travel card expense. This situation increases the level of effort and the risk of errors. Finance Branch indicated to us that they will explore other systems for the recording and the processing of the travel claims.

Recommendations

  1. Finance Branch should develop training and communication to increase the awareness of the National Joint Council Travel Directives for both the traveller and the manager with performance certification approval authority. [Priority: Moderate]
  2. Finance Branch should consider revising the NRC Policy for Non-Staff Travel Allowances to allow for exceptions approved by the Vice President. [Priority: Moderate]
  3. Finance Branch should explore opportunities to harmonize the travel claim procedures to reduce the reliance on paper based travel claims and multiple computer programs. [Priority: Moderate]

2.2 Hospitality

Assessment

Overall, controls over hospitality expenditures remained effective in the Interim Operating Environment (IOE).

More specifically, the audit noted that the following audit criteria were compliant at 100 percent:

  • the approval process (FAA sections 32 and 34)
  • the payments were not made with an acquisition or an individual travel card while not on travel status
  • the hospitality expenses claimed were eligible
  • the payments were made through a funds commitment where appropriate

The following audit criteria were at a lower compliance rate, but do not affect the overall assessment:

  • the appropriate supporting documentation was on file at a rate of 56 percent (9 / 16)
  • the hospitality expenses claimed were within acceptable limit (standard cost) at a rate of 94 percent (15 / 16)

The audit sample for hospitality was selected from the Luncheon Food Services general ledger account (50481). The 16 item sample was selected from the unique Non-PO's in the account for the period of July 29th to December 31st, 2014. The population for hospitality for this period was 385 claims totalling $115,400.

Below we provide more details on the criteria which were not fully compliant (the supporting documentation and the standard costs).

Supporting Documentation

There were seven hospitality claims with various issues related to supporting documentation. The Hospitality Blanket Approval (Blanket) forms existed, but were not in the file for one hospitality claim. The Event and Hospitality Pre-Approval forms were either missing for three files, incomplete for two files or were signed after the event for one file. The Blanket is used to reduce the administrative burden for re-occurring hospitality events and allows budget holders to initiate expenditure authority and performance certification hospitality for events they will attend. The pre-approval form would still be required in all cases to verify the standard cost per person. The three hospitality claims without the pre-approval form had calculated the standard cost per person as required.

One hospitality claim did not have a blanket authority for the budget holder who signed the pre-approval, the performance certification and who attended the event. The budget holder cannot benefit from the hospitality unless their supervisor signs the pre-approval or they have a blanket authority.

There were also three instances where the Blanket Hospitality Authority existed, but the corresponding funds commitment was not created. It is a best practice that a funds commitment be recorded. For practical reasons and with regard to materiality, the funds commitment is not required for Non-PO's below $5,000.

Finance Branch has already prepared, as of March 2015, a revised version of the Blanket Hospitality Authority, which includes the fund commitment. The completed forms are kept centrally for accounts payable verification. There is also a simplified hospitality claim form to be used with the Blanket Authority which was implemented in May 2015. The standard Event and Hospitality Pre-Approval form would be used when there is no blanket authority. These revised hospitality forms prepared by Finance Branch address the supporting documentation finding and the standard costs finding which are discussed below.

Standard Costs

The standard costs are the allowable per person costs for hospitality based on the equivalent per diem amounts taken from the National Joint Council Travel Directive. The standard costs are specified in the NRC Financial Management Manual and TBS Directive on Travel, Hospitality Conference and Event Expenditures.

The audit fieldwork found one hospitality claim where the cost per person exceeded the standard cost levels.

2.3 Relocation

Assessment

Overall, controls over relocation expenditures remained effective in the Interim Operating Environment (IOE).

More specifically, the audit noted that the following audit criterion were compliant at 100 percent:

  • the approval process (performance certification) (FAA sections 34)
  • the appropriate supporting documentation was on file
  • the maximum amount of $5,000 for initial appointees, was not been exceeded without authorization
  • relocation expenses claimed were eligible

The following audit criteria was at a lower compliance which do not affect the overall assessment:

  • appropriate FAA Sec. 32 pre-approval was provided at a rate of 87 percent (13 / 15)

The audit sample for relocation was selected from the Relocation in Canada general ledger account (50191) and the Relocation In/Out Canada account (50194) for the period of July 29th to December 31st, 2014. A total of 15 samples were selected, 12 were relocations for initial appointees and three were for relocation of current employees. The audit population for relocation was 34 relocations files with 53 reimbursements totalling $278,448.

The relocation files are processed by Brookfield Global Relocation Services (BGRS). BGRS reimburses the current employee or the initial appointee directly during the relocation process. The Central Travel Office then reviews the relocation files and issue payments to BGRS. The limit for initial employees is $5,000, plus the BRGS fee, unless a specific business case is approved by the Chief Financial Officer. The cost of relocation for current employees has no fixed limit and can exceed $25,000.

Below we provide more details on the criterion which were not fully compliant, appropriate FAA Sec. 32 pre-approval.

FAA Sec. 32 Pre-Approval

Four levels of FAA Sec 32 pre-approval presently exist at NRC for both initial appointee and current employee as follows:

  • up to $10 K: Director / Executive Director
  • $10 K to $15 K: General Manager / Director General
  • $15 K to $25 K: Vice-President
  • above $25 K: President or Chief Financial Officer

There were two open relocation files for current employees for whom the pre-approval was obtained from the General Manager, but where the costs have already or will exceed the pre-approved amount of $15,000. For these cases, a new authorisation must be obtained at the next level. Following the auditor's enquiry, the Central Travel office obtained the appropriate FAA Sec. 32 approval before the files were closed.

Appendix A: Audit Criteria

Line of Enquiry Audit Criteria
Travel
  • Appropriate FAA Sec. 32 was provided
  • Appropriate FAA Sec. 34 certification was provided
  • VP approval was obtained where appropriate
  • Appropriate supporting invoices were on file
  • Travel expenses claimed were eligible
  • Travel expenses were coded correctly
  • Travel Authorization Number (TAN) were obtained where required (i.e. air and train travel)
  • Business case for travel was on file
  • The reimbursement was made to the traveller
  • Travel advance were refunded by the employee
  • There were no excessive (more than 90 days) outstanding balances due on individual travel cards
Hospitality
  • Appropriate FAA Sec. 32 was provided
  • Appropriate FAA Sec. 34 certification was provided
  • Appropriate supporting documentation (e.g. invoices, blanket authority form and pre-approval form) was on file
  • Payment were made through a funds commitment where appropriate
  • Payments were not made with an acquisition card
  • Hospitality expenses claimed were eligible (e.g. no alcoholic beverages)
  • Hospitality expenses claimed were within acceptable limit (i.e. standard cost)
Relocation
  • Appropriate FAA Sec. 32 was provided
  • Appropriate FAA Sec. 34 was provided
  • Appropriate supporting documentation (e.g. letter of offer, Prior-Authority for Relocation and Commitment Advice form, and Brookfield invoices and account summary) was on file
  • The maximum amount of $5,000 for initial appointees, exception of authorized cases, had not been exceeded
  • Relocation expenses claimed were eligible

Appendix B: Management Action Plan

Definition of Priority of Recommendations
High Implementation is recommended within six months to reduce the risk of potential high likelihood and/or high impact events that may adversely affect the integrity of NRC's governance, risk management and control processes.
Moderate Implementation is recommended within one year to reduce the risk of potential events which may adversely affect the integrity of NRC's governance, risk management and control processes.
Low Implementation is recommended within one year to adopt best practices and/or strengthen the integrity of NRC's governance, risk management and control processes.
Recommendation Corrective Management Action Plan Expected Implementation Date and Responsible NRC Contact

1. Finance Branch should develop training and communication to increase the awareness of the National Joint Council Travel Directives for both the traveller and the manager with performance certification approval authority. [Priority: Moderate]

Finance Branch will develop an online training session for new employees (as well as existing) on travel directives.

Date: 31 March 2016

Contact: Director (Acting), Accounting Operations, Finance Branch

2. Finance Branch should consider revising the NRC Policy for Non-Staff Travel Allowances to allow for exceptions approved by the Vice President. [Priority: Moderate]

Policy update to reflect process for exceptions for VP approval underway.

Date: 30 June 2015

Contact: Director (Acting), Accounting Operations, Finance Branch

3. Finance Branch should explore opportunities to harmonize the travel claim procedures to reduce the reliance on paper based travel claims and multiple computer programs. [Priority: Moderate]

The move by PWGSC's Shared Travel Services Initiation to a new travel vendor and our assessment of its electronic integrated travel initiation and claim tool was deemed not to be as automated as required for seamless integration with SAP nor NRC's financial delegations in order to meet efficiency expectations. This project has been delayed in FB's strategic plan until FY17-18, to follow the P2P process. Date may be amended depending on progress CST project activities.

Date: 30 Septembre 2017

Contact: Director General, Finance Branch

Date modified: