Audit of Use of Acquisition Cards at Missions
December 2021
Table of contents
- Background
- Objective, Approach, and Methodology
- Findings
- Conclusion, Recommendations, and Management Response and Action Plan
1. Background
Administration and Management
- The Deputy Director of Financial Operations, International (SMFF) is responsible for issuing and monitoring the use of acquisition cards at missions.
- The Common Services Delivery Point (CSDP) verifies mission documentation, approves the payment of the master account statements, and enters journal vouchers based on documentation.
- The Management Consular Officer (MCO) or another program manager, in some cases, is responsible for coordination of the acquisition cards at mission.
- Mission cardholders include both Canada Based Staff and Locally Engaged Staff. They are responsible for using the acquisition card in compliance with Treasury Board and departmental policies.
- The Head of Mission ensures that the MCO implements controls and follows rules and requirements.
- All purchases must be approved by the appropriate authorities and compliant with applicable policies.
Policy Requirements
- Financial Administration Act (FAA)
- Treasury Board
- Policy on Financial Management
- Directive on Delegation of Spending and Financial Authorities
- National Joint Council, Foreign Service Directives (FSDs)
- Global Affairs Canada
- Directive on Acquisition Cards at Missions
- Delegation of Financial and Contractual Signing Authorities Instrument
- Official Hospitality Outside Canada Policy
- Directive on Membership Fees
- Procedures Specified Purpose Accounts
Directive on Acquisition Cards
- Acquisition cards can be used for:
- Goods and/or services with the exception of those goods/services that must specifically be purchased by Headquarters units as detailed in Chapter 3, Annex C of Material Management Manual
- Fleet vehicle operating and maintenance expenses (including fuel)
- Hotel reservations for CBS, LES and OGD employees as well as non-public servants
- Hotel payments for non-public servants
- Expenditures incurred by HOMs and Management and Consular Officers in the event of an evacuation and
- Airline/train tickets purchased at the mission for official government business (i.e. travel in accordance with National Joint Council - NJC Travel Directive)
- Acquisition cards must not be used for:
- Personal expenses
- Travel-related expenses for employees (except for buying airline/train tickets as indicated above)
- Hospitality expenses, if the employee has been provided a hospitality advance for this purpose
- Inter-departmental transactions (payment to Other Government Departments)
- Foreign Service Directives (FSD) travel or other FSD related expenses (except for evacuation as indicated above) and
- Capital assets purchases
2. Objective, Approach, and Methodology
About the Audit
Objective: The objective of the audit was to assess the effectiveness of controls in place to support departmental compliance with legislative requirements and relevant policies on the use of acquisition cards at missions.
Criteria:
- Acquisition card transactions comply with relevant policies, procedures, and guidelines.
- Departmental controls, including monitoring activities, are in place and function effectively to detect misuse of acquisition cards.
Scope:
| Population Testing | Sample Testing |
|---|---|
| Calendar Years 2019 and 2020 | Calendar Year 2020 |
| 130 missions | 83 missions |
| 84,142 transactions | 366 transactions |
| Over $43 million | $929,760 |
Approach – Data Analytics
- Risk-Based Planning
- Conduct an assessment of high risk area amenable to data analytics approach
- Develop in-depth quantitative understanding of data
- Data Analytics and Testing
- Assess control effectiveness, identify control deficiencies, and detect potential fraud
- Population analysis
- Transaction testing as required
- Conduct contextual and informational interviews
- Implementation of Continuous Monitoring Approach
- Explore data analytics monitoring practices
- Provide timely information and potential findings related to key controls and management of processes and programs
- Transfer data analytics scripts to program area and internal controls
Methodology – Sample Selection
- The audit began in early 2021 and a decision was made to analyze mission acquisition card transactions over the 2020 calendar year instead of a fiscal year so the engagement would examine a complete data set.
- The transactions were categorized to run the analytic scripts.
- Based on the results of analytic scripts, 223 samples were selected. Some samples had more than one transaction resulting in 366 total transactions.
- The sample selection was a risk-based, judgemental approach and then tested to assess compliance and operating effectiveness.
| Categories | Samples | Total Transactions | Total Value |
|---|---|---|---|
| Airlines | 6 | 20 | $164,808 |
| Alcohol | 8 | 8 | $12,416 |
| Clothing | 10 | 10 | $9,826 |
| Financial Services | 6 | 6 | $6,430 |
| Government Services | 6 | 6 | $13,604 |
| Health and Beauty | 7 | 7 | $23,009 |
| Hospitality | 13 | 20 | $98,309 |
| Hotel Expenses | 7 | 7 | $2,344 |
| Jewelry | 1 | 1 | $117 |
| Leisure | 12 | 12 | $14,251 |
| Medical Supplies | 9 | 10 | $23,263 |
| Moving Costs | 1 | 1 | $53 |
| Personal Purchases | 14 | 14 | $27,699 |
| Taxi | 9 | 9 | $5,966 |
| Travel | 8 | 8 | $8,908 |
| Vehicle Expenses | 7 | 10 | $30,293 |
| Vehicle Rental | 3 | 3 | $4,996 |
| Potential Duplicate Purchases | 23 | 88 | $206,064 |
| Potential Split Purchases | 15 | 68 | $162,732 |
| Transactions > $10,000 | 5 | 5 | $55,831 |
| Supplier Review | 53 | 53 | $58,837 |
| Total | 223 | 366 | $929,760 |
Methodology – Samples by Common Service Delivery Point
| CSDP | Missions Tested | Total Transactions | Samples | Total Value |
|---|---|---|---|---|
| Washington | 19 | 113 | 81 | $335,550 |
| London | 10 | 42 | 27 | $198,831 |
| Brussels | 10 | 36 | 22 | $140,540 |
| Berlin | 11 | 62 | 23 | $81,356 |
| Mexico | 12 | 55 | 33 | $80,690 |
| Delhi | 10 | 41 | 20 | $75,284 |
| Manila | 11 | 17 | 17 | $17,509 |
| Total | 83 | 366 | 223 | $929,760 |
3. Findings
Supporting Documentation
Policy Requirements
- The Directive on Acquisition Cards at Missions states that the cardholder is responsible for obtaining approval from the manager with appropriate delegated authorities before making any purchases with the acquisition card (Expenditure Initiation Authority) and maintaining appropriate records and an audit trail of purchases made using the acquisition card.
- The Procedure for Acquisition Cards – Missions states that the cardholder maintains a log of individual expenses/purchases incurred with his/her acquisition card during the month, which must be supported by appropriate supporting documents (e.g. invoices, receipts, etc.).
Established Controls
- At the mission, the manager approves the initiation of an expenditure using an acquisition card and ensures that the cardholder provides sufficient documentation supporting the transaction before signing Section 34 of the FAA on the Acquisition Card Purchase Log to certify that the goods have been received or that services have been rendered.
- The CSDP verifies mission documentation, approves the payment of the master account statements (Section 33 of the FAA), and enters journal vouchers based on appropriate documentation.
Observations – Control Effectiveness
- 17 percent of the sample (37 of 223) had no document number attached, which prevented the audit team from conducting any analyses.
- 31 percent of the sample (70 of 223) had insufficient documentation to demonstrate compliance with policies and directive. In many cases, receipts and invoices alone were insufficient to determine compliance because often the context within which the transaction took place was missing.
- 80 percent of the sample (179 samples out of 223) did not have documentation on the approval provided by the appropriate manager to initiate the expenditure. This information is often critical to determine compliance but the Directive is silent on whether it must be documented in writing.
- 19 percent of the sample (42 of 223) did not properly document Section 34 of the FAA.
- 11 percent of the sample (24 of 223) was unclear whether the acquisition card was indeed used by the actual cardholder because there was insufficient documentation.
Observations from Population Testing
- There were nine (9) transactions with a delay exceeding three months between transaction date and posting date. Of those nine transactions, six had insufficient documentation to explain the gap.
- Increasingly, the department is using intermediary merchants such as Amazon and Paypal to purchase goods and services. While the departmental directive allows this, service provider’s monthly statements do not provide any details about the transaction, only a transaction number. The responsibility is on the mission to provide sufficient documentation to allow for compliance monitoring.
Finding
- Population and sample testing showed that the vast majority of transactions had insufficient documentation to fully verify compliance. Better documentation is required to verify compliance, identify misappropriations or fraudulent activity.
Risk of Split Purchases
Policy Requirement
- The Directive on Acquisition Cards at Missions states that the acquisition card must not be used to split orders to avoid amounts that exceed delegated levels of authority.
Established Controls
- Each acquisition card has a total limit of up to $10,000 CAD (with a few exceptions) and a transaction limit (e.g., $3,000 CAD per transaction). The Mission Card Coordinator (the MCO in most cases) determines these limits based on operational needs and planned usage. In addition, Financial Operations, International (SMFF) must approve all limits, especially any acquisition card limit that exceeds $10,000 CAD.
Observations – Control Effectiveness
- 26 percent of transactions in calendar year 2020 (10,131 out of 39,085 representing approximately $6.35M) may have been potential split purchases.
- 7 percent of the sample (16 out of 223) were confirmed to be split purchases to circumvent the acquisition card limit.
Finding
- Acquisition card limits constitute a control to ensure that the acquisition card is used based on operational needs and planned usage. Current departmental controls could be operating more effectively to prevent split purchases.
Monitoring
Key Monitoring Practices
- At missions, managers ensure that cardholders use acquisition cards in compliance with applicable policies and directives. Regionally, the CSDP verifies mission documentation and follows up with the mission when they identify potential non-compliant transactions. At headquarters, Financial Operations, International monitors the number, location and the use of acquisition cards in circulation.
Observations on Monitoring Practices
- Headquarters has limited monitoring tools for mission acquisition cards:
- Service provider does not block transactions on the basis of the Merchant Category Codes (MCCs) because it is impractical to do so for such a large number of foreign locations with multiple local vendors.
- While missions generally comply with the departmental Directive, they do not always follow headquarters' list of ineligible merchants. For example, it is prohibited to use an acquisition card to pay for local transportation but acquisition cards are still heavily used to pay for taxis (e.g., Uber is the third most popular vendor during the audited period).
- Regionally, the CSDPs do not provide monitoring results to headquarters and monitoring activities also vary across the seven CSDPs.
- Mission level monitoring varies significantly and is dependent on the due diligence of managers at the mission. This is particularly notable in the documentation uploaded in the Financial Administration System (FAS).
- Some missions are using local acquisition cards and while this practice is allowed under certain circumstances, headquarters only has a list of local acquisition cards and does not get any monitoring reports on the use of these local acquisition cards.
- The audit team identified one (1) sample where an acquisition card was used to purchase a motorcycle as part of the mission’s fleet. While the Directive usually prohibits the use of acquisition cards to purchase capital assets, it is still possible to purchase such an asset in cases where the retail price is below $10,000 CAD however, the asset does not appear in Capital Assets Report if the mission does not communicate directly with Domestic Procurement, Contracting and Asset Management (AAC) to have it inscribed.
Finding
- Monitoring activities should be strengthen and better coordinated between the different levels to support compliant use of acquisition cards. Strengthened monitoring may also address previous observations related to insufficient documentation and split purchases.
4. Conclusion, Recommendations, and Management Response and Action Plan
Conclusion
- The department has acquisition card controls in place however the operational effectiveness of the controls needs strengthening to better support compliance with legislative requirements and relevant policies.
Conclusion on Audit Criteria
| Audit Criteria | Rating | Recommendation |
|---|---|---|
| 1. Acquisition cards transactions comply with relevant policies, procedures, and guidelines. | Partially Met | Strengthen guidance and awareness to reinforce compliance |
| 2. Departmental controls, including monitoring activities, are in place and function effectively to detect misuse of acquisition cards as well as anomalies. | Partially Met | Establish regular and automated monitoring |
Recommendations
- The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology (SCM) should revise the departmental directive and mission guidance regarding the use of acquisition cards to clearly define compliant practices and supporting documentation requirements and communicate these requirements to strengthen awareness and reinforce compliance.
- The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology (SCM) should strengthen and better coordinate monitoring activities on the use of acquisition cards and leverage automated tests to enhance monitoring capabilities.
Management Response and Action Plan
| Audit Recommendation | Management Response | Management Action Plan | Area Responsible | Expected Completion Date |
|---|---|---|---|---|
| 1. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology (SCM) should revise the departmental directive and mission guidance regarding the use of acquisition cards to clearly define compliant practices and supporting documentation requirements and communicate these requirements to strengthen awareness and reinforce compliance. | Management agrees with the recommendation. | a) Management will reinforce departmental directive and best practices by introducing quarterly newsletters to cardholders. b) Management is in the process of developing an enhanced and standardized automated solution for acquisition card expenditures for both headquarters and missions. The new business process will require appropriate supporting documentation to be provided at the card document creation stage in order to process the transactions in SAP. Considering other departmental priorities regarding system innovation, the development and implementation of this process will require 2 years. | a) CFO-SCM/SMD - Banking operations, Domestic & International (SMFB) b) CFO-SCM/SMD - Banking operations, Domestic & International (SMFB) and Corporate SAP – Finance and HR (SMSF) | a) March 2022 b)
|
| 2. The Assistant Deputy Minister of Corporate Planning, Finance and Information Technology (SCM) should strengthen and better coordinate monitoring activities on the use of acquisition cards and leverage automated tests to enhance monitoring capabilities. | Management agrees with the recommendation. | a) Management will establish regular monitoring activities using the National Bank of Canada (NBC) platforms to ensure policy compliance, on a risk-based approach. b) CSDP will include acquisition card (both local and NBC) expenditures as part of their regular monitoring and post-sampling activities. The general audit verification/post-sampling activities are being reviewed as part of the implementation of the electronic S. 34, which impacts the business processes. Quarterly reporting on the results of the post-sampling activities will be shared with SMF. | a) CFO-SCM/SMD - Banking operations, Domestic & International (SMFB) b) CFO-SCM/SMD - Financial operations, International (SMFF) | a) September 2022 b) March 2023 |
