Atlantic Canada Opportunities Agency
Symbol of the Government of Canada

Audit Report on the Expense Management Tool System


ACOA


Internal Audit Directorate


 

Final Report



June 2008



ASSURANCE STATEMENT

President, Atlantic Canada Opportunities Agency:

We have completed the audit of the Expense Management Tool (EMT).

The overall objective was to provide assurance that the controls implemented with the Agency’s adoption of the travel Expense Management Tool (EMT) are operating effectively. In this regard, two sub-objectives were established to provide assurance that:

  • all EMT travel requests by ACOA employees are authorized and processed in accordance with government policy; and
  • all EMT travel claims paid by ACOA represent valid Agency expenditures, approved in accordance with established delegated authorities, and charged to the appropriate expense accounts.

The examination was conducted during the period of February through May 2008, and covered the operation of the system during the seven-month period that commenced April 1, 2007 and ended October 31, 2007.

The audit consisted of extensive interviews with staff responsible for implementing and operating the EMT, an examination of a sample of travel claims processed using the EMT, as well as an analysis of the population of completed EMT transactions.

Based on our audit, we concluded that the controls implemented with the Agency’s adoption of the EMT are operating effectively, and are manageable and sustainable.

The conclusion is based on a comparison of the situation as it existed at the time against the audit criteria and in consideration of the results of the audit testing.  The conclusion is only applicable in respect of the system audited.

Chief Audit Executive, Atlantic Canada Opportunities Agency


EXECUTIVE SUMMARY

Included in the Shared Travel Services Initiative (STSI) is an Expense Management Tool (EMT) that allows employees to request travel from their desktops.  As follow-up to the implementation of the system, the Vice-President of Finance and Corporate Services requested that an audit be performed on the operating effectiveness of the controls after the system had been operating for six months.  This audit covered the operation of the system from April 1 to October 31, 2007.

The audit covered the operational objectives of the EMT system, namely providing assurance that:

  • all EMT travel requests by ACOA employees are authorized and processed in accordance with government policy; and
  • all EMT travel claims paid by ACOA represent valid Agency expenditures, approved in accordance with established delegated authorities, and charged to the appropriate expense accounts.

The audit consisted of extensive interviews with staff responsible for implementing and operating the EMT, an examination of a sample of travel claims processed using the EMT, as well as an analysis of the population of completed EMT transactions.

Based on our audit, we concluded that the controls implemented with the Agency’s adoption of the EMT are operating effectively, and are manageable and sustainable.  Administrative staff at test sites were knowledgeable, well-trained and co-operative during all phases of the audit.  It is clear that they are committed to ensuring that the system provides for the smooth and efficient recording and payment of valid travel transactions.  Attesting to their diligence is the fact that no inappropriate allocations could be found, despite an electronic search of the entire population of 2,000 transactions processed using the EMT.

The one outstanding recommendation is that Public Works and Government Services Canada (PWGSC) be requested to provide a Personal Impact Assessment (PIA) as soon as possible related to the EMT’s collection and retention of employees’ personal information.


BACKGROUND

Under the Shared Travel Services Initiative (STSI), a contract for the delivery of government travel services was awarded to Accenture and its team of subcontractors: American Express, Concur Technologies, and Bell Canada.  Collectively they provided services known as “Travel AcXess Voyage.”  Included in these services is an Expense Management Tool (EMT) system that allows employees to request travel from their desktops.  The system requires changes to the roles of travellers, coordinators and supervisors, and the establishment of several new administrative roles, such as travel arrangers (i.e. delegates) and a departmental travel administrator.

In December 2006, the Vice-President of Finance and Corporate Services (VP F&CS) was asked to sign an attestation that the EMT system had been designed with appropriate controls in mind.  To support her attestation, she requested assurance from Internal Audit; however, though Internal Audit was willing to provide assurance on the design of the system, it could not provide assurance on the operating effectiveness of the controls until such time as the system was implemented and operating.  Consequently, the VP F&CS requested that an additional audit be performed on the operating effectiveness of the controls after the system had been operating for six months.  This audit covers the operation of the system from April 1 to October 31, 2007.

AUDIT RISK

The Audit of the EMT was not included in the Audit Plan for 2007-2008 and was undertaken by request of Management.  Engagement risk of planned audits is determined through the use of the Audit Universe Risk Analysis (AURA).  The AURA specifies the engagement risk by considering six risk criteria:

  • Level of funding
  • Other audits performed
  • Third-party control and delivery
  • Agency internal controls
  • Program sensitivity
  • Agency strategic direction

Using the AURA methodology, the engagement risk for the audit of the EMT was determined to be low, as the implementation of the new system included the retention of all existing internal controls.


AUDIT OBJECTIVES

An Engagement Plan was developed that focused on providing assurance that the operational objectives of the EMT system are being obtained, namely:

Objective 1 – All EMT travel requests by ACOA employees are authorized and processed in accordance with government policy.

Objective 2 – All EMT travel claims paid by ACOA represent valid Agency expenditures, approved in accordance with established delegated authorities, and charged to the appropriate expense accounts.

Audit Criteria

The following audit criteria were developed in respect of the above objectives.

Criteria for Objective 1

  • User profiles and lists of approvers and delegates are kept up to date.
  • The necessary administrative roles are appropriately filled.
  • Travel card data is stored in accordance with government policy.

Criteria for Objective 2

  • Data fed to the Agency’s financial system (GX) is properly coded and assigned to the correct account.
  • Supervisors perform their oversight duties in accordance with the FAA.
  • Travel arrangers review expense information and allocations.
  • All operational anomalies—including budget overruns, offline Travel Authority Numbers (TANs) and system errors—are duly tracked and addressed.
  • Travel commitments for cancelled trips are duly cleared from the system.

 

AUDIT APPROACH

The approach included the following steps:

  • agreeing on the risks and objectives through interviews and discussions with the Director General, Finance and Administration and the Chief, Corporate Accounting;
  • verifying that controls designed to mitigate these risks are in place and that the operation of these controls is being monitored;
  • concluding whether these controls are actually operating to reduce the risks to acceptable levels, and presenting these conclusions to the people involved in the processes concerned; and
  • agreeing the report with the people directly accountable for the processes audited, before issuing it to the VP F&CS.

Verification of the controls was accomplished by means of the following activities:

  • checking a random sample of 130 paper travel claims from head office and regional offices in Nova Scotia, Prince Edward Island, and Newfoundland and Labrador;
  • comparison of user documentation and implementation guides with the actual operation of EMT processes;
  • comparison of paper authority sheets with electronic approver status;
  • checking system profiles for correctness of allocation codes;
  • interviewing the Director of Access to Information and Privacy to understand requirements of the Privacy Act.
  • interviewing EMT department administrators to understand how user profiles are maintained in the system;
  • interviewing managers, processors, and travel arrangers to verify their understanding of system operation;
  • using the EMT test bed to verify the integrity of certain functions such as protection of access to credit card information and control of the dollar limit on blanket authority.

AUDIT SCOPE

The processes examined during the audit included:

  • system administration;
  • travel request and authorization;
  • expense reporting; and
  • tracking of errors, anomalies, and emergencies.

 

Because of the low risk, the audit did not include the following processes:

  • reconciliation and approval under FAA, section 33; and
  • reimbursement of verified claims.

AUDIT RESULTS

OBJECTIVE 1:

All EMT travel requests by ACOA employees are authorized and processed in accordance with government policy.

Criterion 1

User profiles and lists of approvers and delegates are kept up to date.

Maintenance of profiles is not seen as a priority and only a “wet signature” provides a definitive authorization.  Frequent movement within the Agency—and especially within the regions—means that profiles are not always up to date.  Administrative staff are compensating for profile problems during processing (e.g. re-assigning an allocation code).

Despite the difficulties with keeping system profiles up to date, it was observed that profile problems were being corrected over time.

Recommendation:

None.  No problems significantly impacting travel processing were found.

Criterion 2

The necessary administrative roles are appropriately filled.

Key roles are:

  • Approver – approves travel requests and/or expense claims.
  • Expense Processor –verifies the claim (may add tick marks) and enters it into GX.

Based on our interviews, Approvers and Expense Processors at test sites were knowledgeable and well trained.

Recommendations:

None.  No problems significantly impacting travel processing were found.

Criterion 3 

Travel card data is stored in accordance with government policy.

The Privacy Impact Assessment (PIA) for the Expense Management Tool (EMT) is currently under review.  PWGSC has drafted, but has not yet released, the necessary Personal Information Bank (PIB) for publication in Info Source.

Recommendation:

None.  Required action is the responsibility of STSI managers.

OBJECTIVE 2:

All EMT travel claims paid by ACOA represent valid Agency expenditures, approved in accordance with established delegated authorities and charged to the appropriate expense accounts.

Criterion 1 

Data fed to the Agency’s financial system (GX) are properly coded and assigned to the correct account.

In our 130 test paper samples, we were able to determine a single instance where the coding was incorrect.  In addition, a complete check of all 2,000 travel transactions for allocation anomalies did not turn up any instances of bad user profile entries leading to bad allocations.  Evidently, profile problems are being corrected by administrative staff during processing.

Recommendations:

None.  No problems significantly impacting the validity of Agency expenditures were found.

Criterion 2 

Supervisors perform their oversight duties in accordance with the FAA.

For Section 32 and Section 34 approvals, only the wet signature is being taken as authoritative, and Section 34 electronic approval functionality is not used.  Accordingly, the key control is whether supervisors are signing in accordance with their authority.  Of the paper transactions examined as part of this audit, in all instances of apparent signature anomalies a rational explanation or description of corrective action was provided by the Employee Administrator.

Use of blanket authority was verified by examination of documentation and through discussion with the Employee Administrators.   No anomalies were found.

Supervisors are controlling their travel budgets in periodic forecasting meetings using data pulled from GX.

On the basis of this sample, the process would appear to be adequately supervised.

Recommendations:

None.  No problems significantly impacting the validity of Agency expenditures were found.

Criterion 3 

Travel arrangers review expense information and allocations.

The EMT system is being used as a sophisticated forms generator and consequently, does not really represent a change from the paper-based system.  On this basis, we concluded that, with respect to review of claims, there is no increased risk.

Recommendations:

None.  No problems significantly impacting the validity of Agency expenditures were found.