Core Control Audit of the Security Intelligence Review Committee
Office of the Comptroller General
Why this is important
The Financial Administration Act designates deputy heads as accounting officers for their department or agency. As accounting officers, deputy heads are accountable for ensuring that resources are organized to deliver on departmental objectives in compliance with government policy and procedures.
Core control audits provide deputy heads with assurance regarding the effectiveness of core controls over financial management in their respective organizations. By doing so, core control audits inform deputy heads of their organization’s level of compliance with requirements contained in selected financial legislation, policies and directives.
About the Security Intelligence Review Committee
The Security Intelligence Review Committee (SIRC) was established in 1984 as an independent, external review body which reports to the Parliament of Canada on the performance of the Canadian Security Intelligence Service (CSIS).
Parliament has given CSIS powers to enhance the security of Canadians by investigating threats to national security. SIRC ensures that these powers are used legally and appropriately, in order to protect Canadians’ rights and freedoms. To do this, SIRC examines CSIS operations and investigates complaints.
According to its 2013–14 Departmental Performance Report, SIRC had spending of approximately $2.78 million and human resources of 16 full-time equivalents in fiscal year 2013–14.
Core Control Audit Objective and Scope
The objective of this audit was to ensure that core controls over financial managementFootnote 1 within SIRC result in compliance with key requirements contained in the selected financial legislation, policies and directives.
The scope of this audit included financial transactions, records and processes conducted by SIRC. Transactions were selected from April 1, 2014, to February 28, 2015. The audit examined a sample of transactions for each of the selected policies and directives. Appendix A provides a complete list of policies and directives included in the scope of the audit and the overall compliance in the areas tested.
Conformance with Professional Standards
This audit engagement conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
Anthea English, CPA, CA
Assistant Comptroller General
Internal Audit Sector
Office of the Comptroller General of Canada
Audit Findings and Conclusion
Core controls over financial management regarding the transactions tested within SIRC resulted in full compliance with the key requirements contained in 1 of the 10 policies, directivesFootnote 2 and corresponding legislation tested. SIRC was not in compliance with key requirements contained in the remaining nine policies and directives tested.
Weaknesses were identified in the areas of documentation, approval and timeliness.
Weaknesses were observed in the financial management governance structure, as there was no signed budget and no documented evidence that risks were considered in establishing the budget. Weaknesses were identified in the delegation of financial signing authorities, as the signature specimen cards did not always match the Delegation of Financial Authorities Chart. In addition, for acquisition cards, documentation to support initial credit limits and cardholder acknowledgement of responsibilities was not retained on file. With respect to contracting, the documentation to support the contracting vehicles used (competitive and non-competitive), was not on file. In addition, contracting amendments were not always justified. For employees leaving the department, documentation to support the return of all equipment was not on file.
For government travel, supporting documentation for reimbursements was not always available, and exceeding applicable limits or changing itineraries were not always justified. For hospitality, documentation to support justification for the most economical means to avoid or minimize hospitality costs was not on file. Furthermore, expenditure initiation and account verification were not always supported by complete documentation.
Weaknesses were observed where one individual approving contracts and amendments did not have the appropriate delegated authority. Some individuals did not have the training or did not revalidate their financial signing authority. For government travel, applicable limits for reimbursement were not always respected. The Delegation of Financial Signing Authorities Chart did not reflect the August 2013 changes in the Directive on Travel, Hospitality, Conference and Event Expenditures for approving travel.
Contracts and amendments were not consistently approved before the goods and services were received. Pre-approvals were not always obtained prior to expenditure initiation, or timeliness could not be determined, and commitments were not always done prior to the expense. Similarly, on some occasions, account verification was not performed on a timely basis or timeliness could not be determined.
The Chair of the Security Intelligence Review Committee should ensure that:
- The Delegation of Financial Signing Authorities Chart is current and reflects the changes made to the Treasury Board Directive on Travel, Hospitality, Conference and Event Expenditures for approving travel.
- All signature cards have an effective date and reflect the delegation identified in the SIRC Delegation of Financial Signing Authorities Chart.
- All employees with delegated financial authorities receive mandatory training before they exercise their delegated authority, as well as revalidate their knowledge to maintain their delegated authorities when required.
- The budget is signed by the chief financial officer and approved by the Chair at the start of the fiscal year, and there is documented evidence that risks have been considered in the establishment of the budget.
- Proper documentation is retained on file for acquisition cards to substantiate their issuance, approval, modification and condition of use, as well as the acknowledgement of responsibilities by the acquisition cardholder.
- Business processes are improved and are consistently performed in compliance with the Treasury Board Contracting Policy, and that documentation is retained on file.
- Business processes are improved and are consistently performed in compliance with the Travel Directive, and that documentation is retained on file.
- Documentation to support justification for the most economical and appropriate way to facilitate government business is kept on file.
- Employees’ departure forms are completed and kept on file.
- Expenditure initiation (pre-approval and commitment) is properly documented and properly dated before expenses are incurred.
- Account verification is done by someone with appropriate delegated authority, properly dated, supported by complete documentation (proof of execution) and done on a timely basis.
Management has accepted the audit findings and has developed an action plan to address the recommendations. It is expected that the management action plan will be fully implemented by January 2016.
The results of the audit and the Management Action Plan have been discussed with the Chair of SIRC and with the Small Departments Audit Committee. The Office of the Comptroller General of Canada will follow up on the implementation of the Management Action Plan.
Appendix A: Policies and Directives Tested
|Policies and Directives Tested||Compliance|
|Directive on Delegation of Financial Authorities for Disbursements||Not Met|
|Policy on Financial Management Governance||Not Met|
|Directive on Acquisition Cards||Not Met|
|Directive on Accountable Advances||Met|
|Contracting Policy||Not Met|
|National Joint Council Travel Directive||Not Met|
|Directive on Travel, Hospitality, Conference and Event Expenditures||Not Met|
|Directive on Financial Management of Pay Administration||Not Met|
|Directive on Expenditure Initiation and Commitment Control||Not Met|
|Directive on Account Verification||Not Met|
|Met||Greater than or equal to 98% compliance.|
|Partially met||Greater than or equal to 80% and less than 98% compliance.|
|Not met||Less than 80% compliance.|
- Date modified: