Audit of Employee Expense Reimbursement and Acquisition Card Management

1. Background

Financial operations must be conducted in accordance with the policies of the Government of Canada and the Office of the Superintendent of Financial Institutions (OSFI) in a manner that ensures that financial resources are well managed and safeguarded through balanced controls, while enabling flexibility and managing risk. Cost centre managers are responsible for providing the appropriate approvals and ensuring that purchases are in alignment with relevant policies and directives. The processing of employee expense reimbursements and acquisition card management at OSFI is the responsibility of the Financial Operations team within the Finance Unit.

Expense reimbursements are issued to employees when they incur out-of-pocket expenses in conducting business activities such as taking taxis, purchasing meals, and paying for accommodations when travelling for business. These expenses are governed by OSFI’s Travel Policy. Additionally, the reimbursements could include expenses related to learning and development opportunities such as training sessions, examination fees, etc. These are outlined under the Learning and Development Guidelines. Lastly, to support OSFI staff with remote working during the COVID-19 out-of-office period, a $500 one-time work-from-home reimbursement was made available to all staff to allow for the purchase of approved necessary work equipment such as monitors, desks, and chairs. For the period under review, from April 1, 2019 to September 30, 2020, 4,739 employee expense reimbursements totalling $3.2M were processed by Financial Operations.

Acquisition cards are credit cards issued to designated employees to enable them to make timely purchases in support of business operations. The use of the card provides for a convenient and cost-effective method for efficiently procuring and paying for goods and services. The use of acquisition cards is governed by the Treasury Board Directive on Payments, Appendix B - Standard on Acquisition Card Payments (April 2017), the Financial Administration Act (FAA), and OSFI’s Acquisition Card Directive (the Directive). At OSFI, there are 21 cardholders for which 2,222 transactions were processed, amounting to $1.05M for the period of April 1, 2019 to September 30, 2020, inclusive of the remote working period to assess the adequacy of controls in the work-from-home environment.

While individual transactions for the expense reimbursements and acquisition card transactions are generally low-dollar values, both processes carry high inherent risks associated with various compliance and disclosure requirements, and the potential for misuse and fraud associated with cardholders having custody of the card, the right to purchase, and the preparation of corresponding reconciliations. Hence, periodic assessments of core control functions provide senior management with reasonable assurance on the extent of compliance against established policies and procedures and the assessment of controls against the changing risk landscape.

The FAA requirements for financial transactions include ensuring documented evidence exists to support:

• pre-authorization to certify that funds are available for the transaction (Section 32);
• verification by managers that the good and/or service was provided as agreed and is eligible for payment (Section 34); and
• proper authorization or funds to be released for reimbursements or payments (Section 33).

These authorizations are segregated between the cost centre managers and Financial Operations (Financial Authority) as follows:

2. About the Audit

2.1 Objective

The objectives of the engagement were to:

• Assess the extent of OSFI’s compliance with relevant policies and procedures with respect to employee expense reimbursements and acquisition card purchases;
• Evaluate the adequacy, effectiveness and efficiency of key processes and controls in place to support the employee expense reimbursements and acquisition card management; and
• Identify opportunities for improvement, as appropriate.

2.2 Scope

The scope of the audit included the assessment of management controls over employee expense reimbursements and acquisition card management, including transactional testing for the period of April 1, 2019 to September 30, 2020.

2.3 Approach and Methodology

The following audit procedures were used for this audit:

• Reviews of applicable acts, policies, directives and procedures;
• Walkthroughs and process-mapping of employee expense reimbursements and acquisition card administrative processes;
• Interviews of Financial Operations Team and OSFI personnel; and
• Testing on a statistically representative sample of transactions, supplemented by a judgemental sample based on risk, for compliance with required policies, applicable legislation and directives. This included a sample of 73 transactions for expense reimbursements, 72 for acquisition card purchases and 34 transactions for executive travel and hospitality disclosures.

2.4 Statement of Conformance

The audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board’s (TB’s) Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.

3. Summary of Results

Based on the audit findings, there are generally adequate and effective controls in place for meeting the compliance requirements surrounding cost centre manager approvals (Section 34) and Finance’s exercise of payment authority (Section 33) on expense reimbursements and acquisition card purchases. However, lower levels of compliance with documented evidence of cost centre managers’ pre-authorizations (Section 32) were noted, risking cost centres incurring expenditures without having sufficient funding in place.

There were noted instances of non-compliance in the use of acquisition card for purchases prohibited under OSFI’s Acquisition Card Directive. In some cases, the Directive was not reflective of the current broader government guidance and current business practices. Without regular reviews and revisions to maintain the Directive, and reinforce adherence requirements, OSFI risks not having sufficient controls in place to safeguard against potential risks, including improper use of acquisition cards.

The audit also identified areas for improvement related to the management of the acquisition card against the Directive, specific procedures to assist Financial Operations’ staff in processing expense reimbursements and acquisition card reconciliations, and guidance for the types of events requiring executive hospitality disclosures.

3.1 Management Response

Management would like to thank Internal Audit for its collaborative approach and constructive feedback throughout this Audit engagement. The recommendations offer meaningful opportunities to strengthen the management of OSFI’s financial resources. On one hand, they will help bolster current practices, procedures and controls for the reimbursement of employee expenses. On the other, they will lead to stronger oversight and management of acquisition cards, ultimately with greater alignment with the Treasury Board Directive on Payments.

Management Action Plans for each individual audit observation are outlined in the relevant sections. Some remedial action have been implemented, with the majority targeted for completion by June 30, 2021; all recommendations will be addressed by the end of March 31, 2022. As part of its implementation plan, the Finance team will engage all relevant stakeholders who have key roles, responsibilities and accountabilities within the expense reimbursement and acquisition card processes.

Management response and action plan

4. Observations and Recommendations

4.1 Compliance with FAA requirements

Employee expense reimbursements and acquisition card transactions are expected to be authorized in accordance with the Financial Administrative Act (FAA) requirements and abide by OSFI’s internal policies and directives, including: the Travel Policy, Acquisition Card Directive (the Directive), Learning and Development Guidelines and recent work-from-home guidance surrounding expenses incurred as a result of remote working.

At OSFI, cost centre managers are accountable through their delegated financial signing authority for authorizing purchases before transactions take place in the form of a Section 32 (pre-authorization) and after the transaction in the form of Section 34 (invoice approvals). For acquisition cards, cost centre managers exercise Section 34 approvals in the form of sign-offs on the monthly reconciliation of credit card transactions. The reconciliations are then forwarded to the Financial Operations team that reviews the transactions against supporting invoices and proper approvals.

The Financial Operations team exercises payment authority under Section 33 of the FAA upon receipt of the Section 34 approvals and review of transactions.

In the sampled transactions of 73 expense reimbursements, 72 acquisition card purchases, and 33 transactions for executive travel and hospitality disclosures, OSFI’s controls were generally found to be operating effectively against the Section 34 and 33 requirements, to ensure that reimbursements and acquisition card purchases had:

• Properly authorized Section 34 by the appropriate cost centre manager as per OSFI’s Delegation of Financial Signing Authorities;
• Properly authorized Section 33 approval for payment by Financial Operations;
• Properly maintained records, including required supporting documentation; and
• Proper coding to the appropriate general ledger (G/L) account.

However, lower rates of compliance were noted with documented evidence of Section 32s on file, which are intended to certify that funds are available for the transaction. Our sampling consisted of transactions prior to and after OSFI adopted a remote working posture, and the results were found to be consistent across both periods.

The below table provides the breakdown of the results for the 73 expense reimbursements and the 72 acquisition card purchases against the Section 32 compliance requirements:

With the exception of travel (where process controls are electronically built into OSFI’s travel system), no standardized process has been established for demonstrating documented evidence of Section 32 authorizations for expense reimbursements and acquisition card purchases. Since Section 32 authorizations are not required by Financial Operations for payment processing, cost centres were asked to demonstrate Section 32 as part of the audit’s sample selection. Responses received by employees communicated different perspectives and varying levels of understanding regarding the requirements for Section 32, including: the distinction from Section 34, when the authorization is required, proper mechanisms for obtaining authorization (i.e. verbal vs. written) and misunderstanding regarding different types of delegations (i.e. contracting vs financial delegations).

Without a consistent approach for documenting authorizations, cost centre managers risk being accountable for purchases that were not previously authorized, which could include prohibited items or expenses that exceed funding availability.

Recommendation 1 (High Risk):

Finance should establish a standardized approach for documenting and maintaining Section 32 authorizations, ensure OSFI-wide understanding of the requirements, and monitor for cost centre adherence.

4.2 Compliance with OSFI’s Acquisition Card Directive

Prohibited Transactions

OSFI’s Acquisition Card Directive (the Directive), outlines acceptable and recommended card usage, including direction on prohibited purchases and purchase thresholds. The Directive promotes the use of the acquisition cards for realizing efficiencies in the purchase of low-dollar purchases (less than $5,000) in a convenient and less burdensome method, in alignment with the Government of Canada guidance, and outlines compliance requirements to be monitored by Financial Operations.

For the 72 sampled transactions, 10 prohibited transactions did not demonstrate consultation and/or prior approval by Financial Operations. These included: professional services (4); hardware/software greater than $200 (2); furniture (3); and memberships (1). In addition, 4 purchases were over the established threshold of $5,000. As per the Directive, a temporary limit increase can be granted per prior approvals from Financial Operations; however, no evidence of these approvals could be demonstrated for the transactions that exceeded the limit. Without adherence, OSFI risks legal, financial and reputation loss associated with purchases that are not in alignment with organizational policies.

The following graph provides for a breakdown of the composition of the noted exceptions:

Acquisition Card Issuance and Management

During the period under review, a total of 21 acquisition cards were distributed throughout the organization. In addition to providing information on acceptable card usage, the Directiveoutlines the requirements for card management that are the responsibility of Financial Operations. These requirements include:

• Validation of completion of mandatory training before card issuance;
• Cardholder declarations ensuring cardholders understand their roles, responsibilities and delegated authorities;
• Annual monitoring of cards to confirm they are still in use, and there is a continued need when cards have not been used during the previous 90 days.

Financial Operations’ current practice is to obtain confirmations that the mandatory training has been completed, and cardholders are required to submit a signed declaration of understanding prior to cards being issued. However, proof of completed training is not required or validated and the declarations are not currently being retained. Without demonstration that cardholders have attended required training and have signed off on declarations, cardholders may not fully understand their roles and responsibilities with respect to acceptable card usage.

Additionally, although acquisition card statements are reviewed on a monthly basis, no formal annual monitoring is performed to confirm the continued use of cards, business needs, or inactivity. Without this oversight, exposure to financial loss increases with lost cards not being detected, and unnecessary issuance of cards and limits without the required business need. These risks are expected to increase in the future, as the Financial Operations plans to issue more cards to support operational efficiencies.

Recommendation 2 (Medium Risk):

Finance should update the Directive in consideration of relevant government guidance and current business practices, and ensure cardholders and applicable cost centre managers understand the requirements of the Directive.

Recommendation 3 (Medium Risk):

Finance should validate cardholder training records and signed declarations prior to the issuance of acquisition cards, and perform annual monitoring to ensure the continued need for existing cards.

4.3 Procedures and Guidance for Finance Staff

OSFI’s Financial Operations team is responsible for processing employee expense reimbursements, acquisition card statements, and the monthly review of cardholder’s submissions of reconciliations between the card statements and supporting documentation. As part of the processing of reimbursements and acquisition card reconciliations, Financial Operations’ staff are to validate that all supporting elements are on file (including approvals by appropriate cost centre managers, invoices, etc.) and that expenses are allowable according to OSFI policies. To support Financial Operations’ personnel in understanding and executing their operational responsibilities, documented procedures and processes along with established operational measures for assessing performance are expected to be in place.

Specific documented procedures are in place relating to processing transactions in SAP; however, documented procedures were not in place to outline the validation process for expense reimbursements and acquisition card reconciliations by Financial Operations’ employees. In the absence of this, reliance is placed on tenured staff for training and transfer of corporate knowledge, which increases the risk of individual interpretations and inconsistent practices.

For acquisition card reconciliations, Financial Operations has established internal measures to perform reviews of the reconciliations by the end of the following month after cardholder submissions. The timely review is dependent on the receipt of the reconciliation documentation from the cardholder. Of the 72 sampled card transactions 47% were reviewed within the established internal measure, and 34% could not be validated, as they were undated. The delays in the remaining 19% of sampled transactions spanned from 1.5 to 6 months, attributed by Financial Operations to receiving late documentation from cardholders. However, it was not demonstrated that Financial Operations is monitoring for adherence against internal standards and taking corrective action when required. The delays in review pre-exist the remote work environment, which saw a longer-term pause on the reviews until it was deemed safe to return to the office. Without timely reviews of acquisition card reconciliations, Financial Operations may not detect exceptions in a timely manner to enable corrective action against violations, including illegitimate transactions or improper authorizations, especially if the cardholders have since left the organization.

In the remote work environment, electronic invoices are now used to process expense reimbursements rather than the original physical, and it is not mandatory to include an invoice number in the financial system. With no method of tracking if invoices have been previously paid, there is an increased risk for duplicate payments. Interim preventative or detective controls to mitigate for the risk have not been established.

Without clearly defined validation procedures for Financial Operations’ staff, the monitoring of established performance standards and controls to address duplicate payments, there is a risk that transactions will be processed inconsistently, not in alignment with OSFI’s policies, and that Financial Operations cannot follow up on exceptions in a timely manner.

Recommendation 4 (Medium Risk):

Finance should establish documented validation procedures, including controls over duplicate employee reimbursements, and establish reporting on the measures to senior management for effective oversight.

4.4 Disclosures for OSFI Executive Staff

As required by the Access to Information Act, OSFI must proactively disclose the travel and hospitality expenses incurred by the Superintendent, Assistant Superintendents and the Chief Actuary. This provides greater transparency by which Canadians and Parliament can hold public officials accountable for their spending. The Financial Operations team has a process in place for preparing disclosure reports and validating the data with the respective individuals prior to external disclosure.

A sample of 34 expense reimbursements and acquisition card transactions, relating to executive travel and hospitality, were reviewed for accuracy against supporting documentations and for completeness against OSFI’s external disclosures.

• Travel Expenses - A sample of 26 travel expenses were validated against OSFI’s external disclosures; 100% were disclosed as required.
• Hospitality Expenses - Hospitality expenses were inconsistently disclosed due to a lack of standardized guidance to identify the nature of events for which hospitality should be disclosed. Of the 8 hospitality expenses incurred by applicable senior executives, 4 transactions were charged to cost centres that required disclosure (and were disclosed), and 4 similar expenses were charged to cost centres that did not require disclosure.

Currently, OSFI has not established guidance for what events require executive hospitality disclosures. As a result, transactions may not be consistently disclosed across all executive cost centres and the organization risks reputational implications due to incomplete and inconsistent disclosure reporting.

Recommendation 5 (Low Risk):

Finance should establish clear guidance for what types of events and related hospitality expense transactions require executive disclosures, and monitor for completeness and consistency.

Appendix A - Recommendation Ratings

Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

Recommendations are ranked according to the following:

High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.

Medium Risk: a control weakness or operational improvement that should be addressed in the near term.

Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort. Individual ratings should not be considered in isolation; and their effect on other objectives should be considered.