Continuous Auditing of Key Controls for Selected Processes Annual Report for 2024

Audit and Evaluation Branch Natural Resources Canada

Presented to the Departmental Audit Committee, February 13, 2025

On this page

• Introduction
  • Accomplishments this Year
  • Objectives
  • Scope
  • Methodology
• Key Findings and Recommendations
• Acknowledgments
  • Conformance with Professional Standards
• APPENDIX A - Continuous Audit of Acquisition Cards

Introduction

Continuous auditing provides ongoing assurance on specific management processes and controls to enable more timely insight into possible risk and control issues. It enables the provision of findings to management on key controls related to financial and non-financial processes in a timely manner. The combination of continuous and regular audit activities provides adequate coverage of the Department’s key processes and controls. During the annual risk-based audit planning exercise, consideration was given as to whether a continuous or standard assurance audit is the most effective approach for providing assurance.

Continuous audits can significantly enhance the internal control processes and frameworks within an organization. They differ from traditional audits, which tend to be more comprehensive in terms of their scope. Continuous audit activities undertaken by Natural Resources Canada’s (NRCan) Audit and Evaluation Branch (AEB) are formally reported through an annual assurance report on key controls. This report presents the results of the continuous auditing activities completed by the AEB between January 1, 2024, to December 31, 2024.

Accomplishments this Year

With support from Senior Management and the Departmental Audit Committee (DAC), the AEB continued to provide continuous auditing capacity for NRCan in 2024.

The continuous audit activities completed in 2024 focused on identifying potential control issues related to specific processes identified in the approved 2023-28 Integrated Audit and Evaluation Plan (IAEP). Accordingly, the following area was assessed via continuous auditing:

• Acquisition Cards

The AEB was able to provide timely assurance to senior management and the DAC on the functioning of key controls for the area identified above. Findings and recommendations resulting from the examination of these processes were provided to management in order to assist them with further improving existing control mechanisms. These findings and recommendations were also presented to the DAC along with the associated management responses and action plans.

In addition to AEB’s continuous audit activities, NRCan’s management was engaged in continuous monitoring in accordance with the Treasury Board’s (TB) Policy on Financial Management. The combined efforts by both the AEB and management have resulted in improvements to control processes and the correction of any identified control deficiencies.

Objectives

The objective of the Continuous Audit performed was to assess the adequacy and effectiveness of the Quality Assurance of Account Verification process as it relates to acquisition card transactions, including corrective measures.

Scope

The scope of the continuous audit covered quality assurance activities related to acquisition cards from April 1, 2022, to August 31, 2023. This period was selected to capture the latest quality assurance activities completed by the Quality Assurance Function (i.e., sampling and testing procedures, semi-annual and annual reporting, and monitoring and implementing corrective measures).

The key controls assessed during the continuous audit are provided in Appendix A.

Methodology

The audit included the following key tasks:

• Review of key documents and relevant background information, policies, procedures, and guidelines.
• Interviews with key personnel involved in performing QA activities for acquisition card transactions as well as individuals responsible for oversight, implementation, and monitoring of corrective measures.
• Review a sample of acquisition card transactions subject to the PPV process.
• Follow-up procedures on recommendations stemming from prior continuous audits on acquisition cards.

Key Findings and Recommendations

The following summarizes the findings and recommendations for the continuous audit engagement. The audit provided reasonable assurances when arriving at conclusions for the key controls that were tested, which were assessed as either- effective, partially effective, or ineffective, based on the following criteria:

• Effective: The key control was operating effectively throughout the audit period;
• Partially effective: The key control was not operating effectively throughout the audit period; and,
• Not effective: The key control was not in place.

Continuous Audit of Acquisition Cards

The continuous audit identified the following opportunities for improvement related to the adequacy and effectiveness of the Quality Assurance of Account Verification processes of acquisition card transactions (A-Card), including corrective measures:

• Ensuring the Quality Assurance of Account Verification Plan (QAAVP) is revised to clarify (i) roles and responsibilities (R&R) of key parties involved in the post-payment verification (PPV) process and (ii) the sampling methodology.
• Strengthening the PPV process by (i) developing procedural guidance, (ii) tracking identified issues and monitoring the status of recommendations, and (iii) reporting based on senior management’s needs.
• Reinforcing acquisition cardholder awareness of document retention requirements.
• Defining and communicating R&R of responsible parties for monitoring of acquisition card transactions.
• Ensuring the Guideline on Strengthening Financial Stewardship is revised to clarify (i) R&R of key parties involved in implementing and monitoring of corrective measures, (ii) corrective measures, and (iii) monitoring and reporting of the implementation progress of corrective measures.

The continuous audit also found that outstanding recommendations from the previous continuous audits in this area have been fully implemented.

Acknowledgments

The AEB would like to thank those individuals who contributed to the performance of continuous audits and particularly employees who provided their insights and comments.

Conformance with Professional Standards

In my professional judgement as Chief Audit and Evaluation Executive, the continuous audit activities along with this annual report conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of engagement supervision and the Quality Assurance and Improvement Program.

Michel Gould, MBA, CPA, CMA, CIA
Chief Audit and Evaluation Executive
February 13, 2025

APPENDIX A - Continuous Audit of Acquisition Cards

The objective of the Continuous Audit performed was to assess the adequacy and effectiveness of the Quality Assurance of Account Verification process as it relates to acquisition card transactions, including corrective measures.

The following key controls were tested during the conduct phase of the audit:

Key Controls

Line of Inquiry 1: An adequate and effective post payment verification program is in place to monitor the use of acquisition cards.

1. A Quality Assurance of Account Verification Plan is documented, regularly reviewed.
2. The sample selection methodology is adequate and enables reliable and valid post payment verification results.
3. Post payment verification assessments are performed in alignment with the Quality Assurance of Account Verification Plan.
4. Relevant stakeholders are informed of instances of non-compliance in a timely manner and are provided with both the necessary information and actionable guidance to effectively address and mitigate the risk of reoccurrence (if applicable).
5. Senior management receives regular and timely reports on the results of post payment verification assessments in line with the Quality Assurance of Account Verification Plan.
6. Identified issues and recommendations resulting from the post payment verification assessments are tracked and monitored for implementation.

Line of Inquiry 2: Corrective measures are in place to address non-compliance related to acquisition card transactions.

1. Corrective measures and implementation timelines are defined, routinely reviewed, and updated for relevance.
2. Roles and responsibilities for monitoring and implementing corrective measures are clearly defined and communicated by relevant stakeholders.
3. Corrective measures and implementation timelines are applied in a timely manner based on severity and significance.
4. The implementation status of corrective actions is tracked, monitored, and reported.