Audit Report Financial Information for Decision Making June 2011
Table of Contents
- Executive Summary
- Detailed Report
The mandate of CIHR is to excel, according to internationally accepted standards of scientific excellence, in the creation of new knowledge and its translation into improved health for Canadians, more effective health services and products, and a strengthened Canadian health care system.
For processing its financial information, CIHR uses the FreeBalance Accountability Suite, a commercial off-the-shelf integrated financial management information system commonly used in the federal government. FreeBalance is CIHR's main financial system. In February 2009, Internal Audit reported on the adequacy and effectiveness of internal controls over the confidentiality, integrity, and availability of information in FreeBalance. During the review of business cycle controls, the auditors noted that evidence of the performance of reviews and/or sign-offs for a number of manual control activities could not be found. Examples included:
- Responsibility Centre Managers' review of monthly operating budget, commitments, and expenditures reports, and
- Responsibility Centre Managers' approval of adjustments to budgets, including budget allocations.
While the February 2009 audit addressed the confidentiality, integrity, and availability of FreeBalance information, it did not assess the adequacy of the financial information available for decision-making. Therefore, this audit has been undertaken to determine if Responsibility Centre Managers are being provided with adequate financial information to facilitate decision-making related to their financial management responsibilities.
Risk Addressed by the Audit
In accordance with the Treasury Board of Canada (TB) Policy on Internal Audit, this audit addressed the risks, controls, and governance processes associated with the activity under review. This audit project was selected to assess the risk that the financial information provided for decision-making (including FreeBalance reports and other pertinent financial reports) may not be adequate. The risk relates to the TB Management Accountability Framework (MAF) elements of Stewardship, which requires that the departmental control regime (assets, money, people, services, etc.) is integrated and effective, and its underlying principles are clear to all staff; Accountability, which requires that accountabilities for results are clearly assigned and consistent with resources, and delegations are appropriate to capabilities; and Results and Performance, which requires that relevant information on results (internal, service, and program) is gathered and used to make decisions, and public reporting is balanced, transparent, and easy to understand.
The objective of the audit was to assess the adequacy of financial information provided to CIHR Responsibility Centre Managers to support decision making related to their financial management responsibilities.
The audit covered the design and use of financial reports that are issued to Responsibility Centre (RC) Managers such as the monthly Operating Budget Report, the Expenditures Report, and the Commitments Report. This audit covered the design and use of the monthly financial reports related to salary and non-salary budgets, commitments and expenditures; financial reports relating to grants and awards were excluded from scope.
Overall Audit Opinion
The audit has concluded that there are moderate issues related to the adequacy of financial information to support an RC Managers' decision making related to their financial management responsibilities: there are weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high.
Statement of Assurance
In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided in this report. The audit of financial information for decision making was conducted in accordance with the Federal Government Policy on Internal Audit and related professional standards. The audit opinion is based on a comparison of conditions that existed at the time of the audit against established audit criteria that were agreed upon with management. The evidence is sufficient to provide senior management with proof of the opinion.
Summary of Strengths
CIHR staff was very cooperative with the audit team throughout the audit. We thank them for their help and their advice. Through the course of the audit, the audit team observed a number of strengths. CIHR has:
- An integrated planning, risk management, and budgeting process, which helps to ensure that key risks are considered in operational plans and budget information is aligned with those plans.
- Comprehensive planning templates are intended to ensure completeness of planning information.
- Well-established processes in place for planning, budgeting, forecasting and budget review, reporting, and budget re-allocation. Finance provides clear direction for completion of each of these financial management processes.
- Mandatory training on delegation of financial authority, acquisition cards and procurement, which is provided to all new RC Managers.
- Financial Advisors that are aligned to RC Managers, which provides RC Managers with a single point of contact for financial management support.
Summary of Improvement Opportunities
As noted above, the audit identified a number of improvement opportunities. The following aspects of financial information for decision making require management's attention:
- Financial management roles and responsibilities for RC Managers are not clearly and consistently defined and communicated.
- The development of budgets and forecasts within spreadsheets is inefficient and subject to error.
- RC Managers do not have access to complete, accurate and timely financial information presented in a user friendly format to enable them to perform their assigned financial management responsibilities.
- Policies and processes relating to salary budget management are inconsistently documented.
- RC Manager compliance monitoring is not enforced and does not consider the quality of RC Managers' review.
- There is no formal process to gather RC managers' input on their reporting requirements.
Other, lower-risk findings have been issued in a letter to management's attention.
Internal Audit thanks management and staff for their excellent cooperation in this audit.
Dev Loyola-Nazareth, Chief Audit Executive
Steven Nimmo, Manager, Internal Audit
Michael Bazant, Internal Auditor
Canadian Institutes of Health Research
Methodology and Criteria
The internal audit of financial information for decision making at CIHR was conducted in accordance with the Federal Government Policy on Internal Audit. The principle audit techniques used included:
- Interviews with management and staff at Canadian Institute of Health Research; and,
- Examination of financial reports, policy and process documentation, and, other relevant documentation.
Controls were assessed as adequate if they were sufficient to minimize the risks that threaten the achievement of objectives. Detailed criteria and conclusions are contained in the Appendix to this report.
The audit was conducted between November 2010 and March 2011.
Observations, Recommendations, and Management Action Plan
The following are audit observations, recommendations, and management action plan to address weaknesses in the adequacy of information provided to Responsibility Centre Managers to support decision making related to their financial management responsibilities.
|Observation||Recommendation||Management Action Plan|
|Financial management roles and responsibilities for RC Managers are not clearly and consistently defined and communicated.|
1 – Document the Financial Management Framework for CIHR and include the expectations and responsibilities of all levels of Management.
2 - Develop a training session covering the Financial management framework, finance processes and all financial management responsibilities for all levels of management. In addition, an update to the delegation of authority course will include the roles and responsibilities of RC Managers.
Draft Framework July 2011
Develop Training course materials and hold a Pilot October 2011
|2. The development of budgets and forecasts within spreadsheets is inefficient and subject to error.|
During the budget development process, financial information is captured in spreadsheets. Similarly, when developing forecasts during the in-year review processes, financial information is captured in spreadsheets.
Due to the decentralized nature of the processes there is a lack of ability to monitor the status of the budgeting and forecasting processes (e.g. which RCs have completed their budget/forecast, which RCs have submitted their budgets / forecasts for review by higher level managers, and which RCs have their budgets / forecasts approved by their manager).
In addition, the manual consolidation of budget and forecast data does not allow for Directors to readily access roll-up information for the RCs reporting to them. There is also a risk of human error in budget and forecast information due to manual consolidation of spreadsheets.
|It is recommended that the Director, Finance consider the cost-benefit of implementing a centralized planning, budgeting and forecasting application that would allow for:
The planning, budgeting and forecasting application would be complimentary to FreeBalance (i.e., it does not replace it). Given that planning, budgeting and forecasting applications typically also provide rich reporting and analytics functionality, CIHR should also consider the capability of such an application to meet RC Manager reporting requirements.
1 - Development of an automatic budget loading module is currently being investigated with the ITAMS branch. This module would allow for initial budget request to be inputted by Managers, and compiled for different levels (Directors and VPs).
Controls would be implemented to ensure budget allocation is respected (i.e. Adjustments entered by FMAs following a budget transfer request form is provided).
2 – All financial planning exercises include specific dates for various tasks to be completed: (a) information provided by Managers/Directors and (b) information presented to the respective VPs for approval.
The Financial Management Advisors consolidate the information for the Directors review and approval.
3 – On-line reporting tool presently ready for testing. This tool will allow Managers/Directors to access live information on their budgets, expenditures and commitments.
Timeline: September 2011
|3. RC Managers do not have access to complete, accurate and timely financial information presented in a user friendly format to enable them to perform their assigned financial management responsibilities.|
In addition, there is risk of having two different sets of numbers used for decision-making (e.g., FreeBalance information vs. Excel).
a. To improve RC Manager's access to timely financial information, it is recommended that the Director, Finance provides end-users with direct (read only) access to all financial reports on an as-required basis. These reports should allow for RC Managers to manipulate data for the purposes of analysis. It is recommended that Finance continues to send to RC Managers the Commitments report, Expenditures report, and Operating Budget report on a monthly basis as the "official" reports requiring sign-off.
b. It is also recommended that the Director, Finance consider the cost-benefit of implementing on-line requisitioning (e.g., using FreeBalance) that will allow RC Managers to enter requisitions directly in the system, triggering real-time recording of commitments within FreeBalance. This will eliminate the time lag from the point an RC Manager requests a purchase to the point the commitment is recorded in the system.
Action: a. On-line reporting tool presently ready for testing. This tool will allow Managers/Directors to access live information on their budgets, expenditures and commitments. The new reporting tool allows the information to be imported to Excel for manipulation of information. b. As a pilot project, the branches with high volumes of requisitions (ITAMS, HR and Communications) have been provided access to input invoices for a few years Evaluate the outcome of the pilot project with those branches and Financial Operations to determine the cost/benefits of expending this access to other branches. c. Introduction of the "Operating Budget Review Cut-Off Procedures" to ensure most of the procurement activities/invoices are inputted into the financial system prior to review. Timeline: September 2011
|4. Policies and processes relating to salary budget management are inconsistently documented.|
The current process for developing salary budgets is to allocate an RC salary budget equal to 92% of the forecast based on approved positions. The resulting 8% salary pressure is to be managed and monitored corporately by Finance. This implies that RC Managers are not expected to manage to their salary budget. Rather, RC Managers are responsible for developing headcount plans and managing headcount volumes relative to their plans, whereas Finance is responsible for translating RC Manager headcount plans into salary forecasts and for monitoring the 8% pressure during the year based on headcount forecasts provided by RC Managers.
The operational planning and budgeting guidelines document provided to RC Managers states that "… managers are permitted to forecast a salary deficit at the start of the year but are expected to do their utmost to eliminate the deficit by year-end". This implies that RC Managers are responsible for managing their salary budgets, not just headcount.
In addition, interviews with Finance indicated that RC Mangers are responsible for managing within +/- 3% of their non-salary operating budgets, as well as specific salary budget items such as overtime, acting, backfilling and students. Upon review of CIHR's Performance Planning and Reporting document and a sample RC Manager Performance Plans, neither document clearly states that RC Managers are responsible for managing within +/- 3 % of their non-salary budgets, and specific salary budget items such as overtime, acting, backfilling and students. Rather the documentation states that RC Managers are responsible for proactively reporting when spending is expected to vary more than 3% from the original budget allocation.
|It is recommended that the Director, Finance review existing documents where policies and processes related to headcount / salary budgeting, forecasting, and management (i.e., the Performance Planning and Reporting document, RC Managers' Performance Plans templates, the Operational Planning and Budgeting Guidelines and Instructions document, budget input templates, forecast input templates) and revise them to ensure consistent messaging.||
a. The responsibility for the salary pressure management has been consistently communicated as part of the 2010-11 notional planning exercise. Methodology approved at EMC, communicated to EEMC, documented in the notional planning instructions and the information sessions entails that EMC will manage the salary pressure at a corporate level.
b. The "CIHR Performance Planning and Reporting" Guide is clear on the wording to be used for Performance Plans. Finance will develop guidelines for educating RC Managers and providing feedback on how the analysis will be performed. c. For future performance plans, a pre-populated template will be sent out for Managers with budgets so that the correct wording in the Guide is used and understood by all.
|5. RC Manager compliance monitoring is not enforced and does not consider the quality of RC Managers' review.|
On a monthly basis RC Managers are to review their monthly reports and notify Finance that the information is either accurate or a discrepancy has been identified that requires resolution.
Finance tracks which RC Managers have provided sign-off on their monthly reports and sends reminder emails to RC Managers who have not provided sign-off by the defined deadline.
There are RC Managers who consistently do not sign-off on their monthly reports, but their non-compliance has not been addressed. This is partially a result of a lack of a formal policy that identifies how RC Managers will be held accountable for instances of non-compliance.
There have also been instances where RC Managers have been deemed compliant as they have signed off on the monthly reports; however, a review of these reports has found that some RC Managers have approved inaccurate reports.
a. It is recommended that the Director, Finance enforce RC Manager accountabilities for completing the review. For example, a process could be implemented whereby delinquencies are communicated to the RC Manager's VP, and the VP is responsible to follow-up with the RC Manager to ensure completion. It is also recommended that, in exceptional circumstances, where RC Managers are consistently delinquent, their delegation of financial authority be revoked.
b. It is recommended that the Director, Finance conduct a periodic review of a sample of RC Manager reports with the objective of finding errors that RC Managers may have missed during their review. Finance should consider RC Managers who have historically had errors when selecting their sample. When errors are found the RC Managers should be notified and recurring issues should be addressed in RC Manager training materials.
a. COMPLETED - The "Financial Information Review and Control Process" has been updated to include a "Compliance" section to note that, starting in 2011-12, EMC will receive a compliance report on a quarterly basis.
b. Implement a new process where FMAs meet with the Managers/Directors on a rotational basis to review their monthly financial reports and obtain signoff.
|6. There is no formal process to gather input on reporting requirements.|
The RC Managers interviewed generally have good working relationships with their respective Financial Advisors and there is an open line of communication whereby RC Managers can provide feedback on matters related to financial reports to their Financial Advisors at any time.
Although communications between RC Managers and Financial Advisors may lead to improvements in financial reporting, no formal process exists to proactively solicit feedback from RC Managers on the completeness, accuracy, timeliness and format of current reports or to identify new financial reporting requirements.
Without a proactive approach to soliciting feedback on reporting requirements, there is a risk that RC Managers will continue to use Excel workbooks to track additional financial information to meet their needs, resulting in inefficiencies due to duplicate data entry (in spreadsheets and in FreeBalance).
|It is recommended that the Director, Finance establish a periodic (e.g. annual) process to solicit financial reporting improvement recommendations from RC Managers.||
On a periodic basis, financial advisors will solicit comments from RC Managers concerning any issues with the new reporting tool and the reports. Should the opportunity exist for report enhancements, feedback will be sought, reviewed and evaluated for cost effectiveness.
Audit Criteria and Conclusions
The audit uses the following definitions to make its assessment of the internal control framework.
|Conclusion on Audit Criteria||Definition of Opinion|
|Well Controlled||Well managed, no material weaknesses noted or only minor improvements are needed.|
|Moderate Issues||Control weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high.|
|Significant Improvements Required||Control weaknesses either individually or cumulatively represent the possibility of serious exposure.|
The overall conclusion considers the cumulative risk exposure related to the audit observations in the context of the above criteria.
The audit has concluded that there are moderate issues related to the adequacy of financial information to support an RC Manager's decision-making related to their financial management responsibilities: there are weaknesses, but exposure is limited because either the likelihood or the impact of the risk is not high.
|Criteria||Reference to Observations||Conclusion|
|1. Defined Roles and Responsibilities|
|1.1 RC Manager responsibilities for financial management are clearly and completely defined and communicated, including:
||Internal Audit Report Observations #1a, 1b, 4||Moderate Issues|
|1.2 Financial management processes have been clearly and completely defined and communicated, including processing RC Manager's requests.||N/a||Well controlled|
|1.3 RC Managers are provided the necessary training to support their financial management responsibilities.||Internal Audit Report Observation #1b||Moderate Issues|
|Criteria||Reference to Observations||Conclusion|
|2. Financial Information for Financial Management Responsibilities|
|2.1 RC Managers have access to complete, accurate and timely financial information presented in a user-friendly format to enable them to perform their assigned responsibilities for planning.||N/a||Well controlled|
|2.2 RC Managers have access to complete, accurate and timely financial information presented in a user-friendly format to enable them to perform their assigned responsibilities for budgeting.||Internal Audit Report Observations #2, 3a, 3b||Moderate Issues|
|2.3 RC Managers have access to complete, accurate and timely financial information presented in a user-friendly format to enable them to perform their assigned responsibilities for variance analysis and forecasting.||Internal Audit Report Observations #2, 3a, 3b Management Letter Observations #1, 2||Moderate Issues|
|2.4 RC Managers have access to complete, accurate and timely financial information presented in a user-friendly format to enable them to perform their assigned responsibilities for financial monitoring and control.||Internal Audit Report Observations #3a, 3b||Moderate Issues|
|2.5 RC Managers have access to complete, accurate and timely financial information presented in a user-friendly format to enable them to perform their assigned responsibilities for budget reallocations and re-alignments.||Internal Audit Report Observations #3a, 3b||Moderate Issues|
|3. Monitoring and Compliance|
|3.1 Instances of and reasons for non-compliance with financial management responsibilities by RC Managers are monitored||Internal Audit Report Observation #5||Moderate Issues|
|3.2 RC Managers are notified of instances where they are non-compliant with their financial management responsibilities and action is taken to ensure future compliance.||Internal Audit Report Observation #5||Moderate Issues|
|3.3 There is a process to gather feedback from RC Managers relating to existing reports and new financial reporting requirements and these requirements are considered in the design / updates of financial reports.||Internal Audit Report Observation #6||Moderate Issues|
|3.4 There is a process to identify and resolve systemic issues related to information for financial reporting.||N/a||Well Controlled|
- Date modified: