Follow-up audit of sensitive expenditures

Vetted report

November 2017

Acronyms and abbreviations
Executive summary
Management's response to the audit
1 Background
2 Objective, scope, methodology and statement of conformance
3 Audit findings
4 Conclusion
5 Recommendations
Appendix A – Audit objective, lines of enquiry and audit criteria
Appendix B – Current status of previous audits' action plans

Acronyms and abbreviations

CAP: Contract and Aboriginal Policing
*: *
CFAO: Chief Financial and Administrative Officer
CM&C: Corporate Management & Comptrollership
*: *
CROPS: Criminal Operations
DSEFSAM: Delegation of Sensitive Expenditures Financial Signing Authorities Matrix
FAA: Financial Administration Act
FP: Federal Policing
*: *
NHQ: National Headquarters
RCMP: Royal Canadian Mounted Police
SE: Sensitive Expenditures
TB: Treasury Board
TEAM: Total Expenditure and Asset Management System
*: *

Executive summary

The Royal Canadian Mounted Police (RCMP) works to ensure the safety and security of Canadians and their institutions, domestically and globally, through intelligence-based prevention, detection, investigation, and law enforcement measures. To this end, the RCMP carries out some of its operations and activities in a covert manner, designed either to infiltrate criminal or terrorist organizations or to disguise the intelligence gathering activities of the police.

Covert operations and activities can include the development of paid sources, the protection and/or relocation of witnesses, the purchase of items for evidentiary or intelligence purposes, and undercover operations. Expenditures for these types of activities are known as sensitive expenditures (SE), and are defined as an expenditure made in support of operations, incurred for law enforcement or security purposes, which could be jeopardized if payment were made using standard overt RCMP procedures.

RCMP Internal Audit has previously conducted four audits of SE, resulting in 13 audit recommendations with 19 components for which management action plans were developed. The recommendations centered on governance, roles and responsibilities, compliance, monitoring and reporting.

The objective of this follow-up audit was to assess whether the implementation of the management action plans associated with the four previous SE audits has addressed the risks and control weaknesses identified in those audits, and whether any new risks have emerged. The audit scope included SE transactions that occurred during the period of January 1, 2016 and December 31, 2016.

The audit concluded that the management action plans associated with the four previous SE audits have, for the most part, addressed the risks and control weaknesses that were identified in those audits. While the sampled SE transactions were generally compliant with policy, opportunities for improvement remain regarding: the overall governance regarding the use of SE; updates to and maintenance of SE policy; the development of training, tools and guidance for SE Coordinators and SE users; and the overall management of covert assets. An in-progress assessment of the new form 1454 would also be beneficial to determine whether the new form is working as intended, errors have been reduced, risk areas remain, and whether workarounds have been implemented by its users. *

The management responses included in this report demonstrate the commitment from senior management to address the audit findings and recommendations. A detailed management action plan is currently being developed. Once approved, RCMP Internal Audit will monitor its implementation and undertake a follow-up audit if warranted.

Management's response to the audit

Corporate Management and Comptrollership:

The Follow-up Audit of Sensitive Expenditures has noted the progress made in addressing the risks highlighted in previous audits and identifies opportunities to further strengthen the governance of sensitive expenditures.

Corporate Management agrees with the findings and recommendations and we will work with our colleagues in Operations to implement the three recommendations in the audit that are jointly directed to the Deputy Commissioner Federal Policing and the Chief Financial and Administrative Officer.

A detailed action plan, which will include specific timelines and milestones, will be developed and presented for review to the Departmental Audit Committee. Following approval, the management action plan will be implemented by Corporate Management, in coordination with Federal Policing, and will address the recommendations directed to both areas.

Dennis Watters
Chief Financial and Administrative Officer

Federal Policing:

Federal Policing acknowledges and accepts the observations noted in the Follow up Audit of Sensitive Expenditures report. The report concludes that our National Sensitive Expenditure Program would benefit from enhancements to the governance framework by documenting the roles and responsibilities and accountabilities of all involved in the process. While National Headquarters Federal Policing Sensitive Expenditure Policy Centre has taken many steps to improve and correct the current processes, additional actions have been identified and will be considered that will address the observations contained in the report. A communication strategy will be developed to provide clarification around the changes being made to the sensitive expenditure process. We are committed to developing a robust and rigorous framework governing sensitive expenditures that will fully address Treasury Board (TB) expectations and allow the RCMP to be fully accountable.

The audit makes several recommendations related to Financial Administration Act and sensitive expenditure policy compliance and standard operating procedures. In response to previous audit findings, the Sensitive Expenditure policy centre has undertaken a national pilot project over the past 21 months involving a revised form 1454 (a document based programmed management tool). The implementation of the new form has not been without its challenges. As such, Management accepts the recommendation to undertake an in-progress assessment of the new form 1454 to determine its overall effectiveness, seek further areas for improvement and determine overall training requirements related to policy and procedures.

Following on that point, Management also accepts the recommendation to formalize and enhance training offered to Sensitive Expenditure coordinators, users and supervisors. Also highlighted was the role to be played by Corporate Management and Comptrollership in providing assistance and support to the sensitive expenditure program with respect to formalized training programs and the delivery of the same to all end users, supervisors and managers. Consultation with the Chief Financial and Administrative Officer and his staff will take place to address their renewed involvement in the process so they can better support the Program.

A comprehensive review of the * will also be conducted. In consultation with divisional Criminal Operations officers, an analysis will be undertaken to determine the most appropriate means of achieving the appropriate level of visibility and oversight regarding the centralized stewardship of these assets through * or, an alternative solution.

Federal Policing appreciates the efforts and insights of the Internal Audit team, accepts the results of this audit and will address the noted recommendations through action plans that are clear, achievable and representative of the importance the RCMP places on the special authorities granted by TB and its ability to be fully accountable and meet TB expectations.

Gilles Michaud
Deputy Commissioner Federal Policing

1 Background

The RCMP works to ensure the safety and security of Canadians and their institutions, domestically and globally, through intelligence-based prevention, detection, investigation, and law enforcement measures. To this end, the RCMP carries out some of its operations and activities in a covert manner, designed either to infiltrate criminal or terrorist organizations or to disguise the intelligence gathering activities of the police. Treasury Board (TB) has recognized the inherent challenges presented by these types of operations and has provided the RCMP with special authorities and dispensations. Paramount among these are exemptions from certain external reporting provisions such as the requirements to report covert assets and inventories in integrated information systems and public disclosure related to specific types of contracts.

Covert operations and activities can include the development of paid sources, the protection and/or relocation of witnesses, the purchase of items for evidentiary or intelligence purposes, and undercover operations.^{Footnote 1} Expenditures for these types of activities are known as sensitive expenditures (SE), and are defined as an expenditure made in support of operations, incurred for law enforcement or security purposes, which could be jeopardized if payment were made using standard overt RCMP procedures.^{Footnote 2} SE can occur in all aspects of policing, in all RCMP divisions, as well as in National Headquarters (NHQ).

SE are generically recorded in the RCMP's departmental financial system (Total Expenditure and Asset Management system, commonly referred to as TEAM) without identifying details. They are recorded against one of two budgetary reporting objects. One is used to record expenditures for sensitive technical equipment and contracts, the other to record all other types of sensitive expenditures (subsequently referred to as 'general SE').

RCMP Internal Audit has previously conducted four audits of SE,^{Footnote 3} resulting in 13 audit recommendations with 19 components for which management action plans were developed. The recommendations centered on governance, roles and responsibilities, compliance, monitoring and reporting. A summary of the original audit recommendations, along with related findings and any concerns identified in this follow-up audit, is included in Appendix B.

In May 2016, the Commissioner approved the 2016-2019 Internal Audit Risk-Based Audit Plan, which includes a Follow-up Audit of SE.

2 Objective, scope, methodology and statement of conformance

2.1 Objective

The audit objective was to assess whether the implementation of the management action plans associated with the four previous audits has addressed the risks and control weaknesses identified in those audits, and whether any new risks have emerged.

Appendix A presents the audit objective, lines of enquiry and audit criteria.

2.2 Scope

The audit focussed on assessing the implementation of the management action plans undertaken in response to the recommendations made in the four previous audits. The audit also focussed on whether management actions had addressed the issues that led to the recommendations. SE transactions examined in support of this audit occurred between January 1, 2016 and December 31, 2016.

This follow-up audit focused exclusively on general SE.

2.3 Methodology

Planning for the audit was completed in April 2017. In this phase, the audit team conducted interviews, process walkthroughs and examined relevant policies, directives, procedures and results of previous audit work performed.

Sources used to develop audit criteria and audit tests included relevant TB policy frameworks and directives^{Footnote 4} and related RCMP policies. The audit objective, lines of enquiry and audit criteria are available in Appendix A.

The examination phase, which concluded in July 2017, employed various auditing techniques including interviews, documentation reviews, data analysis and transaction testing. Site visits took place at three divisional headquarters as well as at NHQ to review files and assess practices. Upon completion of the examination phase, the audit team held meetings to validate findings with personnel and debriefed senior management of the relevant findings.

Table 1 provides a summary of the transactions tested during the audit. Sampling methodology involved a combination of random and judgmental sampling based on data extracts obtained from the TEAM financial system. The SE types reflected in the sampled transactions included: *

2.4 Statement of conformance

The audit engagement conforms to the Institute of Internal Auditors' International Professional Practices Framework and the Treasury Board of Canada Directive on Internal Audit, as supported by the results of the quality assurance and improvement program.

3 Audit findings

3.1 Governance

While overall, governance mechanisms are appropriate to ensure compliant use of SE, benefits could be achieved through more fully documenting roles and responsibilities, and by increased monitoring and reporting of SE activities.

Roles and responsibilities

Sound governance structures are required to ensure that SE transactions are compliant with the RCMP's special delegated authorities. Governance should be supported by policy and program design, training, as well as clear roles, responsibilities and accountabilities. Regular monitoring and reporting activities, including performance measures, should also promote the appropriate use of SE.

Federal Policing (FP), Corporate Management & Comptrollership (CM&C) and the divisions share responsibility for the governance of SE.

Federal Policing

The Deputy Commissioner FP is responsible for ensuring oversight, accountability, and training are in place which confirm SE are used appropriately and only as needed to maintain the covert nature of a transaction. * FP's focus is on ensuring sensitive operations and associated expenditures remain covert, leading to successful investigations and the safety of police officers. Within FP, the SE Policy Centre develops SE policy and provides support and direction regarding the appropriate use of SE. The SE Policy Centre has recently moved within FP, and now reports to FP Resource Management & Administration rather than to Federal Policing Special Services (under Covert Operations). This change in reporting structure may increase the SE Policy Centre's actual or perceived segregation from operations, and reduce the potential for operational necessities to influence financial processes and compliance. It may also create stronger functional ties to the CM&C group.

Corporate Management & Comptrollership

The Chief Financial and Administrative Officer (CFAO) is responsible for the sound management and stewardship of all RCMP financial and materiel resources. The Corporate Accounting, Policy and Control branch, reporting under the CFAO, develops policies and processes, and provides oversight to ensure responsible spending and safeguarding of RCMP finances and assets, including those acquired using SE funding.

National, regional or divisional CM&C do not currently engage in SE activities at the outset of the transaction. Interviews with senior officials within CM&C and FP indicated that front-end guidance is not offered by CM&C for SE-related transactions. Moreover, there would be benefits to having greater engagement from CM&C to help ensure adherence to administrative policy requirements at the onset of high-profile projects. Without such guidance, SE Coordinators and SE users are left to navigate the complex policy frameworks and special exemptions that may apply.

CM&C has not implemented a governance framework that adequately addresses its responsibilities related to the use of SE. More specifically, Corporate Accounting, Policy and Control is responsible for ensuring that risk-based financial controls are in place for proper account verification of SE, in accordance with the Financial Administration Act (FAA).^{Footnote 5} When exercising payment authority pursuant to section 33 of the FAA, finance officers are required to review the account verification for all high-risk transactions, including SE. To maintain the covert nature of these transactions, section 33 position holders (finance officers) rely on the divisional SE Coordinators to perform this review function on their behalf when they exercise Endorsement of Payment Request authority.^{Footnote 6} While we found that there is currently a high degree of compliance with this requirement, increased oversight and monitoring by CM&C to ensure that divisional SE Coordinator positions^{Footnote 7} are well-trained and have an up-to-date Endorsement of Payment Request authority in TEAM would be beneficial. Such assurance is critical to continue the reliance placed on this key control surrounding proper account verification of high-risk SE transactions.

Leveraging corporate expertise with the new placement of the SE Policy Centre under FP Resource Management & Administration may promote a consultative approach required to ensure compliance with applicable policy frameworks.

The Divisions

The divisional Criminal Operations (CROPS) officers are responsible for the management and oversight of covert operations and related SE, with the SE Policy Centre at NHQ providing support as required. SE Coordinator positions have been established and staffed at the divisional level to review all SE transactions in accordance with national SE policy.^{Footnote 8}

Since April 2012, all divisional SE Coordinators, as a condition of their position, must sign a letter acknowledging their roles and responsibilities for proper account verification of SE. We found that for all sampled transactions, all SE Coordinators signed this letter and had valid Endorsement of Payment Request authority within TEAM. Interviews with SE Coordinators in the sampled divisions indicated good awareness of their role and responsibilities in exercising this authority. *

Clearly assigning roles, responsibilities and accountabilities

While TB and national SE policy set out the expectations for the various roles, responsibilities and accountabilities among the three areas involved in SE, opportunities exist to foster greater engagement amongst the key stakeholders involved in SE. There are benefits to using tools to clearly assign roles, responsibilities and accountabilities, including formal acceptance, among the various stakeholders involved. For example, using a visual tool would provide role clarification and promote a structured approach for stakeholders to follow when exercising their roles. In this way, management would ensure that all parties are involved in key SE processes at the appropriate time, which would in turn promote enhanced SE-related governance.

Monitoring and reporting

Previous audits documented the need for increased monitoring and reporting of SE activities at the divisional and national level. While one sampled division annually conducts fourto five management reviews that include an SE component, the remaining visited sites were not monitoring or reporting on their use of SE. Such reporting at the divisional level would assist in budget forecasting, and the development of performance metrics in relation to SE could be further explored by management. Without formal performance metrics in place, management's ability to assess or evaluate the effectiveness and efficiency of the use of SE and related controls is limited.

Consistent coding in TEAM results in reliable information for internal and external monitoring and reporting purposes. The sampled divisional SE Coordinators demonstrated a good understanding of the coding that should be applied for SE claims. The vast majority (91%) of sampled transactions were appropriately coded. Any errors observed were largely attributed to interpretation of SE coding definitions. While miscoding is insignificant from a financial statement perspective, increased consistency would allow for enhanced monitoring and reporting on the use of SE across the divisions. The SE Policy Centre has identified an interest in increasing monitoring and oversight of the specific SE general ledger codes by leveraging FP Resource Management & Administration's expertise in data analytics and trend analysis.

Segregation of duties

National SE policy states that SE Coordinators may not report directly to any manager who has exercised section 32 or 34 authority on a transaction for which they are exercising Endorsement of Payment Request authority.^{Footnote 9} In two of the four sampled divisions, the SE Coordinators reported to line officers who exercised section 32 or 34 authorities on 13 sampled transactions. As such, the review completed by the SE Coordinators in exercising their Endorsement of Payment Request authority did not maintain proper segregation of duties.

While additional resources or divisional restructuring may not be feasible to maintain segregation of duties, other mitigating measures could be considered to ensure that additional oversight over SE transactions is applied. For example, the Corporate Accounting, Policy and Control branch has proposed changes to the Delegation of Sensitive Expenditures Financial Signing Authorities Matrix (DSEFSAM) that may provide SE Coordinators with departmental and/or divisional authority. Applying this would allow another divisional SE Coordinator to exercise the Endorsement of Payment Request authority on SE claims when the segregation of duties issue is identified. There may be other options that stakeholders could and should explore to address this issue.

3.2 Policy and procedures

While observed rates of compliance with the FAA and SE policy were high, opportunities exist to clarify and potentially streamline some policies and procedures.

Established policy and procedures

The national SE policy was published in January 2011 and provides a framework for the use of SE in terms of financial, asset, materiel and real property management as well as procurement. While procedures established in the sampled divisions are consistent with current national policy, existing divisional policy supplements should be reviewed for relevance and alignment, and updated or removed accordingly.

Other beneficial policy enhancements include updates to reflect current unit and position titles, and to update links to other policy references. There are also opportunities for standard operating procedures to be developed and disseminated, including guidance on best practices, to inform SE Coordinators and other stakeholders in support of their SE responsibilities.

Document retention procedures

The Directed Annual Audit of Sensitive Expenditures 2011-2012 found that there was a risk that SE claims * were not being retained for the required period.* As such, there was a risk that documents would be destroyed when they should have been retained for a longer period of time *. This follow-up audit found that the retention issue has been addressed in the sampled divisions. The SE Coordinators made procedural changes regarding retention practices for SE claims *, and documents are now retained for the required period of time. SE policy would benefit from being updated to reflect the procedural changes to promote a consistent application across all divisions.

SE Coordinators were appropriately retaining all * ATI Act Section 16(1)(b) ATI Act Section 16(1)(b) ATI Act Section 16(1)(b)claims for six previous years plus the current year. Clarification is still required as current policy may lead users to interpret a retention period of only two years^{Footnote 10}, which would result in financial documents being destroyed earlier than they should be.

Policy compliance

High FAA compliance rates were observed for the sampled transactions. The vast majority (96%) of sampled transactions were pre-approved by a signatory with appropriate commitment authority (section 32), and certified by a signatory with appropriate certification authority (section 34). The non-compliant transactions related to specimen signature cards which were either not in TEAM, or were not active at the time of signing section 32 or 34. All sampled transactions had evidence of the Endorsement of Payment Request authority performed by the SE Coordinator. Notwithstanding, for reasons previously outlined, the quality and reliance which can be placed on these certifications varied.

It is incumbent on the user to be well-versed in and apply the spirit of relevant policies, including how the various TB exemptions can be applied. The majority of interviewed SE users indicated that they rely on their divisional SE Coordinator for policy interpretation. It was found that 98%^{Footnote 11} of the sampled transactions were compliant with relevant SE policy and all but one of the sampled transactions maintained the covert or discreet nature of the expenditure.* As was the practice in one division*

All sampled transactions demonstrated value-for-money through, for example, the inclusion of multiple quotes on the file (or referenced in the unit-level files). Moreover, all sampled transactions included an appropriate rationale that clearly articulated the need for the expenditure to be deemed sensitive, and 95% were consistent with what was originally planned and approved. The high compliance rates were largely attributed to the advisory role of the SE Coordinators as well as ongoing learning and awareness by various SE user groups. Applying the new form 1454 Request and Authority for Payment also contributed to the increased compliance rates.

New form 1454 Request and Authority for Payment

The SE Policy Centre developed the new form 1454 as part of a management action plan to address audit findings regarding compliance from the first SE audit. At the time, a project management plan was not formalized and its development has since spanned a number of years.^{Footnote 12} It remains a pilot project to allow SE users and SE Coordinators to adapt to new business processes brought about by the new form. The roll-out of the new form 1454 has been underway since January 2016, and the extent of implementation varies with most divisions having implemented it in selected units since spring 2016. The new form 1454 was designed with two goals in mind: to document pre-approval of all aspects of the transaction and to summarize all expenses with requisite details.

The new form 1454 incorporates many automated controls. It is designed to provide verification against the DSEFSAM and to identify position holders with appropriate signing authority for the transaction. Specific sections of the form must be completed before the user can proceed to a subsequent stage of the form (i.e.: pre-approval is required before proceeding to the reimbursement stage). Business rules are incorporated from various RCMP policies, including the Operational, Financial and Asset Management Manuals. Mathematical calculations are automated. In addition, the form minimizes duplication and data entry errors, as tombstone data entered by the user is automatically carried forward to subsequent stages of the form.

In the sampled divisions, users described challenges in adapting to the new form 1454 and the associated process. They indicated that the new form is lengthy and cumbersome to read and complete with ease. While the new form 1454 includes description boxes that outlinethe authorities and responsibilities of users and signatories, these descriptions are long and difficult to read. Numerous signatures are required throughout the different stages of the form to substantiate the expenditure process. This may dilute the importance of the sign-off, as the more times an individual is required to sign a document, the less likely they may be to pay attention to what they are signing. The new form 1454 is focused on the financial authorities rather than the justification or rationale for the expenditure. The rationale should document particulars about the transaction, including why the expenditure must be processed sensitively, the options that were considered and the decisions made throughout the process. Although all sampled transactions included an appropriate rationale that clearly articulated the need for the expenditure to be deemed sensitive, including the option for a more substantial rationale in the new form 1454 would promote consistency and might better demonstrate stewardship and accountability over SE.

While the new form 1454 is well suited for planned expenditures, interviewees stated that it is challenging to apply to unplanned operations that inherently require fluidity and nimbleness. In light of the expressed concerns, the SE Policy Centre should perform an in-progress assessment of the new form 1454 to determine whether it is working as intended, if errors have been reduced, if risk areas remain, and whether workarounds have been implemented by its users. A cost-benefit analysis could also be performed as part of the in-progress assessment. This analysis should examine the impact of the new form 1454 on workloads and whether there are redundancies to eliminate or efficiencies to be made. A risk-tolerance for applying the new form 1454 for unplanned expenditures or low-dollar amounts could also be considered. Options for such transactions could include the use of a modified form 1454 focusing on key control elements such as the rationale, and clearly identified section 32 and section 34 authorities.

An overall change management process regarding the new form 1454 is fundamental to its success. Firstly, from a design perspective, any changes to the DSEFSAM or to business rules from policy updates will have an impact on the complex automated controls that are embedded in the form. Secondly, from a process perspective, there is a need to ensure that users are trained and that an effective communication strategy exists for applying the process using the new form 1454. While the impact of the new form 1454 has not been fully assessed by the SE Policy Centre, there are indications from both the SE Policy Centre and the divisions that the workload will increase once fully implemented.

3.3 Human resource management

Opportunities remain to develop and implement SE-related training, tools and guidance as well as information sharing processes to support SE Coordinators and SE users in exercising their duties.

Divisional SE Coordinators

SE Coordinators perform a post-review of SE transactions and exercise Endorsement of Payment Request authority to provide assurance to financial officers when they exercise section 33 payment authority. Following a recommendation from the first SE audit, all divisions established and staffed SE Coordinators. However, the number of positions staffed and the category of employee varies considerably across the divisions.

For example, in three sampled divisions, one full-time employee occupied the SE Coordinator position. In two of these divisions, it was a public servant position, and in the third, it was a regular member position. A fourth division employed one regular member and four public servants in the SE Coordinator unit. This provided a balance of operational knowledge and expertise, as well as the administrative and financial experience and stability associated with employing public servants. The benefits of having both categories of employee in the SE Coordinator position should be considered in divisional staffing models.

The SE Coordinator position is a key control function in proper account verification, and is heavily relied on by financial officers when exercising section 33 payment authority. Accordingly, succession planning for these positions should be an ongoing consideration. Our examination found no evidence that succession planning is currently being considered.

SE-related training

Two recommendations from the first SE audit related to training. At the time, FP and the Chief Human Resources Officer were responsible to ensure that SE-related training was created and provided to all SE Coordinators in a timely manner and included in operational and supervisory training where appropriate. A formalized SE training program remains to be developed and SE-related training has not been included in relevant operational and supervisory training programs, including training for the officer cadre. There may be opportunities to include SE training in existing courses, thereby reducing the required resourcing associated with developing a standalone SE training program. While management's efforts to address these recommendations led to the development of the new form 1454, opportunities remain regarding the original intent of the recommendations and management action plans.

National SE policy specifies that FP is responsible for ensuring the appropriate training of SE Coordinators,^{Footnote 13} CM&C is responsible for ensuring the appropriate training of SE Coordinators with respect to financial and administrative requirements,^{Footnote 14} and the divisions are responsible for ensuring the hiring of SE Coordinators who are appropriately trained.^{Footnote 15}

Previous SE audits reported that no formalized SE-related training is offered to SE Coordinators, users or supervisors. Instead, they primarily learn how to perform their duties on-the-job, from their predecessors and colleagues. The same holds true at the time of this follow-up audit. Accordingly, improvements could be made by FP and CM&C to deliver on their SE-related training responsibilities.

Recently, the SE Policy Centre delivered workshops to divisional SE Coordinators and select users and supervisors regarding the implementation of the new form 1454. The training session's content was geared towards explaining the design of the new form 1454 and how it relates to the SE process. The SE Policy Centre sought input and feedback from relevant business lines during the forms' development; however, no other business line was involved in the development or delivery of the training session. Delivery of the training session was dependent on prioritization by the division as it was provided only when a requesting division had the funds to bring the SE Policy Centre representatives to their division. In the future, the SE Policy Centre has considered developing an online course for accessible SE-related training; however, this initiative remains in a conceptual stage.

While CM&C is responsible for training SE Coordinators with respect to their financial and administrative requirements, they have not been engaged in facilitating such training. Of the sampled divisions, E Division was the only division providing SE-related training to new unit commanders and those units identified as requiring an update or refresher on SE processes or use.^{Footnote 16} Also, there is still no SE-related training for SE supervisors that outlines the additional safeguards or responsibilities to be aware of when exercising section 32 or 34 authorities over SE transactions. Interviewees in all sampled divisions indicated that additional training would be beneficial and would serve to promote a comprehensive understanding of the signatories' responsibilities for exercising section 32 and 34 authorities regarding the use of SE.

Notwithstanding the high compliance rates that were noted from the sampled transactions, developing and offering formalized SE training is considered a best practice to mitigate the inherent high-risk nature of SE transactions. *

Tools and guidance

In the absence of formalized training, SE-related tools and guidance for SE coordinators and users should be developed and disseminated. As previously mentioned, SE users are not well-versed in the relevant policies and rely on their divisional SE Coordinators for policy interpretation. Development of best practice guidance would be beneficial in this regard and would ensure that business practices are consistently applied and risk-managed.

Communication amongst stakeholders

Opportunities exist to improve communication between CM&C and divisional counterparts to minimize operational impacts when policies and procedures change. * When asked, NHQ Corporate Accounting was aware of the issue and had developed a Communiqué that was sent to divisional Accounting Services for dissemination to stakeholders.* However, these procedural updates had not been provided to users in the field.

In previous audits, most SE Coordinators indicated having minimal contact with the SE Policy Centre, but this follow-up audit observed improved communication between them. The interviewed divisional SE Coordinators indicated they communicate as required with the SE Policy Centre on issues requiring clarification, and most communicate directly with users and/or supervisors in order to resolve SE claim-related issues. The new form 1454 has been a regular topic of discussion between the divisions and SE Policy Centre. These discussions range from feedback regarding the increased workload, to the impact of form changes on current business practices. Notwithstanding, opportunities exist to enhance communication and information sharing.

3.4 Financial and asset management

Increased divisional and national visibility and oversight over covert assets is warranted.

Management of covert assets

The management of covert assets * is important to ensure sound stewardship of resources. While national SE policy requires the * they only maintain records for the assets that they manage. When covert assets are procured by a unit, the covert asset records are maintained at the unit-level. As a result, a consolidated divisional record of covert assets does not exist, and the covert asset records that were reviewed as part of this audit did not provide adequate visibility regarding all covert assets in the sampled divisions. An assessment of covert asset records held at the unit level was not performed by the audit team. Additionally, in the absence of a consolidated record regarding divisional covert assets, controls that should be in place surrounding the tracking of assets from acquisition, usage, transfer, surplus and disposal were not observed or tested as part of this audit.

The first SE audit reported that most of the divisions and units visited had their own inventory tracking systems for covert assets. These systems were independent of each other and were not accessible by other units or divisions. This audit further noted that covert assets *

This follow-up audit again observed an absence of national or division-wide visibility over covert assets. Without proper management, there is an increased risk that covert assets may be acquired in duplicate, may not be fully utilized, * As a mitigating measure, * in the sampled divisions indicated that *acquired using SE. This practice maximizes the use of covert assets, and promotes stewardship and fiscal responsibility. Notwithstanding, the lack of a division-wide perspective could be an issue if a division, or the RCMP as a whole, were required * While this information may be available, considerable effort would be required to compile it.

Consultation with the divisions would be beneficial to determine what is important for national visibility and oversight of covert assets. This information should be recorded and tracked to facilitate informed decision-making. Use of a common inventory management system for covert assets would facilitate oversight with regards to asset acquisition, maintenance, disposal and overall inventory control. While recognizing the exemptions from TB directives and policies, an inventory management framework for covert assets should be consistent with the spirit and principles of conventional asset management. Building and maintaining an inventory record is a necessary first step in managing national assets. Management should consider whether the * or other form(s) of covert asset record management system, will be used in this regard.

Asset Inventory Control

The new form 1454 includes the 1454-Asset Inventory Control, intended to streamline the records management process when a covert asset is acquired. It was designed to be sent to the *, who is responsible for updating the divisional covert asset records, and to the * Administrator at NHQ for * record entry. In doing so, the 1454-Asset Inventory Control promotes the completeness of covert asset acquisitions at the divisional and national level when it is used as intended.

However, in one sampled division where the new form 1454 was fully implemented, the 1454-Asset Inventory Control was not utilized as intended. Instead, it was filed without further action along with the remainder of the SE claim in the SE Coordinator's office. When asked, the SE Coordinators indicated that they were not informed of the aforementioned process, and assumed that claimants had already forwarded the 1454-Asset Inventory Control to the appropriate individuals for inventory tracking prior to sending it to the SE Coordinators for review. Although unit-level inventory records may have been updated, it is clear that * was not updated using the 1454-Asset Inventory Control. A communication strategy regarding the design and use of this aspect of the new form 1454 would promote the completeness of divisional and national covert asset records.

Completeness of file records

In consideration of the inherent risk relating to the use of SE, strong records management practices were expected. However, in one sampled division, 5 of 24 sampled files could not be located by the SE Coordinator. Certain elements were also not provided for two of the remaining 19 sampled files. This is an indication of deficiencies in record management in this division.

As a mitigating measure in relation to the completeness of files, all SE claims are reviewed by the divisional SE Coordinators, and finance officers will not exercise payment authority pursuant to section 33 without the SE Coordinator's sign-off of Endorsement of Payment Request authority. As the missing and incomplete sampled files were selected from completed transactions posted in TEAM, which would have entailed the specific review of expenditures by the SE Coordinator and their corresponding sign-off of Endorsement of Payment Request authority, it is apparent that the account verification process was carried through.* Based on the audit team's site visits in the sampled divisions and at NHQ, the missing and incomplete files are not indicative of a pervasive issue with respect to overall records management across the divisions. Accordingly, the specific records management issue identified was raised with the relevant division's senior management for corrective action.

4 Conclusion

The audit concludes that the management action plans associated with the four previous SE audits have, for the most part, addressed the risks and control weaknesses identified in those audits. The original 19 audit recommendations were centered on governance, roles and responsibilities, compliance, and monitoring and reporting.^{Footnote 17} Still, opportunities for improvement remain in these areas.

While the sampled SE transactions were generally compliant with policy, opportunities for improvement remain regarding: the overall governance regarding the use of SE; updates to and maintenance of SE policy; the development of training, tools and guidance for SE Coordinators and SE users; and the overall management of covert assets. An in-progress assessment of the new form 1454 would also be beneficial to determine whether the new form is working as intended, if errors have been reduced, if risk areas remain, and whether workarounds have been implemented by its users.*

5 Recommendations

The Deputy Commissioner Federal Policing, in coordination with the Chief Financial and Administrative Officer, and in consultation with the divisions, should enhance overall governance over sensitive expenditures (SE) by further clarifying and documenting the roles, responsibilities and accountabilities among all parties involved in key SE processes and updating SE policy accordingly.
*
The Deputy Commissioner Federal Policing should perform an in-progress assessment of the new form 1454 to determine whether it is working as intended, errors have been reduced, and whether risk areas remain.
The Deputy Commissioner Federal Policing, in coordination with the Chief Financial and Administrative Officer should formalize the delivery of training for stakeholders involved in SE, notably the SE Coordinators, SE users and SE supervisors.
The Deputy Commissioner Federal Policing should consult with divisional Criminal Operations officers to determine information elements that are important for divisional and national visibility and oversight of covert assets, and record and track these centrally in the * or alternative solution.

Appendix A – Audit objective, lines of enquiry and audit criteria

Audit Objective:

To assess whether the implementation of the management action plans associated with the four previous audits has addressed the risks and control weaknesses identified in those audits, and whether any new risks have emerged.

Lines of Enquiry:

Status of management action plan implementation:
- Management action plans have been implemented as originally specified or as subsequently amended and approved.
Validation of risks being addressed:
- Corrective actions implemented as identified in the management action plans appear to have addressed the risks related to the previous findings / observations.

Audit Criteria:

Governance:
- Effective oversight mechanisms are established to manage the use of SE.
Policy and Procedures:
- Policies and procedures for SE are established, relevant, aligned, maintained, clearly communicated and followed.
Human Resource Management:
- Key positions and activities are identified and are adequately staffed.
- Employees are provided with the necessary training, tools and guidance to facilitate their use of SE.
Financial and Asset Management:
- File records are complete and accurate; and related SE are approved and processed in accordance with relevant policy.
- The national inventory management system for covert assets is developed, deployed, maintained and used by National Headquarters and in the divisions.
- Assets, including information technology and systems, are life-cycle managed and protected.

Appendix B – Current status of previous audits' action plans

The following table summarizes the original audit recommendations, related findings and remaining concerns identified in this follow-up audit.

Management Control Framework Audit 2007-09 Recommendations
Original audit recommendation	Summary of findings and remaining concerns	Residual risk level
1.a) The CFAO, in conjunction with D/Commr FP, D/Commr Policing Support Services and the Regional D/Commrs, should ensure that Sec. 33 Finance Officers' reliance on the work performed by the SE Coordinators is formalized.	SE coordinators duties are defined in national policy. All SE Coordinators sign a letter that acknowledges their roles and responsibilities for proper account verification of SE; this letter requires that all SE claims be reviewed prior to settlement. These findings are further explained in the sections 3.1 and 3.2 of the report. A review of TEAM confirmed that none of the current SE Coordinators have section 32 or 34 signing authorities in addition to their Endorsement of Payment Request authority.	Low risk
1.b) The CFAO, in conjunction with D/Commr FP, D/Commr Policing Support Services and the Regional D/Commrs, should ensure that SE Coordinators do not hold Sec. 34 of the FAA.
1.c) The D/Commr FP should ensure that the duties for SE Coordinators are defined in national policy with a requirement to review all SEs prior to settlement.
1.d) The D/Commr FP, in conjunction with D/Commr Policing Support Services and the Regional D/Commrs, should ensure that SE Coordinators positions are established and staffed.	While each division had established and staffed SE Coordinators, there were inconsistencies in the category of employment and number of dedicated full-time employees. Succession planning is not occurring and segregation of duties issues persist in the divisions. These findings are explained in section 3.3 of the report.	Medium risk
2.a) The D/Commr FP should ensure that adequate national SE policy is in place.	Although national SE policy is aligned with the original intent as indicated in the applicable TB submission and decision letters, awareness of the spirit of TB policy may be lacking, particularly when acting in a covert capacity. Policy would benefit from clarification and updates as explained in section 3.2 of the report.	Medium risk
2.b) The Regional D/Commrs, in conjunction with the Divisional Commanding Officers, should ensure that divisional policy is aligned with national policy.	National and divisional policies are aligned. While existing supplementary sections further define procedures regarding SE policy, there were some errors and/or small gaps that should be addressed.	Low risk
3.a) The D/Commr FP, in conjunction with the CHRO, should ensure that SE training is created and provided to all designated SE Coordinators in a timely manner.	No formalized SE-related training is offered to SE Coordinators, users or supervisors; this is highlighted in the section 3.3 of the report.	Medium risk
3.b) The D/Commr FP, in conjunction with the CHRO, should ensure that training related to SEs should be included in operational and supervisory training where appropriate.		Medium risk
4. The D/Commr Policing Support Services should ensure that an adequate national inventory management system is implemented.	While the follow-up audit focused solely on general SE and not sensitive technical equipment and contracts, there remains an overall lack of divisional and national oversight over the life-cycle of covert assets as explained in the section 3.4 of the report.	Medium risk

Directed Annual Audit of SEs 2009-10
Original audit recommendation	Summary of findings and remaining concerns	Residual risk level
1. The E-Division CO, in conjunction with the OIC Operations Strategy Branch, Pacific Region, should ensure that members and supervisors comply with policy regarding the completion of documentation to support SEs.	*	High risk
2.a) The E-Division Commanding Officer, in conjunction with the Executive Director, Corporate Management Branch Pacific Region, should ensure that all employees holding delegations of financial authority comply with the FAA, and	The divisional SE Coordinator reviews all SE claims prior to settlement, and high compliance rates were observed for the sampled transactions as further documented in sections 3.1 and 3.2 of the report.	Low risk
2.b) all employees holding delegated contracting authority comply with the Delegation of SEs Matrix.		Low risk

Directed Annual Audit of SEs 2010-11
Original audit recommendation	Summary of findings and remaining concerns	Residual risk level
1. The D/Commr FP should review SE policy to ensure [] reporting requirements are relevant [].	Policy would benefit from clarification and updates; this is explained in section 3.2 of the report.	Low risk
2. The D/Commr FP should assess the information requirements of National Headquarters* and establish annual status reporting requirements accordingly.		Low risk
3. The D/Commr FP should determine the most appropriate and efficient means of funding [*] and take the necessary implementation steps.	While the DSEFSAM was updated in January 2016, amounts under column 102 have not changed. Temporary personal advances are widely used to mitigate the limitations of the DSEFSAM.	Low risk
4. The D/Commr FP should develop new mechanisms for [] administrators and to increase awareness and to share best practices.	* this is explained in section 3.3 of the report.	Low risk

Directed Annual Audit of SEs 2011-12
Original audit recommendation	Summary of findings and remaining concerns	Residual risk level
1. The D/Commr FP should develop and implement monitoring and reporting activities, including performance measures, for key processes and procedures to ensure Program risks are addressed.	No performance metrics have been developed to assess or evaluate the effectiveness and efficiency of the use of SE *. An overall lack of performance metrics over the use of SE as a whole is discussed in section 3.1 of the report.	Medium risk
2. The D/Commr FP, in conjunction with the Commanding Officers, should ensure that the CROPS' non-financial delegation is formalized and documented.	Policy would benefit from clarification and updates. While document retention procedures for SE claims * have been clarified, these changes need to be formalized in policy. This is discussed in section 3.2 of the report.	Low risk
3. The D/Commr FP, in conjunction with the Chief Information Officer, should analyze and clarify the document retention policy or procedures to ensure that SE claims * are retained for the suitable period of time.		Low risk

Footnotes

Footnote 1

Operational Manual Appendix 32-General-1, Types of Expenditures - Sensitive Operations

Return to footnote 1 referrer

Footnote 2

Operational Manual Part 32, Sensitive Expenditures, section 2.1

Return to footnote 2 referrer

Footnote 3

The four previous audits were titled: Sensitive Expenditures - Management Control Framework Audit, 2007-2010; Directed Annual Audit of Sensitive Expenditures, 2009-2010; Directed Annual Audit of Sensitive Expenditures, 2010-2011; and Directed Annual Audit of Sensitive Expenditures, 2011-2012.

Return to footnote 3 referrer

Footnote 4

The Directive on Delegation of Spending and Financial Authorities replaces the following TB policy instruments, effective April 1, 2017: Directive on Delegation of Financial Authorities for Disbursements (October 1, 2009), Directive on Expenditure Initiation and Commitment Control (October 1, 2009) and Directive on Account Verification (June 1, 2014).

Return to footnote 4 referrer

Footnote 5

Appendix B to the Directive on Delegation of Spending and Financial Authorities defines the following:

Commitment Authority, according to section 32 of the FAA, ensures that there is a sufficient unencumbered balance available before entering into a contract or other arrangement.
Certification Authority, according to section 34 of the FAA, certifies the contract performance and price, entitlement or eligibility of the payment.
Payment Authority is the authority to requisition payments according to section 33 of the FAA.

Return to footnote 5 referrer

Footnote 6

Operational Manual Part 32 Sensitive Expenditures, section General 2.3 states that divisional SE Coordinators will perform a post-review of SE transactions and fulfill the requirements of section 33 authority when exercising Endorsement of Payment Request authority. In this way, SE Coordinators provide assurance to financial officers in order for them to exercise section 33 payment authority.

Return to footnote 6 referrer

Footnote 7

In the divisions, SE Coordinators are a mix of Federal and Provincial positions.

Return to footnote 7 referrer

Footnote 8

Operational Manual Part 32 Sensitive Expenditures, section General 2.3.

Return to footnote 8 referrer

Footnote 9

Operational Manual Part 32 Sensitive Expenditures, section General 2.3.

Return to footnote 9 referrer

Footnote 10

Return to footnote 10 referrer

Footnote 11

The 2% error observed was due to the lack of supporting documentation for two sampled transactions in one division which was attributed to the SE Coordinator's reliance on the section 34 signatory.

Return to footnote 11 referrer

Footnote 12

The development of the new form 1454 was initiated in response to recommendation 3b of the Sensitive Expenditures – Management Control Framework Audit, 2007-2010. The initial diary date for completion of the management action plan was September 2011, and multiple extensions were granted to December 2014. At the February 2015 Departmental Audit Committee meeting, FP requested another extension to April 2015. However, as a follow-up audit on SE was included in Internal Audit's Risk-Based Audit Plan, the item was closed and was to be examined as part of this follow-up engagement.

Return to bibliography 12 referrer

Footnote 13

Operational Manual Part 32, Sensitive Expenditures, section 4.1.5.

Return to footnote 13 referrer

Footnote 14

Operational Manual Part 32, Sensitive Expenditures, section 4.3.3.

Return to footnote 14 referrer

Footnote 15

Operational Manual Part 32, Sensitive Expenditures, section 5.1.3.

Return to footnote 15 referrer

Footnote 16

E Division's Internal Control and Consultative Services group within divisional CM&C provided such training.

Return to footnote 16 referrer

Footnote 17

A summary of the 19 original audit recommendations, related findings and remaining concerns that were identified in this follow-up audit is found in Appendix B.

Return to footnote 17 referrer

Date modified:: 2018-10-25

Language selection

Search and menus

Search

Table of contents