Audit of acquisition cards
Internal Audit and Program Evaluation Directorate
June 2025
Table of contents
- Introduction
- About the audit
- Audit significance
- Statement of conformance
- Audit opinion
- Key findings
- Summary of recommendations
- Management response
- Subject matter information
- Audit findings
- Appendix A: Audit criteria
- Appendix B: Progress over the years
- Appendix C: Acquisition card restrictions
- Appendix D: Acronyms
Introduction
Acquisition cards are corporate credit cards issued by the Canada Border Services Agency (CBSA, or “the agency”) to provide an efficient and secure method for purchasing authorized, business-related, low dollar value goods and services.
Like any federal government purchase, acquisition card transactions must follow the requirements of the Financial Administration Act (FAA). The CBSA Standard on Acquisition Cards, issued in support of the Treasury Board Directive on Payments, details how those requirements are implemented at the CBSA. The standard also defines the appropriate use of acquisition cards and restrictions on goods and services that may not be procured with them (refer to Appendix C for acquisition card restrictions).
Acquisition cardholders are responsible for using the cards in accordance with the Standard and reconciling transactions in the agency’s financial system. Cost Centre Managers (CCMs) are responsible for approving transactions and ensuring appropriate use of the cards.
The National Acquisition Card Program (NACP), within the agency Comptroller Directorate of the Finance and Corporate Management Branch (FCMB) of the CBSA, issues, manages, and monitors the agency’s acquisition cards. Monitoring of acquisition card transactions is conducted by the Financial Quality Assurance (QA) Unit of the Directorate, which conducts regular post-payment verifications of transactions as part of its financial QA process.
As of May 2024, 762 acquisition cards were in use at the agency. In the 2023 to 2024 fiscal year, the CBSA procured nearly $25.7 M in goods and services through approximately 57,000 card transactions. The top spending categories for the agency via acquisition cards were miscellaneous materials and supplies, and seminars and course fees.
About the audit
The objective of the Audit was to assess whether the CBSA’s use of acquisition cards is compliant with the Treasury Board Directive on Payments as well as with the agency’s internal policies.
Audit Scope Inclusions
The scope of this engagement covered acquisition card transactions and agency controls to issue, manage and monitor acquisition cards. The scope period spanned to .
Audit Scope Exclusions
The scope did not include transactions and controls related to travel and fleet cards, as they are managed separately and are subject to different policy instruments.
Audit methodology
The audit included interviews and walkthroughs with key program stakeholders.
It also included a detailed review of supporting documents such as Acts, policy instruments, guides, and explanatory materials.
Data analysis and structured sample testing of transactions were conducted, including:
- population analysis of 57,000 transactions and 1,300 (open and closed) cardholder files using data obtained directly from the bank as well as internal CBSA data
- detailed manual sample review of 186 transactions and 50 cardholder files
Audit significance
Stewardship of public funds and effective controls over financial processes is a top priority for the CBSA. To support this, Internal Audit periodically reviews financial processes, control frameworks, and practices in place to ensure that key risks are mitigated and the agency’s intended objectives are met.
Acquisition cards are an important tool for the convenient, timely and efficient procurement of low-risk and low-dollar value goods and services. Authorized cardholders can access funds quickly and easily.
Due processes and functioning controls are required to ensure that acquisition cards are used appropriately. This may include ensuring that there is no use of cards outside of their intended purpose or for personal gain or benefit, or that cards have not been used to side-step more appropriate procurement mechanisms that would otherwise provide the agency with better value or more efficient outcomes.
As such, there is a need to provide reasonable assurance that agency acquisition cards are well-managed and that they are used for their intended purpose and in compliance with applicable policies.
This Audit was approved as part of the 2023 to 2024 Risk-Based Audit and Evaluation Plan.
Statement of conformance
This audit engagement conforms to the Treasury Board’s Policy and Directive on Internal Audit and the Institute of Internal Auditors’ (IIA) International Professional Practices Framework. Sufficient and appropriate evidence was gathered through a range of procedures to provide an audit level of assurance. The agency’s internal audit function is independent and internal auditors performed their work with objectivity as defined by the IIA’s International Standards for the Professional Practice of Internal Auditing.
Audit opinion
Use of acquisition cards by agency staff is compliant with the Treasury Board Directive on Payments and the agency’s internal policies. The CBSA has established effective controls to manage acquisition cards and their use, and provide reasonable assurance over related financial risks to the agency. Acquisition cards continue to fulfill their purpose of providing a low-cost and time-efficient procurement and payment tool for low-value transactions in support of the agency’s operations.
In the spirit of excellence in the stewardship of financial resources, the audit has noted some opportunities for improvement to existing controls and processes.
Key findings
The agency has a properly functioning acquisition card program, including administration processes for the cards and their associated transactions. A suite of preventive and detective controls to manage key risks is in place and functioning as intended. These tools provide reasonable assurance that transactions are appropriate, aligned with CBSA needs, and compliant with policy requirements. Highlights include:
- There is a mature process for the issuance, management, and cancellation of acquisition cards, ensuring that cards are only held by approved individuals who need them to support business operations.
- The use of acquisition cards is compliant with Government of Canada and CBSA policies. Controls for approving and processing transactions are effective and operating as intended.
- The agency’s monitoring of acquisition cards through post-payment verification is effective, but there are opportunities to ensure continuous improvement of oversight.
Summary of recommendations
1. Adjust the current monitoring activities for acquisition cards to:
- ensure timely cancellation of cards that are no longer needed
- use all available data sources to monitor purchases on an evolving basis
Management consideration
Implement a communications strategy to ensure that guidance on transactions is provided in a consistent and frequent manner to cost centres, CCMs and cardholders.
Management response
The Vice-President of the FCMB is pleased to see that the results of the audit demonstrate that the CBSA has effective controls to manage acquisition cards and their use, and agrees with the audit recommendation given that it provides an opportunity to continue to improve controls and processes.
Subject matter information
The lifecycle of an acquisition card begins with a business need. When a Cost Centre regularly needs small purchases to support its operations, the CCM identifies an eligible Cost Centre Administrator (CCA) and approves their card application.
The NACP then reviews the application to ensure it is valid, and the card is issued from the bank. Active cards are monitored by NACP and closed (or deactivated) as appropriate.
Before an acquisition card is used to make a purchase, the CCM is expected to authorize it, either verbally or in writing. The CCA completes the transaction and reconciles it in the system. Records of the purchase including the receipts are then submitted for CCM review and approval.
Later on, the Financial QA team performs reviews of various types of transactions, as well as follow-ups with cardholders and CCMs to ensure that the cards are used to purchase authorized goods and services.
Figure 1: Lifecycle of an acquisition card
Image description
New acquisition card to be issued:
- CCM identifies a business need
- CCM identifies an eligible CCA and approves their card application
- NACP reviews the CCA application, approves issuance of the card, monitors active cards and card closures
For each purchase:
- CCM provides commitment authority, per Section 32 of the FAA
- CCA completes the transaction and reconciles the purchase
- CCM provides payment authority certification, per Section 34 of the FAA
- Internal control unit provides QA, monitoring and reporting on transactions
Audit findings
The audit resulted in the findings below.
Cardholder eligibility and card issuance
To control the use of acquisition cards and prevent unauthorized transactions, the agency must ensure that cards are issued only to eligible cardholders, and that the cards have reasonable credit and transaction limits. Once cards are issued, it is important to ensure continuous eligibility of their cardholders. Cards are then cancelled when they are no longer needed, when the cardholder becomes ineligible and/or when the cardholder leaves the agency.
The audit found that the NACP has effective controls for issuing acquisition cards and that it maintains accurate information to track cards and cardholders.
Control design effectiveness [Footnote 1]
The audit team tested the control design effectiveness and found that NACP, with the support of the Financial Management Policy unit, has designed and implemented controls on the issuance of acquisition cards. Controls are documented in the CBSA’s Standard and the Guide on Acquisition Cards. These include:
- Cardholder eligibility: Only agency employees (indeterminate or on terms greater than six months) can receive cards. They must complete training, sign an acknowledgement of their responsibilities as cardholders, and file an application with NACP.
- Approval: CCMs select candidates to receive cards based on operational needs. They ensure the accuracy of the application and they approve it (including transaction and credit limits) with NACP. The default maximum allowable transaction limit is $9,900 and the monthly credit limit is $15,000. Credit limits above these require a rationale.
- Validation and issuance: NACP validates the elements of the application prior to initiating card creation (including rationales for increased limits), maintains the cardholder file, and logs information in a master tracker and on the card service provider platform.
Figure 2: Cardholder eligibility and card issuance process
Image description
Step 1. The Manager, per business needs, selects the employee and defines the card limits
Step 2. The employee proves eligibility (employment status is indeterminate or term over 6 months, CAS role is assigned and mandatory training is complete) and completes prerequisite steps
Step 3. The manager and the employee submit an application form and supporting documentation
- For limits above the $15,000 limit, the manager provides rationale
Step 4. The NACP receives the request and validates all requirements for the selected employee
- For limits above the $15,000 limit, the NACP reviews the rationale
- For limits above the $25,000 limit, the NACP lead provides approval
Step 5. The NACP sends the card request to the bank
Step 6. The bank issues a card under the cardholder’s name with the established limits
- Upon reception, the cardholder sends an acknowledgement form to NACP
Step 7. The NACP activates the card
Control operating effectiveness [Footnote 2]
The audit team tested the operating effectiveness of the controls over card issuance using a random, statistical sample of 50 cardholders and found that the controls were effective and that only eligible employees were issued cards.
- 100% of the sampled cards were issued to employees who were eligible for them. In reviewing cardholder files maintained by NACP together with data directly from the Human Resources Branch, we confirmed that cardholders completed the mandatory training, acknowledged their responsibilities, and received documented approval for the cards from their CCMs.
- 100% of employees with credit limits above the default $15,000 had approval from CCMs with a rationale, which was retained on file by NACP.
We also found that NACP’s tracking and filing of evidence was accurate overall, and that it enabled monitoring of the cardholders. Any discrepancies we found in NACP’s tracking of the cardholders were not material and they were easily corrected by NACP.
Card suspension and cancellation
As with any credit card, it is important to make sure that requests for suspension or cancellation are acted on quickly.
If a lost, stolen or not-needed card is not cancelled in a timely manner, there is a risk of unauthorized or fraudulent expenses being charged to the agency.
Acquisition cards are cancelled when the cardholder departs from the agency, when reported as lost or stolen, or when they are no longer needed. There is an opportunity to strengthen controls to ensure that cards are consistently suspended in a timely manner.
Control design effectiveness
We assessed the design of the agency’s controls for suspension and cancellation of cards, and found that they are documented in the CBSA’s Standard and the Guide on Acquisition Cards. The effectiveness of these controls is dependent on CCMs’ and cardholders’ timely communication with the NACP:
- Cardholders and CCMs must notify NACP immediately if a card is lost or stolen or any unauthorized transactions are discovered.
- Cardholders and CCMs must notify NACP if the cards are no longer needed or the employee has left the agency. In the summer of 2024, CBSA strengthened this control by implementing a new departure checklist for managers and supervisors. Among other important steps, it aims to facilitate timely deactivation of acquisition cards.
- NACP is responsible for card monitoring, suspension and cancellation.
Control operating effectiveness
To test the effectiveness of the controls, the audit team examined how and when the CBSA suspends and/or cancels acquisition cards. We sought to confirm how cardholders responded in cases of compromised cards, that only current and active CBSA employees had cards, and that cards of all departed employees had been cancelled.
Cancellation of lost or stolen cards
We reviewed purchase data in the Corporate Administrative System (CAS) Finance to see how cardholders, CCMs, and the NACP responded to the discovery of unauthorized transactions.
Our analysis of purchase data showed that there were occasions where cardholders noticed that their card had been compromised. These unauthorized activities were reported to NACP. In all cases, the audit team found that cards were cancelled by NACP and the transactions were reversed by the bank in a timely manner.
Data analysis
Using current cardholder data together with employee departure, position change, and long-term leave data contained in CAS Human Resource module (CAS HR), we verified the timeliness of card deactivation. With this method, we found that when employees left the agency, a number of cards were closed after the employees’ last day.
- Of a total population of 762 active cards as of May 2024, two were for employees who had left the agency several months earlier. NACP promptly deactivated those cards upon being notified of our observations.
- Of the 307 cards deactivated in the 2023 to 2024 fiscal year, we found that 5% of them (16 total) were cancelled more than 30 days after the employee had left CBSA. Another 5% (15 total) had not been suspended for more than 30 days after the employees went on long-term leave (for example, parental leave, long-term leave without pay, extended medical leave).
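The cross-check described above, as an added example that is not part of the audit report or the agency's tooling: card records are joined to HR departure and long-term leave events, and any card still open after a departure, or cancelled or suspended more than 30 days after the event, is reported. The record layouts, field names and sample rows are constructed for illustration; return from leave is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

GRACE_DAYS = 30  # the 30-day lag the audit used when reporting late cancellations


@dataclass(frozen=True)
class Card:  # hypothetical card-tracker extract
    card_id: str
    employee_id: str
    closed_on: Optional[date] = None      # None while the card is still open
    suspended_on: Optional[date] = None   # None if never suspended


@dataclass(frozen=True)
class HrEvent:  # hypothetical HR extract
    employee_id: str
    kind: str        # "departure" or "long_term_leave"
    effective: date  # last day at the agency, or first day of leave


def find_exceptions(cards, hr_events, as_of, grace_days=GRACE_DAYS):
    """Return sorted (card_id, finding, lag_in_days) tuples for follow-up."""
    events_by_employee = defaultdict(list)
    for ev in hr_events:
        events_by_employee[ev.employee_id].append(ev)

    findings = []
    for card in cards:
        for ev in events_by_employee.get(card.employee_id, []):
            if ev.effective > as_of:
                continue  # future-dated HR action, nothing to enforce yet
            if ev.kind == "departure":
                if card.closed_on is None:
                    # Open card held by someone who has already left.
                    lag = (as_of - ev.effective).days
                    findings.append((card.card_id, "active_after_departure", lag))
                else:
                    lag = (card.closed_on - ev.effective).days
                    if lag > grace_days:
                        findings.append((card.card_id, "late_cancellation", lag))
            elif ev.kind == "long_term_leave":
                controlled_on = card.suspended_on or card.closed_on
                if controlled_on is None:
                    lag = (as_of - ev.effective).days
                    if lag > grace_days:
                        findings.append((card.card_id, "not_suspended_on_leave", lag))
                else:
                    lag = (controlled_on - ev.effective).days
                    if lag > grace_days:
                        findings.append((card.card_id, "late_suspension", lag))
    return sorted(findings)


# Constructed sample data (not taken from the audit).
AS_OF = date(2024, 5, 31)
SAMPLE_CARDS = [
    Card("C-001", "E1", closed_on=date(2023, 6, 5)),
    Card("C-002", "E2", closed_on=date(2023, 9, 15)),
    Card("C-003", "E3"),
    Card("C-004", "E4", suspended_on=date(2023, 11, 20)),
    Card("C-005", "E5"),
    Card("C-006", "E6"),
]
SAMPLE_HR_EVENTS = [
    HrEvent("E1", "departure", date(2023, 6, 1)),         # closed after 4 days
    HrEvent("E2", "departure", date(2023, 7, 31)),        # closed after 46 days
    HrEvent("E3", "departure", date(2024, 1, 15)),        # card still open
    HrEvent("E4", "long_term_leave", date(2023, 10, 2)),  # suspended after 49 days
    HrEvent("E6", "long_term_leave", date(2024, 5, 10)),  # 21 days, within grace
]

if __name__ == "__main__":
    for card_id, finding, lag in find_exceptions(SAMPLE_CARDS, SAMPLE_HR_EVENTS, AS_OF):
        print(f"{card_id}: {finding} ({lag} days)")
```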
Cardholder sampling
In our random sample of 50 cardholder accounts, 15 were closed in the 2023 to 2024 fiscal year. For most cardholders and cost centres, coordination with NACP was evidenced and the cards were cancelled in a timely manner. However:
- For the two of the 15 cases where the employees had previously left the agency, the cardholder and CCM did not notify NACP of the departure or that the card was no longer needed, which resulted in a delay in cancellation. NACP discovered one of the two through its own review of inactive cards.
- In one other case, there was timely notice from the CCM, but the NACP had taken an additional 19 days to cancel the card.
We confirmed that no unauthorized transactions had taken place following the employees’ departure or long-term absence. Proactive detection of cards that should not be active, by monitoring the cardholder population with CAS HR and Financial data, remains the best way to prevent unauthorized use.
Cardholder and CCM roles change frequently within the Government of Canada as a whole, as well as at the agency. Given this, it is likely that revisions to their employment status may not always be reported to NACP in a timely manner.
Risk: When a card is not cancelled after it is no longer needed for agency business, it can be (mis)used for unauthorized purchases.
Impact: Financial and reputational damage to the agency.
Recommendation 1a: The Vice-President (VP) of FCMB should ensure that all available data sources (CAS HR, CAS Finance module, internal NACP tracking, and bank data) are used in periodic monitoring to enhance the timely cancellation of cards that are no longer needed.
Management response: The VP of FCMB agrees with the recommendations and will leverage available data sources to continue to ensure the timely cancellation of acquisition cards where warranted. The FCMB will also use available data sources to continue to closely monitor acquisition card transactions and identify areas of risk or non-compliant transactions.
Furthermore, more communication and training will be provided to reinforce guidance and best practices surrounding the use of acquisition cards.
Completion date: November 2025
Use of acquisition cards
As with all public funds, it is important that Departments and Agencies are able to demonstrate sound stewardship. Acquisition cards must be used only for their intended purpose and in compliance with applicable legislation and policy. To provide continued assurance, effective controls must be built into the processes for approving, completing and recording acquisition card purchases and payments.
Per Treasury Board Secretariat and CBSA policy instruments, all acquisition card purchases must be:
- strictly for CBSA business and not for personal benefit
- only for low-value purchases (under $9,900)
- without violation of restrictions in place (either in fact or in principle)
Use of acquisition cards at the CBSA is compliant with the applicable policy instruments, aligned with the intended use of the cards, and controls over transactions are operating as intended. The audit did not identify any pervasive errors or significant misuse of acquisition cards.
To assess the compliant use of acquisition cards we:
- conducted interviews, walkthroughs, and reviewed documents to understand the processes in place to manage and record acquisition card transactions
- completed a review of samples of transactions to test adherence to the process and effectiveness of controls
- performed analysis on transaction data to detect any inappropriate use, and followed up with cost centres and cardholders accordingly
Control design effectiveness
We found that the design of the controls embedded in the CBSA policy instruments and financial system for processing acquisition card transactions was effective.
The CBSA Standard on Acquisition Cards and the supporting guide clearly define roles and responsibilities, restrictions on use of the cards, and control points for transactions. This includes:
- the acceptable use of acquisition cards and restrictions on their use (refer to Appendix C for acquisition card restrictions)
- clear roles and responsibilities for cardholders, CCMs, and the NACP
- explanations of the authorized issuance and use of acquisition card convenience cheques, which are cheques that can be issued to the cardholder and then drawn on the card. These are exclusively reserved to facilitate payments to Indigenous Elders and Traditional Resources.
Transaction process
The audit team confirmed the workflow and the automated controls for purchases using acquisition cards and convenience cheques. These are:
- The CCM with delegated authority approves the expenditure per Section 32 of the FAA. Approval may be verbal, written, or electronic, depending on type of transaction.
- The Cardholder makes a purchase / payment using their card or convenience cheque.
- The transactions are posted to the CBSA’s financial system (SAP Ariba). Cardholders are then notified that their transaction is ready for reconciliation.
- The Cardholder reconciles their transactions in SAP, attaches all supporting documentation and enters the financial coding.
- The CCM (as the certification authority) approves payment for the transactions recorded to their cost centre(s) (per Section 34 of the FAA).
- NACP periodically reviews the queue of outstanding reconciliations and FAA Section 34 approvals, and follows up on unexplained delays.
Built-in controls set by CBSA in the card service provider’s system automatically prevent purchases from certain categories of vendors (such as jewelers, gambling facilities, cash advances and transfers, and luxury travel). Forty-six such merchant categories are blocked.
The audit confirmed that 39 of the 46 blocked categories never appeared in the 57,000 transactions. The remaining seven were documented, legitimate business purchases for which temporary (24-hour) exemptions were granted.
Figure 3: Transaction initiation and reconciliation process
Image description
CBSA Standard on Acquisition Cards and CBSA Guide on Acquisition Cards apply to the following:
Step 1. The manager authorizes purchase (via FAA Section 32 approval) using an acquisition card
- For purchases less than $5,000, verbal or written approval is required
- For purchases more than $5,000, the manager creates a Funds Reservation Number in CAS
- For certain purchase categories, the manager fills in approval forms
Step 2. The cardholder makes the purchase and retains proof in their records
Step 3. The bank posts the transactions and transfers the information to CBSA’s SAP Ariba
Step 4. The cardholder reconciles the transaction in SAP Ariba and attaches documentation, including the manager’s approval
Step 5. The manager reviews the reconciliation in CAS
- If approved, the manager signs FAA Section 34 approval (reception of goods or services)
- If rejected by the manager, it requires adjustments: go back to step 4
Step 6. The reconciliation is completed and posted to CAS
Control operating effectiveness: Acquisition card transactions
To assess if transactions followed the process and that controls were functioning as intended, we tested statistical and risk-based samples of 139 acquisition card purchases from across the agency, ensuring that all regions and branches were included. Overall, the samples were compliant with the FAA as well as with agency policies and guidance. We found that controls were operating as intended:
Expenditure approval
- The CBSA cost centres used acquisition cards to procure low-value goods in support of their operations. For 138 cases, no goods or services over $9,900 were bought. For one case, however, a room rental for an approved event costing slightly above $9,900 was paid for in two separate installments, which is not compliant with the Standard.
- 93% of transactions (129 of 139) were compliant with FAA Section 32 approval requirements. There were 10 transactions for which Section 32 approval was not processed in accordance with CBSA requirements. In one case, approval was documented after the purchase. For the remaining nine transactions, approval was to be documented via a prescribed form, but that form was not used. For example, the Section 32 approval for purchase of a specialized training course or group training uses the GC211 or BSF741 forms, but these were not on file for seven of those purchases. Two other cases were small amounts of hospitality approved by email instead of BSF741.
Reconciliations
- 95% of the reconciliations (132 of 139) were completed in under 30 days (the 30-day threshold for timely reconciliation was chosen as a general benchmark by the audit team). The rest were reconciled in under 90 days on average.
- 14% of reconciliations (20 of 139) contained incorrect information, such as a transaction being coded to an incorrect general ledger (GL) account, an inaccurate reconciliation of the taxes, or a minor misstatement of the purchase amount. Due to the timing (2023 to 2024 FY closed) and low materiality of the errors, these did not need to be retroactively corrected.
- All transactions were certified in the system by an FAA Section 34 manager with the appropriate delegated financial authority.
Value-for-Money and Purchase Types
- 99% of transactions (138 of 139) were aligned with reasonable market rates / value-for-money. There was one transaction where the purchaser should have sought a better price. The audit team identified a $685 alternative for a laboratory chemical that cost $4,900. According to the CCM, the supplier was on an approved list, which normally ensures value-for-money. (The CCM took note of the need to compare prices nonetheless.)
- Six purchases (4%) did not fully align with the agency’s guidelines for the acceptable use of acquisition cards:
  - Three purchases of headphones were over $300 per unit. However, we found conflicting guidance on this type of purchase, and an accepted practice to allow managerial discretion on the cost and models of headsets. There is an opportunity to clarify this expectation or to pursue more cost-effective procurement mechanisms, especially given the need for headsets agency-wide.
  - Three purchases of furniture without prior approval from CBSA’s National Real Property and Accommodations Directorate.
While guidance had been shared with CCMs and CCAs by various means, there is opportunity to periodically review, clarify, and reinforce this guidance, especially if the practical application of it evolves over time (for example, purchases made in the context of changes in the hybrid workplace, or changes in Information Technology (IT) procurement and security requirements).
Control operating effectiveness: Convenience cheque transactions
To test the controls established for the use of convenience cheques drawn on CBSA acquisition cards, we tested 47 out of the 92 cheques used for payment by CBSA cardholders over the 2023 to 2024 fiscal year. These cheques can be risky because they are like cash-in-hand.
- 45 of the 47 payments were to Indigenous Elders or Traditional Resources, primarily made by the CBSA Indigenous Affairs Secretariat and the CBSA College. This use was aligned with the intended purpose of the payment method.
- Two other payments were made for legitimate business purchases, but they were not in alignment with the requirement, as the payments were not for Indigenous suppliers.
- In total, only four cardholders made transactions via convenience cheque, confirming that convenience cheques are not widely used.
- All transactions were reconciled in the CBSA’s financial system.
- Nine of the payments to Indigenous Elders or Traditional Resources did not have a completed BSF833 form attached in the reconciliation to document the purpose of the payment. The purchases did have other documentation (such as email approvals) on file.
- All transactions were certified in the system by an FAA Section 34 manager with the appropriate delegated financial authority.
Additional checks on compliant card use
In addition to verifying that transactions were made and reconciled according to the established process, we conducted data analysis using data from the credit card service provider as well as CBSA. These tests were designed to identify cases of non-compliance with the CBSA Standard and/or other indicators of suspicious or inappropriate use.
- Our analyses did not identify evidence of any attempts to override financial controls for personal benefit or for the benefit of a specific cost centre. The testing also did not discover patterns of recurring errors by cardholders or cost centres. Many of the erroneous transactions had already been identified by CBSA’s Financial QA team, and if applicable, reversed.
- For instances of non-compliance that were not identified before, we informed CCMs, who took corrective action. In some cases, no after-the-fact correction was possible, but the audit team did not consider these errors to pose a continued risk because they were infrequent and low in value.
Purchase splitting
- Regarding circumvention of the $9,900 transaction limit, there was one single transaction in 57,000 that matched this concern. In it, a cost centre used a card instead of a contract for a purchase greater than $9,900. This split was caught by a QA verification and the CCM agreed that it was an oversight. The audit team concluded that it was an isolated case, and that there were no patterns of pervasive transaction splitting at this value threshold.
- The audit team looked into transaction splitting to circumvent the $4,999 threshold for documented (rather than verbal) Section 32 approval. There were five transactions that should have been a single payment with a fund commitment, which were instead broken into two payments. We found that the transactions had one invoice sent from the supplier, on the same day, but that two payments were made instead of one. There was no apparent pattern in the cost centre or cardholder for this type of error.
Duplicate transactions
Another area where errors can occur is when a cardholder is charged twice for the same thing. By looking at the bank data, we were able to check how often such mistakes occur, and whether there were any trends.
- We found eight payments that matched the indicators of a duplicate payment (same vendor, date, amount, and invoice details), but only one of the cases turned out to be a true duplicate. We informed the CCMs so that they could investigate the payments because the system does not flag them automatically. In the one case, the purchase of five desk organizers worth a total of $169 was identified as a duplicate, but recovery of the funds was not possible due to the time that had lapsed since the original charges. There was no pattern in cost centre or cardholder for this type of error.
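The purchase-splitting and duplicate-payment tests described in the two passages above can be expressed as grouping rules over transaction data. The following is an added example, not the audit team's own analysis code: the record layout, the grouping keys for splitting (same card, vendor and day) and all sample rows are assumptions constructed for illustration. Both functions return candidates for manual follow-up, since the audit found that only one of its eight duplicate candidates was a true duplicate.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

TXN_LIMIT = Decimal("9900")                      # per-transaction limit named in the report
DOCUMENTED_APPROVAL_THRESHOLD = Decimal("4999")  # threshold for documented Section 32 approval


@dataclass(frozen=True)
class Txn:  # hypothetical bank-feed record
    txn_id: str
    card_id: str
    vendor: str
    posted: date
    amount: Decimal
    invoice: str


def _norm(text):
    """Case- and whitespace-insensitive key for free-text fields."""
    return " ".join(text.lower().split())


def duplicate_candidates(txns):
    """Groups of txn_ids sharing vendor, date, amount and invoice details."""
    groups = defaultdict(list)
    for t in txns:
        key = (_norm(t.vendor), t.posted, t.amount, _norm(t.invoice))
        groups[key].append(t.txn_id)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def split_candidates(txns, threshold):
    """Same card, vendor and day: every payment at or below the threshold,
    but the payments together exceed it. Returns (txn_ids, total) tuples."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t.card_id, _norm(t.vendor), t.posted)].append(t)

    hits = []
    for group in groups.values():
        under = [t for t in group if t.amount <= threshold]
        total = sum((t.amount for t in under), Decimal("0"))
        if len(under) > 1 and total > threshold:
            hits.append((sorted(t.txn_id for t in under), total))
    return sorted(hits)


# Constructed sample transactions (not taken from the audit).
SAMPLE_TXNS = [
    # One invoice paid in two parts, together above the 9,900 limit.
    Txn("T1", "C-10", "Vendor A", date(2023, 11, 2), Decimal("6200.00"), "INV-7781"),
    Txn("T2", "C-10", "Vendor A", date(2023, 11, 2), Decimal("5100.00"), "INV-7781"),
    # Two payments that each stay under 4,999 but total more than it.
    Txn("T3", "C-11", "Vendor B", date(2023, 12, 5), Decimal("3000.00"), "INV-0002"),
    Txn("T4", "C-11", "Vendor B", date(2023, 12, 5), Decimal("2400.00"), "INV-0002"),
    # Same vendor, date, amount and invoice, differing only in case and spacing.
    Txn("T5", "C-12", "Vendor C", date(2024, 1, 15), Decimal("169.00"), "INV-55"),
    Txn("T6", "C-12", "vendor  c ", date(2024, 1, 15), Decimal("169.00"), "inv-55"),
    # Unrelated single purchase.
    Txn("T7", "C-13", "Vendor D", date(2024, 2, 1), Decimal("1200.00"), "INV-9"),
]

if __name__ == "__main__":
    print("Duplicate candidates:", duplicate_candidates(SAMPLE_TXNS))
    print("Splits vs 9,900:", split_candidates(SAMPLE_TXNS, TXN_LIMIT))
    print("Splits vs 4,999:", split_candidates(SAMPLE_TXNS, DOCUMENTED_APPROVAL_THRESHOLD))
```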
Other non-compliant purchases
- There were no instances of inappropriate purchases of alcohol or hospitality-related goods. For example, all purchases related to alcohol were for hosting the Standardized Field Sobriety Testing training for CBSA officers, to prepare them for testing impaired drivers, or for use by the CBSA lab. However, some hospitality purchases were incorrectly coded to a non-hospitality related GL code, which may have reduced the likelihood of QA oversight.
- Corporate memberships and retail programs (for example, Amazon Prime) are not to be purchased. Unauthorized purchases were reversed and/or identified by the QA team, except for four transactions by four different cardholders that were not reimbursed and not discovered by QA, for a total of $202. We noticed that these transactions were miscoded into GL accounts that were not part of the QA sampling strategy.
- Analysis to detect collection of reward points for personal benefit did not identify frequent purchases from vendors that offer such points, or signs of frequent reward point collection.
- The data contained examples of IT hardware purchases that should have been made through procurement (for example, monitors and external hard drives) or that were for non-approved equipment (for example, wireless keyboards).
While we noted that CCAs and CCMs received guidance by various means (for example, the Guide on Acquisition Cards, the CBSA Daily, Financial Policy Bulletins, CBSA Wiki Pages), CCMs and cardholders would benefit from receiving additional guidance, especially for “new” and evolving areas (such as subscription services or the equipment required to enable a hybrid workplace). This would ensure sustained awareness of the requirements.
Management Consideration: There is an opportunity for FCMB to regularly inform cost centres, CCMs and cardholders of evolving guidance on transactions, so as to ensure that guidance from different policy stakeholders (Financial Policy, Procurement, IT procurement, Real Property and Accommodations) remains consistent and integrated, and agency purchases are made and processed accurately.
Monitoring and quality assurance
To ensure that transaction-level controls continue operating effectively over time, that cardholders and CCMs continue to respect their responsibilities, and to detect any inappropriate or unauthorized activities, it is important to perform monitoring activities on a regular basis.
This enables the identification and timely correction of non-compliant transactions (if any), and the maintenance of system integrity.
Overall, CBSA’s risk-based monitoring over acquisition card transactions is effective. There are some opportunities to adjust and evolve the approach.
Our audit assessed the monitoring and QA at the CBSA by conducting interviews with FCMB stakeholders and reviewing documented activities, including the adequacy of coverage and its reporting.
Monitoring of acquisition card transactions is conducted by the Financial QA Unit of the agency Comptroller Directorate in FCMB. The approach is outlined in the CBSA’s QA Framework for Non-Pay Transactions and consists of monthly post-payment verifications of acquisition card transactions. Compliance checks include:
- 100% of transactions marked as high risk: hospitality, conference fees, tuition, training above $3,000, memberships, and awards and recognitions
- 100% of transactions above $5,000
- sampling of remaining low dollar-value and lower-risk acquisition card transactions with coverage of all branches and regions
The audit found that the Unit successfully applied this methodology in the 2023 to 2024 fiscal year, conducting verifications of 1,983 acquisition card transactions.
- The results reported in QA quarterly verifications were similar to the results of our own testing: high compliance with policy requirements, and a tendency to make administrative errors (such as incorrect GL coding and reconciliation of tax amounts).
- We found completed verification checklists for high-dollar value and high-risk transactions, as is prescribed by the framework.
- We found that the Unit informed cardholders and cost centres of the errors discovered during the verifications. When applicable, they corrected the transactions in the internal financial system. This included correcting GL coding if the initial reconciliation in the system was incorrect, or requesting refunds from purchases that were not aligned with policy (for example, Amazon Prime memberships). Results were also reported to the senior management of each Branch and Region.
The data analyses performed during our audit highlighted some additional opportunities to strengthen the QA framework used in the 2023 to 2024 fiscal year:
- Use of bank data: The QA Unit was relying on CBSA internal financial data in CAS (that is, data entered by CBSA cardholders and cost centre management) to select their samples and conduct their risk-based analyses. They, like NACP, were not using the data available in credit statements directly from the card service provider. Yet bank data is a reliable way to identify high-risk transactions, unauthorized activity and/or high-risk payments that could easily get miscoded to incorrect GL accounts.
- Holistic data analysis: The Unit was performing its monthly verifications, but not conducting holistic data analyses using combinations of available data, such as the extracts from the bank and from CBSA HR, to identify trends, indicators of non-compliance, and/or fraud. Combining multiple internal and external data sources provides an enhanced ability to identify anomalies and/or concerning trends. Once the links between the extracts are established, the large data set becomes an easy and cost-effective method to ensure careful monitoring.
- Convenience cheque monitoring: The Unit was not capturing the use of convenience cheques in its monitoring activities.
While these monitoring elements were not used during the scope period of this audit, the Unit reportedly began developing and testing methods in the first quarter of the 2024 to 2025 fiscal year, using the data and tools available to the CBSA through its corporate account with the card service provider. The stated goal of these activities was to make greater use of accurate, independently-generated data and to develop methodologies to further strengthen its QA framework.
Analyses of single data sources or sampling techniques are less likely to identify non-compliant transactions in a timely and consistent manner. They are also not well-adapted to fraud monitoring, which requires an evolving approach.
Analyses of comprehensive data sets made from combining external (card service provider) and internal (financial and human resources) data sources provide a powerful basis on which to monitor transactions. They enable compliance monitoring via standardized, efficient and automatable methods.
Recommendation 1b: The VP of FCMB should develop and implement methodologies that use all available sources of data (both bank and internal) to further enhance the monitoring of acquisition card transactions.
Management response: The VP of FCMB agrees with the recommendations and will leverage available data sources to continue to ensure the timely cancellation of acquisition cards where warranted. The FCMB will also use available data sources to continue to closely monitor acquisition card transactions and identify areas of risk or non-compliant transactions.
Furthermore, more communication and training will be provided to reinforce guidance and best practices surrounding the use of acquisition cards.
Completion date: November 2025
Appendix A: Audit criteria
Lines of enquiry | Audit criteria |
---|---|
1. Compliance | 1.1 Acquisition card transactions comply with applicable Federal and agency policies, directives and guidelines. |
2. Controls and monitoring | 2.1 Key controls to manage and monitor acquisition cards are in place and are effective at preventing or detecting misuse, errors, and/or fraud. |
Appendix B: Progress over the years
The 2017 CBSA Audit of Acquisition Cards assessed the effectiveness of the controls in place to ensure that acquisition card transactions were compliant with relevant laws, policies and directives. The audit found that key controls were established and in routine operation, but it also identified the following gaps:
- deficiencies in the documentation of approvals and supporting documents for transactions
- limited data collection to ensure sound oversight, monitoring and reporting
- limited coordination between compliance and monitoring bodies
The audit recommended that the FCMB implement strategies to improve Section 32 Financial Administration Act compliance, strengthen the monitoring over acquisition cards through greater use of data and greater integration between stakeholders, and establish regular reporting to senior management. These recommendations were assessed as having been closed in the 2018 to 2019 fiscal year.
Since that audit, agency processes related to acquisition cards have undergone the following changes:
- Centralization of the NACP within the agency Comptroller Directorate’s National Financial Transaction Centre, which eliminated regional Acquisition Card Coordinators.
- Implementation of SAP Ariba, which is a procurement add-on to the CBSA’s financial system. SAP Ariba streamlined the approvals workflow and transformed paper-based reconciliations into a digital process.
- A change of the agency’s acquisition card service provider.
Appendix C: Acquisition card restrictions
According to the CBSA Standard and Guide to the Use of Acquisition Cards, acquisition cards, including convenience cheques, cannot be used for:
- personal purchases
- non-CBSA business-related purchases
- travel status-related expenses
- cash advances
- operating and maintenance expenses of CBSA fleet vehicles
- interdepartmental transactions
- gifts for employees or other individuals
- tuition fees for employees
- membership fees for employees
- IT hardware items normally supplied by the central IT function
- software or software maintenance services
- portable radios
- temporary help services
- services requiring written terms and conditions
- retailer membership programs
- reward and loyalty programs
Appendix D: Acronyms
CAS: Corporate Administrative System
CAS HR: Corporate Administrative System, Human Resources
CBSA: Canada Border Services Agency
CCA: Cost Centre Administrator
CCM: Cost Centre Manager
FAA: Financial Administration Act
FCMB: Finance and Corporate Management Branch
GL: General Ledger
IIA: Institute of Internal Auditors
IT: Information Technology
NACP: National Acquisition Card Program
QA: Quality Assurance
VP: Vice-President