Internal Audit Report - Audit of the Canada Strategic Infrastructure Fund

April 2013

Table of Contents

• Executive Summary
• 1. Introduction
  • 1.1 Purpose
  • 1.2 Background
  • 1.3 Audit Objectives and Scope
  • 1.4 Audit Approach
  • 1.5 Structure of Report
• 2. Audit Findings
  • 2.1 Monitoring of Contribution Agreement Requirements
  • 2.2 Funds Disbursement and Forecasting
  • 2.3 Implementation of Project Repatriation
  • 2.4 Past Management Action Plan Implementation
  • 2.5 Completeness and Consistency of Documentation
• 3. Audit Conclusion
• 4. Statement of Assurance
• 5. Statement of Conformance
• Appendix A: Audit Criteria

Executive Summary

Introduction

Infrastructure Canada (INFC) is subject to the Government of Canada's legislative and policy framework for transfer payment programs including the Financial Administration Act, the Policy on Financial Management Governance, the Policy on Transfer Payments, and the Policy on Internal Audit. The Government of Canada announced the launch of the $2 billion Canada Strategic Infrastructure Fund (CSIF) program through Budget 2001. CSIF was designed to advance the Government of Canada's agenda for urban communities, by providing federal funding for large-scale infrastructure projects that foster economic growth or improve the quality of life for Canadians. CSIF was established under a legislative Act, the Canada Strategic Infrastructure Fund Act, which received Royal Assent on March 27, 2002.

Budget 2003 provided an additional $2 billion to be invested under the CSIF Program. Two dedicated funding envelopes under this additional funding were allocated to National Projects ($200 million) and large-scale infrastructure projects benefiting municipalities of less than 250,000 residents (10 percent of the $2 billion, net of funding provided to National Projects, research studies and program administration). A top-up amount announced in Budget 2006 has brought the total amount of federal contributions approved to date under CSIF to $4.3 billion.

CSIF is managed under a Federal Delivery Partner (FDP) model. In this model, FDPs work with INFC and recipients to administer and deliver CSIF projects according to the terms and conditions set out by Memoranda of Understanding between INFC and the FDP.

More recently, a mutual agreement was reached in late 2011-2012 for INFC to take over the administrative responsibilities from a number of FDPs for most of the remaining CSIF projects under their administration (referred herein as the "repatriation" of projects). This was done in order to more efficiently allocate resources across government. These projects were repatriated from the Canadian Northern Economic Development Agency, the Atlantic Canada Opportunities Agency, the Federal Economic Development Agency for Southern Ontario and Western Economic Diversification Canada. Most projects under the administration of the department for Canada Economic Development for Quebec Regions are currently in the early stages of repatriation.

Audit Objectives & Scope

There were three objectives of the CSIF Audit:

• to assess whether, working with Federal Delivery Partners or recipients, INFC's monitoring of Contribution Agreements is sufficient to ensure the funds are used for intended purposes;
• to assess whether the procedures followed during the repatriation of projects maintain the program's ability to meet stated outcomes; and
• to assess whether recommendations from a previous CSIF internal audit have been addressed as per management's action plan.

The audit also assessed the consistency of documentation in the above mentioned areas.

Conclusion

Working with Federal Delivery Partners or recipients, INFC adequately monitors the contribution agreements to ensure the funds are used for intended purposes. Monitoring activities exist to ensure that contribution agreement requirements were followed and funds were disbursed in accordance with the terms and conditions of the contribution agreements and only for eligible expenses.

Areas for improvement were also identified. One area that still requires management attention is the consistency and completeness of documentation. Recommendations were developed for improving processes for monitoring recipient requirements and for improving retention of documentation to better demonstrate due diligence of reviews of Federal Delivery Partner's financial forecasts and funding requests.

To address the monetary risks of overestimation of Payables at year-end (PAYE), the Department had recently instituted a process to ensure more accurate forecasting and estimation of PAYEs. Furthermore, the Department recognized that improvements were required in information management and is taking steps to increase the consistency of program data as well as information in the Shared Information Management System for Infrastructure (SIMSI).

The procedures followed during the repatriation of projects did maintain the program's ability to meet stated outcomes. The development and implementation of the repatriation process was well managed by the Department.

All recommendations from the 2007 internal audit on CSIF were appropriately addressed by Management.

Statement of Conformance

The audit conforms to the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada, as supported by the results of INFC's Internal Audit quality assurance and improvement program.

Signatures

1. Introduction

1.1 Purpose

An audit of the Canada Strategic Infrastructure Fund (CSIF) Program was included in the Department's 2012-2015 Risk-Based Audit Plan. The need for the audit was based on the following:

• Inherent risk of insufficient monitoring of CSIF Contribution Agreement requirements by Infrastructure Canada (INFC);
• The recent takeover of some CSIF project administration by INFC from many Federal Delivery Partners (referred hereafter as "repatriation"); and
• The need for assurance that Management implemented the audit recommendations from INFC's 2007 CSIF internal audit report (the INFC Audit of the Management Control Framework of the Canada Strategic Infrastructure Fund and of the Border Infrastructure Fund).

1.2 Background

INFC is subject to the Government of Canada's legislative and policy framework for transfer payment programs including the Financial Administration Act, the Policy on Financial Management Governance, the Policy on Transfer Payments, and the Policy on Internal Audit.

Transfer payments are monetary payments, or transfers of goods, services or assets to third parties, including Crown corporations, on the basis of an appropriation. Transfer payments do not result in the acquisition by the Government of Canada of any goods, services or assets.

Transfer payments are one of the government's key instruments in furthering its broad policy objectives and priorities. They enable and engage a wide diversity of skills and resources outside the federal government that are well-placed to further Canadian aims, contribute to building a strong society and a competitive nation that is inclusive and respectful of Canadian values and Canada's linguistic duality. The Policy on Transfer Payments requires that:

• Roles, responsibilities and accountabilities for the management of transfer payment programs are clearly defined and understood by all departments;
• Transfer payment programs are designed, delivered and managed in a manner that takes account of risk and clearly demonstrates value for money;
• Transfer payment programs are supported by cost-effective oversight and control systems at both departmental and government-wide levels; and
• Transfer payment programs are accessible, understandable and useable by applicants and recipients.

The Government of Canada announced the launch of the $2 billion CSIF program through Budget 2001. CSIF was designed to advance Government of Canada's agenda for urban communities, by providing federal funding for large-scale infrastructure projects that foster economic growth or improve the quality of life for Canadians. CSIF was established under a legislative Act, the Canada Strategic Infrastructure Fund Act, which received Royal Assent on March 27, 2002.

Budget 2003 provided an additional $2 billion to be invested under the CSIF Program. Two dedicated funding envelopes under this additional funding were allocated to National Projects ($200 million) and large-scale infrastructure projects benefiting municipalities of less than 250,000 residents (10 percent of the $2 billion, net of funding provided to National Projects, research studies and program administration). A top-up amount announced in Budget 2006 has brought the total amount of federal contributions approved to date under CSIF to $4.3 billion.

All activities under the program were initially set to terminate on March 31, 2013. However, in March 2012, this expiry date was removed from the program terms and conditions and extensions to individual projects were granted on a case-by-case basis. This is in line with the Policy on Transfer Payments.

CSIF is managed under a Federal Delivery Partner (FDP) model. In this model, FDPs work with INFC and recipients to administer and deliver CSIF projects according to the terms and conditions set out by Memoranda of Understanding between INFC and the FDP.

In 2007, the Broadband Office at Industry Canada terminated its activities and informed INFC that it did not have the resources to continue with the administration of CSIF broadband projects. Therefore, over the course of 2007-2008, INFC took over all responsibilities pertaining to the implementation of the CSIF Broadband projects (approximately $68.6M as per the 2007-08 Departmental Performance Report).

More recently, a mutual agreement was reached in late 2011-2012 for INFC to take over the administrative responsibilities from a number of FDPs for most of the remaining CSIF projects (referred herein as the "repatriation" of projects). This was done in order to allocate resources across government in the most effective manner. These projects were repatriated from the Canadian Northern Economic Development Agency (CanNor), the Atlantic Canada Opportunities Agency (ACOA), the Federal Economic Development Agency for Southern Ontario (FedDev) and Western Economic Diversification Canada (WD). Most projects under the administration of the department for Canada Economic Development for Quebec Regions (CED-Q) are currently in the early stages of repatriation. Projects repatriated to INFC, including CED-Q projects, total $649.7M in federal approved funding.

The repatriation decision was made to leverage economies of scale and INFC's expertise in managing a considerable volume of projects while enabling the FDPs to focus on the delivery of the community-based programs and lowering the administrative burden on FDPs in a time of fiscal restraint.

Currently the only FDP arrangements which remain are with WD, ACOA, and Transport Canada (TC). Due to the advanced stage of certain specific projects administered by WD and ACOA, it was deemed not to be cost effective to repatriate these projects. One Minister is responsible for both the Transport and Infrastructure portfolios and a strong working relationship exists between TC and INFC. As a result, the decision was made to continue the FDP relationship with TC.

1.3 Audit Objectives and Scope

There were three audit objectives:

• to assess whether, working with FDPs or recipients, INFC's monitoring of contribution agreements is sufficient to ensure the funds are used for intended purposes;
• to assess whether the procedures followed during the repatriation of projects maintain the program's ability to meet stated outcomes; and
• to assess whether recommendations from the previous 2007 CSIF internal audit have been addressed as per management's action plan.

This audit also assessed the consistency of documentation in the above mentioned areas.

The scope of the audit involved an examination of the forecasting, monitoring and reporting activities undertaken by INFC in relation to CSIF, as documented in electronic and hardcopy files, for the period from June 30, 2010 to June 30, 2012.

The audit did not include an examination of the procedure and practices in place at FDP organizations.

The planning for this audit consisted of interviews and examination of policies and procedures to document the existing risks and controls for the CSIF Program.

Building on the information gathered during the planning phase, the conduct phase focused on assessing the effectiveness of the three overall audit objectives.

1.4 Audit Approach

The following sources were considered in establishing the audit criteria:

• The Financial Administration Act (FAA);
• The Treasury Board Policy on Transfer Payments;
• The Treasury Board Policy on Financial Management Governance;
• The Core Management Controls from the document Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors, developed by the Office of the Comptroller General;
• The CSIF Business Model developed by INFC; and
• INFC internal finance procedures and service standards.

Based on the above the following was expected:

Monitoring of contribution agreement requirements

• By monitoring the implementation of contribution agreements, the Agreement Management Committee, provides assurance that all the obligations inherent to the contribution agreement are met by all parties;
• Project risk assessment, for the purpose of risk-based monitoring, is reasonable, consistent, and documented;
• All funds are disbursed in accordance with the terms and conditions of the contribution agreements and in accordance with applicable policies and legislation;
• A process is in place to challenge the assumptions and related resource requests of yearly financial forecasts;
• Financial forecasts are monitored on a regular basis and reviews are conducted to analyze, compare and explain financial variances between actual and planned expenditures;
• Transfers to FDPs are supported by sufficient and appropriate documentation and authorizations;
• Program data for ongoing and completed/closed projects is available, complete and accurate;
• Project close-out procedures have been established and followed to ensure that all required documentation has been received and approvals obtained for completed projects; and
• Relationships between FDPs and INFC support the program's ability to meet stated outcomes.

Implementation of repatriation

• Repatriation procedures are clearly defined and communicated to INFC staff and the affected FDPs, and are followed;
• INFC has worked with the FDPs to obtain all of the required documentation to help ensure a smooth transition and to minimize the impact on the recipient;
• Changes in Agreement Management Committee membership were recorded in meeting minutes, and supporting documentation is available; and
• Risk levels of repatriated projects have been assessed and monitoring requirements have been established based on those risks.

Follow up of past management action plan items

• Management has completed its stated actions as specified in the management action plan in a manner that addresses underlying risks.

All of these areas were additionally assessed on the consistency of documentation found to support contribution agreement requirements, information for decision-making and the retention of departmental knowledge.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. Satisfactory audit procedures were developed and sufficient relevant information was gathered to ensure the accuracy of the opinions expressed in this report.

The audit was conducted by INFC's Internal Audit Directorate. Planning and conduct phases of the audit were completed between May 2012 and October 2012. The reporting phase, including fact verification, was completed in November 2012.

During the planning phase, to understand the CSIF Program in greater detail, the audit team interviewed staff members from the Program Operations Branch (POB), as well as INFC's Finance and Contracting Division and legal counsel. Detailed audit criteria were developed and are outlined in Appendix A. The audit sample was selected using a non-statistical risk-based sampling methodology. As a statistical sample was not used, the results cannot be extrapolated.

During the conduct phase, the audit team interviewed staff from POB, the Finance and Contracting Division, and Management responsible for the CSIF Program. In addition, the audit team examined project file documentation, and tested INFC's program management database, i.e.  the Shared Information Management System for Infrastructure (SIMSI).

1.5 Structure of Report

Audit findings are provided in five sections: monitoring of contribution agreement requirements, funds disbursement and forecasting, implementation of repatriation, past management action plan implementation, and completeness and consistency of documentation.

Recommendations to address opportunities and gaps described in the findings section are provided at the end of each relevant section.

2. Audit Findings

2.1 Monitoring of Contribution Agreement Requirements

The Treasury Board Policy on Transfer Payments requires that transfer payment programs are designed, delivered and managed in a manner that takes into account risk, and clearly demonstrates value for money. In addition, the Treasury Board Directive on Transfer Payments specifies that management is responsible for ensuring, through the timely assessment of recipient reports and other monitoring activities deemed necessary, that the recipient of a contribution has complied with the obligations and performance objectives in the funding agreement.

By monitoring the contribution agreements, it was expected that the Agreement Management Committee provides assurance that all the obligations inherent to the contribution agreement are met by all parties.

The audit team examined a sample of project files to verify whether INFC's monitoring of contribution agreement requirements was adequate.

Agreement Management Committee Guidelines are generally being followed.

The Agreement Management Committee's main role is to ensure that the terms and conditions (and other affiliated documents) set out in the contribution agreement are satisfied. The Model Agreement Management Committee Guidelines are designed to outline the mandate for the Committee and provide its members with a description of their roles and responsibilities. For example, the Guidelines outline the structure of the Agreement Management Committee, and provide a list of activities that must be reported on by the Recipient and monitored by the Agreement Management Committee, among other things.

In general, it was observed that the suggested agenda items in the Model Agreement Management Committee Guidelines are addressed at some point in the Agreement Management Committee's life for the sampled projects. This provides INFC with some assurance that the Agreement Management Committee considered the terms and conditions of the contribution agreements when performing its oversight responsibilities to ensure that a project is in line with the terms and conditions of its contribution agreement. However, it was observed that certain Agreement Management Committees did not meet at the frequency required, and that some reports, such as compliance audits and annual reports, were submitted after due dates.

The issue of late report submissions is currently being addressed by Management through a similar audit finding from a past audit report.

An audit conducted last year by INFC's Internal Audit Directorate on the Building Canada Fund-Communities Component (BCF-CC) found similar issues with late submissions by recipients and recommended that the Assistant Deputy Minister of Program Operations Branch implement procedures that analysts can use to monitor the program delivery partners' compliance with necessary terms and conditions of the contribution agreement or service level agreement (SLA). The procedures should include guidance on how to enforce performance, when required. The proposed changes intended to address the audit findings are being implemented by Management. For example, in September of 2011, POB introduced a quarterly report on the status of BCF-CC. This report is written by POB analysts and is designed to increase oversight of FDP compliance with SLA requirements. Going forward, POB will update the report's structure to ensure it adequately addresses whether terms and conditions of the contribution agreement have been met. These measures should be applied across all programs where INFC work with FDP's, currently and in the future.

Monitoring and reporting requirements are inconsistent, leading to increased complexity.

All contribution agreements include a reference to Annual Progress Reports, Financial Audits, and Compliance Audits which must be submitted by recipients to INFC through the Agreement Management Committee.

All contribution agreements require the submission of Annual Progress Reports, and the majority of contribution agreements require the submission of annual Financial Audits.

Requirements for Compliance Audits varied greatly. Most contribution agreements stated that the Agreement Management Committee would determine the need for Compliance Audits. However, some agreements required yearly Compliance Audits, while others required two Compliance Audits to be carried out during the life of the agreement.

In general, there was a lack of consistency in sampled projects in terms of monitoring and reporting requirements (Annual Progress Reports, Financial and Compliance Audits) to be submitted to the Agreement Management Committee. These requirements are also inconsistently referenced in various documents - contribution agreements, various Guidelines, Audit Plans, or directly in Agreement Management Committee meeting minutes- thereby increasing the risk that program analysts and Agreement Management Committees are not aware of, and do not monitor all requirements.

The lack of consistency in reporting requirements and in the documents used to communicate the requirements is a result of INFC having negotiated and signed contribution agreements directly with recipients over the course of a number of years. During this time, management changes and lessons learned resulted in an evolution of changes to the format and content of contribution agreements. Departmental policies also evolved over time due to the application of lessons learned and new Government of Canada policies (e.g. : the shift from a fixed number of compliance audits to risk-based frequency of compliance audits).

The inconsistent contribution agreement requirements and the range of different documents used to communicate them increases the risk that requirements will not be adequately monitored. It also increases the risk that certain requirements may not be adequately followed-up on by the Agreement Management Committee.

Management has recognized the need to increase the consistency of contribution agreements requirements and monitoring.

The CSIF program was launched in 2001. Since that time, POB has incorporated lessons learned to implement an array of monitoring tools to monitor all of its programs, including CSIF. These tools include, but are not limited to, the Project Monitoring Report, the Project Operations Risk Tool, an enhanced claims process, Agreement Management Committee Guidelines and the inclusion of CSIF in POB governance committees, where various POB analysts discuss program and project issues and develop tools, policies and procedures to govern a variety of major infrastructure programs. These are all considered to be good management practices.

The audit has noted that a formal checklist for recording all reporting requirements and due dates does not exist. As a result, contribution agreement requirements are being inconsistently tracked and late submissions of reports, sometimes occurs. A tracking document or procedure would be a useful tool for program analysts and the Agreement Management Committee to track and monitor contribution agreement requirements, as well as to help identify if a requirement has been delayed.

Recommendation 1:

It is recommended that the Assistant Deputy Minister of Program Operations Branch ensure that a tracking document or procedure be developed whereby all Recipient reporting requirements, along with progress reports, due dates and notes would be identified to help ensure consistent and timely monitoring by program analysts.

Management's Response for Recommendation 1:

Agree. For all CSIF contribution agreements  managed by INFC, POB will ensure that a one-page checklist is created to clearly articulate all of the mandatory program and project monitoring requirements outlined in contribution agreements (financial management call letter frequency, reporting deadlines, agreement management committee meeting frequency, etc).

Due Date: June 2013

2.2 Funds Disbursement and Forecasting

The Treasury Board Policy on Financial Management Governance requires that departments establish a sound financial management governance structure that fosters prudent stewardship of public resources in the delivery of their organizations' mandate. This includes the requirement to provide a challenge function on financial management matters and on the use of public resources across the department.

The audit team examined whether financial requirements of the contribution agreement were being respected, and also assessed whether this was done in accordance with applicable legislation, government policies and internal service standards and processes. A sample of claims, forecasts and financial updates within the audit time period were tested.

Funds were disbursed in accordance with the terms and conditions of the contribution agreements and only for eligible expenses.

As part of the Memoranda of Understanding (MOUs) that INFC signed with each of the Federal Delivery Partners (FDPs) between January 2003 and October 2006, the responsibility for claims processing and fund disbursement to recipients was delegated to the FDPs.

During the period under audit, INFC was only directly responsible for claims payment and administration of broadband projects under the CSIF Program. Accordingly, only the broadband projects were tested. The audit found that funds were disbursed in accordance with the terms and conditions of the contribution agreements, and only for eligible expenses. Fund disbursement was also in accordance with applicable policies and legislation.

A formal process is not in place to review and challenge forecasts from FDPs.

All FDPs submitted forecasts to INFC for the periods reviewed (June 30, 2010 to June 30, 2012). However, there was no formal process in place for reviewing and challenging FDP financial forecasts and funding requests.

Documentation on informal challenges was inconsistent (see section 2.5). INFC relies on forecasting by the FDPs, which in turn rely on the recipients to provide accurate forecasts. This multi-tiered forecasting model further complicates accurate forecasting as infrastructure project timelines often fluctuate due to unforeseeable delays.

INFC Management has recognized the risks and challenges associated with inaccurate forecasting. In fact, Management has recently put in place processes to strengthen forecasting and the challenge function by the department. POB, working in collaboration with the Finance and Contracting Division, recently developed and implemented a cash flow and forecasting guidance document to help increase the accuracy of cash forecasts for certain programs, including CSIF. This guidance document identifies, among other things, the need for more accurate forecasts, the impact of reprofiling on government expenditures, ways to improve accuracy in forecasts, documentation standards and situations that should trigger follow-up procedures.

In addition, INFC is investigating using historical program spending trends as the basis for annual program forecasts, instead of an aggregate of individual project spending forecasts. This approach is expected to yield more accurate spending forecasts on an annual basis and will help reduce the need to reprofile unused funds.

The overestimation of Payables at Year-End poses a monetary risk to INFC.

According to the TB Policy on Payables at Year-End (PAYE), departments and agencies must identify and quantify liabilities to outside organizations and individuals resulting from operations up to and including March 31^st in each fiscal year. In the absence of certainty, estimates are used to determine amounts of liabilities, as long as reasonably accurate values can be assigned. However, this increases the possibility that liabilities for PAYEs are overestimated. PAYE reprofiling requests are caused, in part, by the nature of infrastructure projects, as forecasts and timelines can be affected by unforeseeable delays (weather, material shortages, environmental issues, etc.). As a result, PAYEs may be set up for liabilities that are higher than the amount actually incurred and paid by the recipient in a given fiscal year. While the actual amount incurred for eligible expenses would be paid to the recipient, the additional amount that was overestimated would then be lost to the department as this amount would not be carried over to the next year's budget.

Requests for amounts of overestimated PAYEs to be reprofiled to the following year are no longer approved by the Department of Finance and TBS, given the current climate of fiscal restraint. Although some reprofiling requests for overestimated PAYEs have not been approved, INFC must still pay out the full funding amount as set out in the contribution agreements. This exposes INFC to a monetary risk.

In order to address this risk, the Finance and Contracting Division worked with POB, FDPs, and other stakeholders to determine options for improving the process for the creation of PAYEs. As a result of these consultations, the Finance and Contracting Division recently put in place a new procedure to strengthen controls over PAYEs. In order to reduce the amount of unused PAYEs from previous years, PAYEs will now only be established for amounts already incurred and paid by the recipient (i.e. the recipient must have received goods or services and have paid the invoices) as evidenced by a claim submitted to INFC, with copies of supporting invoices. This is in line with the TB Policy on PAYE.

Management is developing tools to document and strengthen financial controls.

The recent development of a cash flow and forecasting management guidance document will help ensure accurate cash forecasts for certain programs including CSIF. This document discusses, among other things, the need for more accurate forecasts, the impact of reprofiling on government expenditures, ways to improve accuracy in forecasts, documentation and follow-up, and sets forth a new departmental PAYE policy. This document is meant to guide and assist analysts in reviewing and challenging recipient forecasts and represents a good starting point to help improve the process. Furthermore, as of the 2012-2013 fiscal year, the Finance and Contracting Division began to validate and approve the financial claims information and cash flow information entered into SIMSI, in order to reconcile the information in the department's financial system. These additional steps serve as control points in the claim approval and payment process, and ensure that financial information is entered into SIMSI in a timely manner and matches the information in INFC's financial system.

2.3 Implementation of Project Repatriation

Given that the repatriation of projects represented a new situation for the Department, the implementation of repatriation section assessed whether the process, including the Department's decision to repatriate projects, its decision on which projects to repatriate, and the process to repatriate the project files, was done in a manner that was consistent and risk-based. All ten projects that had been identified for repatriation at the start of the audit were tested.

The CSIF Program originally used a FDP delivery model. In this model, FDPs worked with INFC and recipients to administer and deliver CSIF projects according to the original terms and conditions set out by MOUs between INFC and the FDP.

In 2011, some FDPs expressed concerns over their ability to administer CSIF projects under the terms and conditions of the MOUs with INFC and contribution agreements with recipients. To alleviate pressure on the FDPs and to take advantage of internal economies of scale, INFC conducted a risk analysis in late 2011 of all remaining CSIF projects (those not closed or completed), and initially identified twelve projects for repatriation. After further consultation, nine projects were repatriated, all from FDPs who were the most affected by the funding reductions. Of the three projects not repatriated, two projects were administered by CED-Q and are currently being repatriated, and one project administered by ACOA was due to be completed by March 31, 2012. Due to the advanced stage of the latter project, it was considered not cost effective to repatriate the project.

Communication with internal and external stakeholders was consistent throughout repatriation.

The audit found that repatriation procedures were clearly defined and communicated both internally and externally. For example, TBS was consulted prior to the repatriation of projects and provided guidance and approval to proceed with repatriation. Stakeholders were consulted numerous times during the process and a risk-based approach was used to select which projects would be best suited for repatriation amongst the remaining on-going projects. A defined set of risk factors was considered, and the decision on which projects to repatriate was made in consultation with the affected FDPs.

Furthermore, INFC provided a detailed repatriation action plan and timelines to each affected FDP and worked with the FDPs at both the executive and working level to ensure that all documentation was transferred to INFC to reduce the impact on the recipient during the transition.

Risk levels for repatriated projects were consistently assessed and clear risk mitigation strategies were developed.

Risk levels of all repatriated projects were assessed in a consistent and appropriate manner using the Program Operations Risk Tool (PORT), an Excel-based risk assessment tool. The project analyst inputs project information on a variety of risk factors relating to the areas of recipient management capacity, project financial viability, project planning, environmental and aboriginal issues, materiality and public sensitivity. Risk levels are determined either based on quantitative information (such as materiality based on funding levels) or assessed by the analyst based on qualitative information. A risk level for each of the areas, as well as an overall risk level for the project, is then generated. Recommended risk mitigation measures are generated automatically, enhancing consistency over similar risk-rated projects. The PORT is then signed off by the delegated management official. Projects that are assessed at medium or high risk require the approval of a higher level manager than projects assessed at very low or low risk.

The PORT is an example of a good practice for project risk assessment as it provides risk mitigation strategies based on assessed risk levels, and ensures that projects assessed at a similar risk are monitored in a similar manner. The implementation of risk mitigation strategies was not assessed as part of this audit, as implementation was still ongoing.

The process of deciding which projects to repatriate and the repatriation itself was generally conducted in a manner that reduced risk to INFC and was generally well documented. It also leveraged economies of scale, and took advantage of INFC's expertise in managing a large number of projects.

2.4 Past Management Action Plan Implementation

As per the Treasury Board Policy on Internal Audit, deputy heads are responsible for ensuring that Management Action Plans are prepared, adequately address the recommendations and findings arising from internal audit engagements and implemented.

It was expected that past CSIF audit recommendations from the 2007 Audit of the Management Control Framework of the Canada Strategic Infrastructure Fund and of the Border Infrastructure Fund, conducted by INFC's Internal Audit Directorate, would have been implemented as agreed upon under the 2007 audit's Management Action Plan and, where applicable, be substantiated with supporting documentation. It should be noted that the 2007 audit recommendations were closed following the Departmental Audit Committee's review of management actions taken between 2007 and 2012. The implementation of the management action plans for the 2007 audit recommendations was followed up as part of this audit in order to provide additional assurance to the Deputy Head and the Departmental Audit Committee.

All recommendations were tested to ensure that management's actions were in line with the management action plan, unless the recommendations were no longer relevant.

All past audit recommendations are closed and evidentiary documentation reviewed supports management's actions.

Due to the length of time between the review of the Management Action Plan and the original audit period, some recommendations were deemed to be no longer relevant, given that other mitigation measures or new processes and procedures were in place.

The information reviewed in order to substantiate Management's actions for items that remained relevant was sufficient to verify that Management did carry out those actions to which it had committed. One of the key documents created by Management to address the past audit recommendations was the CSIF Business Model, which serves as an integrated planning and program management document.

2.5 Completeness and Consistency of Documentation

The objective of the Treasury Board Policy on Information Management is to achieve efficient and effective information management to support program and service delivery; foster informed decision making; facilitate accountability, transparency, and collaboration; and preserve and ensure access to information and records for the benefit of present and future generations.

It was expected that consistent and complete documentation would exist in all areas of project files, in both electronic and hardcopy format, for the files tested. Through the audit testing that was conducted, consistency was tested by comparing hardcopy files with electronic files and the information contained in SIMSI. In addition, documentation was also tested against internal guidelines and standards, to ensure that these requirements were being followed.

Financial documentation supporting funds disbursement and approval of transfers to FDPs was adequate.

INFC was directly responsible for claims payment and administration of broadband projects under CSIF during the audit scope period. Accordingly, only broadband projects were tested for funds disbursement. Documentation related to funds disbursement was on file and supported the decisions made. Checklists documenting analyst review and challenge of information were included in the files, representing a good practice.

FDPs submit financial forecasts and updates to INFC, through a call letter process, four times per fiscal year and submit funding requests on an as needed basis. All of the reviewed funding transfers to FDPs were supported by sufficient and appropriate documentation and authorizations.

Documentation of the review and challenge of financial forecasts and funding requests could be strengthened.

INFC officials review and challenge financial forecasts and funding requests from FDPs. However, this process is informal and supporting documentation was found to be inconsistent. The extent of review and challenge is unknown as sufficient documentation to support these processes was not found on file.

In certain cases, email communications between INFC and FDPs were found but these were limited to corrections of missing or incorrect coding or inconsistent dollar amounts. Evidence of analysts' reviews of funding requests did not exist for those requests that did not require corrections. Therefore, if there were no issues resulting from a review, or if a challenge was not required, there was no evidence on file to support and ensure that due diligence was undertaken.

Project data is fragmented across many platforms such as hardcopy files, electronic files on the POB network drive, and SIMSI.

Recipients are required to submit Annual Progress Reports, Financial Audits and Compliance Audits as per the frequency and timelines determined in contribution agreements or other guiding documents. While many of the reports were observed on file (in hardcopy and/or electronic format), certain required reports were not observed on file, while many others did not respect established timelines. For example, Agreement Management Committee meeting minutes would often provide a rationale explaining a change in timelines or the rationale for the omission of a certain report, but in certain cases there was no information on file to explain a change in timelines or a missing report. In other instances, meeting minutes mentioned that certain reports were submitted but these reports were not found on file.

With regards to project close-out, a documented checklist of project close-out procedures and requirements was not established for CSIF until February 2012. Nonetheless, key components for project close-out were identified within some contribution agreements. Project close-out was generally completed in line with contribution agreement requirements; however, documentation was often missing or not properly filed.

Project analysts sometimes provided notes to file upon auditors' request to explain why documentation did not exist. While these notes to file were deemed acceptable, they demonstrate a potential risk should an analyst leave INFC, without documenting their knowledge of the file. In one case, however, a more recently closed project did use the newly documented close-out checklist and had all documentation referenced in the checklist on file and easily accessible. This represents a good practice, which was shared with Management so that this good filing/documentation practice can be consistently applied across the other project files.

Documentation related to items in the repatriation action plan was also difficult to find at times and project analysts also provided notes to file upon auditors' request to explain why documentation did not exist. Again, this demonstrates a potential risk should an analyst leave, without documenting their knowledge of the file. Changes to Agreement Management Committee membership as a result of repatriation were for the most part recorded in meeting minutes and supporting documentation was generally available. It should be noted that project analysts did seem to ensure that all key documents (such as financial claim histories and environmental assessment documentation, where applicable.) were received to mitigate risks to INFC.

Fragmented documentation (i.e. documentation found in various locations and which at times are not all reflective of the current project status or which may provide conflicting information) creates an unnecessary administrative burden, as significant time and effort may be expended in locating and verifying information. This problem was exacerbated by the fact that documentation requirements varied greatly from one project to another, as a result of varying contribution agreement requirements.

SIMSI data quality needs to be strengthened.

The lack of consistent understanding of data inputs creates a need to constantly review and correct data, and the need for parallel offline systems. Specifically, project information within SIMSI is not always updated regularly, and does not always corroborate electronic/hardcopy project information.

As a result, information in SIMSI was sometimes not reflective of the current project status, nor did it always contain information on the most recent project updates or decisions taken. It should also be noted that project status and information updates in SIMSI were a requirement under the repatriation action plan and were not always completed. This may result in decision-making based on information that is no longer current.

In addition, information displayed in SIMSI did not always match the information found in other documentation sources. For example, there were instances where contribution agreement dates in SIMSI did not match the agreement dates of the hardcopy contribution agreement. In one instance, the percentage of eligible costs that represented the federal share to be paid to the recipient shown in SIMSI, did not match the percentage federal share in the corresponding contribution agreement. SIMSI background calculations sometimes do not allow the information to be added as it should be, reflecting another weakness in SIMSI. These inconsistencies greatly reduce the effectiveness of SIMSI as a tool to monitor projects.

Management has recognized information management as an area for improvement and is currently developing tools to strengthen data quality.

Management has recently finalized the CSIF Business Model which provides documentation standards, names SIMSI as the central information database, and provides documentation checklists. Also, a Data Quality Initiative (DQI) is in process to standardize SIMSI information. This initiative encompasses a number of different elements that will help the department address areas identified as priorities for action, including training, improvements to systems, and the development of clear and consistent definitions and procedures. Due to limited capacity, the DQI will not assess or update closed projects or past entries. The audit has recognized Management's initiative on data quality as a good practice. The DQI implementation, however, was not assessed in this audit since it is still under development.

An audit conducted by INFC's Internal Audit Directorate in 2011 on Building Canada Fund-Community Component (BCF-CC) program  found similar issues with missing documentation and a recommendation was issued to create a documentation standard to formalize the need to store key documents. To address the issue, POB has initiated a recordkeeping initiative that focused on improving access and establishing coordinated and consistent recordkeeping policies and processes for program and project information, and creating efficiencies. Work is underway to identify the information that INFC is required to keep on program and project files. This will lead to streamlining program recordkeeping tools (e.g. file checklists, shared drive structure, etc.), with the ultimate objective of having consistent practices across program and project files.

Recommendation 2:

It is recommended that the Assistant Deputy Minister of Program Operations Branch:

1. Formalize processes and procedures for the review and challenge by program analysts of FDP forecasts and;
2. Ensure that project files are supported with notes to file to justify any decisions taken or missing documentation that should have been on file, in order to support the retention of corporate memory.

Management Response for Recommendation 2:

1. Agree. POB will ensure that steps taken and information obtained during the review and challenge of FDP forecasts and PAYE amounts as part of the annual formal call letter process are documented and included in project files (e.g., notes to file, email exchanges, etc).
2. Agree. For all CSIF contribution agreements managed by INFC, POB will ensure that appropriate documentation exists, or, in its absence, notes to file are included to explain missing information. POB will develop a Note to File Template, provide guidance on how it is to be used and ensure that it is included in project files as needed.

Due Date: June 2013 for both 1 and 2

3. Audit Conclusion

Working with Federal Delivery Partners or recipients, INFC adequately monitors the contribution agreements to ensure the funds are used for intended purposes. Monitoring activities exist to ensure that contribution agreement requirements were followed and funds were disbursed in accordance with the terms and conditions of the contribution agreements and only for eligible expenses.

Areas for improvement were also identified. One area that still requires management attention is the consistency and completeness of documentation. Recommendations were developed for improving processes for monitoring recipient requirements and for improving retention of documentation to better demonstrate due diligence of reviews of Federal Delivery Partner's financial forecasts and funding requests.

To address the monetary risks of overestimation of Payables at year-end (PAYE), the Department had recently instituted a process to ensure more accurate forecasting and estimation of PAYEs. Furthermore, the Department recognized that improvements were required in information management and is taking steps to increase the consistency of program data as well as information in the Shared Information Management System for Infrastructure (SIMSI).

The procedures followed during the repatriation of projects did maintain the program's ability to meet stated outcomes. The development and implementation of the repatriation process was well managed by the Department.

All recommendations from the 2007 internal audit on CSIF were appropriately addressed by Management.

4. Statement of Assurance

The extent of the examination was planned to provide a reasonable level of assurance with respect to the audit criteria. The opinion is applicable only to the entity examined and within the scope described herein. In the professional judgment of the Chief Audit and Evaluation Executive, sufficient and appropriate audit procedures have been performed and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The audit findings and conclusions are based on observations and analyses of conditions as they existed at the time of the audit, against established criteria agreed upon with management. The findings are only applicable to the entity examined.

5. Statement of Conformance

The audit conforms to the International Standards for the Professional Practice of Internal Auditing and the Internal Auditing Standards for the Government of Canada as supported by the results of INFC's Internal Audit quality assurance and improvement program.

Appendix A: Audit Criteria

Objective 1: Working with FDPs or recipients, INFC's monitoring of contribution agreements is sufficient to ensure the funds are used for intended purposes and to achieve stated outcomes.

• 1.1 By monitoring the contribution agreements, the Agreement Management Committee provides assurance that all the obligations inherent to the contribution agreements are met by all parties;
• 1.2 Project risk assessment for the purpose of risk-based monitoring is reasonable, consistent, and documented;
• 1.3 All funds are disbursed in accordance with the terms and conditions of the contribution agreements and in accordance with applicable policies and legislation;
• 1.4 A process is in place to challenge the assumptions and related resource requests of yearly financial forecasts;
• 1.5 Financial forecasts are monitored on a regular basis and reviews are conducted to analyze, compare and explain financial variances between actual and plan;
• 1.6 Transfers to FDPs are supported by sufficient and appropriate documentation and authorizations;
• 1.7 Program data for ongoing and completed/closed projects is available, complete and accurate;
• 1.8 Project close-out procedures have been established and followed to ensure that all required documentation has been received and approvals obtained for completed projects; and
• 1.9 Relationships between FDPs and INFC support the program's ability to meet stated outcomes.

Objective 2: Procedures followed during the repatriation of projects maintain the program's ability to meet stated outcomes.

• 2.1 Repatriation procedures are clearly defined and communicated to INFC staff and the affected FDPs, and are followed;
• 2.2 INFC has worked with the FDPs to obtain all of the required documentation to help ensure a smooth transition and to minimize the impact on the recipient;
• 2.3 Changes in Agreement Management Committee membership were recorded in meeting minutes, and supporting documentation is available; and
• 2.4 Risk levels of repatriated projects have been assessed and monitoring requirements have been established based on those risks.

Objective 3: Recommendations from past CSIF audits conducted by INFC have been addressed as per management's action plan.

• 3.1 Management has completed its stated actions as specified in the management action plan in a manner that addresses underlying risks.