EDC Internal Audit

Driving Excellence in EDC through Assurance and Advice

Purchasing Audit
Final Audit Report
Report Nr. 4/08
August 27, 2008
Distribution: To: President & CEO Senior Vice President & Chief Financial Officer Senior Vice President, Corporate Secretariat & Legal Services Senior Vice President, Human Resources Vice President & Corporate Controller Director, Administrative Services Senior Purchasing Advisor Senior Vice President, Business Development Senior Vice President, Insurance Senior Vice President, Financing Products Group Senior Vice President, Business Solutions & Technology Vice President, Strategic Planning & Corporate Communications General Counsel & Senior Assistant Secretary Vice-President, Human Resources Services Director, HR Policy & Strategic Services Director, Planning & Government Relations Principal, Office of the Auditor General

CC:

Audit Team: M. Langlois C. Rodrigue

Vice President Internal Audit Monica Ryan

EDC Internal Audit Purchasing Audit Report # 4/08

August 27, 2008

Introduction
In accordance with our FY2008 Audit Plan, EDC Internal Audit (IA) performed an audit of the control framework surrounding the procurement of goods and services less than $500k CAD. For the 2007 fiscal year, EDC issued 2,267 purchase orders (POs) with an aggregate value of approximately $84.8M CAD. Of this amount, $49.4M CAD and 2,247 POs related to the procurement of goods and services less than $500K CAD. EDC's Procurement Policy (ADM-003) and related Procurement Procedure Framework (PPF) provide the principles, authority and responsibility for the procurement of goods and services.

Audit Objectives & Scope


The overall objective of this audit was to assess the adequacy of internal policies relating to the procurement of goods and services and compliance with these policies. In evaluating the adequacy of internal procurement policies, consideration was given to whether:
- Policies are comprehensive, providing guidance for all types of procurement activities;
- Actions are taken to promote awareness and understanding of procurement policies across EDC;
- The content is clear and lends itself to a common interpretation; and
- Procurement policies are consistent/complementary with other EDC policies.

The scope of the audit was restricted to POs issued for amounts less than $500k CAD. POs issued under the Events & Sponsorship Guidelines and Procedures were excluded from the scope of this audit, as they follow a different control framework. Detailed testing performed in conjunction with this audit was focused on POs issued in 2007 and any related POs issued in 2008. Audit fieldwork was performed during May and June 2008.

Internal Audit Opinion


In our opinion, Opportunities Exist to Improve Controls [1] surrounding the procurement of goods and services with a value of less than $500K CAD. We found that procurement activities do not consistently comply with EDC procurement policies. Key areas of non-compliance included:
- services received in advance of issuing a PO;
- the design of the exceptions approval process for consultants; and
- in a few cases, contracts executed without the correct signing authorities.

Policies relating to these procurement activities are comprehensive and consistent with other related internal policies. However, both the clarity and communication of procurement policies could be improved, which would likely have a positive impact on compliance.

Audit Findings & Recommendations


1. Services Rendered without an Approved PO and Contract Signing Authorities

The Delegation of Authority (Annex N) of the Procurement Policy (ADM-003) states that two EDC Signing Officers are required on all contracts, one of whom must be from Purchasing and the other as designated by Purchasing. When designating a second signing authority, Purchasing refers to the Board of Director Resolution Respecting Signing Officers (Board Resolution). The PPF also states that an authorized purchase requisition (PR), PO, and where applicable, executed contract, must be in place in advance of the receipt of goods or rendering of services.

During our testing, we found several instances where supplier services were rendered in advance of obtaining a PO and/or properly executed contract. In two cases, the related contracts were executed solely by the business without the engagement of Purchasing. Furthermore, the individuals who executed these two contracts were not designated signing officers. Failure to engage Purchasing prior to the commencement of services limits their ability to influence contract/PO terms and conditions relating to confidentiality, privacy, protection of intellectual property, deliverables, payment, etc.

We have recommended increased communication of the PPF in order to enhance awareness and improve compliance. We have also recommended that a quarterly report be prepared and distributed to the Senior Management Team outlining any exceptions to the PPF in order that EDC's senior leaders may reinforce communications.

Rating of Audit Finding - Major [2]
Action Owner - Purchasing
Due Dates - All actions to be implemented by Q2 2009

[1] Our standard audit opinions are as follows:
- Strong Controls: Key controls are effectively designed and operating as intended. Best in class internal controls exist. Objectives of the audited process are most likely to be achieved.
- Well Controlled: Key controls are effectively designed and operating as intended. Objectives of the audited process are likely to be achieved.
- Opportunities Exist to Improve Controls: One or more key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process may not be achieved. The financial and/or reputation impact to the audited process is more than inconsequential. Timely action is required.
- Not Controlled: Multiple key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process are unlikely to be achieved. The financial and/or reputation impact to the audited process is material. Action must follow immediately.

2. Rules For Retaining Consulting Services Exceptions Approval Process

In April 2006, Rules for Retaining Consulting Services (the Rules) and processes were introduced with input from the Human Resources, Legal Services, and Purchasing teams within EDC. These rules and processes were established in order that EDC would avoid having a consultant deemed to be an EDC employee under the Income Tax Act, the Canada Pension Plan Act, the Employment Insurance Act, the Canada Labour Code and/or the Common Law, with all of the corresponding legal obligations associated with such a designation. The Rules were applied prospectively to all contracts executed after April 30, 2006. Exceptions to the Rules require formal approval from the team SVP and either the SVP HR or the EVP and CFO.

As part of our audit, we reviewed the process design for obtaining approvals of exceptions to the Rules.
We found that memos requesting approval were not standardized and therefore did not always provide the approval authorities with a full description of the exception, including appropriate context. Furthermore, the process does not require business teams to seek advice from Legal Services in terms of the exposure (if any) these exceptions could create for EDC and include this input as part of the approval request.

We have recommended that a standard template be implemented for approval memos in order to ensure approval authorities are provided all relevant information to support their decision. This could include input from Legal Services.

Rating of Audit Finding - Major
Action Owners - Purchasing in Consultation with Legal Services
Due Date - All actions to be implemented by Q1 2009

3. Adequacy of Procurement Policy & Procedure Framework

EDC's Procurement Policy (ADM-003) and related Procurement Procedure Framework (PPF) provide the principles, authority and responsibility for the procurement of goods and services. Both are subject to a periodic review. The next review is planned for December 2008.

Overall, we found that ADM-003 and the PPF are comprehensive and consistent with other internal policies. However, we noted certain clauses which, given current practices, should be reconsidered as part of the December 2008 review. For example, Section 9.0 of the PPF allows non-compliant transactions to be processed as long as the policy deviation is approved by the next higher budget authority. This clause marginalizes the business benefit of the PPF. Another example is the requirement that written summaries of the vendor selection process be provided to Purchasing by the team initiating the procurement for all procurement transactions in excess of $25K CAD. This includes selection criteria, supplier proposals, evaluations and the rationale for selection. Compliance with this requirement is low and likely reflects the perceived lack of benefit for lower value transactions.

We have recommended that a general review of ADM-003 & the PPF be performed.

Rating of Audit Finding - Major
Action Owners - Purchasing in Consultation with Legal Services
Due Date - Q1 2009

[2] The ratings of our audit findings are as follows:
- Major - a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is more than inconsequential. The process objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or process objectives are achieved.
- Moderate - a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.
- Minor - a weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost effective.

4. Engagement of Legal Services

Within the context of the procurement process, Legal Services is responsible for drafting and/or reviewing procurement contracts in order to minimize financial and reputation risk. However, during our audit, we noted that full clarity does not exist regarding the scenarios/circumstances for engaging Legal Services in the review of a contract prior to its execution. Furthermore, the results of contract reviews performed by Legal Services are not always maintained by Purchasing. Failure to systematically engage Legal Services has resulted in the following types of occurrences: deliverables not clearly defined, unfavourable payment terms and/or failure to execute confidentiality agreements.

We have recommended that Purchasing & Legal Services clarify the criteria for obtaining input from Legal Services and that evidence of the review by Legal Services be maintained in the purchasing files.

Rating of Audit Finding - Moderate
Action Owners - Purchasing in Consultation with Legal Services
Due Date - All actions to be implemented by Q1 2009

5. General Efficiency Opportunities

Currently the creation of a Purchase Order is automated, but all steps in the process leading up to the creation of the PO are manual. For example, purchase requisition approvals are manually routed and documented, business rules are applied manually, related POs are manually identified and tracked, and PO change requests cannot be processed electronically, which means a new PO must be created.
As a result, many aspects of the procurement process are prone to error.

We have recommended that alternatives for automating portions or all of the procurement process be examined.

Rating of Audit Finding - Moderate
Action Owners - Purchasing
Due Date - Q1 2009

6. Opportunities to Further Leverage the Procurement Review Committee (PRC)

The current role of the PRC, as outlined in both EDC's Procurement Policy and the PPF, is to provide advice on the application of procurement policies, monitor compliance, and advise on supplier complaints. During the audit, we found that PRC is not always being engaged, mainly due to its limited "advisory" role.

We have recommended that the existence of the PRC be revalidated. If the decision is made to continue with the PRC, consideration should be given to expanding its role to include authority to enforce procurement policies and report non-compliant transactions to EDC Executives. In addition, consideration should be given to expanding the composition of PRC to include representation from the business teams as a means of ensuring stakeholder perspectives are fully considered when enforcing policies. The expanded role and composition may also help ensure PRC is engaged once budgets have been finalized to give sufficient lead time to plan any competitive tendering requirements.

Rating of Audit Finding - Moderate
Action Owners - Purchasing
Due Date - All actions to be implemented by Q2 2009

7. Contract Execution Dates

EDC contract templates include a standard phrase to capture the contract effective date. However, the templates do not include a section to record the date the contract was signed by either EDC or the supplier. As a result, it can be difficult to establish when a liability has been incurred for financial reporting purposes (i.e. accruals and off-balance sheet commitments).

We have recommended that contract templates be modified to include a date line below the signature block.

Rating of Audit Finding - Moderate
Action Owners - Purchasing in consultation with Legal Services
Due Date - All actions to be implemented by Q4 2008

Conclusion
The audit findings and recommendations have been communicated to and agreed by management, who has developed action plans that are scheduled for implementation no later than Q2 2009. We would like to thank management for their support throughout the audit.