Internal Audit of Procurement – Phase 1

Table of Contents

Conformance with professional standards

This audit conforms to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Background

Procurement within the Public Service and Procurement responsibilities at Public Safety Canada

The objective of the Treasury Board (TB) Directive on the Management of Procurement (Directive) is that procurement of goods, services and construction obtains the necessary assets and services that support the delivery of programs and services to Canadians, while ensuring best value to the Crown. Procurement activities within the Public Service must be carried out in accordance with the established Government of Canada procurement framework, which includes but is not limited to the Directive, the Financial Administration Act (FAA), Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest, and the Government Contracts Regulations. In addition, there are numerous procurement mechanisms (a competitive procurement process or a non-competitive procurement process) with varying restrictions and requirements that can make procurement both complex and challenging.

At Public Safety Canada (PS), procurement is considered a critical internal service that plays a key role in the delivery of departmental core responsibilities and priorities. As such, PS must ensure that procurement activities have adequate internal controls in place to mitigate risks, comply with the federal procurement framework and stand the test of public scrutiny.

At PS, the Contracting and Procurement Unit (CPU) resides within Procurement, Material Management and Real Property (PMMRP) of the Corporate Management Branch (CMB). This unit is comprised of contracting authorities, responsible for managing all departmental contracting, strategies and processes related to procurement, with engagement from various stakeholders (e.g., security, finance, information technology) as appropriate.

The Investment Planning and Policy Unit (IPPU) of PS resides within PMMRP and was created, in part, as a result of the introduction of the Directive on the Management of Procurement, which became effective in May 2021. IPPU’s main responsibilities include the interpretation of the Directive and the development and implementation of a Procurement Management Framework (ProcMF).

Business owners are responsible for planning their procurement requirements and providing clear and comprehensive descriptions of the intended outcomes for each procurement process. Business owners, with the support of CPU’s contracting authorities, must also develop all required documentation, such as: statements of work and evaluation criteria; conduct the bid evaluation process; and manage resulting contracts.

Procurement activities at Public Safety Canada

Over the past two fiscal years, the volume of procurement transactions processed by Public Safety Canada (PS) amounted to 618 transactions in fiscal 2021-22 and 633 transactions in fiscal 2022-23 with a total value of approximately $21.4 million and $26.9 million, respectively. The term ‘transaction’ refers to the original contract issued, as well as any amendment(s) or correction(s) made thereafter to either the text (administrative amendments) or dollar value(s) associated with contracts awarded.

Table 1: Number of original contracts by contracting method for fiscal year 2021-22
Contracting method Number Final contract value (M)
Traditional non competitive 114 $3.1
Traditional competitive 259 $16.3
Open bidding 18 $2
Selective tendering 0 $0
Total 391 $21.4
Table 2: Number of original contracts by contracting method for fiscal year 2022-23
Contracting method Number Final contract value (M)
Traditional non competitive 176 $11.3
Traditional competitive 251 $11.6
Open bidding 14 $3.1
Selective tendering 9 $0.9
Total 450 $26.9

Audit objective and scope

The objective of this audit was to provide reasonable assurance that the controls in place are appropriate and effective to support procurement activities, consistent with the applicable acts, regulations and directives.

Scope inclusions

The scope of this audit examined procurement activities conducted by the CPU of the CMB during fiscal years 2021-22 and 2022-23.

Scope exclusions

The audit did not assess the Procurement Management Framework (ProcMF) currently in development by the CPU. The ProcMF will be examined separately as part of the second phase of the Audit of Procurement. Scheduling for this phase will be outlined within the 2024-25 Risk-Based Audit and Evaluation Plan.

Contracts processed through PSPC and SSC were excluded from the population of procurement transactions, CPU is not responsible for the procurement strategy and process.

Methodology and approach

For each criteria established, an audit methodology was developed to adequately examine the area to allow the engagement team to conclude on the objective. Accordingly, the following methods were applied:

Interviews

Multiple interviews were conducted within Procurement, Material Management and Real Property (PMMRP), which included the Contracting and Procurement Unit (CPU) and Investment Planning and Policy Unit (IPPU). Additional interviews were conducted with policy and program representatives of the Emergency Management and Programs Branch, one of the largest users of procurement services within the Department. Communication with the office of primary interest, CPU, was maintained throughout each phase of the audit.

Document review

Relevant documents reviewed, included, but were not limited to, the following:

Data analysis and testing

The audit included contracting activities over the period of April 1, 2021 to March 31, 2023. The population for selection consisted of 1,251 PS procurement transactions that included both original contract entries as well as amendments or corrections made thereafter for text (administrative amendments) or dollar value (financial amendments). There were 171 transactions selected at random from the population consisting of 84 original contract entries and 87 amendments, using a confidence level of 95% and a margin of error of 10%.

Observations

Observation 1: Procurement activities are largely conducted in compliance with relevant legislation, regulations, and policies pertaining to delegated spending and financial authorities, with a few exceptions.

The Department must ensure that adequate controls are in place to ensure compliance with the applicable legislation and relevant guidelines, to protect the integrity of the procurement process in a manner that will stand the test of public scrutiny and reflect fairness in the spending of public funds, which includes requirements for contract commitment (Section 32), transaction (Section 41) and certification (Section 34) authorities of the FAA.

Under contract management and documentation of the Directive, Section 4.10 specifies that contracting authorities are responsible for ensuring that accurate and comprehensive procurement records applicable to the contract file are created and maintained to facilitate management oversight and audit.

We assessed whether PS officials who exercised their authority under the FAA in procuring goods or services had the appropriate delegation to do so by comparing their Financial Authority Specimen Signature Record with the information on the purchase requisition, the contract, the call-up against a standing offer (SO)/supply arrangement (SA) and the invoice.

Commitment authority

Out of the 171 sample transactions, excluding text amendments, there were 114 transactions that required a commitment authority i.e. Section 32 of the FAA. File testing indicated the following:

Transaction authority

We reviewed 145 procurement transactions that required a new contract i.e. a transaction authority Section 41 of the FAA. Transactions were verified to ensure that appropriate evidence was on file; this included a signed contract or call-up against a standing offer (SO)/supply arrangement (SA). File testing indicated the following:

Confirming orders

Within the sample, we identified two instances of contracts of low dollar value being signed after the services were rendered or goods delivered. Those instances are called ‘confirming orders’. Confirming orders occur when a formal procurement vehicle has not been sought or put in place by an appropriately delegated individual, but an agreement has been made and work has been undertaken or goods/services delivered.

Instead of Section 32 of the FAA, completed and signed substantiation forms approved at the Director General level or higher were provided for both contracts as per PS guidelines. However, we were not able to assess the breadth of the use of confirming orders as there is no distinct code to identify confirming orders in the financial system.

“It is a Government wide policy that confirming orders be avoided.” Confirming orders may expose the Department to several risks: fraud, unfavorable terms and conditions, financial, non-compliance, false legal obligations between a supplier and the Department. CPU should consider the tracking and reporting of confirming order cases to minimize their use by Business Owners.

Certification authority

For certification authority Section 34 of the FAA, we requested one invoice per contract for the 84 sample contracts. There were 71 invoices provided, as in some cases, there were no invoices submitted during the period under review. The results of the testing indicated the following:

Payment authority

The authority to release payment, is located within the Department’s financial system along with numerous robust system compensating controls to validate when Section 33 of the FAA is exercised. As such, no testing was conducted in this area.

Segregation of duties

According to Treasury Board’s Directive on Delegation of Spending and Financial Authorities, the same individual must not exercise both transaction authority (Section 41 of the FAA) and certification authority (Section 34 of the FAA) on the same transaction, except if the transaction has been designated by a department as a low-risk and low-value transaction.

In this regard, there was one instance where the Section 41 of the FAA and Section 34 of the FAA authority was provided by the same individual. This was a sole source contract for professional services, considered low value and low risk, and did not exceed the sole source limitation of $40K.

Errors in SAP entries

During the verification of financial authorities, we observed numerous SAP transactions where the original contract, amendment and/or final contract values appeared to contain errors and did not match the supporting documentation for those transactions. Some of the financial amendments or SAP transactions should have been entered as text or administrative amendments which resulted in anomalies in the contract file and in some cases to the proactive publication.

Observation 2: Procurement activities are supported by adequate documentation to demonstrate fairness, openness, and transparency. However, opportunities exist to enhance recordkeeping practices and the accuracy of proactive publication of contract information.

The Department must ensure that procurement activities are subject to an effective set of controls to review, approve, solicit, award, and manage contracts in accordance with the Directive on the Management of Procurement and the Government Contracts Regulations.

Under contract management and documentation of the Directive, Section 4.10 specifies that contracting authorities are responsible for ensuring that accurate and comprehensive procurement records applicable to the contract file are created and maintained to facilitate management oversight and audit.

Guidance for procurement Officers

CPU has developed procedures, checklists, forms, templates, procedures and guides to provide guidance and consistency in procurement activities. They are available and made accessible to procurement officers through RDIMS, GCDocs and SharePoint. Checklists indicate what documents are required to support file completeness with appropriate authorizations before proceeding to contract award. The shift from hardcopy to electronic procurement files started during the pandemic. We found these checklists as high-level in nature, with different versions in use.

As well, although documented on the checklist, inconsistencies were observed in saving and retaining supporting documentation into RDIMS. This includes naming convention and creating folders for contract files, which makes it challenging to locate documents in RDIMS.

The inconsistencies in procurement record-keeping could lead to the inability of the Department to provide sufficient and appropriate evidence to demonstrate that its procurement practices are fair, open and transparent.

Examination of competitive contracts

From the initial sample of 84 contracts, there were 45 contracts identified as being competitive i.e. traditional competitive, open bidding and selective tendering. The examination of the sample confirmed that 43 out of 45 contracts (95%) contained all required documentation on file (e.g. completed Statement of Work, completed Evaluation Criteria, Request for Proposal, completed Security Requirements Checklist) and complied with the applicable requirements to demonstrate fairness, openness, and transparency. For the remaining two contracts, the procurement files were missing evidence of Confidentiality and Conflict of Interest forms or Security of Cabinet Confidences form.

In terms of the use of the Security of Cabinet Confidences form, the form itself appeared to be developed internally and had no official markings. While the form provides spaces for an individual’s name and signature, there is no additional field to link the document to a particular contract and in many cases, lacked the date it was signed by the project authority. Given the recent release of the Policy and Standard on the Security of Cabinet Confidences, the form together with its wording require updating to remain current.

There was evidence on file demonstrating CPU’s role in playing a challenge function for both the Evaluation Criteria and Statement of Work, where applicable. Additional evidence also suggested that contracts were awarded to vendors identified as meeting the evaluation criteria.

Examination of non-competitive contracts

Regarding non-competitive contracts, we tested 39 non-competitive contracts. The examination of the sample confirmed that 38 out of 39 (97%) of non-competitive contracts had all required documentation on file (e.g. completed Statement of Work, justification for using sole source, quote from contractors) and complied with the applicable requirements to demonstrate fairness, openness and transparency. For the remaining contract, the procurement file was missing justification for an Exception to Intellectual Property.

Proactive publication of contract information

According to the Access to Information Act, contracts valued at $10,000 or above, including any subsequent amendments increasing the value of a contract above $10,000, must be proactively disclosed every quarter. According to the Directive, departments are responsible for establishing risk-based internal controls to ensure that the data included in the proactive publication of contracts is materially accurate, complete, and proactively published in a timely manner. Consideration should also be given to: a) documenting the procedures for proactive publication and the associated risk-based internal controls as part of the Departmental Procurement Management Framework; b) ensuring periodical risk-based reviews (such as sampling) of proactively published contract information to assess whether the published information is accurate and complete; and c) requiring approval of the senior designated official for the management of procurement (or a higher authority) of the data prior to proactive publication.

The Guide to the Proactive Publication of Contracts (Guide) provides guidance to managers and functional specialists on the identification, collection, reporting and proactive publication of contract information in order to provide consistent information to the public.

The publication process is not entirely automated as departments need to manually extract reports from SAP and format the information, typically in Microsoft Excel, in a way that the portal can receive the required information.

From the population of 171 transactions, there were 62 original contracts and 17 amendment transactions that met publication thresholds. Of these, we identified 10 contracts that were not properly disclosed or disclosed with errors in the original, amended or total contract value, in the Open Government portal.

These errors in publication correspond directly to the entries made in SAP, the Department’s financial system, or how the SAP values were collected and then uploaded for publication.

Considering that the proactive publication errors noted in the audit pertain to the sample within the period of review only, it was not possible to determine the full extent of the errors without reviewing the aggregate data, within the period of review, prior to that time, or within the current period for publication. It remains the responsibility and obligation of the Department to ensure the information published is not only timely, but materially accurate and complete as it falls under public scrutiny.

Observation 3: Procurement activities are largely conducted with integrity and discretion to mitigate the risk of fraud and other unethical practices, in accordance with the Directive on the Management of Procurement.

Integrity regime of the procurement process

Public Services and Procurement Canada (PSPC) ensures that the Government of Canada conducts business or concludes real property transactions with ethical suppliers in Canada and abroad. As part of the Integrity Framework, to ensure government conducts business only with ethical suppliers in Canada and abroad, PSPC runs the government-wide integrity regime on behalf of the government to strengthen the integrity of departments’ procurement and real property transactions. The regime helps foster ethical business practices, ensure due process and uphold the public trust in the procurement process.

Each department determines whether a supplier is ineligible to do business with the government. The regime applies to goods, services and construction contracts, subcontracts and real property agreements with a transaction value over $10,000. Not completing an integrity check may lead to entering into unethical contracts.

The integrity verification process with the Registrar is not required in circumstances including the following: call-ups against standing offers (SO); contracts against supply arrangements (SAs) unless contract against an SA issued prior to April 4, 2016, where the latest Integrity Provisions have been incorporated by reference into the solicitation); and task authorizations.

At PS, the checklist is the only tool indicating the requirement to verify the Integrity Database for contracts over $10,000. There appeared to be no other guidance that explained to procurement officers how and when to perform an integrity check.

From the initial sample of 84 contracts, there were 19 contracts where an integrity check was required. File testing indicated that 16 contracts (84%) had evidence of an integrity check with PSPC on file, 2 (10%) did not have evidence of an integrity check on file, and one contract (value of $15,000) was overlooked for integrity check.

Conflict of interest

Under Business owners (client department or agency, technical authority) of the Directive, Section 4.2.2 specifies that Business owners are responsible for adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest when engaging with suppliers.

Out of the 84 sample contracts, we examined 13 competitive contracts requiring each bid evaluator to complete and sign a Confidentiality and Conflict of Interest form. The testing resulted in 1 contract missing a conflict-of-interest form.

Contracts awarded to former public servants

As per the Directive, Section 4.5 specifies that Contracting Authorities are responsible for including requirements for former public servants to self-identify in solicitations and in the resulting contract clauses of service contract documents, and informing suppliers that this information will be proactively published.

Section 4.10 specifies that they are also responsible for ensuring all files must include a justification for contracting with a former public servant that includes price substantiation, risk mitigation and cost control measures to adjust for pension or lump sum payments as appropriate. As well contracts with Former Public Servants (FPS) are subject to the spending limits outlined in Appendix A: Contracting Approvals, section A.4, Former public servants contract approvals of the Directive.

Out of the 84 sample contracts, we examined 20 competitive contracts requiring that the bidder or proposed contractor self-identify as a former public servant. The results of the testing found that:

Conclusions

The audit found that overall, controls in place to support procurement activities are appropriate, effective and consistent with the applicable acts, regulations, and directives.

Spending and financial authorities were generally appropriately exercised and documented on file with a few exceptions.

Some opportunities for improvements remain such that the Department may consistently demonstrate that its procurement activities are compliant, fair, open, and transparent, particularly in the areas of information management, entries in the Departmental financial system (SAP), compliance with the Integrity Regime and proactive publication.

Audit recommendations

The following recommendations are proposed to enhance recordkeeping practices and proactive publication process in support of demonstrating value for money, openness, fairness and transparency:

Recommendation 1:
The Assistant Deputy Minister, Corporate Management Branch should develop and implement formal information management guidelines and associated training materials to ensure that supporting documentation and justification for procurement decisions are maintained on contract file, accessible and retained according to information management requirements.
Recommendation 2:
The Assistant Deputy Minister, Corporate Management Branch should develop and implement an active monitoring process for procurement files on a regular basis, including SAP entries.
Recommendation 3:
The Assistant Deputy Minister, Corporate Management Branch should develop guidance for procurement officers on requirements for verifying the Integrity Database.
Recommendation 4:
The Assistant Deputy Minister, Corporate Management Branch should review, update and communicate internal processes and procedures related to monitoring and reporting activities for the proactive publication of contracting information according to the Treasury Board Secretariat (TBS) Guide to the Proactive Publication of Contracts.
Management action plan
Recommendation Management action clan - Deliverables Planned completion date
1. The Assistant Deputy Minister, Corporate Management Branch should develop and implement formal information management guidelines and associated training materials to ensure that supporting documentation and justification for procurement decisions are maintained on contract file, accessible and retained according to information management requirements. 1.1. Create and implement information management guidelines including naming convention, file folder structures, and proper access to documentation. March 31, 2025
1.2 Develop and implement supporting training material that will include updated processes and checklists that document justifications and decisions. March 31, 2025
2. The Assistant Deputy Minister, Corporate Management Branch should develop and implement an active monitoring process for procurement files on a regular basis, including SAP entries. 2.1 Develop and implement a monitoring process of procurement files and SAP entries through a random sampling, and; June 30, 2025
2.2 Establish and implement a requirement to validate the information in SAP is accurate at time of contract award. June 30, 2025
3. The Assistant Deputy Minister, Corporate Management Branch should develop guidance for procurement officers on requirements for verifying the Integrity Database. 3.1 Add information on the Integrity Regime (when to use the integrity database) to the file checklists. August 31, 2024
3.2 Develop guidance document related to Integrity Regime March 31, 2025
3.3 Implement the guidance and ensure that Contracting Agents apply the new guidelines. April 30, 2025
4. The Assistant Deputy Minister, Corporate Management Branch should review, update and communicate internal processes and procedures related to monitoring and reporting activities for the proactive publication of contracting information according to the TBS Guide to the Proactive Publication of Contracts. 4.1 Document internal processes and procedures related to proactive disclosure reporting. This would include information on how to create purchase orders, when files need to be proactively disclosed, and how to review the data to ensure accuracy. December 31, 2024
4.2 Develop a reporting monitoring guidelines document which outlines roles and responsibilities, frequency of the review of data, process for selecting random samplings and documenting findings. This would be done outside of the proactive disclosure report deadlines to ensure that any mistakes are corrected and identify if additional training is required or clarification April 30, 2025
4.3 Proactive Disclosure training will be provided to contracting agents to ensure monitoring and reporting activities are following TBS Guide to the Proactive Publications of Contracts. April 30, 2025

Annex A - Audit criteria

Criterion 1:
Delegated spending and financial authorities are appropriately exercised during procurement activities, in accordance with the Financial Administration Act and the Directive on Delegation of Spending and Financial Authorities.
Criterion 2:
Procurement activities are subject to an effective set of controls to review, approve, solicit, award, and manage contracts, in accordance with the Directive on the Management of Procurement and the Government Contracts Regulations.
Criterion 3:
Procurement activities are conducted with integrity and discretion to mitigate the risk of fraud and other unethical practices, in accordance with the Directive on the Management of Procurement.

Annex B - Definitions

Contract:
A binding agreement entered into by a contracting authority and a contractor to procure a good, service or construction.
Former Public Servant:
A former employee of a department or agency as defined in the Financial Administration Act, a former member of the Canadian Armed Forces or a former member of the Royal Canadian Mounted Police.
Open bidding:
A competitive process that was subject to the trade agreements.
Procurement:
The process related to obtaining goods, services or construction from the planning to the completion of the procurement life cycle.
Request for proposal:
A document used to request suppliers to supply solutions for the delivery of goods or services or to provide alternative options or solutions.
Selective tendering:
A competitive process that issued against a supply arrangement.
Standing offer:
A standing offer is an offer from a potential supplier to provide goods and/or services at pre-arranged prices, under set terms and conditions, when and if required. It is not a contract until the government issues a “call-up” against the standing offer.
Supply arrangements:
A supply arrangement is a non-binding arrangement between Canada and a pre-qualified supplier that allows departments and agencies to award contracts and solicit bids from a pool of pre-qualified suppliers for specific requirements within the scope of the supply arrangement. The intent of a supply arrangement is to establish a framework to permit expeditious processing of individual bid solicitations, which result in legally binding contracts for the goods and services described in those bids.
Task authorization:
A contract with task authorizations is a method of supply for services under which work is performed on an "as and when requested basis" through an administrative process involving TAs. Contracts with TAs are used in service contracting situations when there is a defined need to rapidly have access to one or more categories of services that are expected to be needed on a repetitive basis during the period of the contract.
Traditional competitive:
A contract awarded as a result of a competitive process that was not subject to trade agreements. The competitive process aims to get the best value for Canadians while enhancing access, competition and fairness and the majority of contracts awarded to small and medium enterprises are done on a competitive basis, making it the most common process used by the government.
Traditional non-competitive:
An approach (sole-source) used in certain special circumstances such as the need of pressing emergency, where only one person is capable of performing the work (copyright or license) or the nature of the work is such that it would not be in the public interest to solicit bids.
Date modified: