Audit of Contracting and Procurement (Goods and Services)
Audit Report - March 2010

PDF (163 KB)
Table of contents

1.0 Executive Summary

1.1 Background

Public Safety Canada (PS) manages a budget of $430 million and has a workforce of approximately 900 employees. The volume of contracts processed in 2007-2008 was approximately 2,200 transactions for a total amount of about $31 million. Contracting and procurement activities are essential to support the department in achieving its objectives but are also subject to a high level of public scrutiny across the federal government. One of the key challenges across the federal government is to establish contracting and procurement policies and practices that are flexible enough to meet business needs and also ensure fairness, openness and transparency.

The Risk-based Audit Plan, which was approved by the Internal Audit Committee in June 2008, included the carry-over assurance audit of contracting and procurement activities to be completed in 2008-2009. Given that no review or audit of contracting and procurement activities had been conducted, it was felt that an audit would provide valuable information to improve the efficiency and effectiveness of the procurement activities.

Building capacity for the future is a major thrust for the Contracting and Procurement Unit (CPU). As the lead position for the CPU only assumed responsibility in February 2007, most of the efforts during the period audited – fiscal year 2007-2008, were towards gaining an understanding of the nature of the contracts and planning for the development of a contracting and procurement management control framework, while maintaining the day-to-day activities.

The responsibility for procurement and contracting activities are shared between program managers and the CPU. Program managers are responsible for much of the upfront work such as the definition of the requirements, the selection of the contracting method, and the selection of the vendors as well as the administration of contracts. The CPU is responsible for the development of policies, procedures and guidelines; the provision of advice; and, the implementation of monitoring and quality assurance processes. Also, as the procurement authority, the CPU manages the procurement process.

1.2 Audit Objectives and Scope

The purpose of the audit was to assess the appropriateness and effectiveness of the management control framework in place to support contracting and procurement activities.

The audit focused on the end-to-end contracting and procurement activities for the fiscal year 2007-08.

1.3 Audit Opinion

In my opinion, the management control framework was not adequate to support contracting and procurement activities and thus, requires significant improvements and management focus. With a lack of proper documentation for some aspects related to contracting activities, inappropriate approvals and insufficient procedural guidelines, the department is exposed to inappropriate and ineffective contracting and procurement practices.

1.4 Statement of Assurance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed to by management. The criteria were based on the TB Management Accountability Framework (MAF) element related to “Effective Procurement” and the Canadian Institute of Chartered Accountants “Criteria for Control” (COCO) model. The opinion is applicable only to the entity examined. In our professional judgment, the evidence that has been gathered was sufficient to provide senior management with reasonable assurance of the accuracy of the opinion from this internal audit.

1.5 Audit Findings

At the time of the audit, the CPU was in the process of strengthening its management control framework, moving from informal processes to a formal management control framework. This is illustrated by initiatives such as the preparation of a departmental Contracting Policy and Procedures Guide, and plans to have a Contract Review Committee (CRC) in place for the fiscal year 2009-2010. Although there still remains a lot of developmental work, these initiatives indicate that the CPU is going in the right direction.

It should be noted that while the CPU had already begun addressing some of the issues raised in this report at the time of the audit, the impact of the new controls and procedures was not fully realized. This is due to the significance and the nature of the changes compounded with CPU's capacity issues. Specifically, the audit made the following observations:

Compliance

While the audit determined that the business requirements were appropriately defined, improvement opportunities exist with regard to the upfront planning in order to support the appropriate contracting method, to ensure that the contracting and procurement of goods and services result in best value, and to ensure policy requirements are met.

The audit noted the absence of sufficient information and guidelines to support managers when exercising delegated spending authority. As a result, a number of improper signing authorities were found. Notwithstanding the issues noted above, the procurement of the goods and services appeared legitimate and reasonable.

Also, the audit found the documentation trail surrounding contracting files to be cumbersome and in some cases incomplete.

Management Control Framework

The audit found that the key components of a sound management control framework were not in place during the period audited to effectively support contracting and procurement activities. Key weaknesses included the absence of: clearly defined roles and responsibilities; policies, procedures and guidelines to support individuals performing their assigned responsibilities; and the need to perform trend analysis supporting informed decision-making.

1.6 Management Response

Management agrees with all recommendations included in the Internal Audit of Contracting and Procurement and is committed to do what is necessary to address each recommendation. Work is now underway or completed in relation to each of these nine recommendations. This audit focused on the procurement activities for the period between April 1st, 2007 and March 31st, 2008. As recognized in the audit report, at the time of the audit, the Contracting and Procurement Unit (CPU) was already in the process of strengthening its management control framework. This is illustrated by initiatives such as the preparation of the Departmental Contracting Policy and Procedures Guide and the plans to have the Contract Review Committee in place.

Management expects that substantial implementation will be achieved before the end of the fiscal year 2009-10 and full implementation early in the following year.

To this end, policies and procedures surrounding delegated financial authorities have been developed and communicated to managers, the procurement review mechanism is now in place and the review of the security roles in the financial system has been completed.

Work remains to be done in the area of the development of a risk-based approach of the monitoring activities and service standards.

2.0 Audit Report on Contracting and Procurement

2.1 Background

The Contracting and Procurement Unit (CPU) within Public Safety Canada is under the responsibility of the Corporate Management Branch. The CPU manages departmental contracting and procurement strategies, develops tools, training and guidelines for program managers, and prepares/processes all departmental contracts and purchase orders.

The expected results are as follows:

Public Safety Canada (PS) manages a budget of $430 million and has a workforce of approximately 900 employees. The volume of contracts processed in 2007-2008 was around 2,200 transactions for a total amount of about $31 million. Contracting and procurement activities are essential to support the department in achieving its objectives but are also subject to a high level of public scrutiny across the federal government. One of the key challenges across the federal government is to establish contracting and procurement policies and practices that are flexible enough to meet business needs and also ensure fairness, openness and transparency.

The risk-based audit plan, which was approved by the Internal Audit Committee in June 2008, included the carry-over assurance audit of contracting and procurement activities to be completed in 2008-2009. Given that no review or audit of contracting and procurement activities had been conducted, it was felt that an audit would provide valuable information to improve the efficiency and effectiveness of procurement activities.

Building capacity for the future is a major thrust for the CPU. As the lead position for the CPU only assumed responsibility in February 2007, most of the efforts during the period audited – fiscal year 2007-2008, were towards gaining an understanding of the nature of the contracts and planning for the development of a contracting and procurement management control framework, while maintaining the day-to-day activities. The departmental 2008-2009 Integrated Human Resources and Business Plan identified the lack of a core group of permanent contracting and procurement staff as an important risk to the efficiency of the operations, consistency of direction and conformity to policies and procedures. The CPU continues to face the challenge of attracting qualified staff as it builds capacity within the procurement function, as all departments are competing for the same skill sets.

The responsibility for procurement and contracting activities are shared between program managers and the CPU. Program managers are responsible for much of the upfront work such as the definition of the requirements, the selection of the contracting method, the selection of the vendors, as well as the administration of the contracts. The CPU is responsible for the development of policies, procedures and guidelines; the provision of advice; and the implementation of monitoring and quality assurance processes. Also, as the procurement authority, the CPU manages the procurement process.

At the time of the audit, the CPU was in the process of strengthening its management control framework, moving from informal processes to a formal management control framework. This is illustrated by initiatives such as the preparation of a departmental Contracting Policy and Procedures Guide, and plans to have a Contract Review Committee (CRC) in place for the fiscal year 2009-2010. Although there still remains a lot of developmental work to do, these initiatives indicate that CPU is going in the right direction.

2.2 Audit Objectives

The purpose of the audit was to assess the appropriateness and effectiveness of the control framework in place to support contracting and procurement activities. More specifically, the audit objectives were to provide reasonable assurance that:

  1. An adequate management control framework was in place to effectively support contracting and procurement activities; and
  2. Contracting and procurement activities were processed in a manner that was compliant with applicable policies, procedures and regulations.

2.3 Scope and Approach

The audit focused on the end-to-end contracting and procurement activities for the period between April 1, 2007 and March 31, 2008. The components of the management control framework that were examined as of March 31, 2008, included: business plans, risk management processes, roles, responsibilities, accountabilities, authorities, procedures, and monitoring mechanisms.

The audit included various tests, as considered necessary, to provide senior management with reasonable assurance of the accuracy of the opinion. These tests included, but were not limited to, interviews, observations, walkthroughs, review of supporting documentation, sampling of transactions and analytical reviews.

Approach for Audit Objective 1:

The audit approach involved interviews with CPU personnel, reviews of documentation (organization charts, roles and responsibilities, allocation of resources), and walkthroughs of the contracting and procurement processes.

Approach for Audit Objective 2:

Sampling techniques were used to identify the transactions that were tested for compliance.

Fiscal Year 2007-2008 Contract Types
Image Description

A statistical sample of transactions was randomly selected from the population for testing of overall compliance with elements within the scope of the audit. The sample size was 81 contractsNote 1. The majority of the sample was randomly selected, with the remaining portion established based on data analysis or judgement depending on the various contracting and procurement activities included in the audit scope. (See Appendix B for details)

The audit, based on conventional benchmark standards, used the following guidelines to identify the level of deviations:

2.4 Findings, Recommendations and Management Response

At the time of the audit, the CPU was in the process of strengthening its management control framework, moving from informal processes to a formal management control framework. This is illustrated by initiatives such as the preparation of a departmental Contracting Policy and Procedures Guide, and plans to have a Contract Review Committee (CRC) in place for the fiscal year 2009-2010. Although there still remains a lot of developmental work, these initiatives indicate that the CPU is going in the right direction.

It should be noted that while the CPU had already begun addressing some of the issues raised in this report at the time of the audit, the impact of the new controls and procedures was not fully realized. This is due to the significance and the nature of the changes compounded with CPU capacity issues. Specifically, the audit made the following observations:

2.4.1 Contract Initiation Policy and Procedure

The CPU, similar to the department as a whole, is relatively new and in the early stages of defining its systems of internal control. The CPU has been mainly focused on staffing, training and fulfilling the day-to-day activities which has delayed the development and communication of risk-based policies, procedures and guidelines. The absence of formal policies and procedures brought about some compliance issues related to the initiation of the contract and key standard government terms and conditions. While the audit noted that the business requirements were appropriately defined, improvement opportunities exist with regard to the upfront planning done by Responsibility Centre Managers (RCM) to select the appropriate contracting method, to ensure the contracting and procurement of goods and services results in best value, and to ensure that policy requirements are met. More specifically, the audit noted the following:

Recommendation:

1. The CPU should develop policies, procedures and guidelines related to contracting and procurement activities. These policies, procedures and guidelines should be effectively communicated to both CPU and program managers.

Management Action Plan
Management Action Plan Completion Date
Management agrees with the recommendation.
1. Initiatives are already underway. The following steps will be actioned by the Director of Program Services and the Chief of Material Management:
The first departmental Contracting Guide will be published on InfoCentral, providing an overview of the government polices and processes and the departmental processes, roles and responsibilities and templates. March 31, 2009
A Best Practices guide is being developed for the use of PS Online September 30, 2009
A training and orientation program for Program Managers will be developed March 31, 2010

2.4.2 Approval Processes

PS has implemented some control mechanisms over its delegated authorities including, but not limited to, a departmental Delegation of Authority (DOA) matrix, signature cards, and an internal contract review process. Based on a review of these control mechanisms, the audit identified a number of opportunities for improvement, which once addressed will contribute to strengthening the approval structure.

The audit noted that the DOA matrix could be more comprehensive. For instance, some procurement methods were not indicated. Further, aside from the DOA matrix, the audit found limited documents providing information and guidelines to support employees and managers when exercising delegated spending authority (e.g. expenditure initiation, commitment, and contracting authorities, and the authority to confirm contract performance and price granted to officers).

As required by the TB Policy on Delegation of Authority, when contracting authority is delegated as a subdivision of the spending authority to a centralized function, the contracting authority must be exercised only when the RCM responsible for the budget authorizes it. For a significant number of contracts, no evidence was found whereby RCM duly authorized the CPU to exercise contracting authorities on their behalf. This is important in order for RCM's to maintain the accountability for the management of their resources.

In addition to the DOA matrix, signature cards provide further authority details specific to each person, including restrictions when deemed necessary, as well as their original signature. The signature cards also provide the documentary support to ensure that the signatures of persons authorized to exercise authorities can be authenticated before or after the processing of various transactions. The audit found the following deviations indicating that the authentication and monitoring activities need to be strengthened.

PS has developed a “routing slip” in support of a comprehensive approval and monitoring process. Various approvals and reviews are required based on the nature and value of the contracting vehicle. While the audit found that the use of the “routing slip” was generally compliant with internal policies, improvement opportunities exist to improve the clarity regarding the use of the “routing slip”.

It is noteworthy to mention that the incidents noted above had no specific trend with regard to any one individual, type of contract, or dollar value. Also, while there were insufficient approval levels or inappropriate delegation to these individuals, the procurement of the goods and services appeared legitimate and reasonable.

The audit has noted that control improvements pertaining to Approval processes have been made recently, including 1) the requirement for DOA training before delegation is granted, 2) the electronic posting via the intranet of the DOA matrix, and 3) developing a new DOA matrix.

Recommendations:

2. Financial Services, in conjunction with the CPU, should ensure that policies and procedures surrounding delegated financial authorities are effectively communicated to RCM's.

3. Financial Services, in conjunction with the CPU should develop effective review processes to monitor compliance to the DFSA matrix and the TB Policy on Delegation of Authority.

Management Action Plan
Management Action Plan Completion Date
Management agrees with the recommendations.
2. The following steps will be actioned by the Director of Financial Services and Systems:
Information sessions will be conducted with RCM's and will be repeated when operationally required to ensure a clear understanding of the delegation matrix and the related responsibilities for financial decisions. Sessions will begin before March 31, 2009
The Departmental Financial Signing Authorities (DFSA) instruments, including matrix, supporting notes and a table of Equivalent positions will be posted on InfoCentral. March 31, 2009
3. The following steps will be actioned by the Director of Financial Services and Systems:
PS Policy on DFSA which is currently being drafted will provide guidelines and procedures on obtaining, changing and removing delegated authority. March 31, 2009
A formal monitoring process to ensure compliance with the DFSA matrix will be implemented following the initial periodic information sessions to program managers to ensure a sound understanding of delegated authorities and the related accountability with each financial decision. December 31, 2009

2.4.3 Documentation

The TB Contracting Policy requires that all options, decisions, approvals and justifications be documented. While all contracting files do not require the same level of documentation, files should include enough information, based on the level of risk, materiality and significance, in order to support accountability and transparency. The audit found that there were no formal guidelines surrounding documentation requirements of contracting files. As a result, during the process of obtaining and reviewing key contracting and procurement documents, the audit found the documentation trail to be cumbersome and in some cases incomplete.

Also, in a moderate number of payments, invoices could not be found. Without these invoices, the audit could not determine whether:

The failure to maintain complete contracting and procurement files that contain contracting details related to relevant communications and decisions including the identification of involved officials and contracting approval authorities hinders the ability of the department to facilitate appropriate management oversight.

2.4.4 Management Control Framework

The audit found that the key components of a sound management control framework were not in place during the period audited to effectively support contracting and procurement activities. Key weaknesses included the absence of: clearly defined roles and responsibilities; policies, procedures and guidelines to support individuals performing their assigned responsibilities; and the need to perform trend analysis supporting informed decision-making. Specific issues noted during the audit were:

For the fiscal year 2008-09, although not included in the scope of our audit, the CPU has defined their business strategy and objectives, including an assessment of HR requirements.

The audit also noted inefficiencies within the procurement processes. These inefficiencies burden the procurement capacity and increase the risk of errors. Examples of areas for improvement include:

Recommendations:

4. The CPU should continue to strengthen all key components of a sound management control framework related to planning, including the development of: an integrated human resources and business plan; a performance management process; and service standards.

5. The CPU should adopt a risk-based approach for the identification and selection of contracts subject to monitoring, as well as for determining the frequency and timing of monitoring activities.

6. The CPU should produce reports which identify, explore and analyze contracting trends and anomalies to support monitoring and decision-making.

7. The CPU should clearly define and communicate roles and responsibilities in regard to the contracting and procurement activities.

8. The Comptrollership directorate should address the operational segregation of duties within the SAP system applications.

9. PS, as a whole, led by the Corporate Management Branch, should continue to strengthen the upfront responsibility of program managers for the overall planning and understanding of contracting and procurement activities.

Management Action Plan
Management Action Plan Completion Date
Management agrees with the recommendations.
4. Initiatives are already underway as outlined in the Action Plan for Recommendation # 1. The following steps will be actioned by the Director of Program Services and the Chief of Material Management:
The Department will establish a Contract Review Committee to provide additional oversight. April 1, 2009
The Contracting Unit will consult with other departments on the establishment of service standards and will develop departmental standards. March 31, 2010
5. The following steps will be actioned by the Director of Program Services and the Chief of Material Management:
The Contracting Unit will consult with other government departments and develop a risk-based approach for monitoring contracting activity. March 31, 2010
6. The following steps will be actioned by the Director of Program Services and the Chief of Material Management:
The Contracting Unit has developed a tracking system which will facilitate the generation of management information reports in addition to the reports currently prepared: Proactive Disclosure and Annual Contracting Activity Report. A contracting activity report will be provided to the Management Committee by June 30th of each year. The information will be based on the data provided on an annual basis to PWGSC. June 30, 2009 and annually thereafter
7. The following steps will be actioned by the Director of Program Services and the Chief of Material Management:
As noted above the departmental Contracting Guide and the proposed training will assist in defining and communicating roles and responsibilities. Ongoing
8. The following steps will be actioned by the Director of Financial Services and Systems:
In August 2008 a review of the segregation of duties within SAP User Profiles was initiated. Since that time, Financial Services and Systems Division has been dedicated to reducing and/or mitigating the related risks on an ongoing basis. User Profiles will be adjusted and other actions outside of the financial system, including documentation will be undertaken, to mitigate risks.

PS is dependant on the RCMP to host its financial system. The basic system roles are shared with the RCMP, therefore, completion of this plan is subject to the RCMP priorities and schedule. If a system-based solution is not possible, alternate compensating controls will be developed.
September 30, 2009
9. The following steps will be actioned by the Director of Program Services and the Chief of Material Management in conjunction with Responsibility Centre Managers:
The Department is continuing to enhance contract planning. For example, as a pilot project in April 2008, the Department established a contracting plan for the Canadian Emergency Management College based on the projected course schedule for the next two fiscal years. All the contractual requirements were grouped into eight commodities and the Department will be preparing Requests for Proposals for these commodities for a two-year period. This will alleviate awarding ad hoc contracts and will ensure a much more open and transparent process.

Last year the Communications Branch developed and adopted a procurement strategy designed to consolidate individual purchases into larger contracting purchases. It alleviates burdens on procurement managers and suppliers as well as increases internal capacity to track related acquisitions.

Based on the results of these approaches, the CPU will continue to work with Program Managers to seek opportunities for improved planning of Contracting and Procurement activities.
Ongoing

Appendix A – Audit Criteria

The following is a summary of the key criteria developed to provide a framework in assessing the extent to which CPU activities, were meeting the audit objectives.

Appendix B – Contract and Audit Sampling Statistics (Fiscal 2007-2008)

Contract and Audit Sampling Statistics
Contracting Audit Test #1 Population Statistics Audit Sample Statistics (Audit Sample #1)
Contract Type and Method * Symbol Population Population % Population Value ($K) Population Value % Audit Sample Audit sample % # of population Audit Sample Value ($K) Audit Sample % $ of Population Value
Construction Traditional Competitive CTC 2 0% $31 0% 0 0% $ - 0%
Construction Traditional Non-competitive CTN 4 0% $9 0% 0 0% $ - 0%
Goods Traditional Competitive GTC 152 7% $1,571 5% 10 7% $ 220 14%
Goods Traditional Non-competitive GTN 458 21% $1,273 4% 16 3% $ 10 1%
Services Traditional Competitive STC 182 8% $10,481 34% 6 3% $ 2,996 29%
Services Traditional Non-competitive STN 409 19% $5,078 16% 21 5% $ 2,375 47%
Call-up Against Standing Offer SO 990 45% $12,723 41% 28 3% $ 846 7%
Total   2197 100% $31,166 100% 81 4% $ 6,447 21%
* Note - Population information taken directly from SAP
Contracting Audit Test #2 - Trend analysis performed on the entire contracting population of 2197 contracts and 31M.
Contracting Audit Test #3 - Free Balance (Audit Sample #2)
Population of Free Balance Vendors: Approx. 960 vendors
$ Value of Free Balance Vendors: Approx. $5.1M
Audit Sample of # of transactions of Free Balance Vendors: 33 vendors
Audit Sample $ Value of Free Balance Vendors: $1.8M (36%)

Notes

  1. 1

    This is based on a level of confidence of 95%, an expected error rate of 5% and a precision rate of 5%.

Date modified: