Archived — Audit of Contracting
Recommended for Approval to the Deputy Minister By the DAC on
Approved by the Deputy Minister on
This publication is available upon request in accessible formats.
Multimedia Services Section
Communications and Marketing Branch
Room 264D, West Tower
235 Queen Street
Ottawa ON K1A 0H5
Permission to Reproduce
Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Industry Canada, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that Industry Canada is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, nor as having been made in affiliation with, or with the endorsement of, Industry Canada.
For permission to reproduce the information in this publication for commercial redistribution, please email: firstname.lastname@example.org
Aussi offert en français sous le titre Vérification sur la passation de marchés
Table of Contents
- 1.0 Executive Summary
- 2.0 About the Audit
- 3.0 Findings and Recommendations
- 3.1 Introduction
- 3.2 Governance
- Finding 1: Outdated IC Contracting Policy and procedure documentation
- Recommendation 1.1
- Recommendation 1.2
- Finding 2: Ineffective monitoring of contracting activities
- Recommendation 2
- Finding 3: Insufficient reporting to management
- Recommendation 3.1
- Recommendation 3.2
- 3.3 Controls
- Finding 4: Insufficient verification of CR:PSB approval for sole source contracts
- Recommendation 4
- Finding 5: Insufficient verification of CIO approval for contracts for software development
- Recommendation 5
- Finding 6: Insufficient verification of Contracting Delegations
- Recommendation 6.1
- Recommendation 6.2
- 4ANNEX A: IC Contracting Expenditures FY 06/07
- 5ANNEX B: Detailed Audit Criteria
- 6ANNEX C: Management Action Plan
1.0 Executive Summary
Contract and Material Management (CMM) is the centre of expertise for procurement at Industry Canada (IC) and, in this capacity, produces policies and procedures and provides directional guidance. The Manager's Guide to Contracting for Goods and Services, produced in September 2003, provides specific guidance when contracts are to be issued to meet specific needs. In addition, the IC delegation instrument sets forth the signing authorities for contracting activities. Together with the Treasury Board (TB) Contracting Policy, these policies and guidelines constitute the cornerstone of the management control framework for the management of IC contracting.
The audit examined the Management Control Framework (MCF) in place to monitor procurement and contracting activities within IC. The audit included an examination of procurement documents and contracts issued between April 1, 2006 and March 31, 2007 and included samples from National Headquarter (NHQ), the Ontario and Quebec Regions and all semi-autonomous organizations. Interviews were conducted with key players in the process. During this period, IC entered into just over 13,000 contracts with a total value of $123 million.
The audit was carried out to provide Industry Canada (IC) Management with reasonable assurance that the risk management system is effective, the internal control system is adequate, efficient and effective and the governance process defines and preserves values, sets goals, monitors activities and performance and defines accountability methods.
The audit of procurement and contracting activities was conducted in accordance with the approved 2006-2007 Audit Plan.
1.2 Main Findings
- There is no mechanism to update, maintain and distribute contracting policies, procedures and guidelines to all staff involved.
- There is no effective, ongoing monitoring of contracting activities within IC.
- High-level reporting of IC's contracting activities is limited to the IC-website as required by TB proactive disclosure. The report does not fully disclose contracting information as required.
- There is a weakness in the use of the internal controls for the verification of Contracts Review: Program and Services Board (CR:PSB) approval for sole source contracts greater than $25,000.
- There is no systemic verification of Chief Information Officer (CIO) approval for contracts for the software development.
- In one major Sector, a system function permitted non-delegated staff to sign contracts without reference to a higher level of authority.
The Director General, Financial Operations and Systems (DG, FO&S) responsible for CMM should:
1.4 Statement of Assurance
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed with management. The opinion is applicable only to the entity examined.
1.5 Audit Opinion
In my opinion, there are multiple risk areas presenting no serious risk exposure related to the control and governance processes of contracting that require management attention. Current risk management processes and procedures provide management with a reasonable level of assurance that IC is meeting the intended objectives of government contracting policy.
Chief Audit Executive, Industry Canada
2.0 About the Audit
The stated objective of the TB Contracting Policy is to acquire goods and services and to carry out construction in a manner that enhances access, competition and fairness and results in best value or, if appropriate, the optimal balance of overall benefits to the Crown and the Canadian people. The TB Contracting Policy states that Government contracting shall be conducted in a manner that will:>
- Stand the test of public scrutiny in matters of prudence and probity, facilitate access, encourage competition, and reflect fairness in the spending of public funds;
- Ensure the pre-eminence of operational requirements;
- Support long-term industrial and regional development and other appropriate national objectives, including aboriginal economic development; and
- Comply with the Government's obligations under the North American Free Trade Agreement, the World Trade Organization—Agreement on Government Procurement and the Agreement on Internal Trade.
Also, in 2005, fundamental changes were introduced to the way the Government of Canada purchases goods and services in keeping with the government's commitment to deliver services smarter, faster and at a reduced cost. Departments must now use a PWGSC standing offer to buy a number of goods and services.
For FY 2006/07 the IC budget was approximately $1,358 million, of which just over $123 million was expended under contractual arrangements (see ANNEX A for details). At IC, CMM is the centre of expertise for procurement and, in this capacity, produces policies and procedures and provides directional guidance. CMM responsibility includes ongoing monitoring of the procurement/contracting activities and providing management with the assurance that the function is performing as intended and in compliance with the Government Contracting Regulations.
The Manager's Guide to Contracting for Goods and Services, produced in September 2003, provides specific guidance when contracts are to be issued to meet specific needs. In addition, the IC delegation instrument sets forth the signing authorities for contracting activities. Together these policies and guidelines constitute the cornerstone of the management control framework for the management of the contracting function.
Procurement and contracting services are generally provided to the Responsibility Centre Managers (RCM) and/or contracting authorities by Administrative Officers (AO) operating in all Branches/Sectors throughout IC. Because of the decentralization of the function, it becomes more important for CMM to be able to effectively monitor the function activities.
Managers and other staff are required to take a two day introductory training course in procurement and contracting in order to receive their contracting delegations. There are dedicated procurement and contracting staff at a few locations throughout IC, primarily in the semi-autonomous organizations and major branches due to their specialized requirements. These procurement specialists work independently and are involved in supporting specific Programs. The prime area of expertise is within CMM, where dedicated procurement officers are involved in all contracts greater than $25,000, with the exception of those that are forwarded to PWGSC for processing. CMM is not involved in regional contracting activity at all.
Within IC, the contracting for goods and services has been decentralized to the Sectors, Branches, Regions and semi-autonomous organizations. The contracting process begins with the RCM who decides that, in order to meet operational requirements, the contracting of goods or services is required. The RCMs are accountable for the administration of each contract they signed under their cost centre. An initial request, statement of work or description of the goods, is forwarded to the divisions' AO, usually via an e-mail.
The AO, in consultation with the RCM, determines the best method for the acquisition of goods or services. The necessary information is entered into the Integrated Financial and Materiel System (IFMS) to initiate the contractual process. Users are guided (prompted) through the process to select the appropriate method and document types to complete the process.
The types of contracting/procurement activities that can be created in IFMS include, but are not limited to:
- Temporary Help contracts;
- Public Works and Government Services Canada (PWGSC) requisitions for goods and services (9200);
- Purchase Orders;
- Call-up against Standing Offers (942);
- Service Contracts (SERV);
- Interdepartmental Letter of Agreement (ILA), and;
- Memorandum of Agreement or Understanding (MOA / MOU).
IC has established a Contracts Review: Program and Services Board (CR:PSB) which forms the foundation of the risk-based contract review process. During the period under review, it reviewed all sole source contracts over $25,000. Its role has recently expanded to include all competitive contracts with a value greater than $84,000.
In accordance with the approved 2006-07 Audit Plan, the Audit and Evaluation Branch (AEB) has conducted a department-wide audit of contracting. The Audit Objective is to assess the current management control framework for contracting activities in the department and to determine the level of compliance with applicable government policies.
The audit was carried out during the period May to December 2007. The audit scope included an examination of procurement documents and contracts issued between and and included samples from NHQ, the Ontario and Quebec Regions and all semiautonomous organizations.
Items excluded from our audit scope included Interdepartmental Letters of Agreement (ILA) or Memoranda of Understanding (MOU or MOA) and Collaborative Arrangements (CA) with one or more third parties working together cooperatively on a project.
In support of the requirements under TB Policy on Internal Audit, audit criteria were developed and linked to each audit objective under the categories of internal controls, governance and risk management (see ANNEX B for detailed audit criteria).
The audit work for this project was substantially completed on November 30, 2007. The audit work consisted of a review of management practices, system of internal controls, related policies, procedures, guidelines and processes, interviews with departmental officials, the examination of procurement and contracting files and a review of the contracting and financial databases.
Our work included documentation analysis and file review. Interviews were conducted with staff directly involved with the procurement of goods and services. These included interviews with the Manager CMM, Branch Managers, Administrative Officers, and Procurement and Contracting staff.
A total sample of 302 files was composed of randomly and judgmentally selected contracts examined in detail. Contracts selected on a judgmental sample ensured that high risk contracts were included.top of page
3.0 Findings and Recommendations
This section presents detailed findings from the audit of Contracting at Industry Canada. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct. In addition to the findings presented below, observations of conditions that were non-systemic and of low materiality and risk have been communicated to management for their consideration.
Finding 1: Outdated IC Contracting Policy and procedure documentation.
There is no mechanism to update, maintain and distribute contracting policies, procedures and guidelines to all staff involved.
IC policies, guides and manuals should be consistent with governmental policies relating to contracting and communication and training related to contracting should be sufficient, available and provided where required in a timely manner.
The IC Contracting Policy is a blend of policy and procedure. More attention is afforded to mechanisms such as Advance Contract Award Notification (ACAN) than for frequently used processes such as for Temporary Help Call-ups. The IC Contracting Policy is available on-line for all staff and encompasses the essential elements of the TB Contracting Policy.
The Policy is not reviewed on a regular basis to ensure its continued relevance and it has not been updated since 2003 to reflect significant changes in procurement policies and procedures (e.g.: the use of Mandatory Standing Offers and the revised role of the CR:PSB). IC Contracting Policy and procedural updates are issued from time to time through the Bulletin and the Staying in Touch newsletter process. These have not been incorporated into the Policy document.
The new Early Warning System was introduced through email to senior departmental managers who were to advise their respective staff in February 2007. This information has not been included in IC Contracting Policy and neither the Bulletin nor the Staying in Touch means were used to share the approach.
Training materials do not provide sufficient guidance in the areas of: preparing a Statement of Work; satisfying Government Contracting Regulations for sole sourcing; the use of Temporary Help Services; and contract file maintenance (e.g.: MERX/GETS posting, signed evaluations and letters to unsuccessful bidders).
The DG, Financial Operations and Systems (DG, FO&S) should ensure that the IC Contracting Policy and related procedures are brought up-to-date.
The DG, FO&S should ensure that the contracting training manual is amended to reflect the IC Contracting Policy as well as TB Policy with a focus on areas of high activity and risk.
Finding 2: Ineffective monitoring of contracting activities.
There is no effective, ongoing monitoring of contracting activities within IC.
A key element in the effective administration of contracting requires that processes be in place to ensure that contracting practices comply with policy requirements. Management oversight should serve to ensure that matters related to contracting are identified.
Internally, CMM conducts a monthly review of 15% of the contracts issued by all Branches at NHQ. It was not operating during the period under review, re-commenced activity as of September 2007 and has since stopped. There is no monitoring in regions.
The Terms of Reference for the monthly 15% review were re-written in September 2007 and document the corrective action for "errors/mistakes of a serious nature"; it does not address risk and materiality. There is no evidence that such action has been taken; and the tendency has been to send information to all users rather than focus on Branches with significant errors.
Results of the review are not followed-up to ensure that the risk of ongoing non-compliance with IC and TB Contracting Policy is mediated.
The DG, FO&S should develop an effective mechanism to monitor non-compliance with both the IC and TB Contracting Policies.
Finding 3: Insufficient reporting to management.
High-level reporting of IC's contracting activities is limited to the IC-website as required by TB proactive disclosure. The report does not fully disclose contracting information as required.
Monitoring practices and controls should be adequate to ensure compliance with TB policies and practices. Information reported should be sufficient, appropriate and consistent.
Although IFMS has all the necessary features to provide the information on activity by location, type and dollar value, no periodic activity reports are prepared for Senior Management's review.
High-level reporting of IC's contracting activities is limited to the TBS proactive disclosure reporting requirements. Departments are required to disclose on their Web sites all procurement contracts valued at $10,000 or more (including GST/GST) committed by or on behalf of their respective institutions, including PWGSC contracts.
From our review of the data for the Proactive Disclosure report, and the conduct of a specific inquiry for 196 files, we found that 32 (15%) of the contracts originally valued over the proactive disclosure limit were not reported as required. These omissions were not noticed and reported.
The DG, FO&S should develop a system of regular and detailed reporting that summarizes departmental contracting activities (cost centre, division, directorate and branch) and value.
The DG, FO&S should develop a system to ensure the accuracy and completeness of information released under Proactive Disclosure requirements.
Finding 4: Insufficient verification of CR:PSB approval for sole source contracts.
There is a weakness in the use of the internal controls for the verification of CR:PSB approval for sole source contracts greater than $25,000.
CMM Bulletin 003 states that Contracts Review: Program and Services Board has the responsibility to make decisions on whether or not to proceed on sole source service contracts over $25,000 as well as any amendments to existing sole source service contracts that would bring the total value over this threshold. Managers who request such contracts complete the needed documentation that is forwarded to CR:PSB via CMM to who confirm the completeness of the documentation. An officer from the organization must be available at the time of the CR:PSB to answer questions, either on-site or via teleconference.
Contracts awarded by PWGSC, Call-ups against a Standing Offer (within the allowed dollar limit) and library contracts (value of less than $100,000) are not required to be submitted to the CR:PSB.
For each organization reviewed in the audit, we selected contracts with a value equal or greater than $25,000 that were awarded according to the traditional non-competitive (TN) procurement process. CMM provided a listing of all files submitted to the CR:PSB for FY 2006/07; it amounted to only 13 cases. On the 10 files reviewed for this audit procedure, 6 were compliant with the directive and 4 were not compliant, i.e. they did not have the CR:PSB approval required by IC Contracting Policy.
Many files were classified incorrectly in the system. Some files were classified as TN when they were awarded at the end of a competitive process. Furthermore, no files over $25,000 classified as TN are subject to verification to ensure that they have the appropriate authorization.
The DG, FO&S should develop a process to ensure compliance with the Policy regarding CR:PSB review and approval.
Finding 5: Insufficient verification of CIO approval for contracts for software development.
There is no systemic verification of CIO approval for contracts for the software development.
CIO approval of external application development is required to ensure strategic alignment, to assess appropriateness of the investment and to avoid duplication. The web link 'Directive–IT Goods and Services Procurement' describes the request process for CIO approval as follows:
- The IM/IT Manager sends the attached form to the IT Procurement Request In-box along with any other supporting documents.
- The CIO manager will review and assess the request against departmental standards, potential impact on departmental network performance and IT support demands, and IT replacement cycle guidelines.
- The CIO manager will reply formally to the requester with an approval to purchase or with a recommendation for alternative action.
CMM re-iterated this policy in their internal communiqué, dated August 2007:
10. Chief Information Office (CIO) Approval Required for the Procurement of Specific IT Goods and Services: Office sectors must receive an authorization from the (CIO) for specific IT goods and services. Always include this authorization in the Header Note of the IFMS Purchase Order as well as in the contract file to demonstrate compliance with the directive.
Six contracts were requested from Corporate Administrative Services (CAS) with three received; none had proof of authorization from the CIO.
The DG FO&S should develop a procedure to ensure that CIO approval of external application development is provided before processing such requests for contracts.
Finding 6: Insufficient verification of Contracting Delegations
In one major Sector, a system function permitted non-delegated staff to sign contracts without reference to a higher level of authority.
We have reviewed the contracting delegation of authority to ensure that the officers signing contracts on behalf of the Minister have the authority to do so. In the vast majority of the cases reviewed, the officer signing had the delegated authority. Each officer who is authorized to sign for the Minister has their own unique identification. For the majority of the regions/sectors this unique identification is required to create a contract in the system.
In one of the major sectors however, officers may produce and sign contracts without having the proper authorization to do so. This is due to a system function that allows an employee to create and print a contract without entering a unique identification number in the system. Therefore, even if only six employees actually had the appropriate delegated authority to sign the contracts, many other employees were able to sign contracts without having to go through a higher level of authority. Further controls that exist within the Finance function serve to mitigate the potential impact of this system flaw, but the inherent risk of the situation is significant.
In addition to this procedural oversight, there is no formal process to update the list of staff with delegated authority.
The DG, FO&S should develop a procedure to ensure that all Regions, Sectors and semiautonomous organizations have controls in place to ensure that only those with appropriate delegated authority approve contracts.
The DG, FO&S should develop a procedure to update the Delegated Authority for contracting as required.
4.0 ANNEX A: IC Contracting Expenditures FY 06/07
During the period under review, from to , Industry Canada issued the following contracts:
|Document Type||Dollar Value (%)||Total Dollar Value|
|9200 (via PWGSC)||25%||31,153,809|
|942G (Standing Offer–Goods)||10%||12,081,997|
|942S (Standing Offer–Services)||12%||14,571,339|
|TAS (Task Authorization)||7%||8,625,283|
|POG (Purchase Order–Goods)||2%||2,534,802|
|POS (Purchase Order–Services)||5%||5,720,730|
|SERV (Service Contracts) Total
|TH (Temporary Help)||9%||10,513,682|
5.0ANNEX B: Detailed Audit Criteria
For the risk management and governance process, the extent to which Industry Canada's Contract Management Control Framework (MCF) is adequate and is functioning as intended.
- Risk Assessment / Management–IC identifies, evaluates and manages risks pertaining to contracting. Risk assessment is documented.
- Policy Framework–IC policies, guides and manuals are consistent with governmental policies relating to contracting.
- Roles & Responsibilities–IC organizational structure, roles and responsibilities are clearly defined, understood and documented.
- Communication / Training–Communication and training related to contracting are sufficient, available and provided where required in a timely manner.
- Monitoring and Reporting–Monitoring practices and controls are adequate to ensure compliance with TB policies and practices. Information reported is sufficient, appropriate and consistent.
IC's internal controls for contracting activities, ensuring their compliance with Government Contract Regulations, TB Contracting Policy and its own Contracting Policy.
- Contract Planning–Contract planning activities clearly define requirements, taking applicable policies and the rules of fair competition into account.
- Solicitation Activities–Solicitation activities comply with the competitive procurement process. All exceptions must be documented and supported by applicable regulations. Solicitation activities take trade agreements into account when applicable.
- Contract Award #8211;Contracts are awarded within the approval limits set forth in the financial delegation of authorities and are issued in such a way as to protect Canada's interests and deliver best value for the money spent.
- Contract Administration–Contract administration activities are conducted to ensure that goods and services are delivered as stated in the contracts.
- Contract Closeout–Contract closeout activities require that all contractual obligations are fulfilled and that all pertinent documentation is complete and filed to ensure a clear audit trail.
6.0ANNEX C: Management Action Plan
|Recommendation (Page/Section)||Planned Action or Justification for no action on the Recommendation|| Respon-
| Target Comple-
| Revised Comple-
|1.1 The DG, Financial Operations and Systems (DG, FO&S) should ensure that the IC Contracting Policy and related procedures are brought up-to-date.||Policy document has been updated by contracting team. In review process before publication.||DG, FO&S||March 08|
|1.2 The DG, FO&S should ensure that the contracting training manual is amended to reflect the IC Contracting Policy as well as TB Policy with a focus on areas of high activity and risk.||Review and revision of training manual and training course to ensure that the new IC Contracting Policy is reflected will be undertaken as soon as Policy documents are finalized.||DG, FO&S||June 08|
|2. The DG, FO&S should develop an effective mechanism to monitor non-compliance with both the IC and TB Contracting Policies.||Implementation of a Quality Assurance role in CMM is being done. Restarting of sampling shall commence upon approval and staffing of the Quality Assurance team.||DG, FO&S||Sept 08|
|3.1 The DG, FO&S should develop a system of regular and detailed reporting that summarizes departmental contracting activities (cost centre, division, directorate and branch) and value.||A Needs Analysis will be undertaken to determine necessary reports. Following results of the analysis, CMM will implement reports recommended in the Needs Analysis.||DG, FO&S||June 08|
|3.2 The DG, FO&S should develop a system to ensure the accuracy and completeness of information released under Proactive Disclosure requirements.||Revision to the proactive disclosure application and processes is being done. CMM will coordinate changes with the Business Analysis and Application (BAA) group and IFMS system support team in the CIO.||DG, FO&S||June 08|
|4. The DG, FO&S should develop a process to ensure compliance with the Policy regarding CR:PSB review and approval.||Review to be undertaken to develop processes to ensure compliance with CR:PSB. These changes may have IFMS implications that will have to be coordinated with BAA and the CIO as and when required.||DG, FO&S||Sept 08|
|5. The DG FO&S should develop a procedure to ensure that CIO approval of external application development is provided before processing such requests for contracts.||For contracts approved by CR:PSB, the process was implemented. For contracts that do not require CR:PSB approval, we will review and streamline the process to ensure that procurement for external applications development are approved by the CIO.||DG, FO&S||April 08|
|6.1 The DG, FO&S should develop a procedure to ensure that all Regions, Sectors and semi-autonomous organizations have controls in place to ensure that only those with appropriate delegated authority approve contracts.||Streamlining of contracting delegation was done with CRC in December 2007.|
|CMM will develop procedures and guidelines for the creation of a Contracting Authority User Id in IFMS. These procedures and Guidelines will be shared with employees who attend the Mandatory Contracting training and should ensure that employees with delegated contracting authority contact the CMM officer responsible to create Contracting Authority User Id in IFMS.||DG, FO&S||Sept 08|
|CMM will work with IFMS Security (CIO) to ensure that only the Communication, Policy and Training officer ( CMM) has access to create Contracting Authority User ID in IFMS.||Immediately|
|6.2 The DG, FO&S should develop a procedure to update the Delegated Authority for contracting as required.||Review and implementation of delegations is currently underway, CMM is taking into account the organization structure, staff using an acquisition card use and training requirements. CMM is looking at reducing the number of Contractual delegations in each Sector/regions and discrete units.||DG, FO&S||Sept 08|
- Date modified: