Audit of Cyclical Financial Controls – Revenue and Directed Contracts

(Approved October 2, 2013)

Table of contents

Executive summary

Context

The majority of Public Service Commission (PSC) revenues are derived from staffing and assessment services provided to other departments under the PSC’s cost-recovery authority. These are optional services provided to organizations both within and outside the core public service, as defined in the Public Service Employment Act. Over the last few years, the volume of services provided has been lower and management expects revenues to decline somewhat, due in part to less government-wide activity and greater capacity of departments to manage their own staffing. Cost-recovered revenue was $10.5 M in 2011-2012, and it was about $8.3 M in 2012-2013.

Directed contracts represent a potential risk to the effectiveness and credibility of procurement activity, unless properly managed. In terms of procurement, the percentage of non-competitive service contracts went from 47% in 2009-2010 to 7% in 2012-2013. In fiscal year 2011-2012 for which the samples were selected, the PSC awarded competitive contracts valued at $4.022M, and $3.218M in non-competitive contracts for a total value of $7.240MFootnote 1 

Rationale

The Office of the Auditor General of Canada (OAG) announced in February 2012 that it would no longer be auditing the PSC’s financial statements, given the low risk they represent. In July of that year, the Executive Management Committee (EMC) decided to entrust the examination of financial reporting controls to the Internal Audit Directorate (IAD).

In light of the PSC’s efforts regarding non-competitive contracting, a review of progress in this area of fiscal management was deemed timely.

Objective

The objective of this audit was to assess the adequacy and effectiveness of financial controls for reporting revenue and for managing procurements using directed contracts.

Overall conclusion

In general, financial controls for revenue reporting are sufficiently reliable for the purpose envisaged. Overall, staff understand their roles and responsibilities, most of which are documented. Revenue recognition is defined in terms of invoicing, but not the timing of invoices, leaving a policy gap. We found controls for completeness and accuracy of reporting revenue to be effective. The timeliness of billing, however, is challenging, with some billing delays occurring during the year but corrected by year-end. Staff duties were appropriately segregated. Most processes and internal controls for key operations and each revenue stream are documented, albeit inconsistently. Management takes a risk-based approach in dealing with oversight-level control processes but transaction-level controls are not as clearly managed that way. We attribute this gap partly to the variety and complexity of billing processes.

While individual residual risks noted earlier may be low, their combined effect reduces the ability to rely on controls. Furthermore, if organizational changes cause informal controls such as employee knowledge to decrease, risk levels rise. We do not expect that filling the documentation gaps would be onerous.

Overall, controls for the management of directed contract procurement are adequate. The management of directed contracts entails close collaboration between Procurement Services (PS) and Responsibility Centre (RC) managers. To that end, PS has implemented mechanisms and tools to support the administration of procurement requests related to directed contracts. PSC users are informed of these tools and documents through various means. Training is available to managers and to assistants dealing with services contracts. The use of the requisite exception is justified with reason and files are generally well documented.

Consequently, the controls in place allow PS staff to apply the various legislative, regulatory and policy requirements related to procurement services requests. Roles and responsibilities concerning the delegation of financial authorities should be further clarified regarding the accountabilities of PS, its representatives, and RC managers.

Management has provided comprehensive action plans, which we believe will address the deficiencies noted.

1. Introduction

The Internal Audit Committee (IAD) approved the audit of financial controls in August 2012 as part of the 2012-2013 risk-based internal audit plan. This audit is composed of two parts: revenue and directed contracts.

The planning phase of this audit began in October 2012.

2. Background

Revenues

According to financial statements for the 2011-2012 fiscal year prepared using the accrual basis of accounting, the Public Service Commission (PSC)’s value of revenues was $12.850M. Given the materiality of this amount, sound revenue management is critical to ensuring that the PSC achieves its overall objective of responsible fiscal management.

Every year since 2005-2006, the Office of the Auditor General of Canada (OAG) has audited the PSC's financial statements. The OAG has always issued an unqualified opinion on the adherence to the rules and accounting principles and concluded that the audited financial statements accurately reflect the Commission's financial situation. In February 2012, the OAG announced that it would no longer be auditing the financial statements of a number of smaller federal departments and agencies, including the PSC, given the low risk they represent. In July 2012, the Executive Management Committee (EMC) decided to entrust the examination of financial controls to the Internal Audit Directorate (IAD). To this end, IAD intends to carry out yearly testing of controls on various subject matters related to financial management, including financial presentation.

According to Treasury Board (TB)’s Policy on Financial Resource Management, Information and Reporting and the new Policy on Internal Control, departments and agencies must produce auditable financial statements (meaning financial statements that can withstand a controls-based audit). They are not required to have these statements audited every year.

The majority of PSC revenues are derived from staffing and assessment services provided to other organizations under the PSC’s cost-recovery authority. These are optional services provided to organizations both within and outside the core public service, as defined in the Public Service Employment Act. Typical service offerings include helping organizations staff vacant positions, assessing candidates for merit criteria, and providing counseling for public servants. Rates are outlined in detailed price lists. Service delivery is governed through memoranda of understanding with organizations, supplemented by detailed service requests.

Management had been expecting these revenues to decline somewhat, due to less government-wide staffing activity and greater capacity of departments to manage their own staffing. This cost-recovered revenue was $10.5M in 2011-2012, and it was about $8.3M in 2012-2013. After the completion of the audit fieldwork, the PSC announced a substantial restructuring of its cost-recovered service organization and product offerings. This decision was made in light of the reduced demand being experienced for staffing services. These changes will be implemented during 2013-2014.

Directed contracts

In 2011-2012, the PSC awarded competitive contracts valued at $4.022M and $3.218M in non-competitive contracts for a total value of $7.240MFootnote 2 . These figures ​​do not represent actual expenditures, but rather the total value of contracts awarded and modified during this period.

The Government Contract Regulations (GCR) set out the conditions for entering into contracts. Although competitive bids are the norm, there are some exceptions to the rule that allow directed contracts. This mechanism enables the contracting authority to award the contract to a pre-selected provider when deciding not to use a competitive bid process. IAD also took into consideration other related policy instruments such as the TB's Contracting Policy and Guidelines on the Proactive Disclosure of Contracts, as well as the PSC’s Procurement Guidelines for Goods and Services and internal contract award procedures.

In 2011, the PSC conducted an audit of selected Advance Contract Award Notices (ACANs) and the Office of the Procurement Ombudsman also published a procurement practices review of these files. Both reports made recommendations regarding procurement processes and their consistency with applicable policies and regulations. Management action plans for both the internal audit and the practices review have been fully implemented.

Procurement Services (PS) of the Finance and Administration Directorate (FAD) provides central contracting services to PSC headquarters and regional offices. In 2011-2012, PS administered 1,024 service contracts. Of these contracts, 74% were competitive while 26% were non-competitive. In 2010-2011, 33% of the service contracts were non-competitive compared to 47% in 2009-2010. In 2012-2013, out of 710 service contracts, only 7% were non-competitive. This last figure reflects senior management’s effort in maximizing competitive processes to the greatest extent possible. Directed contracts are those where the requirement for competitive bids is set aside under certain exceptions, e.g., contracts under $25,000 or where only one person is capable of performing the contract.

In the PSC, three areas of activity are involved in the operations covered by this audit:

  • The Business Management and Support Directorate of the Staffing and Assessment Services Branch (SASB) plays a role in supporting various cost-recovery services, especially with regard to invoicing and departmental reporting, not only at headquarters but also at the seven regional offices.
  • The Accounting Operations Directorate of the Corporate Management Branch (CMB) is responsible for accounting for financial transactions and ensuring that accounting policies are applied effectively throughout the PSC.
  • CMB's Administration Services Division – Procurement Services (PS) provides the PSC with specialized assistance at each stage of the procurement cycle and develops tools to accelerate and facilitate the purchase of goods and services.

3. Risks

Revenue reporting controls at the PSC must be adequate for effective operations in a complex environment consisting of many delivery units providing a variety of services. Recently, demand for some services has fluctuated significantly while remaining stable for others, affecting the potential for savings from improvements to business processes.

In line with client service requests, the bulk of the revenues are generated and billed in the last quarter of the year. This represents a challenge for operations, budgeting and billing. Furthermore, work that is done on a cost-recovery basis on a service request may span two years. A number of billing processes are used with various information flows, documents and control processes, and many stakeholders are involved. Client relationship management considerations make it difficult to standardize or streamline some processes.

The number and complexity of procurement rules and regulations and the pressures on management to deliver results can lead to regulatory, reputational or material risks. These rules specify the procurement instruments available and how each must be used. Many of these requirements also refer to other documents such as policies referring to trade agreement obligations. The failure to comply with procurement regulations or internal procedures can expose the PSC to challenge, increased government inspection or the inability to enforce contracts. Inadequate contract management could result in disputes, and, ultimately, litigation. Additional potential risk arises from the inadequacy of, or non-compliance with, delegated authorities. There is also a risk that procurement officers are not properly trained or that managers and assistants do not receive adequate training related to contract administration.

4. Objective

The objective of this audit was to assess the adequacy and effectiveness of financial controls for reporting revenue and for managing procurements using directed contracts.

5. Scope

For PSC revenues, the audit covered invoicing, accounting and reporting controls. Efficiency, inputting of employee time incurred and pricing for services rendered was excluded from this audit because these areas were or will be covered in other audits. Control processes and transactions sampled were for the 2012-2013 fiscal year.

For procurements, this audit examined directed goods or services contracts for compliance with relevant federal government regulations and policies. A selection of high-risk transactions and commitments for the 2011-2012 fiscal year has been used for this purpose.

6. Statement of conformance

This internal audit engagement conforms with the Internal Auditing Standards of the Government of Canada as supported by the results of the quality assurance and improvement program.

Audit work, as described in the methodology section, was planned to provide a reasonable level of assurance for the conclusions drawn.

7. Methodology

The PSC standard audit process includes three principal phases: planning, detailed examination and reporting. This standard audit process conforms to the International Standards for the Professional Practice of Internal Auditing.

All deliverables were reviewed and signed off by the Director, IAD. Briefings and validations of observations were ongoing during the course of the audit, and CMB and SASB management took part in the audit process. CMB and SASB have provided all requested documents and access to employees.

The planning phase began in October 2012.  At that time, a summary risk assessment and review of documentation were used to identify lines of inquiry. IAD developed draft criteria relating to procurement using the GCR and related documents. Draft criteria for revenue reporting were based on a risk assessment following interviews and a review of policies, process documents and reports. Criteria were largely derived from Government of Canada legislation and policy, and TB accounting standards. Auditee management reviewed and agreed with the draft criteria (see Annex A).

Following the planning phase, the audit moved to detailed examination. Methodologies included interviews with management and staff, and review and analysis of procurement files, documents and key processes related to the 45 selected directed contracts active during 2011-2012. Revenue examination included analysis of revenue transactions, sampling of the different types of transactions and related controls, interviews, and a review of process and control documents. Observations were sent to auditee management for validation in May 2013.

8. Observations and recommendations

The following section presents the key observations of this audit, as well as the related impact and recommendations.

Revenue Cycle

Control objective 1

Governance: There is an effective management control structure in place for managing revenues.
1.1 Roles and responsibilities

The auditors expected that clear roles and responsibilities were established for PSC’s revenue cycle. To that end, we examined documentation on roles and responsibilities and interviewed representatives of the various functions involved in revenue cycle processes. As well, we traced sample transactions through the billing process.

The revenue cycle is the responsibility of two organizations. SASB generates revenue and administers billing requests. Actual billing and financial recording are the responsibility of Accounting Operations Division (AOD) of CMB.  The functions involved in revenue operations include:

  • SASB service delivery units (providing services to clients);
  • SASB service delivery project leads (signing service agreements with clients, recording requests into the Revenue Management System (RMS), approving client billings);
  • SASB’s Integrated Service Division (ISD) (coordinating client billings, providing quality assurance on billing inputs, providing billing support, e.g., supplying client invoice copies if requested); and
  • AOD (issuing invoices, monitoring receivables, overseeing settlement, reconciling accounts).

We found two key documents that outline roles and responsibilities. The Revenue Process Narrative (2011) summarizes high level processes. It does not fully address ISD’s role nor document the complexity and variety of billing processes. The Policy on Revenues, Recoveries and Accounts Receivable (2006) outlines the PSC’s billing structure, although updating is needed. Interviews with staff indicated they had a solid understanding of their respective roles and responsibilities.

At a more detailed (individual) level, there is variation in how responsibilities are defined and documented. Lack of clarity on process and responsibilities is noted in these key areas:

  • establishing a memorandum of understanding (MOU);
  • amending a service request when the service value exceeds the initial estimate;
  • cancelling or adjusting an invoice; and
  • understanding the role of MOUs vs. service requests, as to which is the primary control document.

Overall, roles and responsibilities in the revenue cycle are established, understood and documented. However, consistent and comprehensive documentation of these roles and responsibilities at the functional and individual level is lacking. In a stable operational environment, documentation gaps are compensated by employee knowledge, leaving risk low. These compensating controls might not prove effective in a less stable environment. Management of both AOD and ISD has an opportunity to improve documentation on roles and responsibilities.

1.2 Revenue recognition policy and guidance

It was expected that the PSC had established and documented comprehensive policy guidance to support appropriate recognition of revenues. To that end, we reviewed the documents that address revenue recognition.

The 2006 Policy on Revenues, Recoveries and Accounts Receivable states: “...revenues are to be recognized in the period in which transactions or economic events giving rise to revenues occurred. Instead of recording revenue when money or interdepartmental settlement is received, revenues are recorded when invoiced to the clients.” It further states that the PSC’s Revenue Recognition Principle is “[t]he basis for recording revenues in an accrual accounting environment. This principle stipulates that revenue is recorded in the period in which it is earned.” Because annual financial statements are prepared on an accrual basis and quarterly financial statements on an “expenditure basis”, we also expected but did not find additional guidance.

While the policy provides guidance on when revenue should be recorded (i.e. on invoicing a client), we found no similarly definitive guidance on the timeliness of invoicing relative to the underlying service delivery. Our transaction sampling showed some inconsistencies between the timing of service delivery and the date of invoicing. This may partly be attributable to the wording commonly used on the MOUs examined: “Invoicing for fees for services rendered, where applicable, will be done on a monthly basis or as per terms mutually agreed upon but in no case later than the end of the current fiscal year and will include all services delivered during that period.” This language allows significant discretion as to when billings should take place during the fiscal year, without identifying the principles to consider in the timing of invoices.

Overall, current policy guidance clearly defines when revenue should be recognized (i.e. on invoicing), but not when invoices should be rendered relative to the timing of the underlying product or service delivery.

Recommendation 1: 

The Director, Accounting Operations Division, should update the current revenue policy guidance to ensure that management expectations for timeliness of invoicing are clearly articulated.

Management response:

In order for AOD to process an interdepartmental settlement creditor transaction with other government departments using the Standard Payment System (SPS), SASB must first assess if the goods and services under the MOU have been provided. After this assessment has been completed, the invoicing amount is recorded in Revenue Management System (RMS), which interfaces with PSC’s financial system. The information is then extracted by AOD and processing of the IS can occur in SPS.

Action plan:

The Director, AOD will consult with the revenue generating entity (SASB) regarding the feasibility of adjusting current MOU wording to clearly articulate the earliest point at which goods and services are provided to ensure prompt collection of amounts owing. Updating the current revenue policy guidance to clarify management expectation with respect to timeliness of invoicing will follow.
Completion: March 31, 2014

Control objective 2

Internal control: Effective internal controls exist to ensure accurate and timely reporting of revenue.
2.1 Controls for complete, accurate and timely recognition of revenue

We expected that management had implemented a comprehensive set of internal controls to ensure that revenue recognized in PSC financial statements is complete, accurately calculated and recognized on a timely basis.

We found that PSC revenue billings are supported by the Revenue Management System (RMS), but using a variety of underlying processes. ISD coordinates the handling of them all. For example, six different billing streams support second language evaluations, with data coming from other systems and sources, e.g., spreadsheets uploaded to RDIMS. Other streams may include different inputs, such as scanned service requests. AOD issues the actual invoices through the interdepartmental settlement process.

Each billing stream has unique process steps and internal controls, with “manual” effort typically required of ISD. This may involve data capture (e.g. recording into RMS), validation (e.g. to confirm approval) and reconciliation (e.g. tracking sheets for transactions against service requests). The audit also noted areas of billing cycle inefficiency. These include duplicate data entry to set up transactions in various streams, duplicate electronic and paper records, and reissuance of 23% of the invoices issued in 2012-2013, based on client requests for copies. We noted that different revenue streams arose over time in various PSC operating units.

The cost implications of these inefficiencies are amplified by the high number of billing transactions, many of which are quite small. For 2012-2013 revenue billed to the end of February, $6,266,960 was billed through 9,153 invoices. Of these, 5,136 invoices were for amounts over $50 (average amount $1,192) and 4,017 were for amounts of $50 or less (average amount $37).

The PSC has multiple levels of internal controls to ensure accurate billing. Of note, ISD monitors service requests for accuracy and completeness of billings, and conducts detailed checks and reconciliations of inputs to ensure transactions are properly approved. In turn, AOD conducts daily, monthly and quarterly reconciliations to ensure RMS amounts agree to the amounts recorded in the FreeBalance financial system. AOD also samples transactions weekly for various aspects and also periodically tests key revenue controls for internal controls over financial reporting purposes. Our audit sampling of invoiced transactions along with other steps indicates that these controls operate effectively to provide for accurate and complete financial reporting of revenues.

Controls to ensure that revenue is recognized on a timely basis (i.e. invoiced within a month of service delivery) are less evident. Consequently, billing delays contribute to a lag in recognizing revenue during the year, until eliminated at year-end. Certain delays arise as intrinsic aspects of certain revenue streams, such as revenue for executive counselling. In other cases, delays are not as readily explained. Of note, the auditors tested 10 revenue billings for the first 11 months of 2012-2013, and found that six of these involved billing delays of more than a month. (The range was from two months to nine months.) SASB’s scheduled year-end effort to catch up on billings is further challenged by high rates of client requests traditionally received in the fourth quarter. The Government’s “Period 13” process gives some leeway to accounting staff.

In conclusion, we find that effective controls exist to ensure that revenue in annual financial statements is complete, accurately calculated and recognized on a timely basis. However, additional management attention is needed to ensure timely recognition on a month-to-month basis.

2.2 Segregation of duties

We expected that the PSC maintains an appropriate segregation of duties within the various stages of billing approval, invoice generation and settlement/collection of revenues.

We noted through the transaction sampling that different individuals in different organizations were responsible for:

  • Generating a billing request/authorization – SASB project lead;
  • Validating billing request/authorization and generating RMS invoice request – SASB-ISD analyst;
  • Generating client invoice – automated AOD process; and
  • Settling an invoice – managed by AOD with the agreement of Public Works and Government Services Canada (PWGSC) and the client organization.

These controls were found to be appropriate.

2.3 Documentation and communication of internal controls

We expected to see comprehensive internal control process documentation including identification of key control inputs, control activities, control outputs, exception handling processes and supporting roles and responsibilities.

Within AOD, we found various process control documents. Key among these is the “Revenue Process Narrative”, which summarizes key processes, control considerations and roles within the revenue cycle. In addition, as part of its internal controls over financial reporting, AOD has documented its internal controls relating to revenue and accounts receivable in support of its periodic tests of key internal controls.

Within ISD, we found documents outlining most, but not all, process and controls. As well, a comprehensive user guide exists for RMS 1.0. Similarly, ISD staff have a number of process description documents for their responsibilities.

We noted the varied level of completeness and detail in these internal control and process documents supporting various revenue streams. Similarly varied was the detail and completeness of documents supporting related areas such as revenue adjustment processing and reconciliations (e.g. FreeBalance to RMS).

Interviews with AOD and ISD staff confirmed their understanding of detailed processes.  The lack of comprehensive internal control and process documentation, however, forces reliance on the knowledge of existing staff — a risk in the event of employee absence.

In conclusion, process and internal control documentation exists to varied levels of completeness and detail. In addition, we noted areas where no process documentation was available (e.g. FreeBalance/RMS reconciliation, revenue adjustment). We consider risk levels currently to be medium, given the number of documentation gaps.

Recommendation 2:

The Director, Business Management and Support, and the Director, Accounting Operations Division, should ensure that key revenue cycle processes (including billing, adjustments and reconciliation) have been comprehensively and consistently documented.

Management response:

FAD: It was noted in this report that key revenue cycle processes are documented in AOD's Revenue Process Narrative. This document summarizes key processes, control considerations and roles within the revenue cycle. As part of its rotational periodic Internal Control Over Financial Reporting (ICFR) testing for operational effectiveness in the fall, AOD will further document its internal controls relating to revenues and accounts receivable.

SASB: The branch is reorganizing its service organization, and will subsequently review its processes and related documentation needs.

Action plan:
  1. As part of its annual assessment of the operating effectiveness of the PSC's system of ICFR conducted in the fall, the Director of AOD will strengthen the existing documentation of key controls to ensure that key revenue cycle processes, including billing, adjustments and reconciliation, are comprehensively and consistently documented.
    Completion date: December 31, 2013
  2. For all revenue streams which SASB maintains, gaps in documentation related to service delivery processes will be filled and documented to formalize the process by the Director General, Personnel Psychology Centre and Regional Offices.
    Completion date: End of July, 2014

Control objective 3

Risk management: Revenue cycle internal controls appropriately address the risks associated with revenue transactions.
3.1 Controls appropriately reflect the risks associated with various revenue streams.

We expected to see risk-based controls in the application of both oversight control processes and transaction-based control processes.

We observed evidence of a risk-based approach being used for oversight purposes. For example, in support of its periodic testing of key revenue controls, AOD conducted a risk assessment to identify the key revenue cycle risks, determine how internal controls addressed these risks, and design a control test cycle to focus on the most relevant controls.

Less evident are risk-based approaches for transaction-based internal controls for billing processes. This is partly attributable to the variety, complexity and inefficiency of billing processes, impacting on the control procedures needed. For example, re-keying billing data, as done in some processes, adds both process complexity and introduces risk (e.g. data errors) that must be addressed by controls. The high volume of low value transactions noted earlier points to the opportunity for savings from the simplification of transaction processing. This simplification could start through streamlining (by reducing steps) and standardizing by developing more uniformity between streams.

ISD had requested an RMS system change to address some identified process and control inefficiencies, but this proposal was not approved.

There is evidence of a risk-based approach in the application of some oversight control processes but not in transaction-based processes. This is partially a result of the underlying complexity and variety of the PSC’s billing processes. We consider risk levels currently to be medium, given the number of risks introduced by process complexity.

Recommendation 3:

The Director, Business Management and Support, and the Director, Accounting Operations Division, should undertake a review of the “end-to-end” revenue cycle to identify opportunities to improve the timeliness and efficiency of revenue transaction processing.

Management response:

The revenue generating entity (SASB) submitted an Information Technology Service Request (ITSR) in 2012-2013 to further enhance the interfacing capabilities of RMS to reduce the number of feeder systems and manual entries that are currently required and to provide automated reconciliation (check and balance) functions. However, the ITSR was deemed a low priority for the PSC and will be re-submitted in fiscal year 2013-2014.

Action plan:

Considering the delay in implementing systems controls, the Director of AOD will work in collaboration with the Director General, Personal Psychology Centre and Regional Offices, to determine which manual processes could be standardized, streamlined or reduced to improve timely and efficient revenue transaction processing.
Completion date of determination: March 31, 2014
Completion date of implementation: September 30, 2014

Directed Contracts

Control objective 4

Internal controls: Effective internal controls exist to ensure compliance of procurement services with applicable acts, regulations, policies and procedures.
4.1 Tools and procedures

The auditors expected that tools, procedures and checklists were in place and effective to help contracting officers manage non-competitive procurement activities.

Directed contracts for the procurement of goods and services are subject to various legislative, regulatory and policy requirements, including the Financial Administration Act, Government Contracts Regulations (GCR), and TB’s Contracting Policy.

Checklist

PS has drawn up a checklist for individual procurements, to capture the key elements of the services or goods sought and the agreed upon mechanism, e.g., expected modifications and previous contracts with same supplier. This checklist is a useful tool for enhancing the consistency and completeness of files, as well as for monitoring throughout the procurement process.

The auditors found that all of the 45 files reviewed contained a checklist. All of the files showed one checklist item left unchecked: the one on the use of the four exceptions allowing the requirement to solicit bids to be set aside. The procurement officer will check off this criterion if the information supporting the selection of the exception is included in the file. A review of the files indicated that although the checking off of this criterion had been fully omitted, key supporting information was contained in the procurement files.

The examination indicated that the majority of the checklists were otherwise complete. Only four checklists had information that was missing or misplaced. The criterion concerning the award of a contract to the same supplier was the most frequent irregularity. Although the auditors did not find inappropriate awarding of these contracts, such documentation errors are indicative of gaps in the review process and could affect the effectiveness of the monitoring process.

The selection of the procurement files was based on an analysis of the contracts awarded for 2011-2012. Since then, PS has introduced a revised PS checklist which addresses the shortcomings or ambiguities noted in the previous format. For instance, the revised version includes the key requirements for the processing of ACANs.

Tools and guidelines

PS published a series of information documents and procurement management tools on the intranet, e.g., Procurement Guidelines for Goods and Services, Procurement Work Plan, and Project Authority Contracting Checklist. These documents define roles and responsibilities for both the client and PS. They also provide detailed information on the selection of an adequate procurement mechanism and compliance with government contracting policy instruments. One document critical to the selection of ACAN as a procurement mechanism, Contracting Policy Notice 2007-4, was not part of the list of related tools although this item has since been included in the new revised checklist.

The Contract Management System (CMS) is an in-house system for managing PSC service contracts, including amendments. For PS to approve a contract, Responsibility Centre (RC) managers must first provide information, including a completed and signed Contract Justification and Approval Form. A review of evidence indicated that CMS does not have the capacity to validate the information input. PS has to review the information separately and, if there are any doubts, challenge the RC managers.

PSC procurement guidelines include provisions for “after-the-fact-contracts”, which are commitments made without the official signed contract. This type of agreement does not comply with the Financial Administration Act and the TB directives on contracting requirements. The auditors found two files where the purchase of equipment was verbally committed before any contract was signed by the PS for the respective RC managers. Both commitments were made by employees of the respective RC managers and did not constitute an override of a PS decision. In both instances, PS worked with RC managers to rectify the situation. In one case, the supplier agreed to take back the material. In the other case, the disposition for after-the-fact contracts was followed, i.e., the RC manager’s supervisor provided documentation explaining this irregular situation, as well as mitigation measures. PS then recorded it had “seen” the contract, instead of “recommending” it.

PS indicated that since the contracting authority resides with RC managers, PS does not currently follow up on the implementation of the mitigation measures. Their role is limited to providing advice and recommendations. However, PS exercises an oversight function on all contracts to minimize the risks to the PSC.

According to PSC procurement guidelines, PS is accountable for the integrity of the entire contracting process. PS provides RC managers with advice and recommendations throughout the administration of the procurement process to ensure it meets all government legal, regulatory or policy requirements. They are supported in this capacity by the Contract Review Board (CRB), which acts as an oversight mechanism. The CRB is composed of the Director General, Finance and Administration; the Director, Administration Services; the Chief, Procurement Services and the Senior Procurement Officer, Procurement Services. The CRB is mandated with strengthening the PSC procurement process by ensuring compliance with legislated requirements, delegations, integration with programs, monitoring and reporting.

Despite the procurement guidelines, PSC’s Delegation of Financial Authorities for Disbursements indicates that RC managers have full contracting authority. As such, they are accountable for the compliance to legislative, regulatory and policy requirements of the procurement. PS ultimately signs contracts on behalf of the RC manager, in a “transactional” role.

Evidence collected during interviews and review of procurement files indicated that both parties fulfill their respective obligations in a collaborative fashion. There remains a notional risk, however, that an RC manager could exercise their authority by approving a contract against PS recommendations. Such exceptional situations would be documented, although, as PS has indicated, there is currently no procedure in place to escalate such cases.

This discrepancy in the roles and responsibilities of PS and RC managers has apparently not affected the regular administration of procurement requirements. However, an alignment of the responsibilities stated in the PSC’s Procurement Guidelines for Goods and Services, the mandate of the Contract Review Board (CRB), and the PSC’s Delegation of Financial Authorities for Disbursements would clarify the respective accountabilities and help in determining if any additional measure is necessary to mitigate any risk arising from such a situation.

Overall, the PSC and PS have implemented mechanisms and tools to support the administration of procurement requests and ensure the process meets the objectives of the PSC and is compliant with these requirements.

Recommendation 4: 

The Director General, Finance and Administration Directorate, should align the responsibilities stated in the PSC procurement policy instruments and documents, and the PSC’s Delegation of Financial Authorities for Disbursements to clarify the respective accountabilities of PS personnel or representatives and RC managers.

Management response:

As expert specialists, Procurement Services (PS) is accountable for specific functions in supporting the procurement process. It is also accountable for exercising, on behalf of the President, an oversight function for the PSC's contracting function.  At the same time, contracting authority remains with RC managers who are accountable for specific implementation functions. The separate and complementary roles, responsibilities and accountabilities of PS and RC managers will be clarified and documented.

Action plan:

Following consultation with a functional expert at Treasury Board Secretariat, the Director, Administrative Services Division (ASD), and the Director General, Finance Administration Directorate (FAD) will:

  • develop a proposal to clarify the separate and complementary roles, responsibilities and accountabilities for Procurement Services (PS) and RC managers; bring the proposal to EMC for its review; and make revisions needed to the following documents:
    • Procurement Guidelines for Goods and Services;
    • The mandate of the Contract Review Board (CRB); and
    • Delegation of Financial Authorities for Disbursements.
  • Completion date: March 31, 2014
4.2. Monitoring of the procurement process

Monitoring of the procurement process is one of the means by which PS can detect and prevent any unnecessary break up by users of a comprehensive service or goods requirement into smaller contracts so as to avoid controls on the contract approval authorities, applicable limits or duration of engagement.

Contract splitting

PS’s checklist is the starting point for its monitoring of the procurement process. The checklist captures key characteristics of individual procurement requirements and helps PS ensure compliance with legislation, policies and contracting delegations. Procurement officers will also discuss the more complex files during their regular team meetings. This helps provide a broad picture of any emerging issues or trends regarding procurement risk.

At the onset of a request for a procurement requirement, the procurement officer (PO) reviews the requirement documentation for indications of possible contract splitting. The PO will also identify any previous contracts awarded by the PSC to the same supplier and review the scope of work for any elements that may be perceived as contract splitting. This information is recorded on the checklist.

Of the procurement file sample, six contracts indicated that at least one contract had been awarded to the same supplier in the previous or following year. IAD reviewed these contracts and concluded there were no indications of contract splitting.

The internal auditors found that contracts were in line with the corresponding contracting limits and their value was within the threshold established under the policy.

Amendments

Treasury Board Contracts Directive allows for contracts to be amended under certain conditions to the extent such amendments are in the best interest of the Government of Canada.

Since an amendment can impact the initial selection of a procurement mechanism or delegated authority limits, the PS manager indicated that they probe for potential amendments at the onset of a procurement. PS will ask RC managers about any planned or foreseeable amendments and review work descriptions or statements of work to detect potential changes, delays or extensions. If there is a potential for an amendment, PS will verify that contract provisions ensure that the contract is consistent with procurement policy on, for example, contract splitting. If an amendment is requested, the RC manager has to provide PS with a justification on why it was unforeseen and represents a good value. PS will also ensure that the proper authorities are exercised in compliance with TB’s Contracting Policy requirements.

IAD examined 14 contracts with amendments. For the majority of these contracts, the total value was below $25,000. In all cases, the justifications provided were adequate and the proper authorities had been exercised.

Reporting

Monitoring is an integral part of the procurement management process. It allows management to perform due diligence, including with regards to higher risk aspects such as contract amendments or contract splitting, and to generally report on procurement activities.

PS reports on the number of competitive and non-competitive service contracts in the Monthly Report. The PS manager indicated the analysis required for this regular reporting is also an opportunity for the team to review potentially contentious files or any emerging trends. PS also prepares ad hoc reports on procurement at the request of management. In early 2012, PS prepared a number of reports on sole-source contracts for 2011-2012 for the President.

In conclusion, management has established effective processes for monitoring contracting activities.

4.3 Exception to competitive procurement and justification

We expected to see effective controls to ensure that non-competitive procurements are justified and recorded, in compliance with policy.

Although competitive bidding is the norm for the procurement of goods and services for the Government of Canada, Government Contracting Regulations (GCR) allow for some flexibility under certain conditions.

Section 6 of the GCR includes four exceptions to this obligation. The exceptions are when:

  • There is a pressing emergency;
  • The value of the procurement is below $25,000;
  • The solicitation of bids would not be in the public’s interest; and
  • Only one supplier is capable of performing the contract.

To invoke any of these four exceptions which permit a directed contract to be made, the GCR requires management to demonstrate and document how their procurement requirement meets the criteria for the exception selected.

The audit found that all the procurement files reviewed contain a statement justifying the selection of the corresponding non-competitive procurement strategy. Given that all the contracts were valued at below $25,000, this was the sole exception invoked. The justifications recorded and documented are generally succinct, consisting most often of a statement referring to the low value of the goods or services being procured. Only one client provided details about the supplier’s expertise, experience and competencies and explained how this constituted good value for the Government of Canada.

4.4 Reference material and communication

The auditors found that PS has made a comprehensive set of reference documents on various aspects of procurement available to PSC employees. Documents posted on the intranet cover PSC guidelines and government policy instruments on procurement, including guidance and supporting documents specific to directed contracts.

PS offers training on procurement geared to both managers and administrative clienteles. The Procurement/Contracting Awareness Session, targeting managers, is provided once a year and was last offered in December 2012. Training for administrative assistants is offered as part of the training on the suite of PSC systems. The session provides essential information on dealing with service contracts, including key elements of policies, practices, and the use of CMS. At this writing, the formal session had not been offered for 20 months due to system changes underway and a lack of participants. Financial Administrative Systems Division offers orientation on systems to new users, as well as one-on-one training on request.

PS also informs PSC employees of new developments pertaining to procurement. PS has developed a new form for suppliers to confirm if they are former public servants, so as to ensure they will be compliant with the new reporting measures set out under the recently introduced Contracting Policy Notice: 2012-2.

In conclusion, PSC procurement internal controls for directed contracts are documented and communicated through various means in order for these reference documents or tools to be readily available to users. 

4.5 ACAN

The auditors expected that effective controls exist to ensure that the Advance Contract Award Notice (ACAN) mechanism is used effectively.

As long as their proposed directed contract qualifies under one of the four exceptions, GCR give managers an additional procurement mechanism: ACAN. GCR requires that the proposed award be advertised through an ACAN using the electronic bidding methodology. If no potential supplier provides a valid statement of capabilities meeting the requirements set out in the ACAN within 15 calendar days, the proposed contract is deemed to be competitive and may be awarded using the electronic bidding contracting authority.

PS has developed guidance on the use of ACANs. These guidelines, along with documents and tools such as TB’s Guide for Managers – Best Practices for Using Advance Contract Award Notices, are readily available to PSC employees to help them in selecting the best procurement mechanism for their needs. The PS manager indicated that they always advise their clients to consider competitive bidding, but if a client were to present a strong case for the exception that only one firm or person is capable of performing the contract (for example, due to a patent or copyright), then PS would agree to an ACAN. PS would still conduct a preliminary search for the provision of similar goods or services, including through the Web or the Government Electronic Tender Service (GGETS). If this search is inconclusive, then PS would apply the GCR for processing ACANs. Before an ACAN is posted, regardless of its value, it has to be submitted to the CRB for review and to the Director General, FAD for approval.

The PS manager indicated that since 2011, PSC has published one ACAN, and following this posting, no statement of qualifications had been received. However, management later decided not to award a contract.

The auditors found that for the posted ACAN, the selection of the exception had been justified and was reasonable. The supporting evidence was documented in the procurement file, as required.

In conclusion, we find that effective controls are in place to ensure ACANs are managed in compliance with policy requirements.

9. Overall conclusion

Financial controls for revenue reporting in general are sufficiently reliable for the purpose envisaged. Overall, staff understand their roles and responsibilities, most of which are documented. Revenue recognition is defined in terms of invoicing, but not the timing of invoices, leaving a policy void. We found controls for completeness and accuracy of reporting revenue to be effective. Timeliness of billing, however, is challenging, with some billing delays occurring during the year but corrected by year-end. Staff duties were appropriately segregated. Most processes and internal controls for key operations and each revenue stream are documented, albeit inconsistently. Management takes a risk-based approach when dealing with oversight-level control processes but transaction-level controls are not as clearly managed that way. We attribute this gap partly to the variety and complexity of billing processes.

While individual residual risks noted earlier may be low, their combined effect reduces the ability to rely on controls. Furthermore, if organizational changes cause informal controls such as employee knowledge to decrease, risk levels rise. We do not expect that filling the documentation gaps would be onerous.

Overall, controls for the management of directed contract procurement are adequate. The management of directed contracts entails close collaboration between PS and RC managers. To that end, PS has implemented mechanisms and tools to support the administration of procurement requests related to directed contracts. PSC users are informed of these tools and documents through various means. Training is available to managers and to assistants dealing with services contracts. The use of the requisite exception is justified with reason and files are generally well documented.

Consequently, the controls in place allow PS staff to apply the various legislative, regulatory and policy requirements related to procurement services requests. Roles and responsibilities concerning the delegation of financial authorities should be further clarified regarding the accountabilities of PS, its representatives, and RC managers.

Management has provided comprehensive action plans, which we believe will address the deficiencies noted.

Appendix A – List of audit criteria

Revenue

Control objective 1: There is an effective management control structure in place for managing revenues.
Criterion 1.1 Clear roles and responsibilities have been established for the PSC’s revenue cycle.
Criterion 1.2 Management has established comprehensive revenue cycle policy guidance to ensure appropriate recognition of PSC revenues.
Control objective 2: Effective internal controls exist to ensure accurate and timely reporting of revenue.
Criterion 2.1 Effective controls exist to ensure that revenue recognized in the PSC’s financial statements is complete, accurately calculated and recognized on a timely basis.
Criterion 2.2 Segregation of duties within the PSC’s revenue cycle is appropriate.
Criterion 2.3 PSC revenue cycle internal controls have been appropriately documented and communicated.
Control objective 3: Revenue cycle internal controls appropriately address the risks associated with revenue transactions.
Criterion 3.1 The level of internal controls applied to revenue cycle transactions appropriately reflect the level of risk associated with those transactions.

Directed contracts

Control objective 4: Effective internal controls exist to ensure compliance of procurement services with applicable acts, regulations, policies and procedures.
Criterion 4.1 Effective tools, procedures and checklists are in place to help contracting officers manage non-competitive procurement activities.
Criterion 4.2 Effective monitoring of contracting activities is in place to ensure management performs its due diligence, particularly with regards to contract amendments or contract splitting.
Criterion 4.3 Effective controls exist to ensure that selection of a non-competitive procurement strategy is fully justified and recorded in compliance with TB’s Contracting Policy requirements.
Criterion 4.4 Directed contracts meet at least one of the four exceptions to competition stipulated in TB’s Contracting Policy.
Criterion 4.5 PSC procurement internal controls for directed contracts have been appropriately documented and communicated.
Criterion 4.6 Effective controls exist to ensure that the ACAN mechanism is used appropriately.

Appendix B – Glossary

  • ACAN Advance Contract Award Notice
  • AOD Accounting Operations Division
  • CMB Corporate Management Branch
  • CRB Contract Review Board
  • CMS Contract Management System
  • GCR Government Contract Regulations
  • GGETS Government Electronic Tender Service
  • IAD Internal Audit Directorate
  • ICFR Internal Control Over Financial Reporting
  • ISD Integrated Service Division
  • MOU Memorandum of Understanding
  • OAG Office of the Auditor General of Canada
  • PO Procurement Officer
  • PS Procurement Services
  • PSC Public Service Commission
  • RC Responsibility Centre
  • RMS Revenue Management System
  • SASB Staffing and Assessment Services Branch
  • SPS Standard Payment System
  • TB Treasury Board

Footnotes

Page details

Date modified: