Audit of contracting and procurement processes, 2014

The Audit of Contracting and Procurement Processes was included in the 2012-2015 Risk-Based Audit Plan and was conducted in concert with The Audit of Low Value Contracts. The audits were conducted separately in order to address the different risks and processes associated with low value contracts and contracts over $25,000. Both audits link to: Correctional Service Canada's (CSC) priority of "efficient and effective management practices that reflect values-based leadership"; CSC Values Statement which includes fairness and accountability; and, the Values and Ethics Code for the Public Sector.

Contracting for goods and services represents a significant expenditure for CSC. The organization purchases a wide range of goods and services to secure its offender population and to deliver services in specific fields such as health care, education and informatics. In 2011^{Footnote 1}, CSC entered into 116,997 contracts totaling $508,128,000^{Footnote 2}. Of this total, 624 contracts were valued at over $25,000 for a total expenditure of $235,174,000. These latter numbers represent less than 1% of all CSC contracts awarded but 46% of CSC's spending dollars in contracts. The number of contracts valued below $25,000 totaled 116,373 for a total expenditure of $272,953,000. This represents more than 99% of all CSC contracts awarded and 54% of CSC's contract spending.

The audit objectives were to:

• assess the extent to which a framework is in place, meets departmental and Treasury Board requirements, and is functioning as intended; and
• provide assurance that contracts over $25,000 are processed in compliance with relevant Government of Canada legislation, policies and guidelines.

The audit was national in scope covering the five regions and National Headquarters (NHQ), and included goods and service contracts for CSC including CORCAN^{Footnote 3}, originating over $25,000, during the period of April 1, 2011 to December 31, 2012.

Overall, the results of the audit confirmed improvement from the 2007 CSC internal audit, the Audit of Contracting for Goods and Services.

For the first objective, the audit found that: CSC directives, guides and manuals were consistent with government policies relating to contracting and procurement; roles and responsibilities were defined and clear; mandatory training was offered and taken; and external monitoring and reporting requirements were being met.

Nonetheless, there were areas within the management framework that require attention:

• a regular, established communication forum between Contracting and Materiel Services (CMS) managers at NHQ and the Regions needed strengthening; and
• existing monitoring and reporting exercises were inefficient.

With regard to the second objective, the audit results demonstrated that contracts were processed as per relevant legislation, central agency policies and CSC directives. Contract files over $25,000 generally contained required documentation, Contract Review Boards (CRB) reviewed and approved applicable contracts, and contracts were proactively disclosed as required.

Nevertheless, the following shortcomings were identified:

• contract files lacked a consistent audit trail to support contract administration, including the timely signing of contracts and CRB decision-making information across regions; and
• a standardized documented process for the certification and verification of contract invoices, as required by section 33 of the Financial Administration Act (FAA), had not been fully implemented.

Recommendations have been issued in the report to address these areas for improvement.

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the area examined.

The audit conforms to the Internal Auditing Standards for Government of Canada, as supported by the results of the quality assurance and improvement program. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

The audit objectives were to:

• assess the extent to which a framework is in place, meets departmental and Treasury Board requirements, and is functioning as intended; and
• provide assurance that contracts over $25,000 are processed in compliance with relevant Government of Canada legislation, policies and guidelines.

Specific criteria related to each of the objectives are included in Annex A.

The audit was national in scope covering the five regions and NHQ, and included goods and services contracts and construction contracts for CSC including CORCAN, originating over $25,000^{Footnote 12}, during the period of April 1, 2011, to December 31, 2012. Contracts managed by PWGSC were not examined as part of this audit, and this would include high value construction contracts.

A risk assessment was completed based on interviews with the Office of Primary Interest (OPI), members of the CMS Branch at NHQ and a review of policies, past audit work, previous fraud risk assessment work, and other documentation related to contracting and procurement. Overall, the assessment identified that the main risks to CSC relate to the impact that incidents of perceived and actual non-compliance with legislation and policy would have on the organization.

Audit methodology built on the 2007 CSC internal audit, the Audit of Contracting for Goods and Services. Audit evidence was gathered through the following methods.

Interviews: Interviews were conducted with, and internal questionnaires were completed by 26 CSC employees, including CMS staff, senior management at NHQ and RHQ, and with staff involved in the management and administration of contracts in the regions and at selected institutions and sites across Canada.

Review of documentation: Relevant documentation, such as legislation, FDs, CDs, corporate documents, process maps, and reports were reviewed.

Testing: File examination was performed to provide assurance that contracts were processed according to legislation, policies, and CSC procedures, and included proper form completion, adherence to time frames, receipt of goods, and approval by appropriate delegated authorities.

A directed judgment sample of 50 files was selected from all six regions, including CORCAN, for contracts initially valued at over $25,000 for the period from April 1, 2011 to December 31, 2012. The following categories were used to identify the sample:

• greater than $25K but less than $1M;
• $1M and greater; and
• CORCAN, greater than $25K.

Files were selected based on a risk assessment that included the following criteria: repeat vendor, award method and dollar value. File examination was conducted at NHQ.

Total file population used to select the audit sample.^{Footnote 13}

The first objective of this audit was to provide assurance that practices were in place to support CSC's contracting and procurement activities. To achieve this, the audit team assessed the management framework for contracting from four perspectives: policy framework; roles and responsibilities; communication and training; and monitoring and reporting.

We expected to find that CDs and FDs were consistent with legislation and TB policy.

CSC CDs and FDs were consistent with relevant legislation and TB policy.

The audit examined FD 350-3 and other corporate guidance documents, such as CSC National Standards Procurement Delegation Instrument, and found them to be compliant with legislation and TB policy. The 2007 CSC Internal Audit of Contracting for Goods and Services reported that CSC's contracting directives needed to be better integrated and updated. In March 2012, CSC approved FD 350-3 Contracting, thereby fully implementing the 2007 audit recommendation.

Further, all 26 questionnaire respondents, (which included budget managers, project authorities, procurement specialists and members of CRBs), stated that policies were clear.

We expected to find that CSC's organizational structure and roles and responsibilities were defined and documented.

Roles and responsibilities were defined and documented.

Roles and responsibilities are clearly defined in FD 350-3. Terms of reference exist for all CRBs and all 26 questionnaire respondents said that they understood their roles and responsibilities.

All regions have procurement specialists (PGs) in place who report to the regional chief/manager of CMS. Responsibilities are comparable, but workload is allocated differently, either by institution or sector, such as health services, or contract type, such as construction.

There were other inconsistencies noted, as some regions have a PG resource within the community who reports to the Assistant District Director, Management Services and not to the regional CMS groups. Other regions have coordinators at institutions who report to their respective management teams. In addition, there are numerous staff supporting the administration of contracts across the organization who do not report to CMS.

With multiple lines of reporting, there is an increased risk for instances of inconsistent and non-compliant contracting and procurement practices. To mitigate the risks associated with a decentralized operating environment, robust training and communication are necessary. This is discussed below. While the audit team found no issues with compliance in contracts above $25,000, it was reported as an area of concern in the Audit of Low Value Contracts.

We expected to find that communication and training for contracting was available and provided where required.

Communication occurs between NHQ and the Regions; however, the form and frequency of communication between CMS groups at NHQ and RHQs require attention.

Joint Regional Comptroller videoconference meetings occur biweekly, providing a regular forum to discuss contracting. NHQ CMS communicates changes in policies and procedures via bulletins and internal emails called GEN-COMs to regional CMS groups, and in turn are communicated to the local level via regional bulletins or regional intranet sites. While one-way communication was reported as occurring between NHQ CMS and the regional CMS groups, internal questionnaire results indicated that five of the six regions believed that communication required improvement.

During the audit timeframe, no established meetings occurred between Regional CMS Chiefs/Managers and the Director, CMS at NHQ. Until December 2011, Regional CMS Chiefs and Managers held bi-annual meetings to allow managers from all regions to meet in person to discuss issues and ideas regarding procurement and materiel management. Without opportunities for discussion between those who are responsible for ensuring adherence to CSC directives and TB polices, there is a risk that practices may not be consistently applied across the organization's decentralized operating environment. In addition, there is a missed opportunity for the sharing of issues and best practices, and consultation between the regions and NHQ.

Mandatory training was available at the national and regional levels for budget managers and contracting staff.

CSC's mandatory training, referred to as the National Training Standards, includes the Canada School of Public Service (CSPS) mandatory training for PGs and budget managers' delegation of authority. All budget managers, CMS regional managers and PGs reported they had taken the required training. The audit team tested this data, which is tracked by NHQ and is recorded in the Human Resources Management System^{Footnote 14} (HRMS) and no issues were found.

We expected to find that monitoring practices and systems were in place to ensure compliance with contracting policies and practices, and that monitoring results were reported and corrective action taken.

CSC met its external reporting requirements; however, the current processes were inefficient.

CSC monitors contracts over $10,000 on a monthly basis in each region and NHQ, to support its requirement to proactively disclose all contracts and amendments over $10,000. Proactive disclosure is discussed further in section 4.2.7.

Regional CMS staff obtains data on contracts over $10,000 from all community and institutional sites, and consolidates it into a Buyers Report for NHQ. NHQ reviews all reports and if errors or questionable entries are discovered, the regions are contacted for clarification and to have the error rectified if required, prior to posting on the organization's external website. NHQ CMS also reports on any contracts to be posted on the GETS on a weekly basis.

CSC is also required to report purchasing activities to Treasury Board on an annual basis. This "Datacap^{Footnote 15}" reporting exercise is performed at the end of the fiscal year, and was reported to be very time consuming by staff responsible for its production. Two regions stated that reporting was a full-time job for one staff member; another region reported that it takes two staff six weeks to fulfill the year-end Datacap reporting requirement.

The information compiled for the monthly Buyer's Reports is similar to that required for the end of year Datacap reporting exercise, resulting in an inefficient use of procurement resources, as data is captured twice for these separate processes. As TB had finalized the new reporting requirements for the Datacap, the audit team was informed that a reconciliation of these processes is on-going, and will alleviate the pressure of year-end reporting.

The audit found that a management framework was in place and was compliant with TB policy. CSC directives, guides and manuals were consistent with government policy relating to contracting and procurement; roles and responsibilities were defined and clear; training was offered and taken; and external monitoring and reporting requirements were met.

Nonetheless, there were areas within the management framework that require attention:

• a regular, established communication forum between CMS managers at NHQ and the Regions needed strengthening; and
• existing monitoring and reporting exercises were inefficient.

The second objective of this audit was to provide assurance that contracts greater than $25,000 were processed in compliance with Government of Canada legislation, policies and guidelines.

CSC contracting and procurement follows a standard seven phase process, as per the Policy:

Fifty files were examined to determine if those contracts were processed in compliance with the Policy and CSC directives in each of the above areas.

We expected to find that contract requirements were determined and appropriate contract methods were selected.

Contract requirements were identified and appropriate contracting methods were selected; no evidence of contract-splitting was detected.

Corporately, CSC produces an annual National Procurement Plan to provide industry and the public information regarding anticipated CSC contracting activities for the upcoming fiscal year, including a list of planned major procurement requirements. Input is requested from all regions, the plan is approved by the Commissioner, and it is posted on CSC's external website.

At the individual contract level, a first step in the contracting process as prescribed by FD 350-3 requires that CSC Form 286 "Request for Contract/Amendment/Extension" be completed for all service contracts going to the CRB. Of the 50 files reviewed, all had the completed form on file and contained information such as the justification for contract; security requirements; and certification that an employer/employee relationship will not develop.

The audit team examined a number of contracts, as CSC uses many different contracting methods to acquire goods and services. The appropriate method for contracting is determined by weighing the contract requirements against the available methods, while adhering to policies and regulations. As part of this examination, the audit team also looked for indications of contract-splitting. The audit team determined that appropriate methods were selected for all contracts examined, and no evidence of contract-splitting was detected. One method called the Advance Contract Award Notifications (ACANs) was examined closely, as the audit team noted a steady increase in the number of ACAN contracts issued at CSC from 115 in 2008 to 231 in 2010 (see Table 2). ACANs allow an organization to post a notice, for no less than fifteen calendar days, indicating to the supplier community that it intends to award a good, service or construction contract to a pre-identified contractor^{Footnote 16}. If no other supplier submits a statement of capabilities that meet the requirements set out in the ACAN during the posting period, the competitive requirements of the government's contracting policy have been met. If a potential supplier can demonstrate that their capabilities meet the requirements set out in the ACAN, the organization must proceed to a full tendering process in order to award the contract^{Footnote 17}. Of the 50 files examined, 15 were ACANs and all files contained justification to support the use of the ACAN process, although justification varied in length from one or two sentences in some files, to a full page justification in others.

In 2011, the number of ACANs dropped significantly, to be more in line with ACAN use across government. The audit team also noted a 10% increase in the number of non-competitive contracts issued at CSC, rising from 74/794 (9.3%) contracts in 2010 to 120/624 (19.2%) contracts in 2011. While CSC's numbers are comparable with the government average of 20.5%, attention should be paid to ensure competitive processes are used as much as possible to enhance access, competition and fairness.

We expected to find that contracts were reviewed and approved as required, and that appropriate FAA section 32 approvals were in place.

Section 32 approvals were in place prior to expenditure.

Appropriate pre-approvals were in place for all files reviewed, and funds were committed by creating a requisition or purchase order in iProcurement,^{Footnote 18} or a commitment in the Integrated Financial and Material Management System (IFMMS).

All contracts were reviewed and approved by the CRB as required; however, detailed decision-making information was not consistently on file.

As reported in section 1.4, CSC has established CRBs in each region and at NHQ. The NHQ CRB also serves as the National Contract Review Board which is responsible for reviewing issues that are national in scope, such as contracts with former public servants.

CRB minutes and decision logs were reviewed for the selected files for justification of all requests, and for proof of the CRB approval decision. All contracts were CRB approved, and decision logs/records of decision were on file; however, it was not clear to the auditors what documentation was provided to the CRB for their decision making, nor was a detailed record of the decision-making process on file.

While decision-making information was recorded electronically and maintained on shared drives accessible to all staff, some regions save all information on the shared drive, including legal reviews, email correspondence, and a signed copy of the CSC Form 286, whereas other regions save select information, such as signed records of decision. It was reported to the audit team that NHQ is currently taking steps to unify the information that is to be kept electronically.

Full implementation of this process will help CSC identify key documents and increase the consistency of information. This will mitigate the risk that a lack of proper documentation could jeopardize the organization's ability to demonstrate the high level of oversight being performed by the CRBs to the public and external oversight agencies.

We expected to find that contract files contained a complete audit trail that included details such as decisions and contract content.

All contracts examined included supporting documentation in accordance with TB policies and CSC directives; however, some contracts were not signed before their start date.

The Policy requires that contract files be documented in such a way that all options, decisions, approvals and justifications are documented. For the purpose of this audit, a file was considered to have a complete audit trail if it included: a statement of work; timeframes; deliverables and payment terms and schedule; the signed contract; and evidence to support a competitive process if applicable.

All files examined included the necessary information. All files from two regions contained checklists that indicated what should be on file. CSC staff informed the audit team that NHQ is now using a mandatory checklist for file content; however, the implementation of this checklist occurred after the time period of files reviewed. Therefore, its effectiveness could not be ascertained.

In 11 contracts reviewed, the contracting authority signatures were not timely (in effect a verbal contract was in place prior to signature). One contract reviewed required a payment on strength for $13,000.00, as work had been performed before the contract was in place. As per FD 350-3, the payment on strength was submitted to the CRB for approval, and a memo issuing a warning and requiring corrective action was issued. The risk to CSC is that if a contract is not signed in a timely manner, it could call into question the validity of the contract, particularly if an adverse situation occurred during the contract period or prior to signing.

We expected to find that invoices submitted for payment were in accordance with contract terms, contained sufficient information for certification of payment, and were approved by an individual with authority under section 34 of the FAA.

No concerns were noted with respect to certification of invoices under section 34 of the FAA.

All invoices were certified under section 34 of the FAA, by individuals with delegated authority. Further, all invoices tested were found to be in accordance with contract terms.

We expected to find that the verification of invoices under Section 33 of the FAA was performed in accordance with TB policy and CSC directives.

A documented standardized approach to verification and certification of invoices under section 33 of the FAA has not been finalized; however, no improper payments were noted.

As previously reported in the 2007 Audit of Contracting for Goods and Services, CSC has not finalized or fully implemented its documented process for section 33 of the FAA. While 100% verification occurred, as all invoices had a signature, stamp, initials or an electronic signature that belonged to the individual authorized under section 33, the audit team was unable to determine what verification or certification activity was conducted to support the decision behind the signature, as required by the FAA.

We expected to find that post-contract evaluations were completed in accordance with policy and guidelines.

Contract evaluation templates met the Policy requirements and were completed as required.

The Policy requires that, upon completion of a service contract, the contracting authority evaluates the work performed by the consultant or professional^{Footnote 19}. In 2007, the CSC Audit of Contracting for Goods and Services found that the content of the Contractor Evaluation (CSC Form 996) did not fully comply with the Policy. The 2007 audit and the 2010 CSC Review of CORCAN Construction Contracts also found that evaluations were not always completed as required. The results of this audit show that the current CSC Form 996 has been updated and now complies with policy, and all files reviewed had an evaluation on file as required.

We expected to find that contract and amendment information was disclosed, as required.

Contracts and amendments were disclosed as required.

As reported in section 4.1.4, each region prepares a monthly list of contracts over $10,000, referred to as Buyers Reports, which are sent to NHQ for review prior to publication on the CSC website. All files examined as part of the audit were disclosed as required, showing marked improvement from the 2007 Audit of Contracting for Goods and Services where 16/131 (12%) of contracts were not disclosed.

Contracts greater than $25,000 were processed in compliance with Government of Canada legislation, policies and guidelines, with minor exceptions. Contract files contained required documentation, CRB reviewed and approved applicable contracts, and contracts were proactively disclosed as required.

Nevertheless, the following shortcomings were identified:

• contract files lacked a consistent audit trail to support contract administration, including the timely signing of contracts and CRB decision-making information across regions; and
• a standardized documented process for the certification and verification of contract invoices, as required by section 33 of the FAA, had not been fully implemented.

Overall, the results of the audit confirmed improvement from the 2007 CSC internal audit, the Audit of Contracting for Goods and Services.

For the first objective, the audit found that: CSC directives, guides and manuals were consistent with government policies relating to contracting and procurement; roles and responsibilities were defined and clear; mandatory training was offered and taken; and external monitoring and reporting requirements were being met.

Nonetheless, there are areas within the management framework that need improvement:

• a regular, established communication forum between CMS managers at NHQ and the Regions needed strengthening; and
• existing monitoring and reporting exercises were inefficient.

With regard to the second objective, the audit results demonstrated that contracts were processed as per relevant legislation, central agency policies and CSC directives. Contract files generally contained required documentation, CRBs reviewed and approved applicable contracts, and contracts were proactively disclosed as required.

Nevertheless, the following shortcomings were identified:

• contract files lacked a consistent audit trail to support contract administration, including the timely signing of contracts and CRB decision-making information across regions; and
• a standardized documented process for the certification and verification of contract invoices, as required by section 33 of the FAA, had not been fully implemented.

Recommendations have been issued in the report to address these areas for improvement.