Internal Audit of Procurement

Internal Audit Report
Prepared by the Internal Audit Directorate
November 2025

Executive Summary

What we examined

The objective of this internal audit is to provide reasonable assurance that the contracts awarded by the Department of Finance Canada (the Department) were processed in compliance with key components of applicable legislation, policy requirements, and guidance, and to assess the effectiveness of the procurement process.

Why it is important

The procurement of goods and services by the Government of Canada is essential for enabling departments to deliver programs and services to Canadians. Except where explicitly exempted, government procurement processes are mandated to be conducted in a fair, open, and transparent manner.

Procurement represents a vital corporate function at the Department, with approximately 512 contracts issued between April 1, 2020, and December 31, 2023, valued at approximatively $17.6 million. Effective procurement capabilities are therefore critical for the Department to fulfill its strategic objectives and maintain daily operations while ensuring value for money for Canadians.

What we found

We found that the Department has established governance and risk management mechanisms to provide oversight of procurement and contracting activities and mitigate risks, however some weaknesses were identified, particularly related to monitoring.

Overall, we found that the Department has established and implemented effective procurement processes and controls to comply with legislative, policy and directive requirements. However, we found that not all controls were functioning as intended, with certain gaps, such as:

• proper financial delegated authorities (s.32, s.34 and transaction authority);
• a lack of completeness of key procurement documents, such as:
  • the procurement request form;
  • signatures of the vendor on the contract;
• a lack of enforcement of roles and responsibilities for all stakeholders (business owners vs. procurement officer); and
• departmental guidance was not in alignment with the current policy and directive.

The Department is actively working to resolve these control weaknesses.

Marie-Josée Yelle
Chief Audit Executive

Background

Context

In accordance with the Department of Finance Canada's (the Department) approved 2023-2025 Risk-based Audit Plan, the Internal Audit Directorate conducted an internal audit of procurement. Given recent media scrutiny and subsequent targeted procurement audits across the Government of Canada (GoC), this internal audit was undertaken to provide assurance that departmental procurement activities are conducted in accordance with established policies and procedures.

Procurement and Contracting in the Government of Canada

Procurement activities across the GoC operate within a complex regulatory framework, requiring departments and agencies to comply with comprehensive policies, directives, and regulations (see list in Annex D).

As of May 13, 2021, procurement activities are governed by the Treasury Board (TB) Policy on the Planning and Management of Investments (the Policy) and the Directive on the Management of Procurement (the Directive). These instruments replace the rescinded TB Contracting Policy and are designed to ensure that goods, services, and construction acquisitions support program delivery to Canadians while achieving best value to the Crown.

Since 2022, the Directive has significantly evolved and includes: (1) a new appendix on mandatory procedures for contracts awarded to Indigenous businesses; (2) the integration of human rights, the environment, social and corporate governance, supply chain transparency principles, as well as Public Services and Procurement Canada's (PSPC) Code of Conduct for Procurement into all government procurements; (3) additional requirements for risk-based systems of internal control, information management and proactive publication of contracts; (4) new requirements related to values and ethics, documentation and reporting; and, (5) the first report to deputy heads from senior designated officials for procurement on professional service resources in their departments.

Procurement and Contracting at the Department of Finance Canada

Procurement represents a vital corporate function at the Department with approximately 512 contracts issued between April 1, 2020, and December 31, 2023, valued at approximately $17.6 million. Effective procurement capabilities are therefore critical for the Department to fulfill its strategic objectives and maintain daily operations.

The Department can issue contracts within specific Canadian dollar thresholds as specified in Appendix A of the Directive on the Management of Procurement. PSPC and Shared Services Canada (SSC) play an important role in acquiring goods and services on behalf of departments. In addition to contracts issued by the Department, there were 223 contracts and amendments processed by PSPC and SSC on behalf of the Department; valued at approximately $61.4 million. Requisitions are sent by the Department's procurement officers to PSPC and SSC in the following three situations:

1. The estimated dollar value of the goods or services being procured exceeds the Department's non-competitive or competitive contracting authority limits.
2. The goods or services being procured are under the exclusive authority of PSPC or SSC, regardless of dollar value.
3. PSPC or SSC have awarded multi-departmental contracts or government-wide agreements for a particular good or service with a specific contractor, which the Department must utilize.

It is important to note that although a contract may be awarded by PSPC or SSC on behalf of the Department, the Department is still responsible for writing statements of work, evaluation criteria, sole-source justifications and providing necessary documentation to support PSPC and SSC's procurement files. In addition, the Department manages the contract, pays all invoices, and reports on the contract to the public and Parliament, as is the case for contracts awarded by the Department using its own contracting authorities.

As per the Policy, the Deputy Minister is responsible for designating senior officials to support its accountability for all policy requirements, including procurement. The Department's Procurement Management Framework (PMF) identifies the Deputy Chief Financial Officer (D/CFO) as the Senior Designated Official for the management of procurement, with functional reporting to the Chief Financial Officer (CFO), who reports to the Deputy Minister.

The Procurement and Materiel Management Division (P&MM) within the Financial Management Directorate of the Corporate Services Branch is responsible for providing advice, guidance, and functional support to clients throughout all phases of the procurement and materiel management process. The P&MM team reviews contracts and procurement requests for compliance with applicable laws, policies, and best practices related to government contracting, while advising managers of potential risks.

Since April 1, 2020, the Department's P&MM team has provided essential procurement support for key initiatives such as:

• The Department's economic response to the COVID-19 pandemic
• Federal Budgets and Fall Economic Statements
• The 2025 G7 Finance Ministers and Central Bank Governors Meeting
• Procuring furniture, IT and AV equipment, and software to support workplace modernization
• Procuring professional services to support the advancement of key policy files

At the time of this report, the P&MM team consisted of only ten employees with procurement and materiel management responsibilities. Four full-time equivalents (FTEs) were dedicated to procurement and contracting operations, one FTE focused on procurement reporting, three FTEs focused on acquisition cards and materiel management, and the remaining two FTEs held supervisor and managerial responsibilities for both procurement and materiel management functions. These two managerial positions are also responsible for ensuring that the Department meets its reporting requirements.

Business owners are responsible for identifying and defining requirements, developing statements of work and the evaluation criteria, and submitting the appropriate contract request form with supporting documentation to the P&MM team. Supporting documentation includes Section 32 (s.32) authority under the Financial Administration Act (the FAA), which grants individuals the authority to commit funds against an appropriation. Business owners are also responsible for the overall contract management, contractor performance oversight, and authorizing invoice payments under Section 34 (s.34) of the FAA.

Contracting Transaction Authority, also known as Transaction Authority or Contracting Authority, are designated individuals, with the authority to sign goods and services contracts within approved delegated limits on behalf of the Department. The authority to sign contracts is restricted to designated individuals within the Corporate Services Branch. This authority rests with the CFO and procurement officers. As per the P&MM team, this authority has been clarified in the Department's 2025 update to its Delegation of Financial Signing Authorities document where business owners may only authorize acquisition card transactions up to $10,000. Under exceptional circumstances, the Deputy Minister may exercise Contracting Transaction Authority, such as the need to enter into an emergency contract.

About the Audit

Objective

The objectives of this internal audit engagement were to:

• provide reasonable assurance that the contracts awarded by the Department of Finance Canada were processed in compliance with key components of applicable legislation, policy requirements, and guidance; and
• assess the effectiveness of the procurement process.

Scope

The audit scope encompassed contracts awarded by the Department of Finance Canada (the Department) between April 1, 2020, and December 31, 2023, covering the period and following the transition to the COVID-19 remote working environment. The audit also examined newly established departmental processes and controls implemented following the Treasury Board (TB) Directive on the Management of Procurement, including the early implementation of the Procurement Management Framework (PMF).

The scope of the audit excluded procurement and contracting activities conducted by external contracting authorities, such as Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC), as well as transactions related to purchases on Government Acquisition Cards.

The internal audit team did not assess the quality or adequacy of key procurement documents such as the Statement of Work (SoW), nor the competitive bid selection assessments. Certain aspects of the audit program were adjusted during the engagement, including the decision not to conduct a survey of business owners, not assessing business owners' file contents, including services and goods received.

Approach

The internal audit engagement was conducted using following procedures:

• interviews with departmental management and staff;
• reviews of applicable policies, directives, and regulations, guides, and procedural documents;
• analysis of documents including system-generated reports and financial data;
• mapping of key processes and performance of data analytics to identify anomalies and potential risk indicators; and
• testing of a stratified sample of 94 files^{Footnote 1}, supplemented by judgmental sampling and data analytics-driven testing where feasible (see Appendix C).

Field work for this audit was substantially completed by early May 2025.

Opinion

Sufficient and appropriate procedures were performed, and evidence gathered, to support the accuracy of the internal audit conclusion. The internal audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the internal audit against established criteria that were agreed upon with management.

The findings and conclusion are only applicable to the areas examined and for the scope and period covered by the internal audit.

Statement of Conformance

The internal audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

Detailed Findings and Recommendations

Governance and Oversight of the Procurement Process

Under the Treasury Board (TB) Policy on the Planning and Management of Investments (the Policy), Deputy Heads must ensure that all projects and programs have appropriate governance structures and processes in place, including committees, quality assurance mechanisms, and independent reviews. Specifically, governance over procurement ensures transparency, promotes fairness and competition; promotes individual accountability for decisions; controls cost and maximizes value; and supports the strategic goals of the Department.

Overall, the audit found that while the Department of Finance Canada (the Department) had established and implemented governance mechanisms in 2023 to oversee procurement and contracting activities — including a Procurement Management Framework (PMF) and Procurement Review Board (PRB) — these mechanisms are evolving and have limitations.

Limitations in the Procurement Management Framework

The TB Directive on the Management of Procurement (the Directive) (May 2021) requires all departments to establish and implement a Procurement Management Framework (PMF) that consists of processes, systems, and controls that includes clearly defined roles, responsibilities, accountabilities, best practices, and procedures. Establishing a PMF is meant to ensure that the procurement community has the necessary support to manage procurements in a fair, open, and transparent manner that meets public expectations for prudence and probity.

In February 2022, the Treasury Board Secretariat's (TBS) shared its Draft Guide to Establishing a Procurement Management Framework with departments which provides a list of suggested activities that departments may consider in order to ensure that the requirements of the Directive are addressed.

The internal audit team compared the Department's PMF, approved in June 2023, to the TBS draft guidance and determined that the Department's PMF incorporated many of the suggested activities of the guide, however, the Department did not include the following activities:

• Build quality assurance procedures into procurement processes to monitor compliance and identify improvement opportunities.
• Use data analytics to report evidence-based results internally and externally to inform management and stakeholders.
• Define and communicate risk management responsibilities of procurement officials, business owners, and other key departmental stakeholders.
• Communicate procurement service and quality standards with internal and external stakeholders.

While these activities are not specifically required, the internal audit team notes that these would be good practices and could improve the effectiveness of the process as a whole.

Of the activities that the Department has included in the PMF, the internal audit team notes that the majority of activities have been implemented with the exception of incorporating the new GC procurement competencies into the Departmental PG developmental program.

Furthermore, the P&MM team has not instituted a formal tracking system to assess the implementation progress of the Department's PMF. In addition, the P&MM team noted that they are completing environmental scans, however, the internal audit team was unable to assess due to lack of documentation (i.e., overall analysis of the environmental scans).

Opportunities for improvement within the Department's governance structure related to procurement

While the Department's governance structure is referenced within the PMF, the internal audit team found that procurement was not formally included as a responsibility for any of the Department's approval committees (the Executive Committee and the Management and Operations Committee) or advisory committees (the People Management Committee and the Workplace Management Committee).

In the absence of a fixed requirement for a senior committee to exercise oversight, procurement-related matters such as procurement reporting, policy changes and training were discussed occasionally by committees. Although not documented, the CFO confirmed that procurement-related matters were raised to the Deputy Minister and the Associate Deputy Minister through bilateral meetings.

Procurement oversight boards ensure that procurement activities are transparent, fair, and compliant with laws and policies. These boards review and approve procurement policies, monitor risk and compliance, promote accountability, and ensure decisions are made ethically and in the organization's best interest. Through this oversight, they help prevent conflicts of interest, support best practices, and strengthen the integrity of the procurement process.

To meet the requirement of the TB Directive, in the Fall 2023, the Department established the Procurement Review Board (PRB) to provide risk-based oversight of high-risk or high-value procurement activities.

Operating as a Director-level committee outside the Department's core governance network, the PRB is chaired by the Deputy CFO and holds weekly meetings requiring a minimum of five members, including the Chair. In addition to its weekly meetings, the PRB holds quarterly meetings to discuss emerging issues and trends, and reviews planned procurement requirements to facilitate early identification of potential concerns before procurement strategies. Unresolved issues are taken by the Chair to the CFO for final decision. Currently, there is no formal escalation process beyond the PRB.

Individual board members leverage their expertise to evaluate individual procurement risks and approve activities based on established criteria. While membership originally consisted of internal service representatives, in November 2024 membership was expanded to include clients and business owners, with policy branch representation rotating every six months.

The internal audit team found that the PRB was functioning effectively. However, the team found that due to high workload, turnover and conflicting priorities, the Chair of the PRB had not provided an update on procurement issues and trends to the Management and Operations Committee (senior level governance committee) in a consistent manner as stipulated in the PRB's terms of reference. In addition, the PRB has not been formalized in the PMF as the main governing body for procurement.

Since early 2023, the Financial Management Directorate (FMD) has also provided semi-annual monitoring reports to the Departmental Audit Committee (DAC). However, similar to the PRB, reporting to the DAC has not been formalized within the PMF.

Recommendation #1

The Senior Designated Official for the Management of Procurement should formally document the existing governance structure for procurement within its Procurement Management Framework and work with Corporate Governance to ensure that procurement is clearly integrated into the Department's governance structure.

Procurement Controls

Overall, the internal audit team found that the Department has established processes and controls to guide procurement activities. In particular, the team notes that, with regards to the competitive process, the contract files were generally complete, controls were functioning as intended and the competitive process for vendor selection was followed. In addition, of the 94 contracts reviewed, the team found that all contracts over $10,000 were proactively disclosed on the Open Government portal.

However, some control weaknesses were identified, which are detailed below.

Pre-contract controls and procedures were not consistently applied

Procurement Request Forms incomplete

The procurement and contracting process requires that business owners seeking to acquire goods or services consult with procurement officers before contacting vendors or engaging in contracts. Business owners must complete the Department of Finance Canada's (the Department) Procurement Request Form (PRF) for all new procurement of goods or services. Each PRF requires the business owner to identify the contract requirements (good or services, start date, security), total estimated cost, sole source justification if required, and the fund center's authorization (Section 32) that unencumbered funds are available to cover cost of the proposed contract.

The completed PRF is provided to the Procurement and Materiel Management (P&MM) team, who reviews the form to ensure there is appropriate supporting documentation (statement of work, security requirement check list, sole sources justification, price support, etc.) that is consistent with the proposed procurement approach and characteristics. The P&MM team also checks to ensure that, for the proposed procurement, there are no established standing offers or supply arrangement in place, whether indigenous vendors are available, if former public servants are involved and if proposed vendors are deemed unethical. Once reviewed, the procurement officer signs the PRF.

During the review of contracts, the internal audit team identified deficiencies with the completeness of the PRF. In some instances, the internal audit team found evidence where the business owners did not properly complete the PRF (for example, nine contracts did not identify which of the four sole source justifications were used) or provide key supporting documents (for example, two contracts were missing a quote on file, two contracts did not include responses to the seven Treasury Board questions for sole sourcing with one vendor when required, and six contracts did not include a statement of work).

Furthermore, two versions of the PRF were in use during the sample testing period, with the updated version implemented in September 2021. The revised form included a new section requiring procurement officer attestation to verify PRF completeness. However, among contracts utilizing this updated form, the internal audit team found that the attestation section was completed in only one instance.

As per the P&MM team, there was an issue with the review process where the PRF section reserved for procurement officers did not work as intended and therefore was not used as intended. They are currently updating the PRF and developing a separate checklist for procurement officers to address these issues. At the time of the report, the revised forms were still in draft form.

Existence of confirming orders

Confirming orders occur when the formal procurement approach has not been followed but the Crown has entered into a contractual arrangement with a vendor. In such cases, the goods or services have been provided, and payment is being sought.

Confirming orders expose the Department to several risks including fraud, unfavorable terms and reputational, and should be avoided since there is no binding agreement between the supplier and the Department. Furthermore, confirming orders present financial risks to a fund centre's budget and can impact branch or departmental budgets if significant.

The internal audit team identified that two of the contract files reviewed were confirming orders. In both instances, the business owner had entered into an agreement with a vendor for services without informing the P&MM team. The value of these two contracts totaled $118,162. This was a clear disregard of procurement rules and processes, which denied P&MM the opportunity to review and ensure key elements of fairness, transparency and accountability were maintained. Key financial controls, like Section 32 of the Financial Administration Act (the FAA), were documented after services were provided to allow for payment. The P&MM team has noted that following the issuance of these confirming orders, they have met with the branch responsible to raise awareness, discuss risks and possible consequences to ensure that the P&MM team is engaged at the onset of the procurement activity.

The internal audit team also reviewed the entire population (512 contracts) for the period of April 1, 2020, and December 31, 2023, for other possible confirming orders and found an additional five confirming orders, representing less than 1% of all contracts. As per senior management, they have noted that due to urgent needs related to the Department's core mandate (for example, expenses related to the tabling of the Federal Budget and Fall Economic Statement), there have been exceptional circumstances where confirming orders have been used.

Documenting Procurement decisions

Sole source justification not consistently documented

The Government Contract Regulations (GCR) requires contracting authority to solicit bids prior to awarding contracts. However, contracts can be awarded on a sole source basis if the contract meets one of the following conditions: emergency; estimated cost are below specified thresholds for goods ($25,000) and services ($40,000); solicitation would not be of public interest; and only one supplier can perform the contract.

In situations where a business owner seeks an exception to competitive bidding, that decision should be fully justified by the contracting authority, and appropriate documentation placed on the contract file. If only one supplier can perform the work and the value of the contract exceeds the specified thresholds for goods and services, Treasury Board (TB) requires that responses to seven questions be completed by the contracting authority (P&MM) and the business owner before awarding the sole-source contract.

The documentation in the procurement file of the appropriate rationale for a sole-source contract awarded is crucial for ensuring transparency in the use of public funds; accountability and reduces the risk of corruption; demonstrates value for money; and allows for better oversight of the procurement process.

A review of the PRF for 75 non-competitive contracts found that the sole source justification was not consistently documented in nine instances: seven were under the goods and services thresholds, and two were issued under PSPC's standing offers. Furthermore, for the two contracts, where the exception was identified as being the only capable supplier, the file did not contain the required response to the TB questions. The internal audit team noted that there was confusion between the Department and PSPC as to who was responsible for completing the TB questions with regards to vendors on PSPC's standing offer and supply arrangement list. Clarification was added in the PSPC supply manual in 2024. Following discussions with the P&MM team, they have noted they now add the TB questions for all relevant contract files.

Security considerations were not consistently considered

The TB Directive on Security Management (July 2019) requires departments to integrate security considerations into departmental procurement processes and identifying security requirements for specific contracts. Considering security requirements before soliciting or awarding contracts is essential to prevent the inadvertent disclosure of sensitive government information to individuals or organizations that have not been cleared to access information or work sites.

For the Department, the business owner is responsible for identifying the need for a security assessment via the PRF based on the proposed contract's tasks. If a security assessment is deemed required, the Department's Security Services Division assesses and completes the Security Requirement Checklist (SRCL). Once the SRCL is completed, it is included as supporting documentation along with the Procurement Request Form to P&MM.

The internal audit team found, of the 94 contracts examined, 33 contracts included an SRCL. Of these 33 contracts, the audit identified six contracts where the security level specified in the SRCL did not align with the selected vendor's security level clearance. For example, one contract indicated that the vendor needed to have a 'Secret' security level clearance, however, the selected vendor had 'Reliability' status at the time of the contract being awarded. These findings highlight the importance of maintaining consistency between identified security requirements and contractor selection decisions.

The current process could benefit from enhanced guidance or additional checkpoints to ensure security requirements are systematically considered and aligned.

Financial Authority Framework and Delegation

The Financial Administration Act (FAA) provides the legal framework for financial management in the Government of Canada (GoC) and guides public servants in their financial responsibilities. In contracting three key sections of the Act are important to demonstrate good financial management and responsibilities: commitment of budgets (s.32), transaction authority, certification of receipt of goods or services (s.34), and payment (s.33)^{Footnote 2}.

Proper delegation of these authorities is essential to ensure that financial commitments and payments are legally valid and comply with established controls. This delegation framework serves as a safeguard for public funds by restricting spending approvals to authorized personnel, thereby promoting accountability, preventing misuse, and supporting sound financial management practices.

The Department maintains an approved Delegation of Financial Signing Authorities Instrument (Delegation Instrument) that is structured in two distinct categories: operational authorities and functional authorities, providing clear description of responsibilities and approval levels by units and positions throughout the Department.

Business owners' authorities (s.32 & s.34)

The internal audit team reviewed all 94 contracts for compliance with requirement to s.32 of the FAA. Given the importance of maintaining control over individual and collective budgets, we expected to find that s.32 approvals would align with the Department's Delegation Instrument, and individuals, who approved commitments, would have appropriate authority at the time of signature.

The internal audit team found three instances where the authorizing individual did not possess the required delegated authority for s.32 at the date of signature. In all three of those instances, the same individual had lapsed authority for its respective fund center.

The internal audit team also reviewed all 94 contracts to determine if compliance with requirement to s.34 of the FAA were met. Given the importance of ensuring the government receives the goods and services it purchases from vendors, we expected that s.34 approvals would align with the Department's Delegation Instrument, and individuals who confirmed receipt of goods or services would have appropriate delegated authority at the time of signature.

The internal audit team found that, of the 378 invoices associated with the 94 contracts reviewed, there were 16 invoices (4% of the total) in which the authorizing individual(s) did not possess the required delegated authority for s.34 when certifying receipt of good or services. These 16 invoices were related to seven (7) individuals whose delegated authority had either lapsed, expired, or had not yet come into effect^{Footnote 3}.

The internal audit team notes that payment of invoices, confirmation of active delegation of authority, and maintaining documentation for s.34 is a shared responsibility with TBS Accounting Services. The team did note that in most of the 94 contract files, with a few minor exceptions, there were copies of signed s.34 invoice(s) on file.

P&MM informed the team that the process relies on the business owners' awareness of their own authority levels and at the time undertook manual verification of s.32 and s.34 authority on a random basis. In addition, as part of the Department's Account Verification Framework (AVF), TBS, on a quarterly basis, conducts a post-verification of a sample of processed s.32 and s.34 transactions. As noted in the AVF, the Department has accepted a tolerable error rate of 8% of transactions. While the internal audit team's error rate falls within the acceptable error rate established in the AVF, improvements to the verification process could still be made.

P&MM team recognizes the need to be more systematic in its verification processes and is updating the Procurement Request Form to support and improve its capabilities to monitor completeness. They have also informed the team that FMD is exploring the option of implementing automated controls in SAP to validate s.32 and s.34 going forward. Integration of the signing cards in the Departmental Financial Management System was achieved in 2025 and was a step towards automation.

Transaction authority

The internal audit team also expected that officials signing contracts on behalf of the Department would have valid up to date delegated authority in accordance with their position as defined in the Department's Delegation Instrument. We found that two individuals in the P&MM team did not have an up-to-date specimen signature card or active acting card to authorize them to exercise the authorities delegated to their position. This resulted in 13 contracts and 10 contract amendments where the authorizing individual did not have the proper level of signing authority to enter into a contract or amend an existing one. The P&MM team, as contracting authorities, have updated their signing authorities during the audit to rectify this issue.

Counter-signed contracts not returned by suppliers

A contract is a legal binding agreement between two or more parties, outlining specific rights, obligations and responsibilities. Having a contract signed by both parties is essential to ensure that both parties understand the terms of the agreement and to reduce the risk of disputes.

The internal audit team expected that a signed contract between the department and the vendor would be in place prior to goods or services being delivered.

Of the 92 contracts examined (excluding the two confirming orders), the internal audit team found that three non-competitive contracts were missing the vendor's signature.

Recommendation #2

The Procurement & Materiel Management team should review and update the procurement request workflow and its associated templates (i.e., the Procurement Request Form) to ensure consistent documentation, formal documentation of the quality assurance process, and compliance with legislative and policy requirements.

Procurement Monitoring and Training

Quarterly monitoring of procurement activities

The Directive requires that the Department has a risk-based system of internal controls that is maintained, monitored, and reviewed to provide reasonable assurance that procurement transactions are carried out in accordance with the framework, and applicable laws, regulations, and policies. Departmental internal control functions play a crucial role in ensuring that procurement activities are conducted efficiently, ethically, and in compliance with external and departmental policies, directions and regulations.

In the Department of Finance Canada (the Department), Financial Management Directorate's (FMD) internal control team produces a quarterly report for the Deputy Chief Financial Officer and the Manager of Procurement. The report covers departmental procurement and contracting activities for the previous quarter (i.e. April 1 to June 30). Since early 2023, FMD has also provided semi-annual monitoring reports to the Departmental Audit Committee (DAC).

Using data analytics, the internal control team identifies risks associated with contract splitting, repetitive sole sourcing, and contracting with former public servants. To date, the team has not identified any fraudulent activities.

The internal audit team notes that in addition to the quarterly monitoring being done for procurement, the Department may want to consider monitoring additional high-risk procurement activities such as analyzing for sole sources contracts awarded below sole source threshold and where subsequently amended pushed the contract value above threshold.

Recent changes to identify and remove potential conflict of interest

Reporting potential conflicts of interest in public sector procurement is essential to ensure fairness, transparency, and accountability in the use of public funds. Early disclosure of potential conflicts of interest fosters public trust and safeguards the integrity of the procurement process and helps prevent biased decision-making, supports compliance with legal and ethical standards, and protects both the organization and individuals from reputational and legal risks.

The Treasury Board (TB) Directive on the Management of Procurement (the Directive) (May 2021) requires business owners to adhere to the Values and Ethics Code for the Public Sector and the TB Directive on Conflict of Interest (April 2020) at all times during the procurement process, including but not limited to, when engaging with suppliers, evaluating bids, awarding and managing contracts.

Recognizing the higher risk to employees when contracting for professional services, the TB Directive (Appendix F of the Directive) specifies mandatory procedures for all professional services contracts that exceed $40,000. Business owners are to provide contracting authorities with signed confirmation that they do not have any perceived or real conflict of interest, and should any develop, they will immediately report it as required by the TB and notify the contracting authority.

The internal audit team found that the Department's annual confidential reporting process, administered by the Office of Values and Ethics (OVE), serves as the primary mechanism for all departmental employees to report Conflict of Interest (CoI). However, the self-declaration is completed once a year and the OVE relies on individuals to report when their personal circumstances change. The team found there was no direct link or communication between the work conducted by the OVE and that of the procurement team for individual contracts. Through consultations, P&MM indicated that they were previously relying on the OVE annual reporting process to support reporting of CoI concerns for procurement.

Recently, the internal audit team found that the P&MM team and the OVE have successfully collaborated to implement improvements to its CoI reporting and oversight mechanisms for procurement related activities. An automated annual confidential reporting system now specifically targets procurement-related conflicts by requiring employees to declare their participation in procurement activities as business owners. Business owners who indicate involvement must complete an additional specialized declaration form through an automated follow-up process.

The P&MM team is advancing these controls further by updating the Procurement Request Form (PRF). The enhanced PRF will integrate CoI screening directly into the procurement workflow, requiring all business owners to address potential conflicts for each individual procurement process. This approach will embed CoI considerations at the start of each individual procurement activity.

Together, these initiatives should create a comprehensive dual-layer system: annual declaration coupled with transaction-specific screening. This approach significantly strengthens the Department's ability to identify, assess, and manage potential conflicts of interest in procurement activities before they can impact decision-making processes.

Departmental guidance to managers is not up to date

The Department uses two key guidance documents for the procurement process. The Department's Manager's Guide to Contracting (November 2017) and the Contracting and Procurement Guide (July 2016). The Department's Manager's Guide to Contracting provides the Department's employees, particularly fund center managers (i.e., individuals responsible for managing a budget), with the information necessary to effectively undertake the procurement of goods and services on behalf of the Department. It is intended to help managers gain a better understanding of their operational and fiduciary responsibilities in all phases of the procurement life cycle. The Department's Contracting and Procurement Guide provides procurement officers with an understanding of the Department's contracting and procurement unit's function, and how it interrelates with the Department as a whole.

The internal audit team found that departmental guidance was not up to date and aligned with current Treasury Board policies, directives and guidance. The absence of up-to-date guidance that is aligned with current TB and departmental policies, directives and guidance, risks of omitting key controls in the procurement process and having accountability gaps with respect to roles and responsibilities of officials in the department. For example, current guidance has limited reference to conflict-of-interest management, reference to security in the absence of a SRCL, and does not enforce the importance of records management as a shared responsibility between P&MM and business owners.

Updates to Department's PG development program required

TBS has established a list of mandatory training which outlines required training for procurement specialists. The internal audit team found that mandatory training was mostly completed by all required employees, with some minor exceptions for newer P&MM employees who took over procurement responsibilities in the past year.

The Office of the Comptroller General (OCG) has developed new procurement specialists' competencies. From consultations, the P&MM team noted that these have been successfully incorporated into procurement officers' Performance Management Agreements (PMAs) for fiscal year 2025-2026.

The Department has a PG development program in place to assist with the recruitment, retention and development of procurement officers. However, this has not been updated since 2016 and therefore is not reflective of the current mandatory training requirements in place or the new competencies developed by the OCG.

Recommendation #3

The Procurement & Materiel Management team should update its procurement-related guidance to ensure that it is in line with recent legislative and policy requirements.

Conclusion

We found that the Department has established governance and risk management mechanisms to provide oversight of procurement and contracting activities and mitigate risks, however some weaknesses were identified, particularly related to monitoring.

Overall, we found that the Department has established and implemented effective procurement processes and controls to comply with legislative, policy and directive requirements. However, we found that not all controls were functioning as intended, with certain gaps, such as:

• proper financial delegated authorities (s.32, s.34 and transaction authority);
• a lack of completeness of key procurement documents, such as:
  • the procurement request form;
  • signatures of the vendor on the contract;
• a lack of enforcement of roles and responsibilities for all stakeholders (business owners vs. procurement officer); and
• departmental guidance was not in alignment with the current policy and directive.

The Department is actively working to resolve these control weaknesses.

Recommendations, Management Response and Action Plan

Annex A: Audit Criteria

The following audit criteria were used in the conduct of this audit:

1. Criteria 1: The integrity of the procurement activities was maintained consistent with the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest;
2. Criterion 2: Procurement activities were conducted in a fair, open and transparent manner consistent with key components of the Treasury Board (TB) Policy suite and related requirements on procurement.^{Footnote 4}
3. Criterion 3: Procurement activities were conducted in a manner consistent with the Department's internal processes and control frameworks.^{Footnote 5}
4. Criterion 4: The Department's internal processes are identifying and meeting the needs of the business owners.

Annex B: Sampling Strategy

The internal audit team identified a population of 825 entries for the period of April 1, 2020, to December 31, 2023. Given the scope was limited to only contracts where the Department was the contracting authority, the population was further reduced to 512 by removing all contracts led by PSPC and SSC (222 records). In addition, contracts started before April 1, 2020, that included an amendment in the scope period were further removed (91 records). The total population consisted of 431 service contracts (512 records including amendments) and 81 goods contracts (91 records including amendments).

Targeted population distribution

Sample Selection

A total of 94 contracts were selected for sampling. The population was divided into four groups to facilitate stratified sampling. The criteria for each of these groups were as follows:

Annex C: Key Procurement Policies, Directives and Regulations

The following is a non-exhaustive list of key information reviewed by the internal audit team:

Legislation

• Financial Administration Act
• Government Contract Regulations

Policies, Directives and Guidance

• TB Contracting Policy (rescinded)
• TB Policy on Planning and Management of Investments
• TB Policy on Government Security
• TB Directive on Conflict of Interest
• TB Directive on the Management of Procurement
• TB Directive on Security Management
• TBS Guide to Establishing a Procurement Management Framework
• TBS Guide to Delegating and Applying Spending and Financial Authorities
• Code of Conduct for Procurement

Key Departmental Documents

• Code of Conduct
• Financial Signing Authority Guide
• Guide to Mitigating Conflicts of Interest in Procurement
• Manager's Guide to Contracting
• Manager's Guide: Key Considerations when Procuring Professional Services
• Procurement Management Framework
• Departmental Security Plan

Annex D: Acronyms