Internal Audit of Federal Government Consulting Contracts Awarded to McKinsey & Company
Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.
- Executive summary
- Conformance with professional standards
- Audit objectives and scope
- Overview of DND Contracts
- Findings and recommendations
- Management response
- Appendix A: Audit criteria
- Appendix B: Management Action Plan
- Appendix C: Breakdown of findings
The audit was mandated by the Office of the Comptroller General (OCG), on February 8, 2023, for all departments who had entered into any contracts with McKinsey & Company since January 1, 2011. The audit looked at the integrity of the procurement processes, and assessed whether the procurements were conducted in a fair, open and transparent manner consistent with the Treasury Board (TB) Policy that was in place at the time and if the procurements were conducted in a manner consistent with the organization’s internal processes and control frameworks.
The Department of National Defence and the Canadian Armed Forces (DND/CAF) had 15 contracts with McKinsey between 2011 and 2023 with a total contract value of $29.6M. Twelve of these contracts were signed under Public Services and Procurement Canada’s (PSPC) contracting authority and were call-ups against a non-competitive National Master Standing Offer (SO) established by PSPC with McKinsey for the entirety of the Government of Canada (GC). Many of these contracts were leveraged to support the work of the Chief Professional Conduct and Culture (CPCC), a new organization created in April 2021. CPCC works to unify and integrate all associated culture change activities across the Department and become the centralized expertise for professional conduct and culture. Other contracts were established to support the digitization initiatives for the Navy and Canadian Joint Operations Command (CJOC).
Overall, DND/CAF has an established integrity framework that covers both public servants and military members. There is an opportunity to strengthen due diligence on a risk basis to ensure that anyone involved in the contracting process, whether contractors’ resources or Defence Team members, are not in a real or perceived conflict of interest situation. DND/CAF generally adheres to procurement policy and to its own internal processes, including to financial and delegation processes. Some exceptions were noted in financial controls and full determination of compliance was limited by the absence of key information on some files, with a need to improve file management practices through dedicated digital solutions. Improvement opportunities were identified to enhance guidance and training as well as to leverage the existing departmental compliance verification framework to better demonstrate compliance to policy. Finally, controls over proactive disclosure should be strengthened to ensure that all DND/CAF contracts are disclosed completely, accurately and on a timely basis.
Conformance with professional standards
This internal audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.
Susan Cole for,
Assistant Deputy Minister (Review Services)/Chief Audit Executive
Procurement in the GC is subject to the Directive on the Management of Procurement (and the now rescinded Contracting Policy prior to May 13, 2022),Footnote 1 which has as its objective to ensure that procurement of goods, services and construction obtains the necessary assets and services that support the delivery of programs and services to Canadians, while ensuring best value to the Crown. As a result, among others, procurements are expected to enable operational outcomes, to be subject to effective governance and oversight mechanisms, to be fair, open and transparent, and to meet public expectations in matters of prudence and probity.
The Prime Minister tasked Minister Fortier, as President of the TB, along with Minister Jaczek, Minister of PSPC, to undertake a review of contracts awarded to McKinsey & Company (McKinsey). On February 8, 2023, the OCG requested from government organizations, by February 15, 2023, a list of all contracts with McKinsey dating back to January 1, 2011, as well as related information on these. For those organizations that have been the technical authority (TA) and/or entered into any such contracts as the contracting authority, the OCG has directed the Chief Audit Executives (CAE) of these organizations to conduct a formal independent internal audit of the related procurement processes, with results to be reported to the OCG by March 22, 2023.
Audit objectives and scope
The objectives of the audit were to determine the following for all scoped-in contracts with McKinsey:
- The integrity of the procurement process was maintained consistent with adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest;
- The procurements were conducted in a fair, open and transparent manner consistent with the TB Policy that was in place at the time (Contracting Policy or the Directive on the Management of Procurement); and
- The procurements were conducted in a manner consistent with the organization’s internal processes and control frameworks (i.e., consistent with procurement management frameworks, financial controls, security controls).
The scope of the audit focused on the examination of the procurement practices for all competitive and non-competitive contractsFootnote 2 with McKinsey awarded (i.e., signed) by DND/CAF between January 1, 2011, and February 7, 2023Footnote 3 with a total combined expenditure of $26,983,571. Amounts reported outside of this audit refer to a total contract value of $29,652,666 while the audit captures actual expenditures. The main difference between the two figures results from one contract (contract 8 per the following table) as having a contract value of $3,087,079. This contract was terminated after an expenditure of $600,744 and a new contract issued (contract 10) with the remaining value. Other minor differences resulted from corrections to taxes.
The audit did not assess:
- All contracts with any entity other than McKinsey.
- All contracts awarded (and signed) outside of the audit period.
- Compliance with any other policy instrument, laws and/or regulations not specifically mentioned in this audit report.
The OCG provided all departments with an audit plan and audit work program to ensure consistency of coverage across the GC. While the OCG developed the objectives, scope, audit criteria and audit work program for use by implicated departments, audit findings and recommendations were developed independently by DND/CAF’s internal audit function. The approach followed by DND/CAF was in alignment with the approach described in the OCG audit plan and audit work program. To ensure the integrity and objectivity of the audit work, this audit was conducted only by public servant internal auditors subject to the Global Internal Auditing Code of Ethics of the Institute of Internal Auditors.
In total, DND/CAF had 15 contracts with McKinsey between 2011 and 2023. While one of these contracts dates back to 2013, most of the awarded contracts occurred within the last three years. Three contracts were signed under DND’s contracting authority including one sole source contract and two supply arrangements. The remaining 12 contracts were signed under PSPC’s contracting authority and were call-ups against a non-competitive Standing Offer (SO) put in place by PSPC with McKinsey for the entirety of the GC. More specifically, this included an assessment of the following contracts:
|#||Start date & end date||Contract Payments*||Procurement strategy||Purpose of contract||Contracting Authority|
|1||03 Jan 2013
31 Jul 2013
|$565,000||Competitive, against Supply Arrangement||Independent review for the planning, management, oversight and reporting of departmental transformation initiatives||DND|
|2||13 Aug 2019
31 Dec 2019
|$24,860||Non-Competitive, Sole Sourced||Digital Use Case Workshop and associated industry tour||DND|
|3||23 Mar 2021
31 May 2021
|$1,964,081||Non-Competitive, Call-Up against SO||Benchmarking services to support the Digital Navy Program.||PSPC|
|4||26 Mar 2021
22 Apr 2021
|$1,057,256||Non-Competitive, Call-Up against SO||AI-driven fleet management Assessment. Benchmarking using "Analytics Quotient"||PSPC|
|5||30 Jul 2021
08 Oct 2021
|$2,523,431||Non-Competitive, Call-Up against SO||Integrated Digital Solution to Complaint System||PSPC|
|6||05 Aug 2021
15 Oct 2021
|$1,578,893||Non-Competitive, Call-Up against SO||Review of culture-related reports and recommendations and to categorize topics and recommendations||PSPC|
|7||14 Sept 2021
25 Mar 2022
|$5,705,894||Non-Competitive, Call-Up against SO||Qualitative assessment of DND/CAF culture||PSPC|
|8||04 Nov 2021
11 Feb 2022
|$600,744||Non-Competitive, Call-Up against SO||Actionable roadmap to build a modern complainant-centric digital complaints solution||PSPC|
|9||08 Nov 2021
07 Feb 2022
|$2,602,108||Non-Competitive, Call-Up against SO||Benchmark of RCN digital capabilities, understanding of capability gaps||PSPC|
|10||24 Feb 2022
20 May 2022
|$2,486,334||Non-Competitive, Call-Up against SO||Integrated Complaints Management Solution||PSPC|
|11||31 Mar 2022
27 May 2022
|$1,195,021||Non-Competitive, Call-Up against SO||Talent strategy to enable digitization, agility, future priorities, and responsibilities||PSPC|
|12||05 Aug 2022
30 Sept 2022
|$1,533,766||Non-Competitive, Call-Up against SO||Organizational Health Index benchmark||PSPC|
|13||23 Sept 2022
10 Nov 2022
|$5,650||Competitive, against Supply Arrangement||High-level Recommendations Based on the Current State Review of Canada's Defence Supply Chain||DND|
|14||19 Oct 2022
03 Mar 2023
|$2,047,705||Non-Competitive, Call-Up against SO||Complaints process transformation - technology assessment||PSPC|
|15||09 Jan 2023
17 Apr 2023
|$3,092,828||Non-Competitive, Call-Up against SO||Organizational Health Index benchmarking solution||PSPC|
*All amounts with the exception of contracts 8 and 10 are based on payments made during the scope period per the financial system of record. Contracts 14 and 15 were ongoing at the time of the audit, and not fully invoiced and are thus based on contract value.
Table 1 Summary
The table is sub-divided into 6 columns. The contract numbers are indicated in the left-hand column. For each contract, read across the row to determine the Start Date & End Date of the Contract, Contract Payments, Procurement strategy, Purpose of Contract, and Contracting Authority.
Many of the afore-mentioned contracts were established to support the work of CPCC, a new organization established in April 2021. CPCC works to unify and integrate all associated culture change activities across the Department and become the centralized expertise for professional conduct and culture. Other contracts were established to support the digitization initiatives for the Navy and CJOC.
Findings and recommendations
Objective 1: Integrity of the procurement process
Finding 1: There is an established integrity framework that covers both public servants and military members. There is an opportunity to strengthen the control framework in relation to potential conflicts of interest to ensure that proactive steps are taken to avoid real or perceived conflicts in line with the DND and CF Code of Values and Ethics.
Values and Ethics
The Values and Ethics Code for the Public Sector notes that public servants shall serve the public interest by: acting at all times with integrity and in a manner that will bear the closest public scrutiny; never using their official roles to inappropriately obtain an advantage for themselves or to advantage or disadvantage others; and taking all possible steps to prevent and resolve any real, apparent or potential conflicts of interest between their official responsibilities and their private affairs in favour of the public interest.
DND/CAF also has several policy instruments covering value and ethics requirements for its employees including the DND and CF Code of Values and Ethics, Chapter III: DND and CF Policy on Conflict of Interest and Post-Employment, Defence Administrative Orders and Directives (DAOD) 7021-1, Conflict of Interest, Queen Regulations & Orders article 19.39, Dealings with Contractors and Queen Regulations & Orders article 19.42, Outside Employment or Activities.
Within the current internal policy framework, active CAF members, including reservists, are required to provide a confidential report to the Deputy Minister (DM) or the Chief of the Defence Staff (CDS) through the Director Defence Ethics Programme, when their outside employment or activities might subject them to demands incompatible with their official duties, or cast doubt on their ability to perform their duties in a completely objective manner.Footnote 4 Following the creation of CPCC in April 2021, Defence Ethics Programme was transferred to CPCC. However, the compliance of Conflict of Interest remains with Assistant Deputy Minister (Review Services) (ADM(RS)), as such the declaration of outside employment and activities must be submitted to ADM(RS). There is an ongoing process to update the internal procedures and policies to reflect the changes.
Based on the contract documentation and policies reviewed, several reservists were employed by McKinsey at the time of the contracts. Insufficient information was available at the time of the audit, to determine whether there were potential conflicts of interest. No declarations of outside employment and activities were made to ADM(RS) in these instances. It is acknowledged that reservists usually have other full-time jobs as their reserve duties are part-time.
Finally, there is an expectation that the contractor selection is not influenced in any way by the Minister or Minister’s office. There was no indication on file that the Minister and/or Minister’s staff were involved in the contracting process for the McKinsey contracts.
Contracting with Former Public Servants
The Procurement Directive section 4.5.5 says that contracting authorities are responsible for including requirements for former public servants to self-identify in solicitations and in the resulting contract clauses of service contract documents, and informing suppliers that this information will be proactively disclosed. According to the PSPC Supply Manual, disclosure is required when contracting with the following entities: an individual who was a former public servant; a former public servant who has incorporated; a partnership made of former public servants; or, a sole proprietorship or entity where the affected individuals are former public servants having a controlling or major interest in the entity. McKinsey, as a corporation, is not required to disclose former public servants in its bids. As such, no justifications for contracting with former public servants were found on file.
Post-employment restrictions for former DND/CAF members, as described in DAOD 7021-2, Post-Employment only apply to Senior CAF Officers at the rank of Lieutenant Colonel/Commander and above in the Regular Force or on full-time service in the Reserve Force. During the course of our audit, it was identified that at least three former DND/CAF members were employed at McKinsey. Based on information available, all former members fell outside of the post-employment restrictions period. For civilians, the DAOD applies to employees occupying a position equivalent to the EX minus 1 level and above. Second Career Assistance Seminars are provided as part of the release process when a member leaves the CAF and includes a seminar on Post Employment.Footnote 5 No such seminar is provided by Assistant Deputy Minister (Human Resources – Civilian) (ADM(HR-Civ)) to senior civilian staffs who are about to retire or leave the Public service.
As per Treasury Board of Canada Secretariat (TBS) Contracting Policy Notice 2012-2, DND/CAF reports quarterly on contracts awarded directly to former public servants in receipt of a Public Service Superannuation Act pension, to former CAF Members in receipt of a Canadian Forces Superannuation Act pension and to former Royal Canadian Mounted Police members in receipt of a Royal Canadian Mounted Police Superannuation Act pension. In this case, former public servants and CAF members employed by McKinsey would have been considered sub-contractors of McKinsey. There are no policy requirements to report on sub-contractors.
Conflict of Interest for Contractor
The Contracting Policy section 4.2.12 stipulates that all contracts must contain appropriate clauses to reflect the requirements of the Conflict of Interest Act. The policy also notes that to avoid a conflict of interest, contracting authorities should, before signing a contract, require the selected consultants or professionals to sign a declaration stating that no pecuniary interest in the business of any third party exists that would affect objectivity in carrying out the contract.
The requirement to declare conflict of interest, while not explicit, is alluded to in the SO general condition clauses. The clause states that “the Contractor acknowledges that individuals who are subject to the provisions of the Conflict of Interest Act, 2006, c. 9, s. 2, the Conflict of Interest Code for Members of the House of Commons, the Values and Ethics Code for the Public Service or all other codes of values and ethics applicable within specific organizations cannot derive any direct benefit resulting from the Contract.” It also states that contractors are subject to the Code of Conduct for Procurement, which has a section on Conflict of Interest. In practice, when a vendor bids or submits a proposal, they effectively warrant that they have no real, apparent or perceived conflict of interest, thus no form or declaration is typically completed.
Neither PSPC nor DND/CAF currently has a systematic approach to request and verify potential suppliers’ conflict of interest. The process largely relies on awareness of the requirement and self-declaration.
In addition to conflict of interest for contractors, the Office of the Procurement Ombudsman made a recommendation with regard to conflict of interest with a focus on bid evaluators. “DND should update its procurement policies and training to require all evaluators, regardless of employment status, to assess and confirm they are not in a conflict of interest position prior to obtaining bid documentation and/or participating in the evaluation process”.Footnote 6
In conclusion, while an integrity framework is well-established and covers both public servants and CF members, compliance against this audit objective could not be fully determined and is considered partially met. A more proactive approach to requesting and documenting conflict of interest declarations would enhance the transparency and integrity of the procurement process.
Strengthen due diligence on a risk basis to ensure that anyone involved in the contracting process, whether contractors’ resources or Defence Team members, are not in a real or perceived conflict of interest situation.
OCI: CPCC, ADM(RS), ADM(Fin)
Finding 2: DND primarily leveraged a PSPC established sole source standing offer for 12 of its 15 contracts, in accordance with applicable policy. Justification on the choice of a contracting vehicle, as well as formal articulation of DND requirements and risk assessment for service contracts over $25K is required when using standing offers and were often missing.
Of the 13 non-competitive DND contracts awarded to McKinsey, 12 were call-ups against an SO where PSPC was the contracting authority, and 1 was a sole source contract awarded by DND. Contracts were reviewed to assess compliance against TB policies and to determine whether the contracts met the Terms and Conditions of the Standing Offer and Supply Arrangement.
All non-competitive contracts had an expenditure initiation on file. Based on available documentation, contracts had a proposal that outlined specific services to be provided, deliverables and milestones. The call-ups against the SO were within the contracting limits, with contracts having a dollar value over $200,000 being sent to PSPC for approval. Finally, contract work began after the contracts and any respective amendments were signed as was expected.
Justification for procurement strategy
The Directive on the Management of Procurement section 4.10 states that the contracting authorities are responsible for ensuring that a description of the requirement and the rationale for the procurement strategy options is included on file. The DND/CAF Procurement and Administration Manual (PAM) also requires the Project and TA to complete a procurement strategy and risk assessment for service contracts greater than $25K. The PAM states that the TA must have a written justification if they use a non-competitive contract.
A review of contract documentation highlighted that clear justifications for selecting a given procurement vehicle were lacking in several contract files. Both PSPC as contracting authority for 12 of 15 contracts, and DND as TA should have ensured that the justification for the use of the sole-source standing offer with McKinsey was on file for each call-up.
Statement of Work
The Contracting Policy section 16.1.2 stipulates that the Statement of Work (SOW) or requirements description should clearly describe the work to be carried out, the objectives to be attained and the time frame. The SOW should identify the specific stages of the work, their sequence, their relationship to the overall work in general and to each other in particular. The OCG confirmed that using the SOW provided in the SO was not sufficient to comply with policy requirements. Rather, departments are required to define their own requirements.
Several contracts reviewed did not have a specific and departmentally generated SOW on file that satisfied Government of Canada Contracting Policy requirements as previously listed. Departmental officials frequently relied on the SOW included in the SO or on McKinsey’s proposal and used those documents to develop the contract SOW instead of clearly documenting the department’s requirements and expected benefits.
Duration and Costs
Contract documentation was reviewed to assess whether the cost and duration of the contracts were reasonable. Duration was found to be reasonable in all cases given the scope and nature of the work to be delivered. In two cases, the period of work extended past the expiry date of the SO. For 12 of 15 contracts, costs were negotiated by PSPC when the SO was established and DND/CAF paid the negotiated rate. In the case of DND contracts, quotes or price comparisons were on file in the case of the two supply arrangements.
DND awarded one sole source contract to McKinsey for a one-and-a-half day immersive workshop. According to the Government Contracts Regulation, a contracting authority may enter into a contract without soliciting bids when estimated expenditure does not exceed $25,000. The contract met the dollar value threshold for sole-source contracting as per the Government Contracts Regulation. There is no evidence on file to indicate an assessment of the value for money and price reasonableness.
The Contracting Policy section 11.2.7 states that contracting authorities must not split contracts or contract amendments in order to avoid obtaining either the approval required by statute, the Treasury Board Contracts Directive or appropriate management approval within the department or agency. SOs are designed to provide an option for recurring call-ups as requirements are identified and present a minimum inherent risk of contract splitting. There were a couple of instances where the cumulated value of contracts similar in scope was over PSPC’s authority limit of $5.75M. Rationale was provided for the repeated call-up approach with the same contractor. The lack of procurement strategy and documented business requirements in most instances limited the opportunity for in-depth analysis.
One of the two competitively sourced DND contracts with McKinsey was a call-up against a Supply Arrangement. Based on the available documentation, the bid selection method and evaluation criteria for this contract were clearly identified prior to the Request for Proposal (RFP) being issued. The SOW, work description and evaluation criteria were assessed to be open, fair, and transparent, and the SOW outlined and defined the work to be carried out and the objectives to be attained within a reasonable time frame. Evidence was also provided pertaining to the evaluation and selection of awarded contractors. While evaluator’s individual assessments, results of consensus evaluation and Non-Disclosure Agreements were on file, not all of these were dated and signed. Lastly, there was no justification within the Procurement Plan for the selection of the procurement vehicle.
The second competitively sourced DND contract with McKinsey was dated back to 2013. The procurement contracting file for this contract was past its retention period of 6 years after contract completion and most of the documentation was not available for review.
Based on available documents, it was determined that the bid selection method and evaluation criteria for this contract were clearly outlined in the bid solicitation document before the RFP was issued. The SOW, work description and evaluation criteria were assessed to be open, fair, transparent, and written in a way that allowed for free competition between vendors without the use of specific qualifications that would favor one individual. The SOW outlined and defined the work to be carried out and the objectives to be attained within a reasonable time frame. Evidence supports that the contracting authority reviewed the SOW and the evaluation criteria to ensure that the structure of the procurement process did not influence the outcome. While no documentation was on file to assess the evaluation and selection of the contractor, the contract, the supply arrangement, invoicing, and invoice/spending authorizations, the file was compliant to procurement requirements to the extent it could be determined through available documentation.
PSPC has an established compliance verification framework for federal contracts where it is the contracting authority which covers a sample of all contracts across departments. The results are not shared with individual departments.
In conclusion, many items tested complied with policies and guidelines. Some key DND/CAF documentation such as ensuring that SOWs are created to define the requirement and that justification is on file for the choice of procurement vehicle were not found or not completed. While these are DND/CAF responsibilities, DND/CAF currently excludes many of these contracts from their compliance activities since PSPC is the contract authority; as a consequence, gaps in these files have a lower likelihood of being selected by DND.
The scope of the existing DND/CAF contract compliance framework should be expanded on a risk basis to include DND contracts where PSPC is the contracting authority to ensure key procurement requirements are met to the extent that they fall within DND/CAF’s responsibility as TA and project authority.
There is an opportunity to leverage the results from the compliance verification work undertaken by PSPC as it relates to DND contracts and controls to identify key risk areas and support ongoing improvement.
Finding 3: Information management practices are expected to support effective and timely access to key contract information. Contracting file structure and completeness was often found to be inconsistent, with information held in diverse locations.
The Contracting Policy section 12.3.1 stipulates that procurement files shall be established and structured to facilitate management oversight with a complete audit trail that contains contracting details related to relevant communications and decisions including the identification of involved officials and contracting approval authorities.
Generally, contract documentation reviewed was scattered, not easily accessible and not organized in a way that supported effective compliance. Information management discipline could be improved by placing the main contracting documents and relevant correspondence between project authorities and contractors on the contracting file to demonstrate the good management of performance and issues. This will be key as the department moves towards the implementation of its digital strategy.
As required, all contracts were signed prior to services being delivered. Three contracts reviewed had contract amendments. Testing demonstrated a reasonable justification for the amendments, as well as the completion of proper documentation approved in a timely manner. Two amendments were signed by both McKinsey and a departmental representative. One was missing the vendor signature.
Documentation reviewed showed that security requirements were assessed, and a Security Requirements Check List (SRCL) was completed for each contract which is a good practice. Twelve out of fifteen contracts did not have any security requirements. For the three cases where a security requirement was identified (e.g., reliable or secret clearances for contractors), the SO with McKinsey should not have been used given that it specified that it should be used only for contracts with no security requirements. There was no evidence on these three files that security clearances for McKinsey contractors had been verified and provided before the work began. It was subsequently mentioned that the work did not require any security clearance. No further validation was possible at the time of the audit. An audit of security requirements in DND contracting was launched on January 18, 2023 by ADM(RS) and will focus on these processes.
The Contracting Policy section 16 and Procurement Directive section 4 note that on completion of the contract, the contracting authority should evaluate the work performed by the consultant or professional. Evidence of regular monitoring were found on files in the form of progress report, steering committee presentations, and regular correspondence. No issues related to contractor performance were noted by the project or TA.
In conclusion, the management of McKinsey contracts was generally done in accordance with policy and directives. Services were provided after the signature of contracts or amendments; security requirements were consistently identified and monitoring of contract performance took place. Ensuring the contracting vehicle can be used based on security requirements is an area for improvement. Information management discipline is another area that could be improved. While a requirement to move to a digitized solution is integral and should be expected to occur in the medium term, a short- term solution emphasizing the development of enhanced guidance and training to improve the organization of digital non-transitory information of contracting files would improve the effective and timely access to key contract information.
Training and guidance should be developed to strengthen information management practices for contracting files in order to effectively demonstrate compliance and access to information on a timely basis.
The exploration and implementation of digitized solutions to improve the storage and organization of contracting information should be planned and executed.
OCI: ADM(Mat), CIO
Finding 4: Financial controls generally operated as designed with the exception of two payments being made prior to service being rendered and instances where lack of segregation was observed.
The Financial Administration Manual (FAM) stipulates that according to the Financial Administration Act (FAA), Section 34 and Section 33 must not be exercised by the same individual on the same transaction. The following functions are to be kept separate when responsibility is assigned to individuals involved in the expenditure management process: the contracting authority, the confirmation of the receipt of the goods; the certification of account (s.34); and the certification of payments (s.33). Transactions for non-competitive contracts over $25K and/or transactions over $250K are considered high-risk. DND standard operating procedures requires that for high-risk transactions, there should be segregation between the person confirming the receipt of goods and/or the provision of services and the person certifying the account pursuant to FAA Section 34. Only if the transaction is deemed low risk (i.e., non-competitive contract value below $25K and transaction under 250K) can the same individual undertake both actions.
For three contracts, s.32 and s.34 were signed by the same individual, who also certified that the services were rendered. All transactions qualified as high risk and thus s.34 and the confirmation that services were rendered should have been done by different persons.
Delegation of Authorities (DOA) (s.32 and s.34) for all McKinsey contracts were verified against DOA records housed in the Defence Resource Management Information System (DRMIS), the financial system of record. Verification of the DOAs found that all individuals who signed s.32 and 34 on McKinsey contracts had the proper authority to sign.
Invoicing Instructions outlined in the SO specify that “invoices cannot be submitted until all work identified in the invoice is complete.” Payment and invoicing irregularities were identified in two contracts. Invoices were submitted and payments were made to McKinsey before work was completed and deliverables received.
In a separate instance, file review provided an example of effective s.34 controls when an invoicing error with an amount above the negotiated rate was identified by the Financial Officer prior to payment. This error was corrected before the invoice was paid. The remainder of tests applied to the total of contract files were found to be compliant.
In conclusion, while some instances of noncompliance were identified in relation to the timing of payments and segregation of certification, the financial controls were found to be effective at ensuring that the correct amount was paid to the contractor with appropriate exercise of financial authority.
Additional training and communication of the policy requirements and repercussions of not complying with the financial policies and procedures including the advance payment policies should be considered.
Finding 5: Proactive disclosure on the Open Government Portal was posted and accurate for 6 of the 14 DND/CAF McKinsey contracts that required disclosure. The Department has recognized that proactive disclosures require improvement to ensure accuracy and completeness.
The TB Directive on the Management of Procurement requires that departments quarterly disclose all contracts entered into by or for the department valued over $10,000, as well as all amendments within 30 days of entering into that contract. DND/CAF uses the Contract Data Management System (CDMS) to generate proactive disclosure. As such, DND policy stipulates that the contracting personnel within DND/CAF must enter the information into CDMS within 30 working days of the contract award date or amendment issue date. All new and amended goods and services contracts, regardless of value, awarded by or on behalf of DND/CAF, including contracts awarded by PSPC, must be reported in CDMS including call-ups against SO and Supply Arrangements.
In order to assess policy compliance, the 14 McKinsey contracts over $10,000 were searched on the open government portal. The last contract was under the $10,000 threshold for disclosure and was not subject to proactive disclosure requirement. Several contracts were not proactively disclosed on the open government portal, which is non-compliant with policy. Two contracts were disclosed incorrectly as competitive when they were non-competitive contracts.
Departmental officials explained that the information disclosed on the open government portal is derived directly from the information entered into CDMS. There is currently no challenge function in place to verify that the information in CDMS is complete and accurate. Past audit reports have highlighted the need to improve the completeness and quality of CDMS data. A Management Action Plan related to proactive disclosure stemming from the report of the Office of the Procurement Ombudsman has also been developed to address the following recommendation: “DND should ensure the established electronic system accurately tracks, controls and reports on its contracting activities and ensures all contracts that are required to be proactively disclosed are.”Footnote 7
Meeting the minimum proactive disclosure requirements is important to strengthen transparency and accountability of the procurement process. There is an opportunity to improve proactive disclosures by adding a control to ensure contract information is first entered into DND’s CDMS in an accurate and timely fashion, and ensuring there is clear accountability.
Controls for proactive disclosure on Open Government Portal should be strengthened to ensure that all DND/CAF contracts are disclosed completely, accurately and on a timely basis.
OCI: Corp Sec, DTO, ADM(Fin)
Discussions took place with the Senior Designated Official for the management of procurement, Assistant Deputy Minister (Materiel) (ADM(Mat)), and the Chief Financial Officer (CFO), Assistant Deputy Minister (Finance) (ADM(Fin)) to identify additional controls specific to DND/CAF. It was noted that DND has several internal controls and processes in place to ensure the fairness and effective management of procurement and contracting in the department in addition to TB policies and directive for procurement and contracting.
Oversight committees for procurement and contracting primarily include the Defence Procurement Strategy (DPS) governance committee. DPS is a governance structure established to enable effective whole-of-government decision making. The structure centres on committees at the DM and Assistant Deputy Minister (ADM) levels to provide senior level oversight and decision making on Defence and major Canadian Coast Guard procurements, as well as the National Shipbuilding Strategy. Two other levels of DPS Governance Committees are Director General level for procurements with an estimated value above $100 Million, and Director level for procurements between $20M and $100M. Additionally, the Independent Review Panel for Defence Acquisition validates requirements for major military equipment procurement by providing independent, third party advice to the Minister of National Defence (MND)/DM before project approval.
Given the relatively low value of McKinsey contracts and the procurement mechanism used in 12 of 15 files, namely call-up contracts against a PSPC sole-source SO, none of the contracts reviewed would have gone through a review by the previously mentioned oversight committees.
Contract Compliance Review Processes
Finding 6: There is an established DND/CAF control framework that includes oversight, financial approval, contract compliance review, training and procedures. Not all were directly applied to the contracts in scope given the relative low materiality. In particular, the compliance review process only applies to contracts where DND is the contracting authority.
The Contract Compliance Review Team under ADM(Mat), Director Supply Chain Operations (DSCO) reviews procurement contracts and assesses compliance against TB and DND procurement and contracting policies. Their compliance review is based on adherence to the DND PAM. The compliance review is conducted during site visits to specific units or bases. A random selection of files are assessed for compliance. Files where PSPC is the contracting authority are excluded from the sample. A summary of findings from compliance reviews, including contracting irregularities, is presented annually to the steering and oversight committees on the Defence Supply Chain, up to DG and ADM level.
Only three of the contracts reviewed would fall under the scope of the compliance review framework given that 12/15 files were call-ups signed by PSPC. DSCO confirmed that none of the three files eligible had been randomly selected for review.
Procurement Administration Manual
The PAM is the main procurement policy manual for DND/CAF. It details procurement processes and includes links to key documents, forms and templates. It details the end-to-end procurement process from identification of the requirements until the procurement file is closed. It also establishes the standard procedures for all publicly funded DND/CAF procurement and contracting activities, and establishes the roles and responsibilities of DND/CAF procurement practitioners.
Delegation of Authority Training
In order to hold Delegated Authority, employees must complete specific training in order to exercise their authorities. For any authority delegated within the DOA Matrix, the Authority Delegation Training Validation Certification via the Canada School of Public Service is required for managers and above with a delegated authority for staffing. This course is valid for 5 years and requires renewal. Additional training is required for: Expenditure Initiation; Section 32, 33, and 34; Procurement Initiation; and Transaction and Contracting authorities. Members with a DOA form in DRMIS receive an automated message 45 days prior to training expiry and must recertify to keep their active DOA.
Account Verification Process Checklist
According to FAM 1016-3, Section 34 certification authority is a key internal control mechanism in the expenditure management process to support the sound stewardship of financial resources. It is the authority to certify, before making a payment, that work was performed, goods were received, services were rendered, terms and conditions of the contract were met, and that the payee is eligible for or entitled to receive payment. Section 34 requires both the completion of the account verification process and the exercising of certification authority. An account verification checklist that standardizes the performance of account verification across DND/CAF must be used when a transaction is deemed to be high risk.
During audit testing, the use of the Account Verification Process Checklist was tested. The checklist was used in several contracts to certify that the work had been performed and the payee was eligible for payment.
In conclusion, the Directive on the Management of Procurement 4.1.1 stipulates that Senior Designated Officials for the management of procurement are responsible for establishing, implementing and maintaining a departmental procurement management framework, consisting of process, systems and controls. In response, DND has developed a framework that includes various internal processes and control such as the use of internal oversight committees, compliance review processes and defined policies/procedures such as the FAM and the PAM.
No further recommendation was raised as finding 6 is addressed through recommendation 2.
The findings and recommendations of this audit were presented to management of DND. The audit report was reviewed and recommended for DM and CDS approval by DND’s Departmental Audit Committee.
Management has accepted the audit findings and has developed an action plan to address the recommendations (see appendix B for management action plan). The identified actions are scheduled to be completed by December 2024. DND Departmental Audit Committee will be engaged in the monitoring of the implementation of this action plan, in line with the department’s standard internal audit processes. If additional issues or recommendations are found following the results of the external reviews by the Office of the Procurement Ombudsman and/or the Auditor General, DND will update the management action plan accordingly to incorporate these.
The DM and the CDS of DND approve this report, including the management action plan.
|Audit Objectives||Criteria||Criteria Sources|
|1. The integrity of the procurement process was maintained and consistent with adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest||1. Public servants and Public Office Holders ensure that the integrity of the procurement process is maintained and consistent with the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest.|
|2. Contracting with Former Public Servants and Former Public Office Holders is performed with integrity in accordance with the Directive on Conflict of Interest, Conflict of Interest Act and procurement policy instruments.||
|2. The procurements were conducted in a fair, open and transparent manner consistent with the TB Policy that was in place at the time (Contracting Policy or the Directive on the Management of Procurement)||1. Procurement: non-competitive - There is documentation to support the justification for non-competitive procurement contracts in accordance with section 6 of the Government Contract Regulations.||
|2. Procurement: Competitive - Bid evaluation criteria were provided on Request for Proposal (RFP) documents and were used for contractor selection in an open, fair and transparent manner.|
|3. Contract Management - Contracts and contract amendments were approved prior to the receipt of any services or the expiration of the original contract and supporting documentation is retained on file. Documented monitoring and certification of the delivery of the services was implemented.||
|4. Certification Authority (section 34) - Certification authority is performed by someone with the delegated authority to do so, is accomplished in a timely manner and verifies the correctness of the payment requested (Section 34 of the FAA).||
|5. Proactive Disclosure - Contracts, including amendments, valued at over $10,000 meet minimum proactive disclosure requirements.||
|3. The procurements were conducted in a manner consistent with the organization's internal processes and control frameworks (i.e., consistent with procurement management frameworks, financial controls, security controls)||1. Procurements are conducted in a manner consistent with your departmental internal processes and control frameworks.|
Note: On April 11, 2019, the contracting limits for organizations and PSPC were updated to reflect a 25% increase to account for inflation (see Appendix C of the Contracting Policy).
Table A-1 Summary
The table is sub-divided into 3 columns. The audit’s objectives are presented in the left-hand column. Criteria related to each objective are outlined in the centre column with the sources for these criteria provided in the third and last column
|Recommendation||Management action||Area responsible||Expected deliverables per action||Expected completion date|
|#1: Strengthen due diligence on a risk basis to ensure that anyone involved in the contracting process, whether contractors resources or Defence Team members, are not in a real or perceived conflict of interest situation.||
ADM(Mat) will review its policies, and update procedures, guidance and training as required to more clearly address possible conflict of interest situations in contracting.
ADM(Mat) will update its compliance framework to match any changes to policies, procedures and guidance to ensure compliance with departmental direction on conflict of interest in contracting activities.
OCI: CPCC, ADM(RS), ADM(Fin)
|Updated policies, processes and training which could include the establishment of verification mechanisms and the updating of the compliance framework.||December 31, 2024|
|#2: The scope of the existing DND/CAF contract compliance framework should be expanded on a risk basis to include DND contracts where PSPC is the contracting authority to ensure key procurement requirements are met to the extent that they fall within DND/CAFs responsibility as TA and project authority.||ADM(Mat) will implement a risk-based assessment to determine compliance verification activities, to include DND contracts where PSPC is the contracting authority.||OPI: ADM(Mat)||
Expand scope of contracts considered for compliance activities to include those where PSPC is the contracting authority on behalf of DND.
Adjust the existing compliance framework for PSPC contracts to address DND compliance requirements in those contracts.
|March 31, 2024|
#3: Training and guidance should be developed to strengthen information management practices for contracting files in order to effectively demonstrate compliance and access to information on a timely basis.
The exploration and implementation of digitized solutions to improve the storage and organization of contracting information should be planned and executed.
DND/CAF will leverage the digital transformation to ensure Information Management capabilities and solutions are leveraged to better manage its information and data assets associated with contract lifecycle management.
Specific policies, directives, procedures guidance, and training will be developed/reviewed and communicated, targeting Information Management experts, procurement teams, contracting authorities and Access to Information and Privacy groups. These will include: contract lifecycle management, application of information management rules, and how to save and find the information.
|Review/development of contracting policies, directives, procedures and Information Management responsibilities.||March 31, 2024|
|Amendments, communications plan and training.||December 31, 2024|
|#4: Controls for proactive disclosure on Open Government Portal should be strengthened to ensure that all DND/CAF contracts are disclosed completely, accurately and on a timely basis.||
The current 30-day grace period for reporting contract awards in CDMS will be eliminated from internal policies and procedures.
L1s will be advised that all contracts and amendments must be reported in CDMS immediately upon award or in the case where an external stakeholder (PSPC/SSC/DCC) is the Contracting Authority, contract data must be entered into CDMS immediately upon receipt of the contract.
Work with ADM(Fin) to implement a quality control measure, if possible, that ensures all invoices in the Finance Module are connected to a contract entry in the enterprise system.
In the long term, implementation of the Electronic Procurement System will enable system level controls that will ensure compliance to the reporting requirements (timeline is depending on DefenceX and capability).
OCI: Corp Sec, DTO, ADM(Fin)
|1. Communication of the policy change to all L1s by ADM(Mat)||1. March 13, 2023|
|2. PAM updated||2. March 31, 2023|
|3. PAC advised||3. March 31, 2023|
|4. Courses content updated.||4. June 30, 2023|
|5. Procurement and contracting bulletin issued.||5. March 31, 2023|
Table B-1 Summary
The table contains 5 columns. The recommendations are indicated in the left-hand column. For each recommendation, read across to determine the Management Action, Area Responsible, Expected Deliverables per Action, and Expected Completion Date.
|Audit criteria||Audit assessment (Compliant, Partially Compliant, Not Compliant, Unable to assess, Not applicable)||Rationale for assessment|
|Audit objective 1: The integrity of the procurement process was maintained and consistent with adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest|
|1. Public servants and Public Office Holders ensure that the integrity of the procurement process is maintained and consistent with the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest.||Partially Compliant||No evidence was found on file demonstrating that the integrity of the procurement process was not maintained.
Insufficient information was available at the time of the audit to make a full determination of potential conflict of interest for DND/CAF and/or McKinsey personnel in alignment with the Code of Ethics.
|2. Contracting with Former Public Servants and Former Public Office Holders is performed with integrity in accordance with the Directive on Conflict of Interest, Conflict of Interest Act and procurement policy instruments.||Compliant||No evidence was found on file of non-compliance with regard to contracting with former public servants, with most potential instances for former CAF members falling outside of the prescribed timelines for post-employment restrictions.|
|Audit objective 2: The procurements were conducted in a fair, open and transparent manner consistent with the TB Policy that was in place at the time (Contracting Policy or the Directive on the Management of Procurement)|
|1. Procurement: non-competitive - There is documentation to support the justification for non-competitive procurement contracts in accordance with section 6 of the Government Contract Regulations.||Partially Compliant||Several contracts were missing procurement strategies including detailed requirements definition (SOW), risk assessments, and justification for the selected procurement vehicle. Two call-ups extend past the February 2023 expiry date of the SO.|
|2. Procurement: Competitive - Bid evaluation criteria were provided on RFP documents and were used for contractor selection in an open, fair and transparent manner.||Compliant||The first competitive contract was largely compliant to required processes in alignment with policy.
The second contract could not be fully assessed as documentation was disposed as per the 6 year retention period for contracting files. Elements that could be assessed were found to be compliant.
|3. Contract Management - Contracts and contract amendments were approved prior to the receipt of any services or the expiration of the original contract and supporting documentation is retained on file. Documented monitoring and certification of the delivery of the services was implemented.||Compliant||The management of contracts was generally done in accordance with policy and directives. Services were provided after the signature of contracts or amendments, security requirements were consistently identified and monitoring of contract performance took place. Information management discipline and practices could be improved.|
|4. Certification Authority (section 34) - Certification authority is performed by someone with the delegated authority to do so, is accomplished in a timely manner and verifies the correctness of the payment requested (Section 34 of the FAA).||Partially Compliant||Financial controls largely operated as intended (S32, S34, DOAs). Payment irregularities were noted for two contracts with payments made before services were rendered.|
|5. Proactive Disclosure - Contracts, including amendments, valued at over $10,000 meet minimum proactive disclosure requirements.||Not Compliant||Proactive disclosure issues observed. Several contracts were not proactively disclosed and others were inaccurately disclosed as competitive instead of non-competitive.|
|Audit objective 3: The procurements were conducted in a manner consistent with the organization's internal processes and control frameworks (i.e., consistent with procurement management frameworks, financial controls, security controls)|
|1. Procurements are conducted in a manner consistent with your departmental internal processes and control frameworks.||Compliant||Established control framework that includes governance committees, a contract compliance review mechanism, DOA training and the use of an account verification checklist, which were used where applicable.|
Table C-1 Summary
The table is sub-divided into 3 columns. For each audit objective, the Audit Criteria are indicated in the left-hand column. Read across the row to determine the Audit assessment (Compliant, Partially Compliant, Not Compliant, Unable to assess, Not applicable) and the Rationale for assessment.
- Date modified: