(Chapter 2—Status Report on Security in Contracting—Spring 2013 Report of the Auditor General)
Ottawa, 30 April 2013—The government has taken steps to improve security in contracting but overall progress has been unsatisfactory given how critical this area is, says the Auditor General of Canada, Michael Ferguson, in a Status Report tabled today in Parliament. Status reports look at whether the government has made satisfactory progress in acting on issues raised in past audits. This audit focused on the government’s progress in implementing commitments made to address issues raised in the Auditor General’s 2007 audit on safeguarding government information and assets in contracting.
“Protecting information and assets entrusted to contractors is critical to the government’s ability to prevent misuse and unauthorized access, and to achieve its security objectives,” said Mr. Ferguson.
The audit found that the progress made by individual departments, as well as their compliance with the government’s security policy, varied widely. Public Works and Government Services Canada has put in place standard procedures for managing security risks on behalf of client departments. Most of the audited departments have departmental security policies and plans, and most lead security agencies have policies and procedures designed to provide a higher level of assurance than is required. However, National Defence falls short of policy requirements and still does not have an approved departmental security plan. In addition, audited departments have developed different practices to determine whether a contract security requirement exists. Auditors reviewed almost 300 contracts and found that, in 85 cases, security documentation was incomplete or missing or control procedures had not been followed. This resulted in some contracts being awarded before all security clearances were in place.
The audit also found that the government has made policy changes to improve security in contracting. The requirements for departments to monitor and report on their security programs have been clarified. While the revised policy explicitly deals with the clearance of individuals who have access to protected and classified information, it does not deal with the clearance of private sector firms.
“To appropriately address security risks, both individuals and firms need to be cleared,” said Mr. Ferguson. “Departments and agencies—in particular National Defence—need to improve their practices to ensure that security requirements are met before a contract is awarded.”
- 30 -
