Audit of Professional Services Contracting

Audit Report

Office of Audit and Evaluation
April 2014

Executive Summary

What we examined

Professional services contracts can be used to meet unexpected fluctuations in workload, to acquire special expertise not available in the public service or to fill in for public servants during temporary absences.

This audit provides assurance that professional services contracts at Shared Services Canada (SSC) comply with government policies, specifically concerning employer-employee relationship.

The scope of the audit included all professional services contracts and amendments in effect from March 1, 2012 to February 28, 2013.

Why it is important

Upon its creation, SSC management team had to establish the new organization by integrating over 6 000 employees from 43 partner organizations. In addition to the employees, management had to judiciously manage a contingent workforce, including the use of contracted resources, some of whom were transferred from the partner organizations.

From March 1, 2012 to February 28, 2013, SSC established approximately 860 professional services contracts, at a cost of approximately $238M.

What we found

SSC was developing a formal procurement plan and policy, as well as procurement process documentation.

SSC did not maintain a complete and accurate list of all contracted resources that have been engaged through a vendor. We found this information to be generally incomplete and containing errors. Even without a source of complete and reliable data, the audit team was able to determine that there was a risk to SSC of developing employer-employee relationships.

Management and procurement officers took suitable measures consistent with good practices to ensure the fees paid for services would not exceed the appropriate market rate for the service provided.

Almost half of the procurement files from our sample were not properly documented, which meant that they did not comply with the Treasury Board’s (TB) Contracting Policy. In addition, there were some discrepancies in the overall compliance of the procurement files.

Yves Genest
Chief Audit and Evaluation Executive

Background

1. The Government of Canada established SSC on August 4, 2011, to modernize how the federal government manages its information technology (IT) infrastructure in order to better support the delivery of programs and services to Canadians.
   
2. Approximately 1 300 IT employees from Public Works and Government Services Canada (PWGSC) transferred to the new department in the summer of 2011. An additional 5 000 IT and internal services employees from 43 other federal organizations were transferred in November 2011. This experienced workforce operates under a new business model, one that encourages partnerships and that is based on service excellence, innovation and value for money.
   
3. SSC stated it will follow a strategic sourcing and procurement plan through the centralization of contract administration and the acquisition of IT and other goods and services. With careful attention to overall strategy and supporting technology, SSC stated it will effectively manage long-term partnerships and ensure that supplied goods are of high quality, procured at the best value and provided in a timely fashion. In the first 18 months of its existence, SSC transferred in approximately 3 000 contracts from its 43 partner organizations and is working on a consolidation strategy.
   
4. Professional services contracting is used to meet unexpected fluctuations in workload, to acquire special expertise not available in the public service or to fill in for public servants during temporary absences.
   
5. Professional services are usually provided by self-employed individuals or independent organizations that are engaged for a fixed period to provide expertise in such areas as IT, management consulting, engineering and architecture. Specific conditions and details of the work to be performed are outlined in a contract.
   
6. A variety of contractual arrangements are used to procure professional services, including publicly tendered and sole-source contracts, which precisely define the deliverables that are to be provided to a specific client by a specific date. Procurement frameworks, such as standing offers, supply arrangements, task authorizations and Professional Service Online contracts, are also used to meet professional services requirements.
   
7. From March 1, 2012 to February 28, 2013, SSC established approximately 860 professional services contracts, at a cost of approximately $238M.
   
8. In contracting for professional services, there was the risk of non-compliance to government policies. There was also the risk of establishing employer-employee relationships. Managers must not create an employer-employee relationship with a contracted resource as this may create a liability risk to the government. An employer-employee relationship may result in unintended benefits to the contracted resource and obligations on the part of the employer. In addition, due to the high volume and associated dollar values, there was a risk of SSC not obtaining value for money.
   
9. SSC’s Professional Services Procurement Operations team operates under the Procurement and Vendor Relations Directorate (PVRD) and had a total of eight full time equivalent (FTE) staff. The team was responsible for all professional services procurement activities at SSC by complying with the TB’s Contracting Policy and federal legislation, including the Financial Administration Act and the Government Contracts Regulations for its policies. The procurement process, including professional services, affects every branch in the Department.

Objective

10. The objective of this audit was to provide assurance that professional services contracts at SSC comply with government policies, specifically concerning employer employee relationships. The criteria used to conduct this audit are presented in Annex A.

Scope

11. The scope of the audit included all professional services contracts and amendments in effect from March 1, 2012 to February 28, 2013.
    
    
    • This included contracts, whether or not the contract was initially signed by SSC; and
    • Any contract selected as part of the sample had any and all subsequent amendments reviewed as part of the audit work.
12. The primary focus of the audit was on the contract issuance, including amendments. Contract administration activities related to the contract after signing was considered low risk and scoped out of this audit. These activities included the approval of invoices for work performed and contract close-out administration procedures. Contract administration activities will be considered in the development of future risk based audit plans.

Methodology

13. The following approaches were used during the conduct of the audit:
    • Interviewed managers, contracting authorities and technical experts from Procurement and Security, and Technical Authorities contracting for professional services;
    • Conducted file walkthroughs and reviewed contracts and amendments of 41 files, totaling approximately $4.6M, which was representative of the professional services contracts for the scope of this audit. Sampling was based on a 90% confidence interval and a 20% expected error rate;
    • Reviewed relevant documents, such as previous audits, government guides and policies with regard to procurement for professional services, Financial Administration Act and SSC procurement process documentation; and
    • Performed data analysis by means of data mining and use of data analytics software.
14. Field work for this audit was substantially completed by May 31, 2013.

Statement of assurance

15. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion were based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. This engagement was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. A practice inspection has not been conducted.

Detailed Findings and Recommendations

The Department was establishing its procurement framework

16. TB Contracting Policy states that it was the responsibility of departments to ensure that an adequate control framework was in place. In addition, contracting authorities are encouraged to establish and maintain a formal challenge mechanism for all contractual proposals.
    
17. We found that the Department was developing a formal procurement plan and policy, as well as procurement process documentation such as the Checklist for Employer-Employee Relationship.
    
18. A Procurement Review Board (PRB) was established in January 2013 as the formal departmental challenge mechanism, along with additional support from the Corporate Management Committee and the Senior Management Board. The PRB met regularly to review and approve procurement transactions of contracts valued at $2M or more, which have commitments exceeding 12 months. The PRB also reviewed any transactions that were referred to it by Procurement executives. The PRB may forward transactions to other senior management committees for further consideration.
    
19. Within its current state of development, we found the procurement framework was adequate and working as intended. PVRD developed a procurement policy framework that included directives, policy information notices, operational guidelines and processes. Senior management approved three of the directives in June 2013. PVRD stated that communication to SSC employees would begin in Q2 2013-2014.

Risks of employer-employee relationships were present

20. The TB Contracting Policy requires contracting authorities to ensure that an employer-employee relationship will not result when contracting for the services of individuals, in accordance with criteria established by the Canada Revenue Agency (CRA) and pertinent court rulings. The guidelines developed by CRA in considering whether there was an employee-employer relationship included factors such as: who controlled the work processes; who owned the tools and equipment for the work; who assumed the financial risk; who was responsible for investment and management; and who had the opportunity for profit.
    
21. We expected SSC contracting authorities to mitigate the risk of establishing employer-employee relationships when engaging contracted resources. We reviewed statements of work, previous long-term government contracts and other facts that might give the perception that the contracted resource was an employee.
    
22. The main control established by the contracting authority was an Employer-Employee Relationship checklist. This checklist consisted of 10 questions such as “will the contractor be provided with a cubicle and equipment?” and “has the requestor developed the SOW so that the risk of an employer/employee relationship is mitigated?”. The checklist was to be completed and signed by the manager as the technical authority. We found that the contracting authority did not take any action from this checklist but considered it as a helpful reminder to the managers as to what may result in establishing an employer-employee relationship.
    
23. We concluded that the risk for the establishment of an employer-employee relationship was greatest with long-term contracted resources. We intended to test the controls on these higher risk contracted resources by selecting a sample of long-term contracted resources. However, we found no reliable data source for contracted resources. Therefore, in an effort to identify long-term contracted resources at SSC, we gathered data from various sources. First, we used data from the 41 files from our representative sample. We also used data produced by PWGSC that identified long-term contracted resources. We were advised that this list was compiled to maintain a source of information on contracted resources following a change to how procurement files were identified. With the establishment of SSC, this department inherited many of the contracted resources from PWGSC. We also used a list of contracted resources informally maintained within PVRD. Finally, we used data from the Security ID card data base to cross reference the names of contracted resources found in the other data sources to determine whether the individuals were still contracted with SSC. The audit team identified 121 higher risk contracted resources by comparing these various data sources.^{Footnote i}
    
24. We selected four indicators to assess the potential risk of an employer-employee relationship developing:
    • Inclusion in the Government Electronic Directory System (GEDS);
    • Incorrect security identification (ID) card type;
    • Incorrectly completed ID card application; and
    • Inclusion in the PWGSC contracted resource data (previously identified long term contracted resources).
25. We identified eight contracted resources who had previously been engaged via vendors at PWGSC for at least eight years that had subsequently been engaged via vendors by SSC.
    
26. These indicators, such as inclusion in GEDS and an incorrect ID card, can increase the perception that the contracted resource was an employee. Table 1 below presents the results of the review of the 121 contracted resources against these four indicators.

27. We found that 50% (61 of 121) of the high risk contracted resources we reviewed had one indicator. Moreover, 34% (41 of 121) had two or more indicators. Only 16% (19 of 121) of the contracted resources did not have any indicators.

28. GEDS was defined officially as a directory of federal public servants. Almost half of the contracted resources appeared in GEDS. Although there was a functional need for the contracted resources to be entered in GEDS, there was a function in the system to hide the profiles of individuals who were not public servants. This has not been applied on a consistent basis.
    
29. We also found that 12% (15 of 121) of the high risk contracted resources we reviewed had been issued employee ID cards based on incorrect information.
    
30. Of the files from our representative sample, we found 88% (36 of 41) required a statement of work and 92% (33 of 36) were on file. Of the 33 statements of work that we reviewed, all were consistent with the Guide for the Preparation of a Statement of Work. Only one file included tasks relating to the supervision of employees that was not consistent with the Manager's Guide - Considerations when Staffing or Contracting for Professional Services. Many of the files with amendments that included a statement of work were not consistent with the original statement of work as tasks and/or deliverables had been added or modified. Additionally, the technical authority for one of the files explained that the statement of work had not been modified during the contract period; however, the documentation indicated otherwise.
    
31. New requests for services were to be accompanied by a completed and signed Checklist for Employer-Employee Relationship document. The Checklist indicated that those having two or more “No” responses to the questions had a high potential for developing an employer-employee relationship. We found that 25% (5 of 20) of the files had two or more “No” responses.
    
32. SSC technical authorities associated with higher-risk contracted resources (based on our review of the representative sample of files and/or identification of indicators) were interviewed, and all were aware of the risk of establishing an employer-employee relationship, their responsibilities, and all had received some form of employer-employee relationship training in the past. Technical authorities stated that they were making efforts to mitigate their risk of developing an employer-employee relationship with contracted resources by trying to not assign them office space or provide telecom equipment, as well as trying to staff positions with public servants. In addition, when contracted resources were used at SSC, efforts were made by technical authorities to keep contracts short-term and with specific deliverables. Shorter-term contracts can help to reduce the risk of employer-employee relationships from developing.
    
33. Even without a source of complete and reliable data, the audit team was able to determine that there was a risk to SSC of developing employer-employee relationships.

Information on contracted resources was inadequate

34. We expected SSC to have mechanisms in place to capture accurate and complete data.
    
35. SSC management submitted professional services requests to the staff at the Request for Acquisition Services (RAS) Intake Desk, who ensured the RAS forms were complete, with attachments, and entered the information into the RAS database. The database was used to store and track information regarding procurement files. We found many files recorded in this database had inaccurate and incomplete information, due in part to database limitations. We found that the RAS database did not provide a complete nor accurate picture of what was contained in the hardcopy file. Procurement was actively working to develop and enhance the database to better capture required information in a more timely and accurate manner. The release of this new system was scheduled for June 2013.
    
36. We found that there were controls in place to ensure that information was properly entered into SIGMA, the Department’s financial system. A few contracts and amendments were not consistent with the information in SIGMA. The inconsistencies noted included discrepancies in values and the RAS not being entered into SIGMA. Discrepancies in values may represent a partial sum which remained to be paid when the contract was transferred to SSC from another department.
    
37. SSC did not maintain a complete and accurate list of all contracted resources that have been engaged through a vendor^{Footnote ii}. We found this information to be generally incomplete and scattered across different sources. In order to identify a list of contracted resources, the audit team gathered information from a variety of sources, although none were found to be free from error. Within Procurement, there was an unofficial list of contract information available, such as the vendor and the name of the contracted resource, start and end dates, and the value of the contract. We found this document contained errors, in part due to lack of management oversight and a lack of controls on data entry.
    
38. Other systems that may collect this information were found to either contain errors or did not provide the information required. This information would allow management to identify and mitigate SSC’s risk of establishing an employer-employee relationship. Due to this lack of information, the audit team was unable to determine the extent and pervasiveness of this issue and, therefore, the level of risk of employer-employee relationships for SSC. A reliable and timely source of information would assist in assessing and monitoring this risk over time.

Key steps in the procurement of professional services were generally compliant

39. We expected, and found, that all of the files reviewed had selected an appropriate procurement vehicle and all financial evaluations reviewed were conducted appropriately.
    
40. We also expected the files to have appropriate technical evaluations, authorizations and for the security requirements to have been met.
    
41. We found two files where the technical evaluation was not performed appropriately. In one file, the proposed resource achieved a score that did not meet the required minimum pass mark. Correct evaluation criteria was provided, showing the correct pass mark, which the proposed resource met. Therefore, there was no impact on the process. In the second file, a resource was indicated as not meeting two of the required criteria. We found evidence of these criteria in the resource’s résumé. The impact of this situation was that another resource was awarded the contract.
    
42. In determining whether contracts were awarded appropriately, we considered the approval of the RAS form, the meeting of the security requirements and the appropriate approval of the contract. Three RAS forms were not signed appropriately; two were not signed by the procurement officer and one contravened the TB Directive on Delegation of Financial Authorities for Disbursements. As the contract refers back to the RAS for the Section 32 authorization, the contract was not correctly authorized.
    
43. We found that all contracted resources, once documentation was provided, met the security requirement when the contract was awarded.
    
44. We found that there were minor discrepancies in the overall compliance of the procurement files. The discrepancies noted would have little risk to SSC; however, the information has been shared with the Procurement group.

Files for the procurement of professional services were not properly documented

45. TB Contracting Policy states that contracting authorities are to ensure that contract files are properly documented.
    
46. We examined a representative sample of 41 procurement files relating to professional services and expected them to comply with the appropriate legislation, regulations and policy.
    
47. We found that by not properly documenting the procurement files, that almost half of the files did not comply with the TB Contracting Policy.
    
48. 41% (17 of 41) of the files were not fully documented. Many (6 of 17) were missing two documents. Examples of missing documentation included statements of work, security confirmations and technical evaluations.
    
49. The most often missing document was the security confirmation. Without this particular document on file, it was unknown whether the contracted resource met the required security requirements at the time the contract was awarded when we reviewed the file. However, we found upon further review, that all contracted resources did meet the security requirements at the time the contract was awarded.
    
50. We identified a total of 21 missing documents in the 41 sampled files; however, almost half of the missing documents (10 of 21) were provided by Procurement upon request.
    
51. Without the proper documentation to demonstrate otherwise, there was a risk that a procurement process could be non-compliant. This could have serious repercussions, especially with regard to security confirmations if the contracted resource was found to not have met the requirements.

Suitable measures were taken to ensure fees paid would not exceed market rates

52. The TB Contracting Policy states that with respect to contracting for services, contracting authorities must ensure that the fees paid do not exceed the appropriate market rate for the service provided.
    
53. Based on the information available, we determined that the majority of SSC’s contracting was for skilled work, such as project managers, technology architects and IT security specialists. Technical authorities indicated that planning efforts were made for their resource needs and that due consideration was given to using FTE resources on hand or staffing through human resources, where possible.
    
54. Management and Procurement staff took measures to ensure that fees were in line with the market rate for the services acquired. This included the procurement vehicles that were used; knowledge of the Procurement staff; an evaluation of bids that allowed for both technical and financial requirements; and the knowledge and expectations of the technical authorities.
    
55. We found that, in general, SSC took suitable measures consistent with good practices to ensure the fees paid for services would not exceed the appropriate market rate for the service provided.

Conclusion

56. We determined that SSC was working towards establishing a procurement framework and conducting its contracting for professional services in a manner that was compliant with government policies. The Department was developing a formal procurement plan and policy, as well as procurement process documentation.
    
57. However, almost half (41%) the procurement files from our sample were not properly documented, which meant that they did not comply with the TB’s Contracting Policy. In addition, there were some discrepancies in the overall compliance of the procurement files.
    
58. Management and Procurement Officers took suitable measures consistent with good practices to ensure the fees paid for services would not exceed the appropriate market rate for the service provided.
    
59. We found that SSC was at risk of employer-employee relationships developing. SSC did not maintain a complete and accurate list of all contracted resources that have been engaged through a vendor. We found this information to be generally incomplete and containing errors. Without the appropriate tracking of the information required to monitor the risk, as well as additional controls to reduce the perception of this relationship, SSC may not be able to fully mitigate its risks.

Management Response and Action Plans

Overall management response

Management has reviewed the draft audit report on professional services and agrees with its recommendations.

Shared Services Canada agrees that professional services contracting requires senior management attention when it comes to employer-employee relationships.  Senior management will exercise due diligence in the management and oversight of the work performed under each particular contract, including aspects that may contribute to the employer-employee relationship.

Recommendation 1

Senior Assistant Deputy Minister, Corporate Services should implement a process, including proper monitoring, to prevent the provision of incorrect information to security operations that could result in contracted resources incorrectly being issued an employee ID card.

Recommendation 2

To facilitate the sharing of information, the Senior Assistant Deputy Minister, Corporate Services should modify the process of identifying individuals for entry into Government Electronic Directory Services (GEDS) to ensure that contracted resources are not visible in GEDS and that monitoring should occur to ensure that the process is working and to correct any discrepancies.

Recommendation 3

The Senior Assistant Deputy Minister, Corporate Services should co-ordinate to develop andimplement a process to identify, track and monitor contracted resources.

Recommendation 4

The Senior Assistant Deputy Minister, Corporate Services should implement procedures to improve the documentation of SSC procurement files to ensure compliance with the Treasury Board’s Contracting Policy.

Annex A

The following audit criteria were used in the conduct of this audit:

1. Shared Services Canada (SSC) established appropriate mechanisms to oversee and ensure compliance with legislative and policy requirements for professional services contracting.
   
2. With respect to contracting for services, contracting authorities ensured that an employer-employee relationship did not result when contracting for the services of individuals in accordance with criteria established by the Canada Revenue Agency and pertinent court rulings.
   
3. When contracting for the procurement of professional services, SSC achieved its goal of providing fair market value.
   
4. SSC conducted procurement of professional services in a manner that ensured compliance on a consistent basis, with appropriate legislation, regulations and policy.
   
5. Accurate and complete information regarding the procurement of professional services was available to SSC management and for reporting purposes.

Annex B

Identification of contracted resources

We identified 37 contracted resources from the 41 sample files. These names were compared with the resource list from Public Works and Government Services Canada (PWGSC), data from the Security ID card and a list maintained by Procurement.

By comparing the names from the PWGSC list with the ID security list and the procurement contracted resource list, we identified an additional 84 contracted resources. By using data analytics software, we identified 121 names that appeared in the PWGSC list and at least one of the other two lists.

The 121 names were then used as the basis for our review against the indicators.

Free PDF download

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet:

• Adobe Reader
• Foxit Reader
• Xpdf
• eXPert PDFReader