Internal Audit of Contracting Practices Within CIC

Audit Report
Internal Audit and Accountability Branch
Citizenship and Immigration Canada
September 2012

Executive summary
Why this is important
Key findings
Conclusion
Statement of assurance
Background
Audit objectives and scope
Detailed recommendations and findings
- Finding 1: Governance and Risk Management
- Finding 2: Contract Award and Administration
Appendix A – Detailed audit criteria
Appendix B – Management action plan
Appendix C – Links to applicable legislation, regulations, policies and directives

Executive Summary

The objective of this audit was to assess the effectiveness of the governance framework, risk management practices and internal controls for the awarding and administration of contracting and procurement within Citizenship and Immigration Canada (CIC). The audit covered contracting and procurement transactions during the 2011 calendar year.

Why This Is Important

Government-wide policy for contracting requires that contracting practices result in openness, fairness and transparency in the spending of public funds. Given the complexity of the policies and regulations established by central agencies, contracting has traditionally been recognized as a high-risk area. Adding to the complexity has been the decentralized nature of CIC operations (only 20% of contracting activities were reviewed by a centralized authority for the period covered by this audit), which can hinder standardization and oversight efforts. It is therefore important that CIC have effective contracting practices in place to meet its needs and that the activities be governed by an appropriate level of oversight to ensure that policies and regulations are respected and corrective action is taken when appropriate. Contracting should not be seen as an impediment to effective operations, but rather as an activity requiring planning in order to ensure resources are in place when needed.

Key Findings

Oversight of contracting activities does exist, but is insufficient. A contract review committee has been established and has terms of reference; however, the challenge provided by the committee does not address all high-risk areas. CIC is not adequately monitoring day-to-day contracting activities carried out either centrally or regionally. However, with the increase in centralized contracting services, Procurement and Contracting Services (PCS) is now in a better position to implement risk-based monitoring activities.

In general, we noted a need for more complete supporting documentation in procurement files. Evidence of contract splitting was found in four files, in all cases to avoid triggering a contract threshold. Some contract files are not compliant with sections 32 and 34 of the Financial Administration Act. Some contracts have not been proactively disclosed in a complete manner when it has been required to do so.

Conclusion

CIC’s governance framework, risk management practices and internal controls over the awarding and administration of contracting and procurement are insufficient to ensure compliance with contracting policy.

Although the audit noted no instances of fraudulent or unethical behaviour, work needs to be done to streamline and provide greater clarity around mandatory business processes and monitoring activities to ensure compliance.

Management has committed (through the Management Action Plan – see Appendix B) to undertake a thorough process review of the procurement function in order to identify opportunities to strengthen controls while maintaining efficiency. Subsequent to this review, proposals for a new procurement business model will be tabled to senior management in December 2012 and will include the following deliverables: new terms of reference for the contract review committee, a monitoring plan for department-wide procurement activities, mandatory checklists for all contracting activities, training plans for procurement and non-procurement staff, and proposed service standards

If implemented in a timely fashion, the Management Action Plan should mitigate the risks noted in this report.

Statement of Assurance

The conduct of this engagement was done in accordance with the Internal Auditing Standards for the Government of Canada, which incorporate the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing. Sufficient and appropriate auditing procedures were performed to provide a high level of assurance over the findings and conclusion in this report.

Gibby Armstrong
Chief Audit Executive
Citizenship and Immigration Canada

Background

The Treasury Board Contracting Policy ensures that the procurement of goods and services is accomplished “in a manner that enhances access, competition and fairness and results in best value or, if appropriate, the optimal balance of overall benefits to the Crown and the Canadian people.” The Contracting Policy states that “government contracting shall be conducted in a manner that will stand the test of public scrutiny in matters of prudence and probity, facilitate access, encourage competition and reflect fairness in the spending of public funds.”

The objectives of procurement and contracting within CIC are consistent with federal government objectives, and practices are expected to be conducted in accordance with the Government Contracting Regulations and with Treasury Board policies.

Within CIC, contracting and procurement accountabilities are delegated according to level of authority. Delegations for different offices are based on risk, with thresholds of either $5,000 or $10,000 for contracting decisions. All procurement values above delegated authorities and under $2 million are processed through Procurement and Contracting Services (PCS) within the CIC’s Corporate Services Sector , and in these circumstances, responsibility becomes shared with the offices initiating the activity. The procurement of goods and services under $5,000 or $10,000 (depending on authority level), with the exception of software purchased under a standing offer or a supply arrangement, are processed directly by the initiator of the purchasing transaction. No interaction with PCS is required. Contracts for services over $2 million and goods over $25,000 except where a standing offer/supply arrangement exists require that a requisition be sent to PWGSC.

Until 2012, the procurement function was decentralized within delegated authority thresholds, and monitoring of activities was left to the offices across Canada. This resulted in about 20% of contracting activities being reviewed by PCS. Recently, CIC procurement has become more centralized, and PCS now has greater accountability in monitoring department-wide procurement activities.

Audit Objectives and Scope

The audit scope covered the procurement and contracting processes across the Department, including practices in place within the following offices:

National Headquarters (NHQ), both centralized and decentralized activity;
Ontario Regional Headquarters; and
the Centralized Processing Centre in Mississauga, Ontario.

The audit covered contracting and procurement transactions during the 2011 calendar year.

Detailed Recommendations and Findings

Finding 1: Governance and Risk Management

Oversight of contracting activities does exist, but is insufficient.

Effective oversight of contracting activities should ensure that contracting requirements are met in an open, fair and transparent manner. Decisions for contracting and means of contracting for requirements should be challenged to ensure requirements such as the following: the needs are clearly defined, they could not be met by alternative methods, they are within the legislative mandate, and the contracting procedures respect relevant policies and regulations.

It is important that senior management contribute to contracting decisions. This challenge function should ensure that the procurement strategy selected allows for an open, fair and transparent contracting process and respects contracting policies and regulations. Finally, what is discussed and the conclusions reached from this challenge function should be documented in order to provide sufficient evidence of the existence of this oversight.

Oversight responsibilities are assigned.

A contracting review committee can ensure an appropriate level of governance over contracting activities, and we found that CIC recognized the importance of this challenge function. CIC has established terms of reference for the contracting review committee, which include a review of the following types of contracts: sole source requests greater than $25,000, all requirements that will be published by CIC on MERX, any procurement deemed to be sensitive or contentious by the Director General responsible for PCS, and all confirming orders (situations when goods or services are received before a contract is signed). The committee maintains records of decision and meets as required based on its terms of reference.

The challenge provided by oversight does not address all high-risk areas.

A contract review committee’s mandate should take effective risk management practices into consideration, and thereby address high-risk areas. A contract review committee should also have the authority to enforce its mandate in order to mitigate high-risk areas.

At CIC, the contract review committee’s mandate does not include the review of contract amendments. Contract amendments currently represent between 40 and 60% of quarterly activities directly related to contracting, yet amendments are not included in the scope of the committee’s responsibilities. Amendments in some quarters outnumber all other contracting activities combined, which means that the committee’s sample is not representative of the function it is meant to oversee. There is a risk that, if not reviewed by an oversight body, amendments could result in a circumvention of other control functions, such as sole-source limitations or delegations of authority, or be a result of poor planning, where contracting needs are not accurately recognized prior to entering into a formal contract with a vendor.

There was also no evidence found to suggest that the contract review committee is in a position to know whether all necessary contracts are being sent for review. Two confirming orders that had not been reviewed by the committee were found in our file sample. During the 2011 calendar year, the committee reviewed 1% of all contracting activities, representing less than 5% of the total dollar value of contracting activities at CIC. There is no process used by the committee to clearly identify high-risk transactions and to ensure they are reviewed as part of their mandate.

CIC is not adequately monitoring contracting activities.

While the contract review committee is charged with reviewing contracts as identified in the terms of reference, no other contracts outside of the committee’s mandate are currently subject to any oversight. As a result, CIC has no means of providing assurance that contracting activities are compliant with policy, or that CIC is achieving best value through its procurement activities. With a more centralized procurement function, PCS is now in a better position to monitor contracting activities throughout CIC. Monitoring should be risk-based and provide assurance that all those with delegated authority respect policy. It should include a sampling strategy, a monitoring plan and a strategy for presenting results to the contract review committee.

A human resources plan for PCS is in place but does not address some key issues.

Given the recent changes in the responsibilities of CIC’s PCS Branch, it would be considered prudent to reassess the human resources / business strategy to ensure all activity included in PCS’s mandate can be accomplished in an efficient and effective manner. This examination should consider both the efficiency of its current practices and the resources required to deliver on its mandate in an effective manner.

It was noted that staff turnover within PCS has hindered the efficiency of contracting activities. However, there is no mitigation strategy in the current function’s human resources plan. It was also noted that PCS is responsible for amending all entries in the financial system: a high-volume activity that may strain the effectiveness of existing resources and affect the efficiency of the function. While this responsibility falls outside of the scope of this audit, these activities represented 41 to 78% of all PCS transactions in recent quarters. In many organizations, this responsibility falls outside of the contracting function; this subject may be considered in a future audit to ensure practices are efficient.

PCS is making efforts to improve procurement services.

During the course of this audit, PCS created a working group to address systemic procurement issues. Participation was requested from multiple sectors across the country in order to obtain input from all functional areas. PCS intends to develop a report summarizing the findings during the current fiscal year. PCS has also established standards for client services and has begun to monitor performance against the standards. Achievement against service standards are presented to CIC senior management on a regular basis.

Recommendations:

1. CIC should review the terms of reference of the contract review committee and address any additional areas of risk that should be subject to oversight.

2. PCS should implement active monitoring of contracting activities to ensure that government-wide policies and CIC processes are respected.

3. PCS should develop a business strategy that addresses capacity, efficiencies of current practices and monitoring requirements in order to effectively deliver on its mandate.

Finding 2: Contract Award and Administration

There is insufficient documentation to support the notion that contracts are being awarded in an open, fair and transparent manner.

Contracts should be awarded in an open, fair and transparent manner. Requests for proposals from suppliers should include a Statement of Work that outlines a department or agency’s specific contracting requirements. The Statement of Work should detail, for example, background on the requirements, the services required, a timeline for the completion of services and any client support to be provided. The Request for Proposal should include evaluation criteria that will enable objective selection of the best proposal received from suppliers. Criteria should be clear and should logically relate to the requirements for professional services.

In evaluating proposals, contracting officers should clearly document the quality of responses received in accordance with the evaluation criteria established in the Request for Proposal. These should be documented in sufficient detail to support the choice of the winning supplier. In awarding the contract, terms and conditions, as well as the scope and budget of an engagement should be commensurate with the service requirements described in the Request for Proposal.

The Financial Administration Act (FAA) is legislation that acts as a control for all financial transactions in the Government of Canada. Signatures are given by individuals with the delegated authority to do the following: a) confirm the availability of funds prior to initiating a contract, as per section 32 of the FAA; and b) confirm the delivery of services or goods prior to invoice payment, as per section 34 of the FAA. The Government of Canada requires 100% compliance with the FAA.

In addition, proactive disclosure of all contracts over $10,000 (including all contract amendments) is an important element of contract administration, typically done after file close-out, to ensure that all material contracting done by departments and agencies is disclosed to Canadians in a transparent manner. Proactive disclosure also permits Canadians to understand what types of services departments and agencies are contracting to suppliers and which suppliers are conducting the work required.

Contract files lack adequate documentation.

In general, we noted a need for more complete supporting documentation in procurement files. Typical examples of missing documentation included the following: justification for sole sourcing, including support for the fact that activities will not be amended, when the justification for sole sourcing is that the contract is under $25,000; support for the selection of a particular contracting strategy; documentation specifically required when using particular standing offers such as temporary help services; and rationale required for contract amendments.

In a few of the files examined, a copy of the contract could not be produced. What was contained in the files varied from office to office; requirements were not consistent across the organization. PCS has developed guidelines for procurement officers, but they are not commonly known or used throughout the Department. While some offices had checklists to ensure file completeness, the checklists differed from office to office and were rarely used.

Evidence of contract splitting was found in four files to avoid exceeding delegated authorities.

Of the 83 files reviewed, 4 contained evidence of contract splitting. In each case, contracts were split to avoid triggering a contract threshold. If left unmonitored, contract splitting has the potential to circumvent most controls in the contracting function, which will prevent CIC both from being compliant with the Policy and from achieving best value. The evidence of contract splitting further emphasizes the need for CIC to review the terms of reference of the contract review committee and for PCS to actively monitor contracting activities, particularly those at or near authority thresholds.

Contracting files generally contain insufficient documentation to support the evaluation of bids.

If contracting officers are evaluating bids in a fair manner, documentation does not exist to support this. Without transparently documenting contract requirements, CIC cannot be assured that bidders will address the specific requirements of the request. In addition, if the requirements are not made clear in advance of the work, there is a greater risk that contracted firms will misunderstand the requirements and that the total costs of the contracts will increase through amendments.

In addition, many of the contracts that were reviewed were issued to the same supplier multiple times through standing offers. In these scenarios, no other suppliers on the standing offers were contacted, while CIC engaged the same supplier for every purchasing need. While this practice does not explicitly run counter to policy, CIC is not obtaining multiple bids for goods and services through efficient and existing means, meaning CIC cannot be sure that it is achieving best value.

Some contract files are not compliant with sections 32 and 34 of the FAA.

Our file sample consistently showed that there were issues with both pre-approval of funds and confirmation of services rendered or goods delivered. In 33 of 83 files, section 32 was signed after the initiation of the contracted activity. Out of 36 contract amendments reviewed, 12 were signed after the original contract had already expired. While section 34 was followed more rigorously, 12 out of the 83 files did not contain all of the invoices, hindering our ability to conclude that goods or services had been received before payment was made.

Some required contracts have not been proactively disclosed.

We examined the proactive disclosures to ensure that contracts greater than $10,000 had been disclosed in an open manner. Out of 24 files that should have been proactively disclosed, 5 were not. While 1 file was simply not disclosed, 3 files did not disclose the full values of the contracts including all amendments. Another contract was not disclosed because the cost of the contract was split into two: as each contract on file was valued at less than $10,000, it was not flagged for proactive disclosure. Not proactively disclosing contracts runs counter to policy and risks public perception that CIC is not conducting contracting activities in a transparent manner.

Recommendations:

4. CIC should implement the mandatory use of file checklists in all contracting files. This will standardize contracting and contracting administration requirements to ensure that government-wide and departmental policies are respected. This checklist should ensure that the file contains (at a minimum):

the bid selection method and evaluation criteria, which should be included in the bid solicitation document before the request for proposal is issued;
justification for all non-competitive procurement contracts;
evaluations of proposals and contractor selections, which are conducted in accordance with the pre-established criteria as stated in the request for proposal, and in an open, fair and transparent manner;
a copy of the signed, written contract;
assurance that contracts are issued before goods or services are received;
contract amendments that are signed before the original contracts expire; and
assurance that contracts with a value over $10,000 are proactively disclosed.

5. CIC should address contract splitting in a timely manner.

6. CIC should ensure that all contracting files contain FAA section 32 signatures and that all payment files contain FAA section 34 signatures from those with the proper delegated authority to do so, at the appropriate time.

7. CIC should ensure that all contracting files with total values greater than $10,000 are proactively disclosed.

Appendix A – Detailed Audit Criteria

The objective of this audit was to assess the effectiveness of the governance framework, risk management practices and internal control framework for the awarding and administration of contracting and procurement within CIC.

The following criteria were used to conduct the audit:

Criterion #1

The Department has policies, systems and procedures in place to enable transparent, efficient and effective procurement activities that reflect relevant federal legislation and policies.

Criterion #2

Mechanisms are in place to help ensure compliance with departmental procurement policies and practices.

Criterion #3

Processes to identify and mitigate contracting and procurement management business risks are in place and operating effectively.

Criterion #4

Effective monitoring and reporting mechanisms are in place to provide management with accurate, relevant and reliable information for decision making.

Appendix B – Management Action Plan

Recommendation	Risk Ranking	Action Plan	Responsibility	Target Date
1. CIC should review the terms of reference of the contract review committee to address any additional areas of risk that should be subject to oversight.	High	Management Response: The current terms of reference (TOR) were developed with the view of balancing oversight with the need to meet service standards. The mandate focused on procurement processes that were not subject to other levels of oversight and standardization. Action Plan: A review of the TOR was initiated prior to the completion of this report and was discussed with members of the contract review committee during the July 9, 2012 meeting. Additional changes to the TOR will be proposed to ensure the committee is able to fulfil its mandate to the fullest and provide the adequate level of challenge function and reporting requirements to senior management. The proposed TOR will be presented to the Management Accountability Committee in the fall of 2012, followed by the Executive Committee, for approval. The new TOR will likely increase the volume of procurement and contracting files to be reviewed, which will require more time and effort from contract review committee members.	Administration, Security and Accommodations (ASA) Branch	December 2012 (Q3)
2. PCS should implement active monitoring of contracting activities to ensure that government-wide policies and CIC processes are respected.	High	Management Response: Our ability to actively monitor contracting activities is limited for lack of capacity and because of the salary cap. Up to now, our focus has been on productivity within established service standards. Action Plan: ASA will proceed with a benchmarking exercise (see recommendation 3) and present options for monitoring requirements and service standards to the Executive Committee and will implement adjustments to address this deficiency accordingly.	ASA	December 2012 (Q3)
3. PCS should develop a business strategy that addresses capacity, efficiencies of current practices and monitoring requirements in order to effectively deliver on its mandate.	Medium	Action Plan: ASA will perform a benchmarking exercise to assess capacity, workload – adding in needed monitoring activities – and service standards to determine what mix is appropriate and achievable. ASA will examine business processes throughout the procurement cycle to determine efficiencies in the process, to reduce redundancies and to potentially allow for realignment of some functions. CIC will require that sector managers provide forecasts of procurement activity requirements, which will be compared with actual activity for quarterly reporting purposes. Managers will be expected to plan their procurement activities as per published service standards. The results of these reviews will be presented to EXCOM in the 3rd quarter of 2012–2013.	ASA	December 2012 (Q3)
4. CIC should implement the mandatory use of file checklists in all contracting files. This will standardize contracting and contracting administration requirements to ensure that government-wide and departmental policies are respected. This checklist should ensure that the file contains (at a minimum): the bid selection method and evaluation criteria, which should be included in the bid solicitation document before the request for proposal is issued; justification for non-competitive procurement contracts; evaluations of proposals and contractor selections, which are conducted in accordance with the pre-established criteria as stated in the request for proposal, and in an open, fair and transparent manner; a copy of the signed, written contract; assurance that contracts are issued before goods or services are received; contract amendments that are signed before the original contracts expire; and assurance that contracts with a value over $10,000 are proactively disclosed.	High	Management Response: A checklist was developed for procurement officers in 2011 for use by Procurement and Contracting Services (PCS) members. Action Plan: The procurement officer checklist will be reviewed and implemented throughout the PCS network, including by regional procurement officers reporting to PCS. Training will be developed to address the checklist and to inform the Department of changes to requirements from PCS and new operating procedures.	ASA	December 2012 (Q3)
		A checklist will be developed for fund centre managers, which will be applied when exercising their delegation. The use of these checklists will be deemed mandatory for all procurement activities. ASA will monitor and report on usage.		December 2012 (Q3)
5. CIC should address contract splitting in a timely manner.	Medium	Action Plan: ASA will implement a monthly data mining protocol effective September 2012 that will permit the analysis of procurement activities with a view to identifying potential contract splitting. Management engagement will follow any potential issues to determine the cause and correct the situation.	ASA	September 2012 (Q2)
		Results of this activity will be presented to the Executive Committee on a quarterly basis.		December 2012 (Q3)
6. CIC should ensure that all contracting files contain FAA section 32 signatures that and all payment files contain FAA section 34 signatures from those with the proper delegated authority to do so, at the appropriate time.	High	Management Response: ASA can review and certify section 32. Monitoring of section 34 is the responsibility of the Finance Sector. Action Plan: The proposed checklists at recommendation 4 will require assurance that section 32 has been certified by the appropriate authority. Development of the fund center manager checklist will assist in ensuring that proper documentation is on file.	ASA	December 2012 (Q3)
		The issue is not with section 34 per se, but rather with the filing of documentation related to the approval of section 34. Management is aware that there is a need for improvement regarding the filing and safeguarding of invoices. Actions have already been taken, in conjunction with Records Management, to minimize the risk of lost and misfiled invoices. For example, all invoices paid by Finance are now stored in a filing cabinet pending pick-up from Records Management. Also, meetings have been held between Finance and Records Management to discuss a new filing convention. The result is that Records Management will file all invoices according to the SAP Vendor Number instead of the Vendor Name. This change has not yet been implemented, but is scheduled to implemented by the end of fiscal year 2012-13.	Finance	March 2013 (Q4)
7. CIC should ensure that all contracting files with total values greater than $10,000 are proactively disclosed.	High	Management Response: ASA uses a pre-established query to capture proactive disclosure information from SAP. The data is then compiled into a report and validated by each branch prior to posting. Action Plan: As part of the review set out in the action plan for recommendation 3, an analysis of this process will be conducted to determine if the process adequately captures data for proactive disclosure purposes.	ASA	December 2012 (Q3)

Appendix C – Links to Applicable Legislation, Regulations, Policies, and Directives

Page details

Date modified:: 2013-01-02

Language selection

Search