Common menu bar links
ARCHIVED - Audit of Information Technology Services Contracts
This page has been archived.
Archived Content
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Internal Audit Report
November 2009
Table of Contents
- Executive Summary
- Introduction
- Audit Opinion
- Findings, Recommendations and Management Action Plans
- Appendix A: Summary of Findings
- Appendix B: List of Acronyms
Executive Summary
Background
Prior to its creation on December 12, 2003, Canada Border Services Agency (CBSA) was part of Canada Customs and Revenue Agency (CCRA) and the contracting function for information technology (IT) contracts was shared.
The separation of these entities, at the end of 2003, meant that the CBSA no longer had access to the resources available at CCRA for obtaining IT services. CBSA, therefore, turned to Public Works and Government Services Canada (PWGSC) for an alternative approach. A temporary contracting solution was provided by PWGSC whereby the CBSA would use task authorizations (TAs) to provide IT services within the context of Government On-Line.
The Competition Bureau conducted a four-year inquiry into possible collusion in the bidding process between IT consulting services providers under the above-mentioned PWGSC-led, task authorization (TA) contracting process. In February 2009, the Competition Bureau accused firms of having participated in bid-rigging and collusion. None of the allegations involved employees or individuals who had performed work on behalf of the CBSA.
Following the allegations of bid-rigging, the PWGSC Deputy Minister and the President of the CBSA requested an audit of these IT services contracts.
Objective and Scope
The audit objective was to assess whether the TAs issued were compliant with contracting practices and the terms and conditions of the TA contracts.
The audit focused on TA contracts and the TAs issued under those contracts, whereby the CBSA was functional authority, that were awarded to IT service firms investigated or charged by the Competition Bureau between April 1, 2004 to September 30, 2008.
Statement of Assurance
This audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.
Audit Opinion
The task authorizations were administered in accordance with contract management practices and services rendered; payments were made in accordance with contract terms and conditions and the Financial Administration Act (FAA).
Minor issues were noted in the monitoring of the financial delegations and the contract file maintenance.
Main Observations
The audit found that the contract administration of the TAs and their amendments were issued in accordance with the terms and conditions of TA contracts. Roles and responsibilities were defined, communicated and fully executed. Furthermore, services were rendered and payments made were in accordance with the contract terms and conditions.
Issues related to section 32 and section 34 financial delegated authorities were identified in this and previous audits. They should be addressed with the implementation of the action plans of those audits. The file review identified minor issues related to the monitoring of the contract process and TA contracts, thereby ensuring completeness of contract files. After the conduct of the audit, these issues were addressed by the implementation of a contract monitoring process.
The audit scope included the review of TA contracts and their applicable TAs. On March 31, 2009 the use of TAs expired as a new PWGSC method for supply of Task-Based Professional Services was made available to obtain professional IT services. This contracting solution may no longer be used; however, the observations and recommendations herein are applicable to all contracts issued within the Agency.
Management Response
The Innovation, Science and Technology Branch agrees with the recommendations contained in this report.
Introduction
Background
The Canada Border Services Agency (CBSA) was created on December 12, 2003 and falls under the Public Safety Portfolio that combines the functions related to security, law enforcement, correctional services, and border services.
Prior to its creation, the CBSA was part of Canada Customs and Revenue Agency (CCRA) and the contracting function for information technology (IT) contracts was shared.
The separation of these entities, at the end of 2003, meant that CBSA no longer had access to the resources available at CCRA for obtaining IT services. CBSA, therefore, turned to Public Works and Government Services Canada (PWGSC) for an alternative approach. A temporary contracting solution was provided by PWGSC whereby the CBSA would use task authorizations (TAs) to provide IT services within the context of Government On-Line.
In 2005, PWGSC, as the contracting authority, issued TA contracts for IT services on behalf of the CBSA. The TA contracts facilitated contracting where there was a specific need for a category of services and the special nature and the timeframe had not been established in advance. They allowed the CBSA to quickly obtain IT contractor or consultant services following the evaluation of proposals submitted and signed by designated contractors. The CBSA's acceptance of a TA was based on who was the best technical resource.
Although Contracting, Assets and Telecommunications Division (CATD) was responsible for contracting for the CBSA, Business Integration Services Division (BISD) within Innovation, Science and Technology Branch played an active role due to the complexity of the contracts. The Agency used TAs to conduct work on the basis of “timely customized services” in accordance with the terms of the TA contracts. This contracting approach was adopted until a new one could be put in place. Thus, during the transition phase, the CBSA used TA contracts as a short-term approach to fill longer-term needs.
Since the expiry of the last TA contracts in March 2009, the CBSA has used a new PWGSC contracting approach for the Task-Based Informatics Professional Services (TBIPS), which allows new arrangements to fulfill specific IT needs for special activities or initiatives.
The Competition Bureau conducted a four-year inquiry into possible collusion in the bidding process between IT professional services providers under the above-mentioned PWGSC-led TA contracting process. In February 2009, the Competition Bureau accused firms of having participated in bid-rigging and collusion. None of the allegations involved employees or individuals who had performed work on behalf of the CBSA.
Following the allegations regarding bid-rigging, the PWGSC Deputy Minister and the President of the CBSA requested an audit of these IT service contracts.
The CBSA initiated an audit of IT services contracts in February 2009 and the examination phase was conducted between April and June 2009. In January 2009, PWGSC's Office of Audit and Evaluation started an audit of IT services contracts. The objectives were to determine whether contracts awarded by PWGSC to companies that had been subject to administrative review had provided value to the Crown and if these companies owed monies to the Crown. The results of this audit will be communicated to the client departments for follow-up.
In May 2009, the Office of the Comptroller General published the results of a horizontal audit that was conducted in nine large departments and agencies (LDA) on Contracting Information Systems and Monitoring. The audit found that:
- Information was adequately captured and reliable systems and processes were in place to help ensure data was accurate;
- LDAs identified information required to meet ad hoc requirements related to contracting activities;
- The LDAs assessed did not have a formal risk-based approach to monitor contracting risks at the entity level;
- The reporting was generally ad hoc and transactional in nature.
Risk Assessment
Based on a review of internal and external sources, such as the PWGSC policy notification on task authorization contracts, the main risks of the TA contracting process are as follows and formed the basis of the objective and scope of the audit.
- Improper authorization and description of work by the project and functional authorities through TAs that are outside the scope of the original TA with respect to statement of work and dollar limit;
- Insufficient review by the project and functional authorities of task performance and invoicing regarding the TA and the TA contract;
- Insufficient monitoring and control of total expenditures by the project and functional authorities.
Audit Objective and Scope
The audit objective was to assess whether the TAs issued were compliant with contracting practices and the terms and conditions of the TA contracts.
The audit focused on TA contracts and the TAs issued under those contracts, whereby the CBSA was functional authority, that were awarded to IT service firms investigated or charged by the Competition Bureau between April 1, 2004 to September 30, 2008.
Approach and Methodology
The examination phase included the following:
- Interviews with key CBSA stakeholders involved in IT services contracting, including the CATD and the BISD.
- Review and analysis of TA and TA contract documents, including invoices, time sheets, solicitations and evaluations. Fifty TAs valued at $17 million were sampled out of 164 TAs valued at $35 million issued between November 2005 and January 2008.
- Collaboration and exchange of information with PWGSC's Office of Audit and Evaluation.
Audit Criteria
The following audit criteria were developed from a review of legislation, policies and best practices:
- TAs and their amendments were issued and administered in accordance with the terms and conditions of the TA contracts (statement of work and dollar limit), contracting policies and procedures and delegated financial authorities.
- Services rendered and resulting payments made were in accordance with the terms and conditions of contracts and the Financial Administration Act (FAA).
Statement of Assurance
The audit was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.
Audit Opinion
The task authorizations were administered in accordance with contract management practices and services rendered; and payments were made in accordance with contract terms and conditions and the Financial Administration Act (FAA).
Minor issues were noted in the monitoring of the financial delegations and the contract file maintenance.
Findings, Recommendations and Management Action Plans
The audit found that the contract administration of the TAs and their amendments were issued in accordance with the terms and conditions of TA contracts. Roles and responsibilities were defined, communicated and fully executed. Furthermore, services were rendered and payments made were in accordance with the contract terms and conditions.
Issues related to section 32 and section 34 financial delegated authorities were identified in this and previous audits. They should be addressed with the implementation of the action plans from those audits. The file review identified minor issues related to the monitoring of the contract process and TA contracts, thereby ensuring completeness of contract files. After the conduct of the audit, these issues were addressed by the implementation of a contract monitoring process.
Contract Administration
Roles and responsibilities were defined, communicated and fully executed. Weaknesses were found regarding the initiation of TAs without proper section 32 delegation of the FAA, and the completeness of contract files.
The CBSA must ensure that TAs and their amendments are issued and administered in accordance with the terms and conditions of TA contracts (i.e. statement of work and dollar limit), contracting policies and procedures, and delegated financial authorities.
Compliance of TA contracts
TA contracts describe, among other things, the process that must be followed and the roles and responsibilities of the various stakeholders. TAs, which allow for calling up previously specified resources, must be compliant with the terms and conditions of contracts.
The audit reviewed a sample of 50 files that included contracts, TAs and related amendments, solicitations and evaluations, invoices, and time sheets. A summary of the findings is found in Appendix A, Sections A and B.
The review of the following factors for the 50 selected files concluded that the Agency complied with the terms and conditions of contracts. For example:
- TAs were approved by the various stakeholders, contractors, project authorities, contracting officers and PWGSC;
- The TAs issued did not exceed the amounts stipulated in the TA contracts;
- The TAs contained statements of work including tasks that were consistent with the TA contracts;
- The rates and the resources categories were in accordance with those described in the TA contracts;
- The TAs were not used to modify TA contracts terms and conditions.
TA Section 32 Contracting Authority
Prior to issuing TAs, managers are to complete an action request form and then approve the TAs as per section 32 delegation of the FAA. These approved forms are the basis for issuing the requisition for goods and services, which must also be approved under section 32 of the FAA. Both of these documents must have the signatures of individuals with the appropriate signing authority under section 32 of the FAA.
To ensure compliance with section 32 of the FAA, the Comptrollership Branch has developed the delegation of financial signing authorities in the Finance Volume. This document contains the financial delegation matrix of authorities delegated by the Minister and the President. Management has also established specimen signature documents to identify the incumbent of the positions that have signing authority.
TA amendments were issued in accordance with delegated financial authorities. The audit found that in 82 percent of cases reviewed, the individuals who approved the action request form under section 32 of the FAA had the appropriate signing authority. Since January 2007, the signing authority for requisition for goods and services under section 32 of the FAA had been delegated to a manager in BISD on behalf of the ISTB. Thus, upon signing the requisition for goods and services, this manager was counting on the action request form to certify the availability of funds. However, the audit found that in four of 50 files the person who signed the action request did not have delegated authority. Hence, there is a risk that managers may be entering into commitments without having the budget to do so.
In April 2009, the CBSA Internal Audit Directorate presented the Audit of Delegated Authority Under Section 33 of the FAA. It recommended implementation of an annual review based on the risks of all delegated authorities, which in turn could lead to the recommendation of corrective measures based on review results. Implementation of this recommendation by the Comptrollership Branch will ensure that the approvals made under section 32 of the FAA are monitored.
Recommendation:
1. The Vice-President of the Innovation, Science and Technology Branch should reinforce to its Branch Management Services Unit their role with respect to section 32 of the FAA requirements.
| Management Action Plan | Completion Date |
|---|---|
| Send a formal note to managers – both substantive and acting in ISTB to remind them of the requirement for appropriate training and delegation before signing any documents. | December 2009 |
| A review of delegation instruments related to sections 32 & 34 has been conducted for all managers in ISTB to ensure managers exercising this authority are delegated and have received the appropriate training. New signature cards are being produced on an ongoing basis as managers change or updates are required. Managers will now be reminded of their responsibilities when their cards are updated with an attached e-mail outlining section 32 and section 34 and their level of authority. Managers will continue to provide copies of the signing authority document to the Comptrollership Branch. | Currently underway & ongoing |
Roles and Responsibilities
Roles and responsibilities were described in the policy notification (PN-75) concerning contractors, and CBSA and PWGSC contracting officers. According to the PN-75 there should be a clear understanding of roles and responsibilities relating to the management of the contract and the use of task authorizations. It is important that employees and managers understand their roles and responsibilities and execute them.
Based on the interviews and review of files, the audit concluded that the TA process was relatively simple and that the managers understood their roles and responsibilities and executed them. The use of TAs for IT services involved intervention by various external stakeholders (PWGSC and contractors) and internal stakeholders (project authority, contracting officers, Comptrollership Branch, and the Innovation, Science and Technology Branch).
The audit found that the CBSA Contracting Policy summarized the roles and responsibilities of the Agency's contracting and supply functions. Although there was no written procedure outlining specific roles and responsibilities regarding TAs, managers interviewed were able to explain clearly the roles and responsibilities of the stakeholders.
Monitoring
Monitoring is a crucial aspect of proper management. It helps to detect anomalies and weaknesses as they arise, so as to be able to take the necessary corrective measures. It also prevents problems from becoming more serious.
The audit found that monitoring was in place at the BISD regarding staying within the number of days authorized in a contract. The Division also monitored the level of financial commitments to ensure that no open commitments should have been closed. The electronic tools developed by this Division are also accessible to project authorities to ensure that they are able to conduct their own follow-ups.
The audit also found that the monitoring had not been conducted on TA contracts or the TAs. For example, the audit revealed two cases of sub-contracting out of the 50 samples reviewed where the contractor and the sub-contractor were both eligible to bid on work. In both cases, the contractor with the higher rate won the process and sub-contracted the work to the contractor with the lower rate. Even if sub-contracting is allowed, a monitoring system must be in place to reveal unusual trends and be able to take the appropriate preventive measures. After the conduct of the audit, CATD implemented a contract monitoring process which includes, for example, a weekly status update of contract status; a monthly dashboard on contracting performance; and an annual contracting activities report.
Contracting Files
CBSA must ensure that all documentation is contained in contract files. The Treasury Board of Canada Secretariat's Contracting Policy stipulates that:
4.2.15 Departments must ensure that adequate management controls are in place to protect the integrity of the bidding process. It is recognized that the bidding process may employ either traditional hard copy documents or electronic bid documents. In either situation, in order to stand the test of public scrutiny in matters of prudence and probity, Departments must have the ability to demonstrate that all bid materials are received on time and in the manner prescribed in the tender/solicitation documents. In the case of electronic bids, Departments must also ensure that the documents are not altered, forged, changed or corrupted either intentionally or by error. If a contracting authority suspects that collusion or bid-rigging has taken place in the bidding process, it shall notify Industry Canada.
5.2.2 Contracting authorities are to ensure that contract files are properly documented.
The audit found that in 17 of the 50 files reviewed, the essential documents that would support diligence in the TA award process were not available for review. The missing contractor solicitations and resource evaluations were related to contracts that had been awarded during the period the Agency was co-located with CCRA. CATD did not have a process in place to ensure that files were properly documented. This documentation is necessary evidence to justify the integrity of the solicitation process and to satisfy the criteria of prudence, integrity and competitiveness. It is also required to justify the decisions taken and provide an audit trail.
Knowledge
The Policy Notification 75 stipulates that:
29. The client is responsible for ensuring that its staff authorized to issue TAs or seek PWGSC approval of TAs are properly trained to do so, including particularly knowledge of the TA provisions and scope in the contract, and information reporting requirements.
It is expected that managers and employees would be trained, understand their roles and responsibilities and fully execute their duties.
The Agency had one employee who took formal training on the TA contract process, but the others learned via on-the-job training. Interviews with CBSA employees and the review of documents showed that there were no problems in understanding the process and that it was managed appropriately.
Payments
Services rendered and payments made were in accordance with the contract terms and conditions.
Services rendered and payments made must be in accordance with section 34 of the FAA, terms and conditions of the contract and financial delegated authority.
A sample of 50 files and related payment documents were reviewed covering 1,308 invoices and related time sheets and reports signed under section 34 of the FAA. The audit reviewed the use of delegated financial authorities and the charges for services rendered to determine compliance with section 34 of the FAA and with the terms and conditions of the contracts. Appendix A, Section C provides a summary of the main data that were compiled from the audited files.
Ninety-one percent of the invoices were signed by the managers who had delegated signing authority under section 34 of the FAA. The CBSA conducted an internal audit of delegated authorities under section 34 of the FAA in December 2008. It had a wider scope than the current audit in that it covered all aspects of this topic including the transactional aspect targeted in the current audit. Observations, recommendations, and actions planned by management are still relevant to the current audit. Some of the findings of the audit of delegated authorities corroborated the results of the current audit.
The recommendations made by the previous audit regarding training on section 34 and the use of work tools such as checklists to help delegated managers execute their certification pursuant to section 34 were made to improve results to ensure conformity with the FAA. In responding to these recommendations, management committed to developing and providing training to financial contacts, who in turn would have trained delegated managers before the end of March 2009. Management also committed to putting in place a checklist to help delegated managers to execute confirmations under section 34 of the FAA.
Charges for services rendered were in accordance with the terms of the contract. As shown in Appendix A, Section C, results were favourable in terms of:
- The level of effort required (i.e. daily rate and number of days) to perform the task on the invoice was the same as what appeared on the TA in 96% of the invoices reviewed; and
- The categories of resource use and their daily rates of pay were identical to what appeared on the TAs in all invoices reviewed.
Appendix A: Summary of Findings
| Findings | Yes % |
No % |
Unable to Assess % |
Not Applicable % |
|---|---|---|---|---|
| Section A - Approval | ||||
| TA approved by the contractor and the project authority | 100 | |||
| TA approved by the contracting authority | 84 | 16 | ||
| TA approved by functional authority | 98 | 2 | ||
| TA approved prior to start of the work | 66 | 4 | 30 | |
| Section 32 of the FAA signed by the appropriate signing authority | 82 | 8 | 10 | |
| Section B - Statement of work and documentation | ||||
| TA contains a clear statement of work | 94 | 6 | ||
| TA is within the duration of the work contract | 98 | 2 | ||
| Rates and resource categories conform to contract | 100 | |||
| Evaluation of resources on file | 66 | 34 | ||
| TA is not used to modify the contract | 98 | 2 | ||
| TAs are modified to extend the dates to finish work that has not been completed | 98 | 2 | ||
| TA is not used following contract expiry | 94 | 6 | ||
| Supplementary resources or replacements are allowed under the contract | 30 | 8 | 62 | |
| Daily time sheets are on file | 84 | 16 | ||
| Section C - Payments | ||||
| Section 34 of the FAA signed by the appropriate signing authority | 91 | 9 | ||
| Level of effort on the invoice identical to what appears on the TA | 96 | 4 | ||
| Rates and resource categories conform to TA | 100 | |||
| Payments have not exceeded TA | 96 | 4 | ||
| The amount of the TA is within the contract value | 100 | |||
| Invoice calculations are correct | 100 | |||
Appendix B: List of Acronyms
| Acronym | Description |
|---|---|
| Agency | Canada Border Services Agency |
| BISD | Business Integration Services Division |
| CBSA | Canada Border Services Agency |
| CATD | Contracting, Assets and Telecommunications Division |
| CCRA | Canada Customs and Revenue Agency |
| CRA | Canada Revenue Agency |
| FAA | Financial Administration Act |
| IT | information technology |
| LDA | large departments and agencies |
| PN-75 | Policy Notification 75 |
| PWGSC | Public Works and Government Services Canada |
| TA | task authorization |
| TBIPS | Task-Based Informatics Professional Services |
