Internal audit of federal government consulting contracts awarded to McKinsey & Company

1.0 Conformance with professional standards

1. This internal audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing.

_________________________________________________________________

Marianne Thouin, Chief Audit and Evaluation Executive

2.0 Background

2. Procurement in the Government of Canada (GC) is subject to the Directive on the Management of Procurement (and the now rescinded Contracting Policy prior to May 13, 2022)^{Footnote 1} , which has as its objective to ensure that procurement of goods, services and construction obtains the necessary assets and services that support the delivery of programs and services to Canadians, while ensuring best value to the Crown. As a result, among others, procurements are expected to enable operational outcomes, to be subject to effective governance and oversight mechanisms, to be fair, open, and transparent, and to meet public expectations in matters of prudence and probity.

3. The Prime Minister tasked Minister Fortier, as President of the Treasury Board (TB), along with Minister Jaczek, Minister of Public Services and Procurement, to undertake a review of contracts awarded to McKinsey & Company (McKinsey). On February 8, 2023, the Office of the Comptroller General (OCG) requested from government organizations, by February 15, 2023, a list of all contracts with McKinsey dating back to January 1, 2011, as well as related information on these. For those organizations that have been the technical authority and/or entered into any such contracts as the contracting authority, the OCG has directed the Chief Audit Executives (CAEs) of these organizations to conduct a formal independent internal audit of the related procurement processes, with results to be reported to the OCG by March 22, 2023.

3.0 Audit objectives and scope

4. The objectives of the audit were to determine the following for all scoped-in contracts with McKinsey:

• i. The integrity of the procurement process was maintained, consistent with adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest;
• ii. The procurements were conducted in a fair, open and transparent manner, consistent with the Treasury Board (TB) Policy that was in place at the time (Contracting Policy or the Directive on the Management of Procurement); and
• iii. The procurements were conducted in a manner consistent with the organization’s internal processes and control frameworks (i.e., consistent with procurement management frameworks, financial controls, security controls).

5. The scope of the audit focused on the examination of the procurement practices for all competitive and non-competitive contracts^{Footnote 2} with McKinsey that were awarded (i.e., signed) by the organization between January 1, 2011, and February 7, 2023^{Footnote 3}. More specifically, the audit included an assessment of the following contracts:

Table 1: Contract overview

Contract numberFootnote 4	Contract start date & end date	Contract amount (including amendments)	Amount spent	Procurement strategy	Purpose of contract
1	02/05/16- 30/10/16 Contract closed	$1,999,998.30	$1,769,910.00	Competitive using Task and Solutions-Based Professional Services (TSPS) Supply Arrangement	Business Consulting Services
2	23/10/17-31/10/18 Contract closed	$1,796,700.00	$1,590,000.00Footnote 5	Competitive using TSPS Supply Arrangement	Executive Support Services
3	31/08/18-31/08/20 Contract closed	$1,332,000.00	$977,700.00	Traditional Competitive	Creation of a Value Management Office
4	21/10/22-19/12/22 Contract closed	$1,975,270.50	$0.00	Non-competitiveFootnote 6 using a Benchmarking Standing Offer	Benchmarking Services

6. Although contracts were awarded for a total of $7,103,968.80, only $4,337,610.00 was spent. Work on all contracts has been completed therefore there will be no further expenditures against them.

7. The audit did not assess:

• Any contracts with any entity other than McKinsey.
• Any contracts awarded (and signed) outside of the audit period.
• Compliance with any other policy instrument, laws and/or regulations not specifically mentioned in this audit report.

4.0 Approach

8. The OCG provided all departments with an audit plan and audit work program to ensure consistency of coverage across the GC. While the OCG developed the objectives, scope, audit criteria, and audit work program for use by implicated departments, audit findings and recommendations were developed independently by the CBSA’s internal audit function. The approach followed by the CBSA was in alignment with the approach described in the OCG audit plan and audit work program. To ensure the integrity and objectivity of the audit work, this audit was conducted only by public servant internal auditors subject to the Global Internal Auditing Code of Ethics of the Institute of Internal Auditors.

9. Due to time constraints, as well as incomplete documentation (elaborated further under section 5.0), the audit closely followed the approach outlined in the OCG audit work program to conclude on each audit criteria and did not undertake any additional audit procedures. On February 22, 2023, the CBSA’s Departmental Audit Committee approved an Internal Audit of Contracting and Procurement as part of the 2023-2024 Risk-Based Audit and Evaluation Plan, through which further work will be conducted to understand the gaps and risks within the procurement process.

5.0 Findings and recommendations

5.1 Findings for objective 1: Integrity of the procurement process

10. It is imperative that integrity in the procurement process be maintained throughout the procurement process in a manner consistent with the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest.

11. Evidence that the Minister or the Minister’s staff influenced the outcome of the procurement process was not present. Additionally, when reviewing emails, notes to file and other documentation, there was insufficient evidence to demonstrate public servants contravened the Values and Ethics Code or the Directive on Conflict of Interest.

12. We reviewed each of the contracts and found that they all included conflict of interest (COI) clauses. However, only one of the four files we reviewed (contract 2) contained evidence that the CBSA employees (i.e., bid evaluators) involved in the procurement process completed COI declarations.

13. When contracting with former public office holders and former public servants, the Directive on Conflict of Interest and Conflict of Interest Act must be respected. We reviewed documentation such as the consultants’ resumes and proposals outlining the consultants’ work history, and found no indication that any of them were former public servants or former public office holders.

Conclusion

14. We found no evidence that public servants or public office holders demonstrated behaviours that would contravene the Values and Ethics Code for the Public Sector or the Directive on Conflict of Interest. There was no evidence of contracting with former public servants or former public office holders. COI controls could be improved by ensuring that declarations are completed and retained on file. Without formal documentation to consider and declare a real or apparent COI, appropriate actions may not be taken to mitigate situations where a COI is actually present.

Areas of improvement^{Footnote 7}

15. Insufficient documentation was retained to demonstrate that CBSA employees involved in the procurement process for the files reviewed had completed COI declaration forms.

16. COI declarations ensure that public servants involved in the procurement process are reminded of their obligations under the Conflict of Interest Act to declare any real or apparent COI that may exist.

Recommendations

17. Refer to Recommendation 1 a) at the end of this report.

5.2 Findings for objective 2: Fairness, openness, and transparency, in line with applicable policy

18. In order to assess fairness, openness and transparency of the procurement processes undertaken by the CBSA, we assessed the following criteria:

• a) Non-Competitive Contracting;
• b) Competitive Contracting (including, the bid solicitation, evaluation of bids and the duration of the contract);
• c) Contract Management;
• d) Certification Authority (section 34); and
• e) Proactive Disclosure.

a) Non-Competitive Contracting

19. Of the four contracts issued to McKinsey, contract 4 was a call-up^{Footnote 8} against a non-competitive standing offer (SO)^{Footnote 9} for benchmarking services. When a non-competitive contract is issued, the rationale for why it was issued must be included on file and must align with the exceptions outlined in Section 6 of the Government Contracts Regulations:

• a) the need is one of pressing emergency in which delay would be injurious to the public interest; or
• b) the estimated expenditure does not exceed thresholds; or
• c) the nature of the work to be contracted for is such that it would not be in the public interest to solicit bids; or
• d) only one person is capable of performing the contract.

There was no documentation in CBSA or Public Services and Procurement Canada (PSPC) files outlining why this contract was issued non-competitively.

20. There are rules in place which explain how a call-up against a SO is to be issued. The SO for benchmarking services allowed the CBSA to contract directly with McKinsey as long as the proposed work was aligned with the work offered in the SO. However, the call-up procedures were not followed in this case; a competition was held by CBSA management between McKinsey and two other firms offering benchmarking services, to assess which firm was most capable of meeting the requirements. While it does not appear there was an intention to break contracting rules, holding a competition with firms that were already pre-qualified was not in alignment with the procedures of the SO and not required.

21. After the contract was awarded, a decision was made by CBSA senior management to terminate the contract and complete the work in-house.

Areas of improvement

22. Earlier engagement of the CBSA contracting team by CBSA management could have helped ensure that the contracting process aligned with the requirements prescribed in the SO.

b) Competitive contracting

23. The information in the request for proposal (RFP) is used by suppliers to bid for potential contracts. It is important for the key components of the RFP, mainly the bid evaluation criteria^{Footnote 10} and the statement of work (SoW)^{Footnote 11}, to be open, fair and transparent so that all suppliers understand what they are bidding on and how they will be evaluated, as well as ensure they are able to freely compete. Of the four contracts issued to McKinsey:

• Contracts 1 and 2 used mandatory methods of supply required by PSPC to solicit bids;
• Contract 3 used a traditional competitive RFP process to solicit bids; and
• Contract 4 was a non-competitive call-up against a SO. As noted in Criteria a), CBSA management held a competition prior to awarding the call-up. For this reason, this contract was also assessed in this section.

Bid solicitation

24. Prior to soliciting bids, it is important that steps be taken to ensure that the procurement process is designed in a way that will facilitate fair, open and transparent contractor selection. For this reason, we assessed whether:

• Section 32 (S32)^{Footnote 12} was appropriately authorized;
• The SoW and bid evaluation criteria were reviewed by the contracting authority;
• The bid selection method and bid evaluation criteria were outlined in solicitation documents before the RFP was issued; and
• The SoW and evaluation criteria were fair, open and transparent.

25. We found that for all four contracts, S32 was appropriately authorized to ensure that funding was set aside to meet contractual requirements. In three of the four contracts issued (contracts 1-3), the SoW and bid evaluation criteria were reviewed by the contracting authority. The purpose of this step was to help ensure that the SoW was clear and the evaluation criteria were fair and open. We found evidence that the SoW, bid selection method and bid evaluation criteria were included in the RFP issued in three of the four contracts (contracts 1-3). The purpose of including these key documents in the RFP is to help ensure that all bidders received the same information at the same time, knew what they were bidding for and understood how they would be evaluated prior to committing the time and expense to prepare a bid.

26. In assessing whether the SoW and bid evaluation criteria were fair, open and transparent, we assessed several indicators including whether:

• The SoW and bid evaluation criteria were tailored to a specific firm;
• The evaluation criteria were clear, precise and measurable;
• Questions received from bidders were appropriately considered and answered; and
• Any complaints were received from bidders and their related outcomes/resolution.

27. While bid evaluation criteria by their nature are restrictive, we found that the criteria used were related to the essential work outlined in the SoW and therefore did not consider them to be overly restrictive. In addition, our discussions with CBSA contracting indicated that they were required for the work to be completed. However, for one contract (contract 3) where PSPC was the contracting authority, the Internal Audit division of PSPC noted that the bid evaluation criteria seemed overly restrictive in the context of their own internal audit of this file. Based on our review of the SoW of contract 3 describing the nature, scale and complexity of the CBSA’s requirement, and explanations provided by the CBSA contracting team, we did not consider the evaluation criteria to be overly restrictive.

28. In contracts 2 and 4, evidence was found that McKinsey was being considered by CBSA management prior to the issuance of the RFP. This raises questions as to the overall fairness and openness of the processes as it could be perceived that McKinsey’s bids were favoured by the CBSA.

29. We further noted that in contract 3, bidders requested extensions and asked whether experience on a smaller project could be accepted. Both requests were denied by the CBSA, with no clear rationale. When the bidding period closed, only one bidder had submitted a proposal: McKinsey. Providing additional context when responding to bidders would have contributed to improving the transparency of the process.

Evaluation of bids

30. In order to support a fair, open and transparent procurement process, it is imperative that bids are evaluated according to established criteria and documentation is retained to show how bids were evaluated. We assessed whether:

• Records of individual and consensus evaluations were on file for all bidders;
• Bids were evaluated in accordance with the criteria outlined in the solicitation documents;
• The contract was awarded to the top-ranked firm in accordance with the selection methodology; and
• If a SO or Supply Arrangement (SA)^{Footnote 13} was used, the process followed aligned with the requirements prescribed in the SO or SA.

31. Records were unavailable or insufficient to show that individual and/or consensus evaluations were completed for all files. In some cases, some or all evaluations were not signed or were not on file. For this reason, we were unable to conclude that bids were evaluated in accordance with the criteria outlined in the solicitation documents or that the contract was awarded to the top-ranked firm in accordance with the bid selection method. No issues were identified by the Internal Audit division of PSPC regarding the bid evaluation criteria or bid selection method for contract 3 where PSPC was the contracting authority.

Duration of contract

32. When assessing the reasonability of the duration of contracts compared to the scope of the SoW, we did not find any indication of unreasonable contract end dates.

Areas of improvement

33. Insufficient documentation was retained to demonstrate how bids were evaluated.

34. When the need for a contract arises, management should focus on defining the work requirement and the essential qualifications of the contractor rather than targeting suppliers who may be capable of performing the work.

c) Contract management

35. Effective contract management is important to ensure that the CBSA receives the required services, quality expectations are met and that disputes between contractors and the Agency do not occur. We assessed whether:

• Contracts and contract amendments were on file and appropriately signed prior to the commencement of any work;
• Security requirements were established and verified; and
• Oversight and monitoring of the contract took place.

36. For all four contracts awarded, a signed contract was on file. For contracts 1 and 2, where the CBSA was responsible for issuing the contract, we verified whether the individual signing the contract had the requisite authority to enter into that contract. When contract 1 and 2 were issued, physical records were maintained to demonstrate that the individual signing the contract had the appropriate authority to sign a contract. These physical records could not be located to verify that the individuals signing the contracts had the required authority. However, we noted that both contracts were signed by the Director of Strategic Procurement who would normally have the authority to approve the contracts that were signed. For contracts 3 and 4, issued by PSPC, we requested that they provide evidence that the contracting authority was appropriately exercised. No issues were identified by PSPC.

37. Prior to the commencement of any work on a contract, all individuals working for McKinsey were required to have the necessary security clearances in place. While we did find evidence that the security requirements of the contract were established at the onset, we were unable to verify whether all resources had clearances in place prior to beginning work. Given the absence of documentation on file as well as the volume of information included in some files, we were unable to verify the security clearance status of all McKinsey consultants within the time constraints of this audit.

38. We assessed files to determine whether services were received before a written contract was in place. Of the four contracts awarded:

• Services were provided for contracts 1 and 3 after the contract was signed, in alignment with requirements;
• Contract 2 required a task authorization (TA)^{Footnote 14} to be issued prior to the commencement of any work. The project authority verbally assigned work for approximately $800,000 more than the original contract value without a formal TA being issued; and
• Contract 4 was terminated before work began.

39. We assessed the contract amendment process to understand whether contract amendments were approved by an authorized officer, issued before services were received, justified and substantiated, and issued before the contract expiry date. Of the four contracts awarded, only contract 2 required an amendment as work was required beyond what was included in the initial contract scope. Our assessment found that:

• An approved and signed contract amendment was not on file. Only draft and partially signed versions of the amendment were found. While contracting officials at the working level were trying to resolve the issue once they were made aware of the need for a contract amendment, there was no evidence that senior management of CBSA’s procurement department were aware until an after-the-fact contracting mechanism was necessary to address the issue;
• Documentation was on file to provide justification for the additional work undertaken; however, due to the total value of the amendment compared to the initial contract amount, it is unclear why this work was not foreseen at the time the bid was solicited; and
• All work was completed before the contract expiry date.

40. Oversight and monitoring of contract performance can help ensure that the delivery of services meets quality standards and expectations. We sought documents to assess how the work of McKinsey contractors was monitored. In all three contracts where deliverables were produced (contracts 1-3), we found that contractual documents identified a CBSA project authority who would be responsible for the oversight of the contract. However, in all cases, despite following up with management, we were unable to locate draft deliverables, comments provided by CBSA employees or any other evidence which would demonstrate that CBSA management monitored and oversaw McKinsey’s performance.

Areas of improvement

41. Documents were not available to clearly show that all security clearances were obtained prior to work commencing or that individuals responsible for contract oversight monitored and oversaw the performance of the contractor.

42. A contract amendment was not obtained before additional work was authorized.

d) Certification authority (section 34)

43. Certification Authority or Section 34 Authority (S34) is exercised prior to the issuance of payments in order to certify that goods have been provided or services have been rendered. Contracts 1-3 had payments made against them. The fourth contract was terminated prior to any work being undertaken; therefore, no payments were made. We assessed all payments made against Contracts 1-3 to determine whether the individuals who performed the S34 signoffs had the delegated authority to do so. We found that in all instances, S34 signoffs were appropriately authorized.

44. We also verified whether evidence was available to demonstrate that services were provided per the terms of the contracts. The contracts we reviewed required McKinsey to provide multiple deliverables. We found no evidence to question the quality of the services delivered. Invoices showed that the CBSA was billed for services provided consistent with the requirements of the contracts. However, while some deliverables were retained as proof that services were rendered, we were unable to obtain evidence demonstrating that all expected deliverables were received. The deliverables we were unable to locate include but are not limited to:

• Contract 1 - A project plan before commencing the study, project terms of reference, and information on how the research, analysis and reporting would be undertaken.
• Contract 2 – Since a final TA or contract amendment was not on file, we used draft documentation to help determine what was required of the contractor. While there were a significant number of documents delivered by McKinsey, we could not always confirm whether they aligned with the deliverables outlined in the TA. In some cases it was difficult to validate the completion of certain tasks; for example, knowledge transfer to support final products or deep dives into areas approved by the project authority. In other cases we did not see evidence that tasks were completed; for example, holding workshops or presenting to senior management.
• Contract 3 – Details on work performed related to the project’s webpage, comments on their review of a future contract^{Footnote 15} and a Treasury Board submission.

Areas of improvement

45. Greater diligence should be taken to ensure that individuals who perform S34 signoffs retain all documentation associated with these costs prior to the issuance of payment.

e) Proactive disclosure

46. We obtained data from the CBSA financial system for contracts issued to McKinsey and cross referenced this data with proactive disclosure records of McKinsey contracts to assess whether all contracts and contract amendments over $10,000 were disclosed. We found that all contracts and contract amendments over $10,000 issued to McKinsey were proactively disclosed.

Conclusion

47. Most contracts for which documentation was missing were issued between 2016 and 2018. At the time of the audit, most of the individuals who were responsible for the management of these contracts were no longer working at the Agency. Although the audit team took steps to locate missing documentation, some key records could not be located. The absence of documentation led to conclusions of non-compliance with Treasury Board Policy and Agency procedures (see Appendix C for a breakdown of the findings).

48. Improvements are required in the issuance of both competitive and non-competitive contracts to ensure that contracting procedures are adequately followed. The completion of key documentation and greater diligence in documentation retention would help ensure that:

• Decisions taken to award contracts are supported and justified;
• Security requirements for contracts are met;
• Work is not completed without a contract or contract amendment in place; and
• Evidence is retained that all contractual deliverables have been received.

Additional training and awareness of contracting rules and regulations would help ensure that those involved in procurement processes exercise their duties in a manner that is fair, open and transparent and that commencement of work is not authorized before a contract or contract amendment is in place.

Recommendations

49. Refer to Recommendation 1 a) to d) at the end of this report.

5.3 Findings for objective 3: Adherence to departmental processes and control frameworks

50. Departmental controls beyond those required by the Treasury Board Policy can help mitigate procurement risks. We met with CBSA management and reviewed the financial control framework for procurement to understand whether additional Agency-specific procurement controls were in place. Our analysis showed that two controls beyond those tested in Audit Objective 2 were in place at the CBSA. These were:

• The existence of a contract review board during the time period of contract 4; and
• A centralized procurement function.

51. We found that the CBSA Contract Review Board (CRB) was recently established and therefore was only in existence during the award of contract 4. However, the CRB did not have the mandate to review procurements awarded using a SO as these were considered to be of lower risk. The use of a centralized procurement function was viewed as a good practice as this organizational design could:

• Reduce the pressure and influence line management could have on an individual procurement officer;
• Help promote knowledge sharing and experience between procurement officers; and
• Standardize procurement practices.

Conclusion

52. Some weaknesses within the CBSA’s internal procurement processes were outlined in the findings for Audit Objective 2. Amendments to the scope of the CRB’s authority would help improve the oversight of procurement practices in the Agency.

Areas of improvement

53. Based on the observations noted in Audit Objective 2, additional risk-based oversight for call-ups against SOs and contracts against SAs could help mitigate procurement risks.

Recommendations

54. Refer to Recommendation 1 d) at the end of this report.

Recommendation 1

55. The Vice-President of the Finance and Corporate Management Branch (FCMB) should establish appropriate controls to oversee the management of procurement by:

• a. Ensuring procurement files contain all documentation of business value;
• b. Obtaining greater assurance that Section 34 for contracts is appropriately carried out by managers;
• c. Increasing management’s awareness surrounding contracting rules; and
• d. Increasing oversight of the use of Standing Offers and Supply Arrangements in a risk-based manner.

6.0 Management response

56. The findings and recommendations of this audit were presented to management of the Canada Border Services Agency (CBSA). The audit report was reviewed and recommended for approval by the CBSA’s Departmental Audit Committee to the deputy head.

57. Management has accepted the audit findings and has developed an action plan to address the recommendations (see appendix B for the management action plan). The identified actions are scheduled to be completed by December 2023. The CBSA’s Departmental Audit Committee will be engaged in the monitoring of the implementation of this action plan, in line with the Agency’s standard internal audit processes. If additional issues or recommendations are found following the results of the external reviews by the Office of the Procurement Ombudsman and/or the Office of the Auditor General, the CBSA will update the management action plan to incorporate these elements.

58. The deputy head of the CBSA approves this report, including the management action plan.

_________________________________________________________________

Erin O’Gorman, President

Appendices

Appendix A: Audit criteria

Audit objectives	Criteria	Criteria sources
1. The integrity of the procurement process was maintained and consistent with adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest	1. Public servants and Public Office Holders ensure that the integrity of the procurement process is maintained and consistent with the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest.	Conflict of Interest Act- Part I Directive on Conflict of Interest - 4.2.16, 4.17.3 Values and Ethics Code for the Public Sector – Integrity section (3) Contracting Policy (before May 13, 2022) – 4.2.12,10.8,11.1.1,12.4 Directive on the Management of Procurement - 4.2.2, 4.3.2
	2. Contracting with Former Public Servants and Former Public Office Holders is performed with integrity in accordance with the Directive on Conflict of Interest, Conflict of Interest Act and procurement policy instruments.	Conflict of Interest Act – Part I, Part III (35, 36) Directive on Conflict of Interest - 4.2.16 Values and Ethics Code for the Public Sector – Integrity section Contracting Policy (before May 13, 2022) – 4.1.9, 4.2.20, Annex C, schedule 5 Directive on the Management of Procurement (after May 13, 2022) - 4.5.5, 4.6.4, 4.10.1.7
2. The procurements were conducted in a fair, open and transparent manner consistent with the TB Policy that was in place at the time (Contracting Policy or the Directive on the Management of Procurement)	1. Procurement: non-competitive - There is documentation to support the justification for non-competitive procurement contracts in accordance with section 6 of the Government Contracts Regulations.	Contracting Policy (before May 13, 2022) – Sections 10.2.1, 10.2.6, 10.5, 10.7.30, and Appendix C Directive on the Management of Procurement (after May 13, 2022) – 4.3.1,4.3.2, 4.3.5 (4.1.1 procurement framework should include detailed requirements) Contracting Policy Notice 2007-4 - Non-Competitive Contracting Government Contract Regulations [Current to January 25, 2023] – Section 6
	2. Procurement: Competitive - Bid evaluation criteria were provided on Request for Proposal (RFP) documents and were used for contractor selection in an open, fair and transparent manner.	Contracting Policy (before May 13, 2022) Sections 4.1.2; 4.1.4, 4.1.9; 16.1.2; 10.5; 10.7; 10.8; 11.1 and 11.3, Appendix J Directive on the Management of Procurement (after May 13, 2022) – 4.1.1, 4.3.1, 4.3.5 (4.1.1 procurement framework should include detailed requirements)
	3. Contract Management - Contracts and contract amendments were approved prior to the receipt of any services or the expiration of the original contract and supporting documentation is retained on file. Documented monitoring and certification of the delivery of the services was implemented.	Contracting Policy (before May 13, 2022) – Sections 4.2.10; 11.2; 11.3; 12.3; 12.4.1; 12.9, Appendix H 2.6 Directive on the Management of Procurement (after May 13, 2022) – 4.3.1, 4.3.5 (procurement framework should include detailed requirements on contract management), 4.10.6 Policy on security Appendix A A.6
	4. Certification Authority (section 34) - Certification authority is performed by someone with the delegated authority to do so, is accomplished in a timely manner and verifies the correctness of the payment requested (Section 34 of the FAA).	Directive on Delegation of Spending and Financial Authorities [2017-04-01] – Sections 4.1.11, A.2.2.1.1 to A.2.2.1.3, A.2.2.1.7 to A.2.2.1.9 Financial Administration Act [2018-03-18 current to] – Section 34
	5. Proactive Disclosure - Contracts, including amendments, valued at over $10,000 meet minimum proactive disclosure requirements.	Contracting Policy (before May 13, 2022) – Section 5.1.6 Directive on the Management of Procurement (after May 13, 2022) – Appendix C Guidelines on the Proactive Disclosure of Contracts - Canada.ca Section 4.1 (amended April 1, 2022). Proactive Disclosure on Contracts, Guidelines on [previous version] – Section 4.1 Access to Information Act (86-1)
3. The procurements were conducted in a manner consistent with the organization's internal processes and control frameworks (i.e., consistent with procurement management frameworks, financial controls, security controls)	1. Procurements are conducted in a manner consistent with your departmental internal processes and control frameworks.	Contracting Policy (before May 13, 2022) Directive on the Management of Procurement (after May 13, 2022)
Note On April 11, 2019, the contracting limits for organizations and PSPC were updated to reflect a 25% increase to account for inflation (see Appendix C of the Contracting Policy).

Appendix B: Management action plan

Recommendation	Management action	Area responsible	Expected deliverables per action	Expected completion date
The Vice-President of the Finance and Corporate Management Branch (FCMB) should establish appropriate controls to oversee the management of procurement by:
a) Ensuring procurement files contain all documentation of business value;	FCMB will require all delegated managers / Cost Centre Managers (CCMs) to inform FCMB Procurement of any contracts or call-ups requested directly from Public Services and Procurement Canada (PSPC), in order to maintain a central record of all CBSA contracts. This will help FCMB Procurement ensure that the CBSA’s governance and quality assurance processes are adhered to (e.g. if oversight is required by the Agency’s Contract Review Board).	FCMB – Procurement	Update procurement document checklist and retention requirements and provide reminders to procurement staff. CBSA Procurement will provide guidance to CCMs on the key requirements, including the need to be notified of all contracts entered into by the Agency.	June 2023
	FCMB will review and distribute a revised contract documents checklist to all procurement staff and remind them of the requirements to complete and retain the necessary records (e.g. conflict of interest declarations, bid evaluations, etc.).		Annually communicate document checklist with procurement employees. Assessment and results of available Information Management related training products. Roll-out of training/guidance on Information Management practices to procurement employees.	June 2023 and ongoing
	FCMB will review the available procurement training products (PSPC, CSPS, etc.) training available to assess whether there are gaps related to the expected documentation, that need to be addressed and seek Financial and Investment Management Committee (FIMC) agreement on whether additional training is required for delegated managers (in addition to the mandatory Delegated Authority training e.g. CSPS COR-253/254) through supplemental guidance or training materials.		CBSA Procurement will document a gap analysis of the available training products (PSPC, CSPS, etc.) to determine whether they sufficiently cover the Information Management requirements for document retention and take action as required.	December 2023
	FCMB to perform quality assurance reviews on a risk-based sample of procurement files to ensure proper retention of necessary documentation to support S41 of the FAA.	FCMB Vice-President’s Office	A risk-based random sampling approach will be developed and reviews will commence.	December 2023
b) Obtaining greater assurance that Section 34 for contracts is appropriately carried out by managers;	FCMB will review and distribute additional guidance to all delegated managers on their roles and responsibilities regarding S34 authorization to clarify the importance of ensuring deliverables/services have been received prior to the approval of payment release and that all relevant deliverables are retained.	FCMB - AC	Distribution of additional guidance on delegated manager S34 roles and responsibilities.	July 2023
	FCMB Agency Comptroller (AC) will continue to deliver information sessions to CCMs to provide an overview of the Agency’s instrument of delegation of spending and financial authorities. These sessions will be repeated on an annual basis for newly appointed CCMs.		Annual delivery of mandatory information sessions on delegation of spending and financial authorities to all new CCMs and optional for current CCMs.	Ongoing
	FCMB developed a Quality Assurance (QA) framework (effective October 2022) related to section 34 delegated authorities, outlining roles and responsibilities and methodology for verifying accounts, to ensure expenditures are made in accordance with delegated authorities’ responsibilities and comply with CBSA and Treasury Board policies, guidelines and directives. This framework also includes an escalation protocol for remedial action for employees with multiple errors (non-compliance of the policy). The framework was communicated to all CBSA employees in fall 2022 and FCMB will continue to reinforce CCM’s compliance with this policy.		Annual review of the QA Framework to ensure that it is operating effectively.	April 2023
	FCMB will review its Section 34 non-compliance process and request a FIMC decision on whether it should be further strengthened (First error identified results in a written warning to the delegated manager; Second error results in a compliance notice to the VP/RDG; Third error results in the withdrawal of their Delegation combined with a suitable development plan).		Tabling and decision on S34 revisions at FIMC.	July 2023
c) Increasing management’s awareness surrounding contracting rules; and	FCMB will provide guidance to CCMs on the key requirements for initiation and administrating contracts.	FCMB - Procurement	Roll-out of contracting and documentation guidance to CCMs.	May 2023
	FCMB will remind all Delegated Managers / CCMs the importance of ensuring the Procurement Team is involved in any contracts or call-ups requested directly from PSPC, in order to maintain a central record of all contracts. This will assist CBSA Procurement in ensuring that the CBSA’s governance and quality assurance processes are adhered to (e.g. if oversight is required by the Agency’s Contract Review Board).		Reminder of CCM’s roles and responsibilities related to the contracting process, requirement to engage Procurement early on and consequences of non-compliance.	May 2023
d) Increasing oversight of the use of Standing Offers and Supply Arrangements in a risk-based manner.	FCMB will review the Terms of Reference for its Contract Review Board to provide oversight on contracts issued using certain PSPC Standing Offers and Supply Arrangements.	FCMB - Procurement	Revised Contract Review Board’s process, documents, forms, and Terms of Reference.	September 2023
	FCMB will review the risk-based methodology to assess which contracts will be reviewed by the Contract Review Board (e.g. task authorizations or call-ups for professional services and contract amendments greater than a specific threshold).		Tabling and decision on the revised Terms of Reference and risk-based methodology at FIMC.	November 2023

Appendix C: Breakdown of findings

Audit criteria	Audit assessment (Compliant, Partially Compliant, Not Compliant, Unable to assess, Not applicable)	Rationale for assessment
Audit objective 1: The integrity of the procurement process was maintained and consistent with adhering to the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest
1. Public servants and public office holders ensure that the integrity of the procurement process is maintained and consistent with the Values and Ethics Code for the Public Sector and the Directive on Conflict of Interest.	Compliant	We found no evidence that public servants or public office holders demonstrated behaviours that would contravene the Values and Ethics Code for the Public Sector or the Directive on Conflict of Interest. 1 of 4 files we reviewed contained conflict of interest declarations. Ensuring that these declarations are regularly completed, retained on file and action is taken to mitigate real or apparent conflicts of interest would improve the integrity of the process.
2. Contracting with former public servants and former public office holders is performed with integrity in accordance with the Directive on Conflict of Interest, Conflict of Interest Act and procurement policy instruments.	Not Applicable	There was no indication that any of the consultants were former public servants or former public office holders.
Audit objective 2: The procurements were conducted in a fair, open and transparent manner consistent with the TB Policy that was in place at the time (Contracting Policy or the Directive on the Management of Procurement)
1. Procurement: non-competitive - There is documentation to support the justification for non-competitive procurement contracts in accordance with section 6 of the Government Contracts Regulations.	Not Compliant	Section 32 was performed by the appropriate delegated authority on the contract. No justification to support the non-competitive call-up was found on file. The call-up procedures were not followed as a competition was held by CBSA management to assess the bidders.
2. Procurement: Competitive - Bid evaluation criteria were provided on Request for Proposal (RFP) documents and were used for contractor selection in an open, fair and transparent manner.	Not Compliant	Section 32 was performed by the appropriate delegated authority on the contract. The SoW and evaluation criteria were defined, written in an open, fair and transparent manner, and were challenged by the contracting authority. Evaluations of the bids and justification for awarding the contract to McKinsey were not available in the files. Evidence was found that CBSA officials were considering McKinsey prior to soliciting bids.
3. Contract Management - Contracts and contract amendments were approved prior to the receipt of any services or the expiration of the original contract and supporting documentation is retained on file. Documented monitoring and certification of the delivery of the services was implemented.	Not Compliant	Contracts were signed by all the parties. The vendor provided services and issued invoices before a formal Task Authorization was prepared and signed by both the client and the vendor. For all contracts, evidence was not available to show the client monitored and oversaw the vendor’s work or deliverables. Documentation was not available to confirm all McKinsey resources assigned to the contract had appropriate proof of security clearance prior to commencing work.
4. Certification Authority (section 34) - Certification authority is performed by someone with the delegated authority to do so, is accomplished in a timely manner and verifies the correctness of the payment requested (Section 34 of the FAA).	Partially Compliant	Section 34 authority was performed by the appropriate delegated authority on all contracts. Expenditures were appropriately supported by invoices to show that services were rendered. Documentation of all the deliverables required per the final contract or Task Authorization were not on file.
5. Proactive Disclosure - Contracts, including amendments, valued at over $10,000 meet minimum proactive disclosure requirements.	Compliant	All contracts and amendments were found to be proactively disclosed.
Audit objective 3: The procurements were conducted in a manner consistent with the organization’s internal processes and control frameworks (i.e., consistent with procurement management frameworks, financial controls, security controls)
1. Procurements are conducted in a manner consistent with your departmental internal processes and control frameworks.	Not Compliant	The CBSA Contract Review Board is presently not mandated to review procurements issued against Standing Offers or Supply Arrangements, which are considered low risk. Issues were noted with the use of these methods of supply in Objective 2 of this audit. Controls tested in Objective 2 of this audit include the CBSA’s procurement controls. Given that weaknesses were identified, this indicates that improvements are required.