Audit of Procurement and Contract Management Process

for the Office of the Privacy Commissioner of Canada

March 2013
Final

---

Executive Summary

Background and Context

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As an Agent of Parliament, OPC is committed to achieving organizational excellence, applying sound business management practices, and continually improving its performance. With respect to procurement and contract activities, OPC implements and respects Treasury Board Contracting Policy and Government Contract Regulations in a manner that does not compromise the Agency’s independence.

At OPC, the Corporate Services Branch is responsible for procurement and contracting activities and is managed by the Director-General, Corporate Services. Purchasing activities are managed by a Senior Procurement Officer and supported by a Junior Procurement Officer. As an Agent of Parliament and for reasons of independence and solicitor-client privilege, OPC has been granted independent contracting authority to enter directly into contracts with external legal agents without the approval of the Minister of Justice. The procurement and contracting activities of OPC legal services follows a separate tendering and contracting process, which is managed by OPC Legal Services.

The purpose of this audit was to provide assurance to the Commissioner on the effectiveness of governance, risk management and controls supporting the OPC procurement and contracting activities, including assessing:

• Oversight of contracting activities;
• Processes for soliciting bids and awarding contracts; and,
• Management of contracts in accordance with agreed terms and conditions.

During the audit period, between April 1, 2011 and September 30, 2012 (eighteen months), the Procurement Group managed approximately 900 contracts and amendments valued at approximately $12.4M. During that period, OPC also contracted approximately $190,000 on call-ups for legal counsel services.

Summary of Findings

The key findings with regards to the audit are provided below.

Strengths

• Generally, procurement and contract management and administration responsibilities are well managed and in accordance with Treasury Board Contracting Policy;
• Interviewees consistently expressed their satisfaction and appreciation for the support and advice provided by the Procurement Group;
• In November 2012, employees and managers with roles and responsibilities related to procurement and contracting activities were provided with mandatory, instructor-led training which was well received and addressed an organizational need; and,
• As part of the annual Business Planning exercise, where each Branch of the organization plans the next year’s funding allocations, human resources allocations, and strategic goal setting, the Senior Procurement Officer is invited to help proactively identify procurement needs and help ensure procurement activities are planned throughout the year.

Findings

• While no significant issues were observed, there is an opportunity to strengthen consistency and performance in authorization, approval, and segregation of duties;
• There is an opportunity to improve documentation of procurement sourcing rationale and justification; and,
• The Contract Review Committee (CRC) performs a review of contracting activity but is not yet a decision-making and approval body as outlined in the CRC Terms of Reference.

Conclusion

Based on the aforementioned observations and overall scope of the audit, the OPC has minor issues related to the effectiveness of its current risk management, internal controls, and governance processes that support the procurement and contracting process. The recommendations included in this report are intended to further strengthen these processes. Management responses are included at the end of each finding.

This report and audit were conducted for OPC management purposes. Use of this report for other purposes may not be appropriate.

Statement of Conformance

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada.

Audit Objective, Scope and Approach

Background

The Office of the Privacy Commissioner of Canada (OPC) is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private-sector privacy law.

As an Agent of Parliament, OPC is committed to achieving organizational excellence, applying sound business management practices, and continually improving its performance. With respect to procurement and contract activities, OPC implements and respects Treasury Board Contracting Policy and Government Contract Regulations in a manner that does not compromise the Agency’s independence.

For the purpose of this audit, coverage included the following procurement and contracting instruments:

• Public Works and Government of Canada Services Canada contracts;
• Purchase Orders below $10,000;
• Purchase Orders $10,000 and above;
• Service Contracts below $10,000;
• Services Contracts $10,000 and above;
• Temporary help services;
• Call-ups below $10,000;
• Call-ups $10,000 and above;
• Confirming Orders;
• Construction or “Specific Service Agreements”;
• Supply Arrangements;
• Other contracts which include PS-Online and Letter of Agreements; and,
• Legal Services Procurement.

Within OPC, authority for the procurement and contracting process is delegated to various positions. This delegation is in accordance with the Delegated Signing Authorities Chart for Contracting Authority, as approved by the Commissioner and the Minister.

With the exception of legal services, OPC purchasing activities are managed by the Senior and Junior Procurement Officers (Procurement Group). The Procurement Group is responsible for training related to procurement and contracting activities; purchasing advisory services; issuance of all OPC contracts; and, primary purchaser for OPC, including office supplies.

In October 2011, OPC created a Contracts Review Committee (CRC) to act as an oversight body and a formal challenge mechanism for procurement and contracting activities. As per the CRC’s Terms of Reference, all proposed contracts are to be reviewed, weekly, by the CRC, with an emphasis on contracts over $10,000. In the first year of operation, the CRC reviewed contracts after they have been finalized to ensure compliance to Treasury Board Contracting Policy, and Government Contract Regulations as well as to ensure that the request for goods and services are in keeping with requirements in support of OPC’s mandate.

For reasons of independence and to protect solicitor-client privilege OPC has been granted independent authority to enter directly into contracts with external legal agents without the approval of the Minister of Justice. Delegated authority to enter into legal services contracts is limited to only a few senior staff. The Legal Services unit is responsible for the procurement and contracting activities of legal services. The procurement and contracting activities of legal services follows a separate tendering and contracting process and is not subject to CRC oversight. In keeping with the spirit of the Department of Justice Policy on Contracting for Legal Services and Legal Agent Appointment, OPC has developed an Expression of Interest process aimed at identifying and pre-qualifying private sector law firms and law practitioners with the necessary experience and knowledge required to support OPC’s mandate. A list of eligible legal firms has been established, based on level of experience, specific expertise, practice areas, value for money, accessibility, availability, language requirements, as well as absence of conflict of interest.

In May 2011, an in-depth external review of OPC’s legal services contracting practices was proactively conducted. The report concluded that the OPC had been fully compliant with the rules and regulations in effect at the time of contracting and OPC’s legal services contracting process represented a sound and prudent and fair approach.

As a smaller organization, OPC continues to make improvements to the procurement and contracting activities, while balancing OPC’s capacity and needs. In the summer of 2012, an additional resource was added to the Procurement Group, to provide additional support and oversight to the contracting process. Other planned improvements include enhancing the role of the CRC, conducting analysis into contracting expenditure trends, developing tools and guidance, and offering training on specific issues to admin staff and managers involved in the process.

Audit Objective

The purpose of this audit was to provide assurance to the Commissioner on the effectiveness of governance, risk management and controls supporting the OPC procurement and contracting activities, including assessing:

• Oversight of contracting activities;
• Processes for soliciting bids and awarding contracts; and,
• Management of contracts in accordance with agreed terms and conditions.

Audit Scope

The scope of this audit included all procurement and contracting activities, including contracting for legal services, performed by the Office of the Privacy Commissioner from April 1, 2011 to September 30, 2012.

During the audit period, between April 1, 2011 and September 30, 2012, the Procurement Group managed approximately 900 contracts and amendments valued at approximately $12.4M and OPC spent approximately $190,000 on call-ups for legal counsel services.

This audit excluded purchases made through acquisition cards given that there are a limited number of cards in use, the use of these cards follows a separate process, and no significant concerns associated with acquisition cards were identified during the Planning Phase of the audit.

Audit Approach

The approach and methodology used for the audit followed Internal Auditing Standards for the Government of Canada.

As an Agent of Parliament, the OPC strives to maintain a control framework that is reflective of industry leading practices. The framework of Core Management Controls and Audit Criteria (CMC) established by the Office of the Comptroller General of Canada (OCG) and the Management Accountability Framework (MAF VII) were leveraged to develop the audit criteria detailed in Appendix C. Audit criteria used for the audit were developed based on leading practices, CMCs, and Treasury Board Policy and Government Contract Regulations.

Based on risks identified in the planning phase of the audit, a risk-based audit program was developed to detail how the audit objective, criteria and risks would be addressed. The audit program included the following procedures:

• Interviews with OPC individuals to obtain a further understanding on specific aspects of the procurement and contracting process and gather perspectives on planning, reporting and training (refer to Appendix A).
• Review of the current and revised Terms of Reference for the Contract Review Committee.
• Review of current and planned policies, procedures, guidelines, directives related to procurement and contract management processes.
• Review of a sample of project / contract files. A total of 40 files were selected randomly and based on risk, complexity, dollar value, project descriptions and professional judgment. Given that the procurement of legal services follows a separate process, the 40 sample files included a sample of five legal services contracts. The sample represented approximately $1.4M in expenditures (refer to Appendix B for details).
• Review of training documentation.
• Review of financial reporting on contracting activity.

The audit was conducted within the following timelines:

• Planning Phase : September 25, 2012 – October 19, 2012
• Examination Phase: October 22, 2012 – November 30, 2012
• Reporting Phase: December 3, 2012 – March 31, 2013
• Presentation to the OPC Audit Committee: March 4, 2013

Findings and Recommendations

Strengths Noted

The following strengths were noted with regards to the procurement and contracting process:

• Generally, procurement and contract management and administration responsibilities are well managed and in accordance with Treasury Board Contracting Policy. Files are maintained appropriately and roles with regards to procurement, contract management and overall administration responsibilities are well understood.
• Interviewees consistently expressed their satisfaction and appreciation for the support and advice provided by the Procurement Group. Members of the Procurement Group are readily available to provide continuous procurement and contracting support that is appreciated by their clients. The Procurement Group is proactive in monitoring and notifying Project Managers when a contract is about to expire and asks if an amendment will be required.
• In November 2012, employees with roles and responsibilities related to procurement and contracting activities were provided with mandatory, instructor-led training which was well received and addressed an organizational need. Prior to November 2012, employees with procurement and contracting roles had been provided detailed procedures and information updates but never received any formal instructor-led procurement training.
• As part of the annual Business Planning exercise, where each Branch of the organization plans the next year’s funding allocations, human resources allocations, and strategic goal setting, the Senior Procurement Officer is invited to help proactively identify procurement needs and help ensure procurement activities are planned throughout the year.

Audit Findings

Finding 1: While no significant issues were observed, there is an opportunity to strengthen consistency and performance in authorization, approval, and segregation of duties.

Within OPC, authority for the procurement and contracting process is delegated to various positions. This delegation is in accordance with the Delegated Signing Authorities Chart, as approved by the Commissioner and the Minister.

As an Agent of Parliament and for reasons of independence and solicitor-client privilege, OPC has been granted independent contracting authority to enter directly into contracts with external legal agents without the approval of the Minister of Justice. To date, the procurement and contracting activities of OPC legal services follows a separate tendering and contracting process, which is managed by OPC Legal Services.

The audit examined a sample selection of 40 contracts, which included a sample of five legal services contracts. The expectation was that regardless of the contracting process, the controls used and demonstration of those controls are performed consistently for both processes.

In all samples reviewed, the audit expected to find that delegated Expenditure Initiation and Commitment of Funds (i.e. Financial Administration Act (FAA) Section 32) is obtained prior to issuing the contract and Authority to Confirm Contract Performance and Price, Eligibility, or Entitlement (i.e. FAA Section 34) is obtained before payment is issued. The audit also expected to find that Contracting Authority (i.e. FAA Section 41) is exercised appropriately. Lastly, the audit expected to find that duties are appropriately segregated; specifically, those who approve a contract (FAA Section 41) should not also confirm that services are rendered (FAA Section 34). For small organizations such as OPC, the segregation of incompatible duties can be sometimes challenging given the limited size of the organization.

While almost all 40 contracts reviewed included appropriate authorizations and approvals and segregation of duties, a few minor exceptions were noted with respect to timely evidence of Spending Authority approval (i.e. FAA Section 32, 41 or 34). The audit also found that the practice used to evidence that funds had been committed was not always done in the same manner in both contracting processes. Specifically, the FAA Section 32 sign-off form was not used for the legal services contracts reviewed.

Lastly, segregation of duties between Contract Authority approval (FAA Section 41) and confirmation of contract performance and price, eligibility or entitlement (FAA Section 34) was not obtained for one legal services contract reviewed; specifically, the person who approved the contract also confirmed the services were rendered.  Delegated authority to enter into legal services contracts is limited to only a few senior staff and in this one case, the same person exercised both delegations.

Impact

Without appropriate approval as per delegated authorities and adequate segregation of duties, there is a risk of non-compliance with the FAA and increased potential that contracting and procurement activities will not comply with Treasury Board Contracting Policy

Recommendation #1

Develop a practice to reinforce consistent application of authorizations, approvals and segregation of duties in all procurement and contracting processes.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation.
Since November 2012, a practice has been reinforced where requests received by Procurement are returned/set aside before proceeding with the contracting process when signatures are missing or incorrect.	Corporate Services Branch (CSB), completed
As well procurement will have access to all signature cards from the delegation instrument to assure compliance with section 32 of the FAA.	CSB, March 31, 2013
Procurement training was provided in November 2012. Training material is currently being translated and will be posted on SharePoint as a point of reference for all those involved in the procurement process.	CSB, March 31, 2013
A section 32 sign-off form is now appended to every legal services contract, as is done for other OPC contracts in order to ensure consistency of practice.	Legal Services, Policy and Research Branch (LSPR), completed
Segregation of section 41 and section 34 signatures for legal services contracts is now ensured on a systematic basis, despite practical challenges sometimes associated with restricted number of delegated authorities.	LSPR, completed

Finding 2: There is an opportunity to improve documentation of procurement sourcing rationale and justification.

The principles applied within the Government of Canada are that except for a few limited conditions, all contracts must be let through open, competitive bidding. The contractor (the Federal government) is to obtain best value and provide fair opportunity for all qualified vendors to do business with the Crown to the contracting process. These principles are expressed in Government Contracts Regulations, and Treasury Board Contracting Policy. Sole source contracting, temporary help and investigative services are only to be used in specific circumstances. At OPC, the anticipated use of temporary help and investigative services is taken into consideration as part of the business planning process.

Of the 40 contracts tested, 22 were tendered competitively and 18 were sole-sourced. For the sole source contracting, the audit expected to find sufficient justification is retained for audit trail purposes to demonstrate support that the contracting did not fall under any of the exceptions which allow for bypassing competitive bidding. For the use of temporary help services contracting and other call-up contracting requests, the audit expected to find that consistent rational and justification is retained.

While almost all contracts reviewed included appropriate supporting documentation, minor exceptions were noted:

• In four (out of 18) sole-source contracts reviewed, sole-source justification was not maintained on file; and,
• In five (out of five) temporary help services contracts and two (out of two) investigation services contracts reviewed, justification to support the rationale for requiring temporary help or investigative services was not included in the file (e.g. temporary leave, in the process of staffing the position, or increased investigations) or not adequately linked to the rationale previously developed through the business planning process.

Similarly, the applied principle in Government Contracts Regulations and Treasury Board Contracting Policy is that the contractor (Federal government) continues to obtain best value for goods and services. For sole-source contracts, the audit found that OPC does not require a certification from the supplier that a fair price has been negotiated as required by the Treasury Board Contracting Policy. For recurring contracts such as those involving IT services, software licenses, etc., the audit expected that OPC would periodically obtain certification from the supplier to ensure OPC continues to obtain fair value.

During the period under audit, management noted that it was an OPC requirement to provide supporting justification for sole-source or temporary help services, regardless of the amount.

Impact

Sole source contracting, temporary help and investigative services are only to be used in specific circumstances. When adequate supporting justification is not properly maintained, there is increased risk OPC management will not be able to adequately demonstrate intent and rationale for selecting these contracting mechanisms and that their use meets approved, acceptable circumstances. This area for improvement was also noted in the OCG Horizontal Internal Audit of Contracting for Professional, Technical and Temporary Help Services in Small Departments and Agencies.

In the case of non-competitive, sole-source contracting, without periodic analysis or comparison, or certification that a fair price has been negotiated, there is increased risk that OPC does not continue to obtain fair value for goods and services purchased.

Recommendation #2

Develop a practice to ensure appropriate documentation is retained in order to justify sole source selection and rationale for requiring temporary help or investigative services.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation.
In November 2012 the procurement request form was revised to make its checklist more prominent and to make sure contract requests are accompanied by appropriate documents, including proper sole-source justification. Sole source justifications are challenged by the procurement officers and /or by the Contract Review Committee (CRC). The sole source justification is kept in the paper/electronic file and posted on Sharepoint. A Temp Help Action Request form has been created where rationale must be provided and reviewed by Human Resources before being approved by the CRC.	CSB, completed

Recommendation #3

For recurring, non-competitive sole-source contracting, introduce a practice to periodically conduct an analysis, or obtain certification from the supplier, to ensure the negotiated price continues to be fair value.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation.
A report on recurring contracts will be provided to the CRC for review, as required.	CSB, March 31, 2013
An appendix to the contract has been created for supplier certification of fair value pricing. This appendix is subject to review by the Conflict of Interest Working Group.	CSB, May 31, 2013
The contract and appendix will be signed and returned by the supplier.	CSB, June 30, 2013 and ongoing

Finding 3: The Contract Review Committee (CRC) performs a review of contracting activity but is not yet a decision-making and approval body as outlined in the CRC Terms of Reference.

The Contract Review Committee (CRC) was established in October 2011 to strengthen the governance over procurement and contracting activities, including approval of proposed contracts. The audit found that, since its inception, CRC reviewed contracts after they had been finalized to ensure compliance to Treasury Board Contracting Policy and Government Contract Regulations as well as to ensure that the request for goods and services are in keeping with requirements in support of OPC’s mandate.

At the time of the audit, the role of the CRC was being transitioned into a formal decision-making and approval body over procurement and contracting activities. The CRC Terms of Reference were revised on October 15, 2012 and CRC remains responsible for reviewing, discussing and approving all proposed requirements for goods and services over $10,000 as well as amendments that bring the original contract over $10,000. Under the updated CRC mandate, CRC members are expected to receive an agenda prior to the weekly meeting and during the meeting, the Senior Procurement Officer is expected to provide a completed Action Request Form and/or Statement of Work for CRC consideration. In the place of meeting minutes, the Senior Procurement Officer notes decisions taken during the CRC meeting and follow-up from the previous CRC meeting is the first agenda item at the following CRC meeting. Due to the timing of the CRC transition, which occurred during the audit fieldwork, there was insufficient elapsed time and evidence available for the audit team to adequately conclude on the adequacy and effectiveness of the new CRC role.

The audit noted three other areas for improvement in Contract Review Committee governance to support CRC in their role:

• In order to inform CRC approval decisions, information provided to CRC members prior to meetings could be improved to help CRC appropriately assess the contract intention. Specifically, the information provided could include details on supplier history, employer/employee relationships and quality of prior services rendered by the contractor. This will help reduce the risk of contract splitting and strengthen OPC’s ability to continuously ensure it receives value for money;
• To assist CRC in its oversight role, an analysis showing frequent purchases for goods/services by supplier may allow OPC to negotiate more favorable pricing or terms by sourcing these goods and services through a supply arrangement or standing offer (i.e. strategic sourcing). To date, CRC has not received reports or analysis on procurement and contracting activity to help identify trends and anomalies, or opportunities for increased procurement and contracting efficiency. CRC’s compliance role may also be improved by receiving and reviewing the results of periodic, risk-based quality assurance reviews of compliance to policy and OPC procedures; and,
• Lastly, CRC reviews all contracts and contract amendments but pays closer attention to those contracts over $10,000; however, there has not been an analysis conducted to determine if this threshold is appropriate, or whether a risk-based approach would help ensure a more efficient use of CRC member’s time and effort. As an example, contracts which undergo several layers of review and approval such as PWGSC Call-Ups could actually be lower risk, regardless of the dollar amount and may not require additional review and approval by CRC members. Similarly, lower dollar value contracts, which do not receive CRC approval, could pose a different set of risks to OPC besides just their materiality;

Impact

It is important that OPC continue with its implementation of CRC as a decision-making and approval governance body over procurement and contracting activities. Without adequate governance and oversight, or review and challenge of procurement and contracting activities, there is a risk that OPC procurement and contracting activities are noncompliant with relevant contracting policies, have needs which are not clearly defined or could be met by alternative contracting methods, or do not adequately support OPC in meeting its strategic objectives.

Recommendation #4

CRC should continue to evolve into a contracting and procurement approval body as per its approved Terms of Reference. The Committee should receive relevant, timely contracting information to support decision making and oversight of compliance and value for money.

Management Response and Action Plan	Responsibility / Deadlines
We agree with the recommendation.
Since November 2012, the CRC reviews and approves all contracts before they are finalized. Reports and supplemental documentation, such as sole source justification, are provided and reviewed during the CRC meetings. Decisions are recorded and kept on file. To further support the CRC”s strategic oversight role, its members will undertake the following: Review the Committee’s information needs to support informed procurement-related decisions; Review its approach to reviewing contracts to ensure it is undertaken with an appropriate risk-guided focus.	CSB, May 31, 2013

Appendix A - Interviewees

The following key individuals were interviewed as part of the audit process:

• The Chief Financial Officer
• The Senior Procurement Officer
• The Director, Financial and Administrative Services
• The Senior General Counsel, Legal Services
• The Director General, Communications Branch
• The Director, PIPEDA Investigations
• The Director, Information Management and Information Technology

Appendix B – Audit Sample

The following is a breakdown of the audit sample selected for this audit:

Procurement Type	Total Population ($)	Total # of contracts	Total # of contracts selected	Selected Sample ($)	Proportion of sample (% of $)	Proportion of sample (% of # of contracts)
PWGSC contracts	$890,990	11	1	$220,372	24.7%	9.1%
Purchase Orders below $10,000	$389,524	146	4	$6,995	1.8%	2.7%
Purchase Orders above $10,000	$345,567	18	2	$41,870	12.1%	11.1%
Service Contracts below $10,000	$745,699	227	4	$10,047	1.3%	1.8%
Service Contracts above $10,000	$3,618,771	122	7	$189,052	5.2%	5.7%
Temporary Help Services	$1,282,662	52	5	$533,590	41.6%	9.6%
Call-Up against Standing Offers below $10,000	$384,450	145	3	$34,101	8.9%	2.1%
Call-Up against Standing Offers above $10,000	$3,460,760	110	4	$134,928	3.9%	3.6%
Confirming Orders	$38,286	17	1	$2,627	6.9%	5.9%
Construction Contracts	$126,363	31	2	$6,007	4.8%	6.5%
Supply Arrangements	$323,556	15	1	$90,000	27.8%	6.7%
PS Online and Letter of Agreement	$515,959	16	1	$39,550	7.7%	6.3%
Legal Services Call-Ups	$190,000	23	5	$81,375	42.8%	21.7%
Total	$12,312,587	933	40	$1,390,514	11.3%	4.3%

Appendix C – Audit Criteria

The following audit criteria were used for this audit:

Audit Criteria	Core Management Controls Reference
Governance and Oversight
Adequate governance / oversight exists over procurement and contract management.	Governance-1 Governance-2
Procurement and contracting needs/requirements are identified in a coordinated and timely manner.	Stewardship-1
Procurement and contracting information used for reporting purposes is accurate and appropriate.	CFS-1 Governance-6
People
Employees are provided with the necessary tools and training to support their procurement and contract management responsibilities.	People-4
Contracting Activities
Procurement of services is acceptable and according to relevant contracting policies.	Accountability-1 Stewardship-10 Stewardship-13
An appropriate sourcing is undertaken and documented as appropriate.	Accountability-1 Public Service Values-1
All purchases are appropriately authorized.	Accountability-1 Stewardship-10
Payments are made only for services received and in accordance with contract terms and conditions and in the appropriate period.	Accountability-1 Stewardship-10 Stewardship-18 Stewardship-20
Duties are appropriately segregated.	Stewardship-13