Procurement & Contracting
Table of contents
Glossary and Abbreviations
- Contracting
- Procurement and Contracting
- OSFI
- Office of the Superintendent of Financial Institutions
- TBS
- Treasury Board Secretariat
- Administrative Services
- Administrative Services Group
- PSPC
- Public Services and Procurement Canada
- CPAA
- Contract Plan and Approval Form
- SRCL
- Security Requirements Check List
- SACC
- Standard Acquisition Clauses and Conditions
- SA
- Supply Arrangement
1. Background
Context
OSFI is assigned its contracting delegation from the Minister of Finance, who is granted authority to purchase goods by Public Services and Procurement Canada under the Department of Public Works and Government Services Act and the authority to purchase services by Treasury Board. OSFImust adhere to multiple acts and policies, and subsequently demonstrate its adherence through mandatory reporting in order to maintain its delegation.
The following two groups, under the Assistant Superintendent, Corporate Services, have authority to enter into contracts on behalf of OSFI:
- The Procurement and Contracting Division (the focus of the audit), is the primary group responsible for procurement at OSFI; and
- The Administrative Services Group has the delegated authority to purchase restricted goods and services (facilities related expenses, furniture, stationary supplies, etc.) limited to $25k.
Given that the scope of the audit focused on contracts issued by OSFI as a whole, a sample of transactions processed by Administrative Services was reviewed during the course of this engagement.
The business objective of Contracting is to procure goods and services in a transparent manner that achieves best value and enhances access competition and fairness. This is realized by:
- Providing advice and guidance to management, internal clients and colleagues on the applicable Government Contracts Regulations, Treasury Board Directives, International Trade Agreements (e.g. The North American Free Trade Agreement, etc.) and other contracting policy requirements;
- Adhering to external reporting requirements (e.g. quarterly Proactive Disclosure of Contracts, annual Procurement Activity Report, etc.)
- Maintaining OSFI contracting records and all related reporting requirements; and
- Training internal stakeholders within OSFI to ensure that processes are understood and adhered to.
Government-wide contracting continues to be subject to public scrutiny and, as a result, there is a continued expectation that the appropriate management systems and practices are in place to award, administer and monitor contracting compliance and contract performance on an ongoing basis.
This audit was based on a sample selection from the 604 procurement files for the period of Jan 1, 2017 – Dec 31, 2017, representing a total procurement value of $10.2M. The focus of the engagement entailed a review of core processes, operational procedures and practices followed, and the mechanisms employed to ensure that OSFI is in compliance with procurement policies and requirements. The audit did not focus on the bid evaluation process for vendor selection.
An audit of Contracting was recommended by OSFI's Audit Committee and approved by the Superintendent for inclusion in the OSFI 2018-19 Internal Audit Plan.
Objective
Provide assurance that Procurement and Contracting (Contracting) has an appropriate management control framework in place to administer, monitor and report on contracts on behalf of the organization, as required by the Government of Canada rules and regulations
Scope
The audit focused on:
- Contracting's management control framework in place, including a review of the core processes, operational procedures and practices followed.
- The oversight activities and controls built around the core processes to ensure Contracting's activities are appropriately monitored and meet its objectives; and
- Selected contracts issued by the Office of the Superintendent of Financial Institutions (OSFI) during the period of January 1, 2017 - December 31, 2017 to assess that the application of Contracting's procedures and/or practices were applied consistently and adhered to the Government of Canada mandatory purchasing requirements.
Statement of Conformance
The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board Secretariat (TBS) Policy on Internal Audit and the Internal Auditing Standards of the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.
2. Results of the Engagement
Executive Summary
Based on sample testing of procurement files, reviews of relevant policies and procedures and interviews with departmental personnel, Procurement and Contracting was found to generally comply with the Government of Canada mandatory purchasing requirements; however, further consideration should be given to formalizing various procedures and practices identified in the following observations two, three and four.
Contracting officers are utilizing standard guidance tools for conducting contracting activities and Contracting has in place various mechanisms for communicating, educating and raising awareness of procurement objectives divisionally and across OSFI.
As OSFI's procurement activities are performed by two separate groups at OSFI, Administrative Services should consult with Procurement and Contracting to develop formalized procurement guidance to demonstrate adherence to procurement policies and regulations, facilitate training and management oversight, as noted in observation one.
3. Management Response
Management Response
Management would like to thank Internal Audit for their collaborative approach in conducting this Audit. The recommendations will help the Procurement and Contracting and the Facilities and Administrative Services teams to further strengthen their processes and controls to ensure OSFI's continued compliance with Government of Canada mandatory purchasing requirements.
4. Observations and Recommendations
1. Facilities and Administrative Services, in consultation with OSFI's Contracting group should develop formalized procurement guidance to demonstrate adherence to purchasing rules and regulations and help support facilitation of training and management oversight.
Medium Priority Observation
While the focus of the audit was on Procurement and Contracting practices, administrative services represented 56% (341 of 604) of the 2017 transaction volume and approximately 20% ($2.09M) of the overall spend. A sample of administrative procurement files was reviewed along with processes for ensuring that open, fair and transparent procedures were consistently being applied across OSFI procurement activities.
File Management and Documentation
Facilities and Administrative procurement files lacked evidence of documented support for a consistent audit trail. Although a large percentage of purchases conducted by Administrative Services fall under Public Services and Procurement Canada (PSPC) procurement vehicles, files lacked evidence to demonstrate the consideration of the procurement strategy in light of Government of Canada purchasing regulations, including consideration of security requirements and/or conflict of interest provisions.
In addition, discrepancies were noted in file administration where documentations lacked: evidence of original purchase orders (although amendments were included), origin of request, Supply Arrangement (SA) reference number and fulfillment of specific protocols as outlined in the SAs.
These discrepancies could be attributable to the high volume of transactions being processed without formalized guidance including tools, templates and quality assurance reviews. Clear levels of file expectations based on a risk-based approach appears not to be fully developed.
Training and Guidance
It is noted that no formalized training is established for the Administrative Services purchasing staff. Reliance is instead placed on peer-to-peer learnings, which may vary depending on the interpretations and experience of individuals and does not include tools and templates to aid in educating employees. Knowledge transfer is beneficial; however, without structured and formalized training it is difficult to determine whether personnel are receiving consistent and up-to-date policy and procedural information.
Oversight and Quality Assurance
In two of the selected sample files, it was noted that although the contracts were subsequently cancelled, one was still reported in the proactive disclosure listing reported publicly; and another disclosed in the annual procurement activity reporting to PSPC without a corresponding correcting entry noted in the following quarter. Inaccurate disclosures of procurement activity over inflates the commitments against the budget, and poses a risk of procurement decisions being made on inaccurate information.
Recommendation
Administrative Services, in consultation with the Contracting group should develop formalized procurement guidance that demonstrates adherence to purchasing rules and regulations. In developing the guidance, consideration should be given to creating tools that aid in file management, quality assurance reviews and as a training mechanism for new employees. Additionally, consultations with Contracting should also address coordinating efforts for strengthening reporting oversight in order to ensure accurate information is disclosed and utilized for decision making, along with ensuring relevant amendments are made, when required.
Management Action Plan
File Management and Documentation
The Facilities team has been working with the Procurement and Contracting group to develop a checklist process in order to ensure completeness of files and mitigate the risk of human error. In Q1 2019-20, the facilities team will have the checklist process defined, tested and staff trained in order to have it fully operationalized.
Training and Guidance
In order to provide effective training and guidance to Facilities staff, the following action will be taken:
- Facilities will develop a procurement Standard Operating Procedure by Q2 2019-20 in order to assist in knowledge capture and onboarding of new employees (or employees new to procurement)
- All Facilities staff involved in procurement will take "Introduction to procurement (M718)" offered by the Canada School of Public Service (CSPS) by Q4 2019-20, although this is subject to availability by CSPS.
Oversight and Quality Assurance
The Facilities team will ensure proper oversight and quality assurance by including a peer review by Q1 2019-20 as part of their procurement processes in order to mitigate any risks of human error and ensure files are complete and accurate.
The Facilities team will include in their Standard Operating Procedures (to be implemented by Q2 2019-20) a quarterly review to ensure that items are accurate for the reporting on proactive disclosure.
2. Peer reviewed files lacked demonstrated evidence of key procurement documents, requiring strengthening of file administration process to support its quality assurance and oversight function
Low Priority Observation
Contracting employs a peer review process on contracting files, which operates as a quality assurance control for ensuring file completeness and adherence to Government of Canada and OSFI procurement rules, as well as an oversight tool for when files require approval from senior management. To conduct the peer review, Contracting Officers utilize tools including the peer review checklist and the Contract Plan and Approval form (CPAA) which include considerations such as procurement strategy, trade agreements, mandatory contracting vehicles and mandatory documents that must form part of the contract file.
It was noted that the peer review is predominantly conducted on hardcopy folders, although the electronic folder is the official contracting record. In a number of sampled files reviewed, it was found that contract files either did not show or lacked clear demonstration of evidence of mandatory documentation, such as a reviewed and approved Security Requirements Check Lists (SRCL) and evaluator certifications, inconsistent with the noted acknowledgements of completeness in the peer review checklists. In particular, when key documentation to support peer reviews were in electronic files, it was not readily accessible amongst the large volume of correspondence within the files. With the peer review process operating as a key control for ensuring quality assurance, discrepancies between documentation in the contracting files and review evidence introduces the potential of undue reliance on the process.
Recommendation
Contracting should strengthen its file administration to facilitate clear linkages of evidence to support quality assurance reviews, allowing for realizing efficiencies in the process along with demonstrating clear evidence of documented support for maintaining an audit trail and management oversight.
Management Action Plan
To ensure clear linkages of evidence to support the quality assurance reviews, the Procurement and Contracting team will strengthen its file administration and quality assurance process by the end of Q3 2018-19.
This will be achieved by:
- Including hyperlinks on the Peer Review Check List to each document filed in eSpace, OSFI's electronic records and document management system. This will ensure that the appropriate documentation supports the quality assurance process and will facilitate the retrieval of evidence, when required.
- Updating the Peer Review Checklist to include a column for comments so that contracting officers can note when there is a valid reason for not having specific documentation on file.
3. As Contracting officers rely on OSFI templates for conducting procurement activities, Contracting should establish a formalized review process for ensuring OSFI templates reflect and align with policies and practices
Low Priority Observation
In the absence of formal operating procedures, it was noted that the Contracting team utilize templates to perform their duties. These templates include approval forms, checklists, and contract and request for proposal templates (including user notes for implementation guidance). The contract and request for proposal templates include PSPC templates as well as those created and maintained by OSFI. Templates owned and managed by PSPC are not updated by OSFI, and Contracting employs a process of retrieving the templates from the PSPC website to ensure that the most up-to-date version is used.
It was noted that OSFI documents periodically require updates as a result of policy changes, revisions to team procedures or updated guidance from TBS and/or PSPC. Interviews with procurement staff indicated that contracting officers rely heavily on these documents to ensure file completeness and inclusions of appropriate clauses. Although the approval template and peer review checklist are frequently updated, the OSFI contract and request for proposal templates are not formally reviewed and updated on a regular basis to ensure that clauses are kept current with respect to the Standard Acquisition Clauses and Conditions (SACC) manual and relevant Government of Canada procurement templates. Outdated templates pose the risk of OSFI being contractually bound by insufficient or inaccurate clauses.
Recommendation
Based on the reliance placed on OSFI templates, Contracting should institute a formal review cycle to ensure that the templates are up-to-date and relevant, as well as establishing a process to ensure that changes are also captured between reviews.
Management Action Plan
Management acknowledges the importance of performing a comprehensive and horizontal review of templates periodically to effectively support OSFI in its contractual relationships with external suppliers. Public Services and Procurement Canada develops new or updated clauses whenever major changes in legislation, policy and guidance occur, and in turn management reflects them in the appropriate templates to avoid exposing OSFI to undue contractual risks. Management agrees that instituting a formal review cycle of its templates would be of benefit.
The Procurement and Contracting team commits to finalizing the review of OSFI's Contract and Request for Proposal templates and make the revised versions available for use, in both official languages, by the end of Q1 2019-20.
The Procurement and Contracting team will also implement a biannual cycle whereby OSFI's Contract and Request for Proposal templates are reviewed in Q1 every two years to ensure that they remain up-to-date and relevant. Templates will continue to be updated between formal comprehensive reviews. The Procurement and Contracting team will add a quarterly item to their bi-weekly team meeting agenda, effective Q2 2019-20, to confirm if there have been any policy changes, updated guidance from TBS and/or PSPC, or revisions to team procedures that affect the templates. If changes are required, the Procurement and Contracting team will update the templates by the end of the following quarter.
4. Contracting should review the current vendor evaluation process for applicability as it is not currently fully implemented for obtaining feedback on vendor performance
Low Priority Observation
OSFI's Contracting Handbook outlines a vendor performance evaluation process, in line with the guidance in the TBS Contracting Policy, indicating that on completion of the work the Contracting Authority (and appropriate competent officials) should evaluate the performance of the consultant or professional, that the consultant or professional should receive the critique and be given the opportunity to respond. Audit procedures revealed that the established process for vendor evaluations is not currently being followed (post contract) as it is difficult for Contracting to facilitate the completion of evaluations by clients and no central system for retention exists to support analysis for facilitating future procurement strategies.
In discussions with management, it was noted that currently a government-wide vendor performance management policy does not exist; however, through the Procurement Modernization initiative, a policy and means of both assessing and addressing vendor performance is in development. In the interim, Contracting is managing the risk of poor vendor performance through early engagement, which includes an escalation process for notifying Contracting of a vendor issue along with the formation of an action plan to address deficiencies, and provisions built into the contract clauses to terminate, if required.
Without documented vendor evaluations, OSFI risks not having the opportunity to provide relevant feedback to vendors on their performance in meeting OSFI procurement expectations along with the opportunity to help identify potential lessons learned for mitigating risks to future procurements i.e. misalignment in expectations, lack of defined deliverables and timelines, lack of communication and established milestones, etc.
Recommendation
Contracting should review the current vendor evaluation process for applicability or create and communicate a risk-based process for obtaining feedback on vendor performance while OSFI awaits the government wide vendor management policy. Additionally, the Contracting Handbook should be reviewed and updated based on any changes made to the process.
Management Action Plan
Through the Public Services and Procurement Canada (PSPC) and the Treasury Board Secretariat (TBS)'s joint, Procurement Modernization initiative, a policy and means for assessing and addressing vendor performance is in development for use across the Government of Canada.
While OSFI awaits the finalization and implementation of the government wide vendor management policy, the Procurement and Contracting team will review the current documented vendor evaluation process and will update the Contracting Handbook by the end of Q3 2019-20 to reflect organizational practices.
Once the government-wide vendor management policy and tools are released by PSPC and TBS and adopted by OSFI, the Contracting Handbook will be updated to reflect the new requirements.
Appendix 1
Observation Ratings
Observations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.
Observations are ranked according to the following:
High priority - should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively or a significant operational improvement opportunity.
Medium priority – a control weakness or operational improvement that should be addressed in the near term.
Low priority - non-critical observation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort.
Individual ratings should not be considered in isolation and their effect on other objectives should be considered.