Audit of Procurement and Contracting

1. Background

Procurement is an essential corporate support activity at Office of the Superintendent of Financial Institutions (OSFI), with approximately 990 contracts awarded^{Footnote 1} and $56 million in expenditures^{Footnote 2} from April 1, 2019 to June 30, 2021. The ability to effectively carry out procurement activities is important for OSFI to achieve its strategic initiatives, as well as to support its day-to-day operational needs.

As a Government of Canada agency, OSFI’s procurement activities must respect the various policies and frameworks in place over government contracting, which include: the Treasury Board (TB) Contracting Policy, the Financial Administration Act (FAA), and OSFI’s own guidelines, such as the Contracting Delegation Chart.

The goal of these policies and frameworks is to enable financial stewardship and transparency through a multi-layered system of controls so that government contracting can withstand public scrutiny. The complexity of the controls is driven by a variety of factors, including contract value, trade agreements, solicitation methods, and the nature of procurement items.

Beyond compliance with these instruments, the procurement function is also responsible for enabling operational effectiveness, and transparency and accountability to the public. This is especially important as procurement authority is centralized within the Corporate Services Sector, where the agility and responsiveness of the procurement function is necessary to ensure that procurement client needs are met in a timely and efficient manner.

Procurement at OSFI

At OSFI, procurement authority rests primarily within the Corporate Procurement team, with the exception of procurement of specified goods and services which falls under the Security and Facilities Services (SFS) team’s area of responsibility. The Corporate Procurement team, which issued 598 contracts worth $35.38 million in the period audited, procures goods and services on behalf of procurement clients across OSFI. The Corporate Procurement team fulfills clients’ requests by managing the procurement process, including directing the contracts to the appropriate approval authorities.

Text description - Procurement process

Procurement clients first originate the request, along with s. 32 approval and supporting documents. Then the request is forwarded to the Corporate Procurement team, who validated the procurement strategy, verify documents and conduct the procurement process. It is then sent to the approval authority, who provides s. 41 approval and may be internal or external to OSFI. Once approved, the contract is managed by the procurement client, who also provides s. 34 approval.

Comparatively, the SFS team, which processed 361 contracts worth roughly $6.21 million (in addition to rent payments to Public Services and Procurement Canada worth $37.4 million) in the period audited, does not perform procurement on a request basis, but rather in service of its own operational needs. These include the provision of security services (such as employee background checks and commissionaire services) and facility needs (such as furniture, telecommunications, or supporting facilities investment projects such as PIVOT). Procurement activities performed by the SFS team are limited by contract value and procurement type thresholds.

Previous Audit Engagements

The most recent audit of procurement was the 2018-19 Audit of Procurement & Contracting, which found that while the design of contracting activities generally supported compliance, further work was needed to formalize procedures and practices, especially within the SFS procurement area. The 2016-17 Audit of Facilities and Administrative Services (now SFS) also recommended establishing additional documentation of procurement guidelines.

Since the 2018-19 audit, management has undertaken multiple activities to review processes and identify opportunities for improvement. These include a lean process review and a client survey, as well as leveraging lessons learned from an internal review of procurement files. Based on these activities, management has undertaken several initiatives to improve client guidance and update key documents.

2. About the Audit

2.1 Objective

The objectives of the engagement were to:

• Assess the adequacy, effectiveness and efficiency of the procurement and contracting processes; and

• Evaluate compliance with required policies and regulations.

2.2 Scope

The audit covered procurement activities conducted between April 1, 2019 and June 30, 2021, and assessed the following:

• Design and operating effectiveness of key contracting and procurement processes and controls;

• Compliance with applicable laws, directives, regulations, and policies; and

• Implementation of audit recommendations and management action plans from the 2018-19 Audit of Procurement and Contracting.

The audit covers the periods before and after the transition to the COVID-19 remote working environment, which required the procurement teams to shift from a largely paper-based process to a digital file management process. To ensure equal representation, contracts awarded before and after this shift were identified separately.

The scope of the audit excluded procurement and contracting activities performed by external contracting authorities, such as Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC), as well as accounts payable processes.

2.3 Approach and Methodology

The audit was conducted through performance of the following procedures:

• Reviews of applicable policies and procedures, including TB policies, OSFI-specific policies, as well as process and procedural documents;

• Walkthroughs and interviews with various employees on the procurement teams; and

• Testing of a statistically selected sample of 79 files, supplemented by a judgmental sample and data analytics-driven testing, where feasible.

2.4 Statement of Conformance

This audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the TB’s Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.

3. Overview of Audit Results

3.1 Summary of Results

Procurement processes at OSFI are generally compliant with both internal and external requirements, with no significant compliance differences between pre- and post-COVID sub-populations. Opportunities for improvement were identified in areas such as quality review, contract request triaging, exceptional contracts processing, and effectiveness of client service delivery.

3.2 Management Response

Management accepts the findings and has identified Management Action Plans for each recommendation as outlined in the relevant sections, with all recommendations to be addressed by March 31, 2023.

4. Observations and Recommendations

4.1 Overall Procurement Compliance

Government procurement activities must comply with established requirements, including the TB Contracting Policy, PSPC guidance on the use of procurement tools, and financial controls identified in the FAA, supported by OSFI’s Delegation of Financial Signing Authorities and the Contracting Delegation Chart.

Contracting processes are effective in ensuring general compliance with applicable laws, directives, regulations, and policies. A statistical sample of 79 files was selected and reviewed for compliance, with 40 contracts processed by the Corporate Procurement team, and 39 by the SFS Procurement area. Only three exceptions were noted, pertaining to the elements below:

• One contract was awarded by a contracting authority above their delegated limit.

• One contract did not obtain three quotes required by standing offer terms as a minimum.

• One administrative contract to share commissionaire fees was not signed before the fee-sharing term started.

These three exceptions were isolated in nature, with no recurrence in the sample. Overall, the design and implementation of contracting processes are sufficient to ensure general compliance.

4.2 Quality Review of Procurement Activities

Proactive Disclosure Reporting

The TB Guidelines on the Proactive Disclosure of Contracts require that all contracts and amendments over $10,000 in value be disclosed on a quarterly basis, as part of government-wide transparency initiatives.

OSFI’s current process relies on an SAP report designed specifically for proactive disclosure reporting, with a manual review performed on the report before eligible contracts are disclosed to the public. The proactive disclosure reports were assessed for completeness through comparison to contracts created in SAP. Over the audit scope period, 40 out of 547 reportable contracts were not disclosed.

Without reconciliation mechanisms, the current manual review process is not sufficient to identify completeness gaps, especially when the SAP report was found to be incomplete. Additionally, while contracts may be created in SAP after the reporting cut-off date, no mechanisms have been established to ensure that these contracts are properly included in the report.

Inaccurate or incomplete disclosures could lead to loss of public trust in reporting and increase OSFI’s exposure to reputational risk.

Quality Reviews

OSFI’s current quality review process for procurement transactions relies on two key instruments: the Contract Plan Approval and Authorization form (CPAA) and the Peer Review Checklist (PRC). These two instruments not only act as guidance for Procurement Officers, but also support checks for file completeness and appropriate authorization.

Within the Corporate Procurement team, these tools are consistently used and are effective in ensuring files have the required approvals and relevant supporting documentation.

The SFS Procurement team adopted these tools in November 2019 and have been performing quality reviews on procurement files since then. As a result, only 29 out of 39 SFS files tested were subject to the quality review requirements. Within the 29 SFS files:

• The CPAA was complete and on file 76% (22/29 files) of the time.

• The PRC was complete and on file 79% (23/29 files) of the time.

As the quality review tools were not consistently used, more discrepancies were identified within the SFS Procurement files, including missing documentation and SAP data errors (e.g. incorrect vendor names, contract award dates, etc.). Without sufficient quality reviews, procurement files are more likely to have errors and inconsistencies, which could lead to non-compliance with procurement requirements or process inefficiency.

4.3 Intake and Triage of Contract Requests

 

Procurement transactions processed by OSFI vary in nature, in dollar value, and in the complexity of controls based on TB Contracting Policy. In order to effectively prioritize resources, risk should be considered throughout the procurement process, from intake to award.

Corporate Procurement has established multiple instruments to triage contracts throughout different stages of procurement process, which include:

• The Work Allocation Guide that outlines how procurement requests should be triaged at intake;

• The Guideline on Procurement Strategy and Contract Approval (“Guideline”) that provides requirements for review and internal approval; and

• The Contracting Delegation Chart that defines the sub-delegated authority for contracting approvals (section 41 of the FAA).

Although these instruments classify contracts into different sub-groups, the factors driving these classifications are not consistent. Specifically, the Contracting Delegation Chart uses commodity type and dollar value to classify contracts, whereas the other two instruments have different classifications based on contract type, dollar value, and solicitation process. These instruments were developed and implemented at different times and have not been reviewed to ensure contracts are treated consistently throughout various procurement stages.

As a result, a contract can be subject to significantly different levels of involvement between preparation, review, approval, and award. For example, a sole-source service contract under $5,000 can be prepared and awarded by a Contracting Assistant according to the Work Allocation Guide and the Contracting Delegation Chart, which would be consistent with a low-risk contract. However, based on the Guideline, it must be escalated several levels up and reviewed by a Manager between preparation and award, which would be consistent with a high-risk contract.

Additionally, the Guideline requires that all contract types, except for some amendments and standing offer call-ups, be reviewed by a Lead Senior Contracting Officer or above. This requirement leads to almost all contracts being directed to a single point of review. Even though the intent of the Guideline is to enable triage of contracting approvals, it is not adequately designed to achieve this goal.

Without a consistent and risk-based approach to the triage and approval of procurement transactions, Corporate Procurement may not be able to prioritize effectively or deliver procurement in a timely and efficient manner.

4.4 Processing Exceptional Contracts

Use of Mandatory Standing Offers

The TB Contracting Policy requires that for specific commodities, all federal government organizations use standing offers established by PSPC, with limited exceptions. A standing offer exemption may be granted where there is a justifiable operational need that cannot be met by a vendor on the standing offer.

For mandatory standing offer exemptions, Corporate Procurement’s current practice is to seek senior management’s review and approval based on the justification provided by the procurement client. However, this practice has not been formalized, with no guidance on documenting justifications and no defined approval authorities for such exemptions.

Of all contracts awarded within a mandatory commodity group, three did not use an applicable mandatory standing offer, and no justification was on file to support the exemption. In addition, the three exemptions received different levels of approval, with only one instance demonstrating escalation outside of usual approval processes.

Without establishing a formal process to approve exceptional contracts, exemptions might be granted without the knowledge of the appropriate procurement authorities, and OSFI may not be able to adequately justify its decisions in case of vendor complaints or external review.

Emergency Procurement

Within the TB Contracting Policy, there are established exemptions to regular contracting processes when there is an emergency need for procurement, where a delay would be injurious to the public interest.

Currently, there is no established process on how emergency requisitions should be documented and approved. Four out of the 39 SFS procurement files tested were performed for emergency requisitions, and while the use of emergency exemptions was justified in these instances, supporting documentation on file was not sufficient to demonstrate the relevant justification or approvals obtained.

Without an established process for emergency requisitions, there is a greater operational risk of inconsistencies and errors, as well as reputational risk arising from situations where exemptions were granted without sufficient justification.

4.5 Client Service Delivery Effectiveness

Performance Measurement

As a centralized function, the Corporate Procurement team is responsible for the delivery of procurement services at OSFI. The team’s ability to effectively measure its performance can support both Corporate Procurement and procurement clients in their operational planning.

Several service standards have been developed, with an expectation that the standards should be met for 80% of contracting activities. However, these standards are only identified for the full procurement process and are not broken down into individual steps. For example, a traditional competitive Request for Proposal process is expected to be completed within 35 days from the date that complete documentation is submitted by the client. As the standard does not break out expected timelines for subsequent client inputs or involvement from external parties, it lessens the Corporate Procurement team’s control over meeting the service standards.

While service standards have been established, performance against these standards is not monitored, and processes and tools required to track performance have not been established. For example, while some milestone dates are identified in SAP and could be used to support service standard tracking, these fields are not consistently used, and thus cannot be used to reliably inform performance measurement.

In files tested where the contracting authority was within OSFI’s delegation, the number of days between contract request and contract approval ranged from one to 164 business days. However, as noted above, there is insufficient information in the files to definitively conclude on processing times.

Without a sufficient understanding of current performance, the Corporate Procurement team may not be able to identify areas of improvement or fulfil client needs in a satisfactory manner.

Client Guidance

As a centralized service function, the Corporate Procurement team is responsible for providing guidance to procurement clients on their roles and responsibilities in the procurement process.

In support of this role, the Corporate Procurement team has developed some training materials and tools for its clients for procurement and contract management. However, these materials and tools are not centrally placed or easily accessible to clients, and training is only delivered on an as-requested basis.

Consequently, clients who do not routinely perform procurement transactions must rely on ad-hoc guidance provided by the Corporate Procurement team. In the files tested, the client divisions with the fewest requests had the longest periods of time needed to prepare all the documents necessary to initiate contract processing.

In a June 2021 survey conducted by the Communications and Engagement Division (on behalf of the Corporate Procurement team), clients indicated a lack of understanding of procurement processes and expectations. In this survey, 39% of clients indicated that information on procurement processes was not easy to find. Clients were also unclear on timelines associated with the procurement process, with 50% of respondents indicating that contracts were awarded later than they had expected.

Limitations in client guidance also led to the issuance of the majority of confirming orders at OSFI during the audit scope period. 88% (15/17) of confirming orders were issued directly due to a lack of client knowledge, including not understanding when formal procurement processes were required, the client’s contract management responsibilities, and the appropriate approvals required.

Without sufficient guidance and training for procurement clients, there is a higher risk of errors and delays, as well as increased demands of resources from the Corporate Procurement team for support.

Appendix A – Recommendation Ratings

Recommendations are ranked in order to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.

Recommendations are ranked according to the following definitions:

• High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.

• Medium Risk: a control weakness or operational improvement that should be addressed in the near term.

• Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort. Individual ratings should not be considered in isolation; and their effect on other objectives should be considered.