2012-13 Continuous Audit of Procurement and Contracting

1.0 Executive summary and conclusion

Background

This audit report presents the findings of the National Research Council Canada's (NRC) 2012-13 Continuous Audit of Procurement and Contracting.

Audit objective

The objective of this audit is to provide independent assurance that the selected key management controls for NRC procurement and contracting included in the scope of the audit are designed and operating effectively. Opportunities for improving efficiency have also been noted where appropriate.

Raison d'être

Procurement and contracting was identified as a high audit priority area in the NRC 2012-13 to 2014-15 Risk-Based Internal Audit Plan. In fiscal year 2012-13, procurement personnel from the NRC's Administrative Services and Property Management (ASPM) branch executed a total of $118 million in new procurements and contracts. Within the Government of Canada, procurement and contracting activities are governed by a complex legislative and policy framework to enhance access, competition and fairness, and to ensure appropriate stewardship and probity of public funds. Procurement has been recently subject to increased scrutiny as a result of the Federal Government's Deficit Reduction Action Plan, which seeks to identify and implement cost containment measures to reduce the rate of growth in operating expenditures. Further, as result of NRC's ongoing Common Services transformation initiative, substantial recent changes have been made within NRC ASPM that affect the control environment for procurement and contracting. The audit findings are presented in this context.

Audit opinion and conclusion

Based on the audit work performed, the Office of Audit and Evaluation (OAE) found that the design and effectiveness of the selected key management controls for NRC procurement and contracting are adequate. We found that recent management actions and the reorganization of ASPM have strengthened the control framework and promoted standardization of processes across NRC. Particular strengths were noted with respect to high compliance with NRC / Government policies within the areas examined; the new reporting relationships for procurement personnel which promote greater oversight and process standardization; and the recent redesign of SAP procurement roles and access rights. There are opportunities to further strengthen the control framework with respect to values and ethics, training, monitoring, and to further leverage SAP functionalities for efficiency. NRC ASPM is encouraged to finalize its ongoing initiative to identify and realize opportunities for cost savings and efficiencies through consolidated purchasing and standing offers.

Table 1 below summarizes the audit conclusions by line of enquiry. Following this table is a list of related recommendations aiming to improve current business processes.

Table 1: Summary of Audit Conclusions

Lines of Enquiry	Assessment
1. Control Environment	Adequate
2. Authorization	Adequate
3. Processes	Adequate
Overall Audit Conclusion	Adequate

Summary of recommendations

1. Monitoring and Oversight by ASPM: ASPM should further strengthen the monitoring and oversight framework to include a comprehensive risk-based approach for all procurement and contracting activities, including clearly defined roles and responsibilities. [Priority: HIGH]
2. Training: ASPM should continue to develop and implement a comprehensive training strategy for procurement officers, and take interim measures to mitigate the risk of insufficient access to training, particularly for satellite office procurement personnel. [Priority: MODERATE]
3. Values and Ethics: ASPM should develop and implement a systematic approach to reinforcing Public Service values and ethics to manage conflict of interest risk. [Priority: HIGH]
4. Electronic Requisitioning: NRC should mandate the use of SAP purchase requisitions by all NRC offices and continue to provide training to the responsible positions. [Priority: MODERATE]
5. Procurements related to Legal and Patent Services: ASPM should work with Business Management Support (BMS) to strengthen, formalize and ensure sufficient oversight over the procurement process for legal and patent services. Strengthening should include formal delegation of an appropriate level of procurement authority to NRC patent agents. [Priority: MODERATE]
6. Security Classification: ASPM should coordinate with Information Technology and Security Services (ITSS) to clarify the security-related section of the SAP purchase requisition tool, and ensure end-users have ready access to guidance to support classification of contract security requirements. [Priority: MODERATE]

Statement of assurance

In my professional judgment as the Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Irina Nikolova, Acting Chief Audit Executive

NRC Audit Team Members:

Allison Bush, BA, CIA
Mayan Ismail, B.Com.

2.0 Introduction

This audit report presents the findings of the National Research Council Canada's (NRC) 2012-13 Continuous Audit of Procurement and Contracting. The decision to conduct this audit was approved by the President following the recommendation of the Senior Executive Committee and thereafter by the Departmental Audit Committee on June 26, 2012 as part of the NRC 2012-13 to 2014-15 Risk-Based Internal Audit Plan.

2.1 Background

Government procurement is governed by several policies, statutes and regulations including, but not limited to, the Treasury Board Contracting Policy, Directive on Delegation of Financial Authorities for Disbursements, Financial Administration Act (FAA), Government Contracts Regulations, North American Free Trade Agreement (NAFTA), Agreement on Internal Trade (AIT) and World Trade Organization – Agreement on Government Procurement (WTA). In addition, NRC has established internal procurement and contracting policies that employees must follow.

Within NRC, responsibility for procurement and contracting falls under the authority of the Material Management branch of Administrative Services and Property Management (ASPM). The Branch is responsible for procurement of goods, services and construction. NRC contracting authority has been delegated almost exclusively to ASPM procurement staff in the National Capital Region (NCR) and 12 satellite offices located across Canada. However, low risk and low value purchases under $5,000 may be acquired by non-procurement personnel with the use of a government acquisition card. Due to their nature, payments of certain expenditures (e.g. utilities, reimbursements to employees, transfer payments under agreements for science infrastructure, etc.) are processed without using purchase orders.

Table 2 below presents all new NRC procurements in fiscal year 2012-13. Procurements executed via purchase orders, standing offers and Public Works and Government Services Canada (PWGSC) contracts are processed by ASPM / PWGSC procurement personnel, whereas payments made without reference to a purchase order are processed by non-procurement personnel.

Table 3 below presents procurement activity for the NCR and satellite offices in fiscal year 2012-13.

Table 2: NRC Procurements by Amount and Type — Fiscal Year 2012-13

	Procurement via Purchase Order / Standing Offers / PWGSC Contracts  Table 2 note 1				Non-PO Payments
	Less than $5,000	$5,000 to 24,999	$25,000 and greater	Total Population	Expenditures in scope: PO may be required Table 2 note 2	Total Population
Net Value ($)	14,913,000	30,224,000	73,069,000	118,206,000	6,552,000	119,158,000
% of Net Value	13%	26%	62%	100%	5%	100%
Volume of Transactions	12,098	2,609	562	15,269	8,899	37,288
% of Transactions	79%	17%	4%	100%	24%	100%

Table 3: NRC Procurements by Location – Fiscal Year 2012-13

Procurement via Purchase Orders / Standing Offer / PWGSC Contracts Table 3 note 1
	National Capital Region (NCR)	Satellite Offices	Total
Net Value ($)	90,440,000	27,795,000	118,206,000
% of Net Value	77%	23%	100%
Volume of Transactions	7,427	7,842	15,269
% of Transactions	49%	51%	100%

2.2 Context

As a result of NRC's ongoing Common Services transformation initiative, substantial recent changes have been made within ASPM that affect the control environment for procurement and contracting. Previously, procurement staff in the regional offices outside of the NCR reported to their respective Institutes, Branches and Programs (I/B/Ps). Effective April 1, 2012, all procurement staff now report directly to ASPM. ASPM has established four regional branches, East, West, Quebec and Ontario, and is in the process of staffing Regional Manager positions to oversee these branches. The reorganization and standardization of procedures and practices is ongoing. This state of change was taken into consideration during the audit.

2.3 About the audit

Objective

The objective of this audit is to provide independent assurance that the selected key management controls for NRC procurement and contracting included in the scope of the audit are designed and operating effectively. Opportunities for improving efficiency have also been noted where appropriate.

Scope

The scope of the audit was determined using a risk-based approach. The audit's scope comprised of an assessment of selected entity-level and process-level procurement and contracting controls across NRC as well as transactions and processes in place during fiscal year 2012-13, including procurements within the NCR and three satellite offices (Victoria, St. John's and Saskatoon).

Procurement types within the scope of the audit included: procurements through NRC and PWGSC contracts / purchase orders, call-ups to NCR and PWGSC standing offers, and payments made without reference to a purchase order. Expenditures incurred on acquisition cards, transfer payments, and sensitive expenditures such as travel and hospitality were included within the scope of other ongoing audits and thus were excluded from the scope of this audit.

The audit's scope includes the following risk and control areas: select entity-level controls, procurement method selection, consolidated purchasing and standing offers, contracts, expenditure initiation (FAA Section 32), performance certification (FAA Section 34), amendments, security classification and records management. As a result of the findings of the risk assessment conducted in the planning phase, the audit's scope excludes the assessment of policies, tools and templates, the supplier proposal evaluation process, security verification process, goods receipt process and Accounts Payable (A/P) verification (FAA Section 33).

Approach and methodology

The audit was conducted in accordance with generally accepted professional auditing standards and the requirements set out in the Treasury Board Policy on Internal Audit. The audit criteria, presented in Appendix A, were derived primarily from the Office of the Comptroller General's core management controls ^{Footnote 1} and from relevant Government / NRC policies, acts and regulations such as the Treasury Board Contracting Policy and the Financial Administration Act (FAA). The audit criteria were discussed with management in advance of the audit.

Continuous auditing is an ongoing and independent assessment of control frameworks and risk management systems. Continuous auditing techniques have been successfully used by the NRC Office of Audit and Evaluation in recent years for a number of assurance audits identified in the annual risk-based audit plan. The audit scope and procedures target a localized set of audit criteria related to key controls that must work well. Audit tests and analyses are adjusted as the examination proceeds to address new risks as they emerge. Where potential concerns are identified, management is immediately alerted to allow for timely correction.

The audit addressed the audit criteria as they existed at the time of examination and, as applicable, any future plans. The audit methodologies were selected to ensure that the root cause of findings was identified and to ensure recommendations add value for NRC. Audit methodologies included the following:

• Review of (1) Government of Canada financial, procurement and contracting policies, statutes and regulations such as the Treasury Board Contracting Policy and the Financial Administration Act (FAA); and (2) NRC guides, manuals, checklists, meeting minutes and other documents relevant to procurement and contracting;
• Data mining on the population of in-scope procurement transaction types for the period of April 2012 to February 2013 to both inform sample selection and address audit criteria;
• Interviews with ASPM management, procurement, finance, IT and other operational staff from the NCR and three satellite offices (Victoria, St John's and Saskatoon);
• Review of the design and operation of selected SAP systems controls related to procurement and contracting;
• Review of results of financial controls testing executed by the NRC Financial Monitoring Division (FMD) for quarters 1 and 2 of fiscal year 2012-13; and
• Testing of 29 procurement files from the NCR and the three satellite offices. Files were selected on a judgmental, stratified sampling basis to ensure coverage of various subpopulations, risks, and control environments.

3.0 Audit findings

The table below presents the detailed audit findings with accompanying assessments. Suggested management priorities for addressing risks are identified as high, moderate or low.

Audit findings	Assessment
1. Control environment	Adequate
Criterion 1.1: The new ASPM reporting structure supports effective procurement and contracting control processes.
NRC's Chief Financial Officer (CFO) is the senior executive responsible for NRC procurement and contracting. The CFO is supported in this position by the ASPM Director General and the ASPM Director of Administrative Services. Effective April 1, 2012, all procurement personnel report centrally to ASPM and have been assigned to one of four regional branches. ASPM has recently established and is currently staffing Regional Manager positions for the Quebec, Eastern and Western regions. The Ontario Regional Manager position has already been staffed. As a result of several outreach and other proactive measures led by the Director of Administrative Services, we found that the new reporting relationships between ASPM and regional procurement personnel is both understood and accepted. We also found that good progress has already been made in strengthening communication between the NCR and satellite offices, moving toward increased process standardization and enhancing ASPM oversight of NRC procurement and contracting activities.	The new ASPM reporting structure for procurement and contracting is effective and supports greater oversight and process standardization. No opportunities for improvement were identified.
Criterion 1.2: The roles, responsibilities and authorities of procurement personnel are well defined, understood and applied, and support segregation of duties.
We found that current roles and responsibilities for personnel in the NCR are well defined, understood and applied. Prior to fiscal year 2012‑13, NCR buyers executed procurements for a particular client. ASPM has recently revised these roles and responsibilities as part of the transition to commodity-based procurement in the NCR, whereby procurement personnel are now responsible for executing procurements within a particular commodity family (e.g. IT, scientific, etc.) which is aligned with the PWGSC commodity management framework. Material Management personnel outside of the NCR have varying roles and responsibilities due to the limited number of personnel and the previous decentralized organizational model. Some job descriptions have not been reviewed for several years and may require revision as a result of recent changes in reporting relationships and evolving roles and responsibilities. ASPM intends to review the roles, responsibilities and job descriptions of satellite office staff following staffing of the Regional Manager positions. Due to limited number of personnel, satellite staff will continue to serve their respective offices rather than specializing by commodity. Audit testing found that procurement and contracting is executed within NRC's delegated contracting authority limits (FAA Section 41). However, several instances of insufficient segregation of duties related to procurement were identified. These conflicts developed over time as a result of limited personnel in satellite offices and the inconsistent review and updating of SAP roles/access rights. The issue of segregation of duty conflicts had also been identified by management. During FY 2012‑13, the Finance Branch (FB) Corporate Financial Systems and Reporting (CFSR) group, in consultation with ASPM, ITSS and other operational staff, systematically identified, reviewed and resolved segregation of duty conflicts within SAP. CFSR has created standard profiles for procurement and financial SAP roles/access rights that ensure segregation of duties and have established a formal requirement that Corporate Accounting review and approve all requests for conflicting roles. The redesign and standardization of SAP financial and procurement profiles has greatly reduced the number segregation of duties conflicts, and reduces the corresponding risk going forward. Although formal responsibility has been assigned for approving conflicting SAP role/access rights, an approach to monitoring these exceptions has not been developed.	Procurement and contracting is executed within NRC's delegated contracting authority limits (FAA Section 41). The roles, responsibilities and authorities of procurement personnel are well defined, understood and applied within the NCR. There is opportunity to update and clarify the roles, responsibilities and job descriptions of procurement staff. ASPM plans to conduct this review in 2013‑14, following staffing of the Regional Manager positions. There is appropriate segregation of duties for the majority of positions with procurement-related responsibilities, and a formal approval process for exceptions.
Criterion 1.3: ASPM has established monitoring and reporting mechanisms to ensure procurement activity is in compliance with NRC and Government of Canada policies, statutes and regulations.
Three mechanisms are in place to monitor and report on the compliance of NRC procurement activity: ASPM's Contract Review Committee (CRC), the work of the ASPM Policy, Systems and Monitoring Officer; and the procurement-related testing by FB's Financial Monitoring Division (FMD). The CRC is a formal committee chaired by the Director of Administrative Services with the mandate to review and/or challenge proposed contracts, review contracting activity reports and trends, recommend changes to contracting policy and to provide guidance and direction on an as-requested basis to procurement officers. Commencing in FY 2012‑13, committee membership has been expanded to include regional buyers on a rotating basis. The CRC has developed a systematic process for conducting and documenting its reviews and reporting on findings. The scope of monitoring activities performed by the CRC is, for the most part, limited to contracts that exceed certain thresholds and high complexity contracts. Although the CRC Terms of Reference state that other random contracts not meeting the specified criteria will be selected for post-contract-award review, the selection and review of such contracts is not being routinely performed. However, Procurement Officers regularly bring files to the attention of the CRC for guidance and direction on an informal basis. The ASPM Policy, Systems and Monitoring Officer position has been in place for less than two years and the role is evolving in conjunction with the recent reorganization and ongoing staffing of the Regional Manager positions. Given resource constraints, the focus of the Monitoring Officer to date has been primarily on policy, systems, reporting and supporting the CRC. If any potential issues of concern are identified in the course of this work, the Officer conducts ad hoc reviews of compliance. However, a systematic monitoring and reporting protocol for this position has not yet been established. As part of FB's work in support of the Policy on Internal Controls (PIC), FMD conducts walkthroughs of procurement processes and tests financial and select procurement elements of low-medium and high-risk payments. Instances of financial or contracting authority violations identified by FMD are recorded in FB's Offence Tracking Database and formally addressed through the Financial Oversight Committee.	The monitoring and reporting framework for financial compliance and high value and high complexity procurements is strong. However, there is a risk of insufficient monitoring and/or gaps in oversight for lower value and lower complexity procurements, particularly outside of the NCR. The risk of insufficient oversight is due to the threshold of the CRC's scope, the evolving roles of the ASPM Policy, Systems and Monitoring Officer and Regional Managers, and the fact that the mandate and objective of FMD's work is focused on financial, not procurement, compliance. There is opportunity to: Formally identify the required level of ASPM oversight required for each type of procurement activity, based on ASPM's risk tolerance level; Develop a consolidated ASPM monitoring and oversight approach that ensures systematic monitoring and oversight, including appropriate follow-up and reporting; and Ensure that ASPM roles and responsibilities for the consolidated approach are clearly defined between the CRC, the ASPM Policy, Systems and Monitoring Officer, and the Regional Manager positions. Refer to Recommendation 1
Recommendation 1: ASPM should further strengthen the monitoring and oversight framework to include a comprehensive risk-based approach for all procurement and contracting activities, including clearly defined roles and responsibilities. [Priority: HIGH]
Criterion 1.4: Procurement personnel have access to sufficient and appropriate training to fulfill their responsibilities.
NRC does not have a comprehensive approach to identifying and addressing all procurement training needs. In the NCR, ASPM has placed reliance on the knowledge and expertise of long-term personnel, mentoring, on-the-job training and periodic information sessions, including the annual ASPM Material Management conference. NCR personnel also have access to formal training opportunities through PWGSC, the Canada School of Public Service, and NRC SAP systems training. Satellite office personnel have primarily relied on self-training, on-the-job training, periodic advice from ASPM, the annual ASPM Material Management conference and/or on local PWGSC offerings, to varying degrees. All personnel have access to technical SAP training content through the NRC online OnDemand tool. Due to their remote locations and the previous decentralized organizational model, satellite personnel have often faced barriers to accessing formal training, including SAP systems training. Audit analyses identified cases of inconsistent recording of procurements in SAP by satellite office personnel, highlighting the need for additional and/or refresher systems training. Effective April 1, 2012, as part of the Common Services reorganization, ASPM's responsibilities have been expanded to include procurement training for satellite offices. Satellite staff have already benefited from several outreach activities carried out by ASPM in FY 2012‑13. ASPM is currently in the process of assessing the highest priority training needs and is planning several training sessions for both NCR and satellite procurement personnel, which includes SAP systems content. Plans are in place to develop a formal and comprehensive NRC training strategy, with completion planned for late FY 2013‑14. In the interim, ASPM plans to increase information sharing and learning through regular teleconferences between procurement staff across NRC.	Due to the previous decentralized organizational structure and their remote locations, procurement personnel outside of the NCR have not had consistent access to training. ASPM has identified the need to develop a formal and comprehensive training strategy for all procurement personnel and is currently addressing the highest priority needs. Several opportunities to mitigate the risk of insufficient access to training have been identified: The ASPM training strategy should address the barriers to accessing training by satellite office procurement personnel; Where feasible, the training approach should utilize IT resources (e.g. teleconferencing, videoconferencing, SAP OnDemand) to maximize the effectiveness and efficiency of limited resources; and As an interim measure to quickly address training gaps, ASPM should ensure regional procurement personnel have ready access to existing ASPM expertise, guidance, tools and templates, and best practices. Refer to Recommendation 2
Recommendation 2: ASPM should continue to develop and implement a comprehensive training strategy for procurement officers, and take interim measures to mitigate the risk of insufficient access to training, particularly for satellite office procurement personnel. [Priority: MODERATE]
Criterion 1.5: ASPM management continually reinforces the importance of Public Service and NRC values and ethics in procurement and contracting activities.
A commitment to values and ethics is an integral element of any organization's management control framework. Explicit and visible commitment by management to a clearly defined set of ethical principles and expectations establishes the standard for the day-to-day actions and decisions of staff. The commitment to ethics and integrity is especially important in procurement which involves the expenditure of public funds. To date, ASPM has primarily relied on the work of NRC's Secretary General in communicating and promoting NRC values and ethics. The Secretary General's Office communicated NRC's Conflict of Interest (COI) Policy during fiscal year 2012‑13 and the new Government of Canada Values and Ethics Code for the Public Service during late fiscal year 2011‑12. NRC's COI framework requires personnel to review their obligations whenever there is a significant change in relevant circumstances and at least once per year. Senior Contract Officers are subject to increased scrutiny due to the nature of their work. ASPM has periodically highlighted the importance of Public Service values and ethics, including conflicts of interest, such as during the annual ASPM conference. The CRC, in reviewing compliance and taking prompt and appropriate remedial action where required, also serves to demonstrate ASPM's commitment to Public Service and NRC values and ethics. As well, a standard clause has been included in NRC's contract templates requiring suppliers and contractors to disclose any conflicts of interest. However, a systematic approach to reinforcing Public Service values and ethics in procurement and contracting has not been implemented.	Opportunities exist for ASPM to strengthen its values and ethics framework and activity. Specifically: There is a need to develop an overall ASPM approach to continually reinforcing the importance of NRC values and ethics. This approach should be aligned with NRC's values and ethics framework and plan, and could be developed by building on the work of PWGSC Footnote 2; The approach should ensure that operational level expectations related to values and ethics in procurement and contracting are clearly communicated; and The approach should consider the need to define the roles and responsibilities of the newly created Regional Manager positions for communicating and reinforcing values and ethics. Refer to Recommendation 3
Recommendation 3: ASPM should develop and implement a systematic approach to reinforcing Public Service values and ethics to manage conflict of interest risk. [Priority: HIGH]
2. Authorization	Adequate
Criterion 2.1: Procurement processes ensure that funding sources are committed and procurements are approved by the appropriate budget holder (FAA Section 32) prior to initiation.
NRC must have access to timely and accurate financial information so that timely resource allocation and reallocation decisions can be made. Although access to such information is always important, it is especially critical for NRC in this time of budget pressures and significant internal reorganization and change. The effective exercise of expenditure preapproval (FAA Section 32) is a key control in ensuring the accuracy of financial information. The audit found that Section 32 delegated authority was properly executed for initial procurements and amendments, based on the audit of selected files from the NCR and three satellite offices. During this period NRC, was undergoing significant change including the implementation of a new financial model and authorities. Typically, expenditure preapproval is executed by various positions across NRC. However, during this transition period, delegated authority was primarily executed by Senior Management and therefore the applicability of the above finding is limited. The use of SAP requisitions is an important tool in ensuring the availability of timely and accurate budget status information. The SAP requisition, which supports procurements executed via purchase order ($118 million in FY 2012‑13), automatically verifies the availability of and commits funding with relevant information only input once. The mandatory use of SAP electronic requisitions is a long-standing ASPM requirement within the NCR. Satellite offices are not mandated to use and have received only limited training on SAP requisitions. Audit analysis found that SAP requisitions are used on a consistent basis within the NCR and in 4 of the 12 satellite offices. The remaining 8 offices use electronic requisitions occasionally or not at all, and instead rely primarily on paper-based requisitions or email preapprovals.	Going forward, as authorities continue to be delegated downward within the organization, it is important that ASPM and FB continue to maintain sufficient oversight over the proper execution of financial authorities. An opportunity exists for NRC to formally mandate the use of SAP requisitions across NRC for all procurements executed via purchase order. Reliance on paper-based requisitioning creates workflow inefficiencies. As well, non-use of SAP requisitions increases the risk of over-commitment and the risk that management does not have access to timely and reliable financial information. Refer to Recommendation 4
Recommendation 4: NRC should mandate the use of SAP purchase requisitions by all NRC offices and continue to provide training to the responsible positions. [Priority: MODERATE]
Criterion 2.2: Only valid and legitimate invoices are approved for payment (FAA Section 34).
The audit found that NRC's delegated authorities for performance certification (FAA Section 34) were properly executed, based on the audit of selected files from the NCR and three satellite offices. During this period NRC was undergoing significant change including the implementation of a new financial model and authorities. Typically, performance certification is executed by various positions across NRC. However, during this transition period, delegated authority was primarily executed by Senior Management and therefore the applicability of the above finding is limited.	Going forward, as authorities continue to be delegated downward within the organization, it is important that ASPM and FB continue to maintain sufficient oversight over the proper execution of financial authorities.
Criterion 2.3: NRC procurement processes ensure that any amendments to existing contracts are done in accordance with NRC and Government of Canada procurement policies, laws and regulations.
There are many instances where the legitimate need arises to amend an existing contract or agreement. Gaps or weaknesses in the authorizing or processing of amendments can result in non-compliance with NRC / Government of Canada procurement requirements, over-commitment of funds and/or the inefficient use of NRC resources. Our audit testing found that contract amendments were reasonable and compliant with Government of Canada / NRC requirements. We found that the ability of procurement personnel to effectively administer and manage amendments is well supported in the NCR by processes and templates that include prompts for considering the necessity of future amendments and/or renewals, and by the referral of potentially controversial amendment requests to the CRC for review and approval. In the satellite offices we found that amendment processes were appropriate. Satellite office procurement staff are proactive in advising clients at the start of major procurements of the need to avoid unnecessary amendments and also review and challenge amendment requests.	Amendments are performed in accordance with NRC / Government of Canada procurement policies, laws and regulations. No opportunities for improvement were identified.
3. Processes	Adequate
Criterion 3.1: Procurements are carried out using the most appropriate procurement method.
Procurements executed via Purchase Order Through review of ASPM Contract Review Committee annual reports for fiscal years 2011 and 2012, interviews with NCR and satellite office procurement personnel, and review of a sample of procurement files, we found that Government of Canada competitive procurement requirements are being followed. Specifically, we found consistent and appropriate application of policy requirements with respect to Advance Contract Award Notices, sole source, tendered competitive, and open competitive procurements. While in conformance with Government of Canada competitive procurement requirements, we found a high volume of similar, reoccurring transactions under $25,000, as identified under criterion 3.2 below. Payments without Reference to a Purchase Order To increase efficiency, NRC has identified selected procurement types that can be made without reference to a purchase order (also referred to as non-PO purchases), which means that an SAP purchase order (PO) is not required and ASPM procurement officers are not involved in the procurement process. The total amount of payments without reference in fiscal year 2012‑13 was $119.2 million. Of this population, $112.6 million was for expenditure types which do not require a PO such as include utilities, commercial leases, travel, and hospitality. The remaining $6.6 million includes expenditure types which may require a PO and further analysis was conducted to assess the appropriateness of the procurement method. Through a review of trends in payments without reference to a PO, testing of specific transactions and a review of FMD testing results, the audit found that payments without reference to a PO are being generally utilized as intended and are not being used to circumvent appropriate procurement processes. Although there continues to be some instances where procurements are inappropriately made without reference to a PO, these instances are isolated, and are sufficiently addressed through the combined efforts of ASPM guidance and FB monitoring and oversight (i.e. Accounts Payable and FMD). Legal and Patent Services Payment for legal and patent services related to the registration and protection of patents are often made without reference to a PO. The total net expenditures in FY 2012‑13 was $2.8 million and of this amount, $1.7 million was procured and paid for without reference to a PO. NRC's Business Management Support (BMS) branch is responsible for procuring these services. BMS retains the specialized expertise of small firms on an as required basis, using a fairly standard competitive process, where 3 bidders are requested to submit bids in response to a statement of required services prepared by the NRC patent agent. We found that the current procurement process followed by BMS respects Government of Canada procurement principles and is designed to obtain best value for NRC. However, we found that the BMS procurement process is not fully documented and has not been formally approved by ASPM. As well, BMS officers do not have delegated procurement authority and have not been provided with procurement-related training.	Procurements via purchase order are executed in accordance with Government of Canada competitive procurement requirements. Payments without reference to a PO are generally being made in accordance with NRC procurement requirements. Although there are isolated instances of non-compliance these instances are not material and are addressed through FB monitoring. There is an ongoing need for continued monitoring of non-PO payments by FB to ensure purchases are consistent with NRC policies and are accurately coded. Opportunities for strengthening the procurement process for legal and patent services have been identified, including the need: To fully document the procurement process followed; For ASPM to formally approve the procurement process and to provide periodic oversight; and To ensure that NRC patent agents are delegated the appropriate procurement authority and provided with sufficient procurement-related training. Refer to Recommendation 5
Recommendation 5: ASPM should work with BMS to strengthen, formalize and ensure sufficient oversight over the procurement process for legal and patent services. Strengthening should include formal delegation of an appropriate level of procurement authority to NRC patent agents. [Priority: MODERATE]
Criterion 3.2: Similar or recurring purchases are consolidated and/or standing offers are used.
The consolidation of similar or recurring procurement requirements and/or the establishment and use of standing offers, where appropriate, contributes to the efficient and effective use of NRC resources, both in terms of administrative costs and obtaining best price. Through data mining and subsequent analysis of all NRC procurement activity during fiscal years 2011‑12 and 2012‑13, the audit found a high volume of reoccurring purchases both within certain regions and across NRC. For procurements executed by satellite offices, we found purchases were often made through small, local distributors. Processes did not consistently demonstrate due diligence for ensuring competitive pricing for purchases under $25,000, which represents 38% of the value and 96% of the transactions in FY 2012‑13. Analyses identified potential opportunities within both the NCR and several satellite offices for consolidated purchasing, procuring through larger suppliers to benefit from economies of scale, and increased use of standing offers. Some of these opportunities are being, or will be, considered as part of ASPM's transition to a commodity specialization approach for procurement personnel within the NCR. In the past, NCR procurement officers were organized by client (i.e. by Institute), which, in the absence of a fully integrated procurement and business planning process, limited their ability to identify the potential for consolidated purchasing and/or identifying the need to establish new standing offers. Implementation of the new ASPM commodity specialization approach, in which NCR buyers will be responsible for specific commodity families, has commenced and will be completed within fiscal year 2013‑14. With respect to procurement outside of the NCR, ASPM plans to assess the feasibility of developing regional or NRC-wide standing offers and/or consolidating purchasing within fiscal year 2013‑14.	There is a need to review value for money of purchasing activity. Specifically there are opportunities to establish new and/or better utilize existing standing offers, use consolidated purchasing and procure from larger suppliers to benefit from economies of scale. ASPM has begun to address this need by implementing a commodity specialization model within the NCR and plans to assess the feasibility of additional regional and NRC-wide standing offers and consolidated purchasing.
Criterion 3.3: Security requirements are appropriately defined for contractors and service providers to ensure NRC interests are protected.
In instances where contractors or other service providers will have access to NRC information, assets, or premises, the procurement officer, in consultation with the requisitioner, is responsible for identifying the level of security clearance required. Security classification and clearance requirements are reasonably well understood by procurement personnel. However, there is a lack of understanding by requisitioners, who are responsible for initially identifying the need to consider security requirements. Although the SAP requisition form contains built-in security prompts, there is insufficient guidance to ensure security requirements are properly considered. In satellite offices where the electronic requisition may not be used, responsibility for ensuring security requirements are properly considered, classified and documented rests with the procurement officers.	Opportunities for improvement exist for clarifying the security-related section of the SAP purchase requisition and providing easily accessible guidance to end users to support the appropriate classification of security requirements. The ambiguities in the current process increase the risk of improperly classifying security requirements, and thereby increase the risk of loss or damage to NRC information, assets or property (including intellectual property) and/or compromising of health and safety of NRC employees. Further, the absence of clear and accessible guidance may lead to inefficiency. Refer to Recommendation 4 Refer to Recommendation 6
Recommendation 6: ASPM should coordinate with ITSS to clarify the security-related section the SAP purchase requisition tool, and ensure end-users have ready access to guidance to support classification of contract security requirements. [Priority: MODERATE]
Criterion 3.4: Procurements and contracts use the approved NRC standard contract terms and conditions.
NRC has standard templates for contracts, terms and conditions, tendering documents and other procurement activities, derived from PWGSC standard templates and policies. Use of standard templates helps ensure that the terms and conditions of procurements are consistent with applicable policies, statutes and trade agreements and that NRC's interests are protected. NRC's standard procurement templates are available to procurement staff via a central repository. Through review of a sample of procurement contracts, we found that the appropriate standard templates were used for NCR and satellite office procurements.	Procurements and contracts use the approved NRC standard contract terms and conditions. No opportunities for improvement were identified.
Criterion 3.5: NRC has established a process to ensure conformance with new Government requirements for contracts with former public servants.
The Treasury Board Contracting Policy sets out a number of policy requirements governing contracts with former public servants to ensure such contracts reflect sound contracting practices including fairness in selection and compensation. In fall 2012, the Treasury Board Secretariat issued new reporting requirements regarding service contracts with former public servants in receipt of a Public Service Superannuation Act (PSSA) pension effective late 2013 and early 2014. As the new requirements had not taken effect at the time of the audit, the processes and systems in place to meet these requirements, rather than actual compliance, was assessed. We found that ASPM has developed appropriate processes and systems within the SAP Material Management module and have clearly assigned senior-level roles and responsibilities in order to meet the new reporting requirements including quarterly and annual reporting and public disclosure. As well, we found that ASPM management has adequately communicated and procurement personnel understand and are applying the new policy requirements.	NRC has established a process to ensure conformance with new Government of Canada requirements for contracts with former public servants. No opportunities for improvement were identified.
Criterion 3.6: Documentation and record keeping related to NRC procurements is sufficient and appropriate to support effective operations and demonstrate due diligence.
Proper records management practices ensure that corporate records are efficiently managed, support accountability and transparency, minimize disruptions in the event of employee turnover and ensure compliance with legal and regulatory obligations. We found that the structure, content and storage practices for procurement files differ across NRC. Lack of standardization is at least partly due to the previous decentralized reporting structure as well as differences in the level of procurement volume. For procurement files selected from the NCR and three satellite offices, in all cases the key documents were available to support the transactions. Within the NCR, a standard file process has been mandated and is followed. Within satellite offices, records management practices differ between offices and records are not always easily accessible in a central repository with a standard structure. ASPM recommends that staff follow the PWGSC guidelines for file structure organization, and this recommendation has recently been communicated to regional buyers. ASPM has identified opportunities for standardizing key records management practices across the organization and has begun analyzing practices in regional offices.	Sufficient and appropriate procurement documentation is maintained in order to demonstrate due diligence. ASPM is undertaking an initiative to establish records management standards across NRC in order to support the effectiveness and efficiency of the procurement function. No further opportunities for improvement have been identified.

4.0 Conclusion

Overall, we found that the design and effectiveness of the examined controls for procurement and contracting are adequate and in compliance with applicable Government of Canada and NRC requirements. Control activities are generally strong within the National Capital Region and adequate within the satellite offices examined. However, control processes are not yet standardized across NRC, which increases the risk of inefficiencies and in the event of staff turnover, increases the risk of errors and non-compliance.

ASPM has developed a strong control framework for the National Capital Region. Following the recent amalgamation of satellite office procurement personnel within ASPM, we found there is a need for ASPM to continue strengthening and standardizing the control framework across satellite offices.

Particular strengths were noted with respect to:

• high compliance with Government of Canada / NRC requirements for the areas examined, including amendments, requirements for contracting with former public servants and use of standard contract templates;
• the transition to buyer commodity specialization in the NCR, which will promote buyer expertise and higher conformance with Government / NRC requirements, and supports the identification of opportunities for consolidated purchasing and standing offers;
• the new reporting relationships and establishment of regional manager positions which will encourage greater oversight over procurement as well as standardization of the control framework and activities; and
• the recent redesign of SAP procurement roles and access rights.

Opportunities for improving the procurement and contracting control framework were identified with respect to:

• increasing the scope of ASPM monitoring and oversight, particularly for lower risk and lower value procurements;
• developing and delivering on a comprehensive training plan;
• management reinforcement of the importance of Public Service and NRC values and ethics related to procurement;
• mandating the use of SAP electronic purchase requisitions across NRC; and
• clarifying tools and providing additional guidance to support the appropriate classification of security requirements.

ASPM is also encouraged to finalize its ongoing initiative to identify and realize opportunities for cost savings and efficiencies through consolidated purchasing and standing offers.

Appendix A: Audit criteria by line of enquiry

Lines of enquiry
1. Control environment
1.1 The new ASPM reporting structure for procurement and contracting is effective. 1.2 The roles, responsibilities and authorities of procurement personnel are well defined, understood and applied, and support segregation of duties. 1.3 ASPM has established monitoring and reporting mechanisms to ensure procurement activity is in compliance with NRC and Government of Canada policies, statutes and regulations. 1.4 Procurement personnel have access to sufficient and appropriate training to fulfill their responsibilities. 1.5 ASPM management continually reinforces the importance of Public Service and NRC values and ethics in procurement and contracting activities.
2. Authorization
2.1 Procurement processes ensure that funding sources are committed and procurements are approved by the appropriate budget holder (FAA Section 32) prior to initiation. 2.2 Only valid and legitimate invoices are approved for payment (FAA Section 34). 2.3 NRC procurement processes ensure that any amendments to existing contracts are done in accordance with NRC and Government of Canada procurement policies and regulations.
3. Processes
3.1 Procurements are carried out using the most appropriate procurement method. 3.2 Similar or recurring purchases are consolidated and/or standing offers are used. 3.3 Security requirements are appropriately defined for contractors and service providers to ensure NRC interests are protected. 3.4 NRC procurements use the approved NRC standard contract terms and conditions. 3.5 NRC has established a process to ensure conformance with new Government requirements for contracts with former public servants. 3.6 Documentation and record keeping related to NRC procurements is sufficient and appropriate to support effective operations and demonstrate due diligence.

Appendix B: Potential overall ratings

Management attention required

There are significant weaknesses in the design and effectiveness of management controls that require management's attention. Practices and processes are not in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to procurement and contracting.

Needs improvement

The design and effectiveness of management controls needs improvement. Some areas of practice and processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to procurement and contracting but many deficiencies exist.

Adequate

The design and effectiveness of management controls is adequate. Most of the areas of practice and processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to procurement and contracting but there are opportunities for continuous improvement.

Strong

The design and effectiveness of management controls is strong. All areas of practice and processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to procurement and contracting. No areas for improvement were identified.

Appendix C: Management action plan

Priority of recommendation definitions

High

Implementation is recommended within six months to reduce the risk of potential high likelihood and/or high impact events that may adversely affect the integrity of NRC's governance, risk management and control processes.

Moderate

Implementation is recommended within one year to reduce the risk of potential events that may adversely affect the integrity of NRC's governance, risk management and control processes.

Low

Implementation is recommended within one year to adopt best practices and/or strengthen the integrity of NRC's governance, risk management and control processes.

Recommendations