Executive Summary and Conclusion
This audit report presents the findings of the National Research Council Canada's (NRC) Audit of Procurement and Contracting in the Interim Operating Environment.
The objective of the audit was to provide just-in-time independent assurance to NRC Senior Management that controls remained effective in the Interim Operating Environment (IOE) and to allow NRC to make necessary corrections before fiscal year-end.
In July 2014, a cyber-intrusion led to the shutdown of NRC's IT network and systems. NRC then implemented Interim Operating Environment (IOE) controls to enable the organization to continue to deliver services and value to clients and the Canadian public. Four audits of the IOE were approved by the President outside of the NRC 2014-15 to 2016-2017 Risk-Based Internal Audit Plan. These audits under the IOE are: Expenditure Management, Industrial Research Assistance Program (IRAP), Acquisition Cards and Procurement and Contracting.
Audit findings are presented within the context of a compromised operating environment with interim business continuity measures in place until a new network and steady-state business processes are established.
Procurement and contracting activities allow NRC to obtain the necessary goods and services to run its programs and deliver services to Canadians. Ensuring that procurement activities continue to respect NRC, Treasury Board Secretariat (TBS), and Government of Canada requirements subsequent to a cyber-intrusion upholds NRC's commitment to transparency, fairness, and value-for-money for the benefit of Canadians.
Audit Opinion and Conclusion
Within the limitations of the samples drawn and the audit procedures performed, the audit found that interim operating processes overall were sufficient to demonstrate transparency, control and due diligence over procurement and contracting activities. The audit found that NRC contracting activities decreased from previous years due to the impact on research activities by the cyber-intrusion but NRC maintained compliance with established procurement limits and controls defined by internal and external-to-NRC parties. We noted areas for improvement with regard to approval of funding commitments and delegated authorities for contracting; contract splitting; and the definition of security requirements for contracts and adequate file management to demonstrate fulfilment of security requirements. We noted that efforts are ongoing as of April 2015 to return to steady-state business processes which are expected to rectify some of the issues identified through the audit.
Summary of Recommendations
No recommendations were identified in the course of the audit. As the control environment will change as NRC moves towards implementing a new, secure network, we expect the use of interim controls to be a temporary action to ensure the continuity of business activities until steady-state business processes are introduced.
Statement of Conformance
In my professional judgment as the Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the audit opinion and conclusion. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.
Alexandra Dagger, CIA, Chief Audit and Evaluation Executive
NRC Audit Team Members:
Irina Nikolova, FCCA, CIA, CISA, Audit Manager
Andy Lang, CIA, Senior Auditor
Michelle Le, B.Sc, Student Auditor
The 2014-15 Audit of IRAP under the IOE was approved by the President outside of the NRC 2014-15 to 2016-2017 Risk-Based Internal Audit Plan following a cyber-intrusion that resulted in the shutdown of NRC's IT network and systems.
NRC procurement activities occur under numerous policies, statutes, and regulations including, but not limited to, the Treasury Board (TB) Contracting Policy, Directive on Delegation of Financial Authorities for Disbursements, Financial Administration Act (FAA), Government Contracts Regulations, trade agreements, and NRC's internal procurement and contracting policies and directives.
Within NRC, responsibility for procurement and contracting falls under the authority of the Material Management business unit of Administrative Services and Property Management (ASPM). The unit is responsible for procurement of goods, services and construction. NRC contracting authority has been delegated almost exclusively to ASPM procurement staff in the National Capital Region (NCR) and 12 satellite offices located across Canada. Low-risk and low-value purchases under $5,000 may be acquired by non-procurement personnel with the use of a government acquisition card. The acquisition card limit was subsequently increased to $10K following the cyber-intrusion. Due to their nature, payments for certain expenditures (e.g. utilities, reimbursements to employees, transfer payments under agreements for science infrastructure, etc.) are processed without using purchase orders.
The cyber-intrusion resulted in the shutdown of NRC's enterprise financial management and material management systems (SAP). Beginning in October 2014, key users were provided access to an isolated secure network to access financial and material management systems. ASPM introduced a centralized processing system where procurement staff in the National Capital Region (NCR) procured for local needs as well as on behalf of regional staff until secure workstations were made available across the country beginning in January 2015. A key element to the interim operating environment was the use of manual, paper-based, purchase requisitions instead of the SAP Material Management (MM) module workflow.
The lack of systems access also slowed project work and the definition of procurement needs, reducing purchase order volumes and values following the cyber-intrusion (Figures 1 and 2). As noted in Figure 4, the cyber-intrusion required alternative means to acquire business-critical procurement needs, hence the increased use of acquisition cards compared with purchase orders. Concurrently, as noted in Figure 3, for a selection of applicable expense accounts related to payments without reference to a purchase order, we noted a decreasing trend in volume and a jump in dollar value over the same period.
Long description for Figure 1
Figure 1 provides a graphical breakdown by dollar value between National Capital Region (NCR) managed procurements and regional procurement activities. The total value of contracts managed by regional authorities increased between FY2013 and FY2014 but declined following the cyber-intrusion.
Long description for Figure 2
Figure 2 provides a description of procurement processing by volume between the National Capital Region (NCR) and regional offices. Between FY2013 and FY2015, regional offices processed a volume of transactions similar to that of NCR procurement authorities, but of smaller value.
Long description for Figure 3
Figure 3 provides a comparison of spending and volume for the use of payments without reference to a purchase order. Between FY2013 and FY2015, the use of payments without reference to a purchase order has declined while the monetary value of transactions has increased.
Long description for Figure 4
Figure 4 provides a breakdown of spending between FY2013 and FY2015 using acquisition cards. The use of acquisition cards to pay for goods and services increased significantly in 2015 due to the cyber-intrusion.
(Figure 4 vertical axis: spending in $M)
1.2 About the Audit
The objective of the audit was to provide just-in-time independent assurance to NRC Senior Management that controls remained effective in the Interim Operating Environment (IOE) and to allow NRC to make necessary corrections before fiscal year-end.
The audit scope was defined using a risk-based approach. The audit scope includes an assessment of transaction-level procurement and contracting activities based on interim processes in place in FY2015. In-scope procurement activities included NRC and PWGSC-managed contracts, call-ups of NRC and PWGSC standing offers and supply arrangements, and payments made without reference to a purchase order. Procurements made under acquisition cards were included within the scope of another interim operating environment audit and thus excluded from scope.
The audit focused on contracts signed and awarded between July 29, 2014 and January 9, 2015 and payments without reference to a purchase order processed between August 1, 2014 and December 31, 2014, representing a total of 4,527 purchase orders with a total value of $48M and 2,444 payments without reference to a purchase order representing $12.3M. Risk and control areas the audit reviewed included the appropriateness of procurement tools and methods, expenditure initiation (FAA Section 32), contracting authority (FAA Section 41), performance certification (FAA Section 34), management of amendments, financial and procurement coding, and records management. The risk assessment excluded the following elements from audit scope: assessments of policies, tools, processes and templates; the proposal evaluation process; application of National Mandatory Standing Offers (NMSO); the contract security verification process; the goods receipt process; and Accounts Payable verification activities (FAA Section 33).
Approach and Methodology
The audit was conducted in accordance with generally accepted professional auditing standards of the Institute of Internal Auditors (the IIA) and the standards and requirements set out in the Treasury Board Policy on Internal Audit. The audit criteria, presented in Appendix A, were primarily derived from the TB Contracting Policy, TBS Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors (2011) and, as applicable, the NRC Financial Management Manual. Criteria were discussed with senior management in advance of the audit.
The audit addressed the audit criteria as they existed at the time of examination. Audit recommendations take into account ongoing internal initiatives to create a secure NRC IT network. A sample of 57 randomly selected contracts was chosen for key procurement control testing alongside a further 25 randomly selected samples of payments without reference to a purchase order. Data mining procedures were used to select a targeted sample of 24 contract sets to test for adequate risk management of contract splitting.
The audit methodologies were selected to ensure that the root cause of findings was identified and that any resulting recommendations add value for NRC. Methodologies are detailed in Figure 5 below.
Table 1: Overview of audit methodologies
- Reviewing procurement documentation such as interim operating environment framework documents, policies, guidelines, business cases, process maps, manuals, minutes, records of decision, reports to management and submissions to NRC governance committees and Treasury Board including MAF
- Interviews with key staff
- Reviewing and testing a sample of contracts and related supporting documents
- Leveraging SAP and business intelligence capabilities for data analytics and trend analyses
2.0 Audit Findings
Overall, we found that interim procurement authorization controls were adequate to demonstrate adherence to Treasury Board commitment, funding approval and contracting requirements.
While the audit noted minor issues in relation to contracting authority approvals, they did not materially impact the overall audit conclusion for this criterion.
In support of our conclusion we noted adequate compliance for the following:
- FAA Section 32, fund commitment approval – 59/61 (97%)
- FAA Section 41, delegated contracting authority – 50/55 (91%)
- FAA Section 34 performance certification approval – 72/74 (97%)
- Approval of amendments – 8/10 (80%)
Continuing efforts to implement a secure network and the introduction of new delegated authority management tools are expected to provide increased assurance that only properly trained and delegated authorities enter into contracts on NRC's behalf.
An effective management control framework for procurement and contracting includes clear procedures and guidelines over the authorization and award of contracts, supporting transparency and stewardship over public funds. The awarding of construction, goods and service contracts must stand the scrutiny of oversight bodies and the Canadian public to demonstrate value for money and enhance fairness and competition. The audit examined interim controls in place for compliance with fund commitment, performance certification and contracting authority requirements as set out in the Financial Administration Act, Sections 32, 34, and 41 respectively. Payments without reference to a purchase order follow the same approval authorities except for FAA Section 41 contracting authority, and may include additional manual scrutiny by NRC processing and monitoring functions.
Proper fund commitment
According to Section 32 of the Financial Administration Act, financial agreements or arrangements cannot be entered into without sufficient funds available to settle related obligations. In general, we found that NRC had defined an interim delegation of authority system to ensure proper commitment of funding, awarding of contracts, and certification for performance of contract requirements.
In 51 applicable contracts reviewed, we noted one instance where funding was not properly secured and approved before the contract was awarded. The budget holder had omitted signing the requisition when providing the necessary documentation for processing. The budget holder did have the necessary signing authority for the requisition.
As part of a sample of 25 payments made without reference to a purchase order, we noted one instance where the budget holder lacked delegated financial authorities commensurate with their role as an "Acting Director".
We found that NRC's online delegated authority system is not fully up-to-date with gaps in authorities for individuals both in acting as well as continuing capacities. The lack of an updated delegated authority matrix to define roles and contracting value limits hinders contract approvals and dilutes the strength of clearly defined roles and responsibilities.
Entering into contracts
In 55 contracts reviewed for appropriate Section 41 authority (delegated authority to enter into contracts on NRC's behalf), we found five instances where the contracting authority exceeded their contracting limits. Of the five instances, three were related to a single contracting officer who was later delegated increased authorities as part of their promotion. In one of the cases, the contract was signed after the fact by another procurement officer with the proper delegated authorities. In the remaining two cases, which occurred in regional offices, both procurement officers exceeded their delegated authority for contracting dollar limits.
Payment of goods and services
Section 34 of the Financial Administration Act requires that payment for goods and services not be made without a delegated authority of the Crown certifying that the goods and/or services have been received and that the payment is eligible under the terms and conditions of the contract. In general, we found that NRC remained in compliance with Section 34 of the FAA. In 72 of 74 invoices, we noted that the invoice had been reviewed and approved by an individual with the proper delegated authority. Of the two instances of Section 34 non-compliance, one related to an individual who lacked signing authority but was part of the project team. In the second instance, insufficient documentation was on file to demonstrate proper sign-off, and sign-off was provided before certification that all goods/services had been received.
We identified instances where purchase order invoices were paid more than once but internal monitoring processes identified and subsequently corrected the error. Finance Branch currently maintains invoices sequentially and not in the contracting file. There are opportunities to improve records management by organizing invoices by purchase order reference to reduce the likelihood of duplicate payments. Management informed us that once NRC introduces a secure environment, invoices will be digitized eliminating the need for the current paper-based records management structure.
We found financial coding to be adequate, with the majority of purchase orders coded to the correct expense accounts. In regards to payments without reference to a purchase order, we noted that coding practices were less consistent than for purchase order procurements. In particular, we found payments without reference being coded to diverse expense accounts, precluding proper classification of expenditures for analyses such as spending on safety and health.
Amendments were found to have been adequately authorized and justified as demonstrated in file documentation. In 8 of 10 instances where amendments were used, we identified adequate documentation to justify the amendment, to demonstrate that the contractor ratified the amendment, and that amendments were approved by an NRC delegated authority with sufficient cumulative authority. We noted two instances where the NRC contracting authority exceeded their contracting values; both instances were for regionally managed contracts where delegated authorities in the post-cyber intrusion environment were less clear. In both instances the expenditure was requisitioned and certified for payment by an approved delegated budget holder.
2.2 Contract Management
Overall, we found that interim procurement controls were sufficient to demonstrate appropriate use of procurement tools and transparency in procurement and contracting activities.
While the audit noted some minor issues in relation to contract splitting, increased need for training on Government procurement rules and requirements, and document management in relation to security requirements, they did not materially impact the overall conclusion for this audit criterion.
In support of our conclusion we noted the following:
- Appropriate use of procurement tools – 78/80 (98%)
- Evidence of potential contract splitting – 2/24 (8%)
- Disclosure of awarded contracts – 23/24 (96%)
- Documentation on file to demonstrate security requirements – 30/42 (71%)
The full implementation of NRC's new secure electronic working environment is expected to re-enable oversight capabilities from NRC's previous workflow arrangements.
Effective oversight of the procurement process includes the use of mandated Government of Canada standing offers where appropriate and the use of the most effective procurement tools while maintaining compliance with the spirit of Government of Canada contracting rules and regulations. The audit examined interim controls for the awarding of contracts including the use of appropriate procurement tools such as use of mandatory standing offers and adequate justification for sole source contracts.
We noted that the decentralized structure of ASPM's procurement function required that National Capital Region (NCR) resources process contracts and payments from October 2014 when NRC re-initialized its financial and material management system until regional employees received secure network access and workstations beginning in January 2015.
Appropriate use of procurement tools
We noted that NRC had not applied for any exemptions from Public Works or Treasury Board to reduce restrictions on the use of mandatory standing offers. Instead, ASPM was able to obtain alternative means to access the Government of Canada network allowing access to procurement tools available through PWGSC until secure network resources were made available beginning in January 2015. In general, we found that NRC purchased goods and services according to established guidelines and used standing offers where applicable and available.
In general, we found that payments without reference to a purchase order were managed according to established guidelines. We did not find evidence that payments without reference were used to circumvent the procurement process. In our sample of 25, we noted three instances where a payment without reference was used in lieu of a purchase order. In two instances, the payments without reference to a purchase order were made for construction related services which require purchase orders; one of them was identified by NRC Accounts Payable as part of regular monitoring activities. In another instance, the payment without reference was made due to an error in processing of a related purchase order. While the vendor was at fault, a delegated NRC authority approved the expenditure. We noted in 18 of 25 payments without reference, the use of an acquisition card may have been more appropriate in terms of administration and processing time.
Through data analytics, we noted instances of incorrectly coded procurements based on commodity types. Incorrect commodity type coding hinders the ability to track and report on procurement activities and types to central agencies in support of more competitive contracts. We noted that ASPM has already moved to fix the coding issues as part of their regular monitoring activities. We also identified instances of duplicate contracts where procurements were initiated for the same good or service. In all identified cases, payments had not been processed and ASPM cancelled duplicate procurements as they were identified.
In 2 of 24 samples reviewed, we identified evidence of the potential appearance of contract splitting, whereby two or more separate contracts were awarded for the same, similar or related procurements, thereby avoiding NRC's sole source contracting limits. In one instance, the requestor noted that the procurement was time sensitive in support of potentially life-saving outcomes, but documentation on file was lacking to establish the use of Section 6 of the Government Contracting Regulations, where the "need is one of pressing emergency in which delay would be injurious to the public interest". In the second instance, a quote was processed as two separate contracts to meet NRC's sole source contract limits. In 1 of 24 samples, we identified a sample set of three contracts that were awarded to perform similar work at different locations. The contracts had different statements of work but did not respect the spirit of the TB Contracting Policy with regard to "clear outputs or performance requirements", contributing to the appearance of contract splitting. Contract splitting circumvents established controls and limits over sole source contracting, circumvents Government of Canada, TB and NRC approval processes, and reduces competition and transparency.
We noted that following the cyber-intrusion, ASPM created a centralized procurement processing centre with select staff processing on behalf of the entire organization regardless of commodity type. The interim process reduced visibility over procurement requests hindering frontline procurement staff in the identification of potential contract splitting activities by budget holders and requestors. In January 2015, NRC provided secure workstations to procurement staff allowing contracting officers to return to commodity based specialization which is expected to increase monitoring and reduce instances of contract splitting. We found that while the NRC Contract Review Committee (CRC) has not met regularly since the cyber-intrusion, the Head of Procurement and Contracting has undertaken review sessions to assess contracts that fall under CRC oversight requirements.
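To make the contract-splitting pattern described above concrete, the following is an added screening routine written for this page; it is not NRC's or the audit team's data-mining procedure. It groups purchase orders by vendor and requester, clusters those awarded within a 30-day window, and flags clusters in which every purchase order is at or under a sole source limit while their combined value exceeds it. The sample purchase orders and the $25,000 limit are constructed placeholders; the report does not state NRC's actual limits.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    requester: str
    awarded: date
    amount: float
    description: str


# Assumed placeholder limit; NRC's real sole source limits are not stated in the report.
SOLE_SOURCE_LIMIT = 25_000.0

# Constructed sample data for illustration only (not drawn from the audit).
SAMPLE_POS = [
    PurchaseOrder("PO-1001", "Vendor A", "Lab 1", date(2014, 9, 2), 24_000.0, "HVAC repair, building 1"),
    PurchaseOrder("PO-1002", "Vendor A", "Lab 1", date(2014, 9, 9), 23_500.0, "HVAC repair, building 2"),
    PurchaseOrder("PO-1003", "Vendor A", "Lab 1", date(2014, 9, 12), 22_000.0, "HVAC repair, building 3"),
    PurchaseOrder("PO-1004", "Vendor B", "Lab 2", date(2014, 10, 1), 4_000.0, "Reagents"),
    PurchaseOrder("PO-1005", "Vendor B", "Lab 2", date(2014, 12, 15), 4_500.0, "Reagents"),
    PurchaseOrder("PO-1006", "Vendor C", "Lab 3", date(2014, 11, 3), 30_000.0, "Spectrometer service (competed)"),
    PurchaseOrder("PO-1007", "Vendor D", "Lab 1", date(2014, 11, 5), 20_000.0, "Consulting, phase 1"),
    PurchaseOrder("PO-1008", "Vendor D", "Lab 1", date(2014, 11, 6), 20_000.0, "Consulting, phase 2"),
]


def find_splitting_candidates(pos, limit=SOLE_SOURCE_LIMIT, window_days=30):
    """Return clusters of purchase orders that warrant file review for contract splitting.

    A cluster is flagged when it holds two or more POs from the same vendor and
    requester, awarded within `window_days` of the first PO, each individually at or
    under `limit`, with a combined value above `limit`. This is a screening heuristic
    that selects files for an auditor to examine, not a finding by itself.
    """
    groups = defaultdict(list)
    for po in pos:
        # POs already above the limit went through the higher-value process and are skipped.
        if po.amount <= limit:
            groups[(po.vendor, po.requester)].append(po)

    flagged = []
    for (vendor, requester), items in sorted(groups.items()):
        items.sort(key=lambda p: p.awarded)
        i = 0
        while i < len(items):
            # Greedily extend the cluster while POs fall within the window of the first one.
            cluster = [items[i]]
            j = i + 1
            while j < len(items) and (items[j].awarded - items[i].awarded).days <= window_days:
                cluster.append(items[j])
                j += 1
            total = sum(p.amount for p in cluster)
            if len(cluster) >= 2 and total > limit:
                flagged.append({
                    "vendor": vendor,
                    "requester": requester,
                    "po_ids": tuple(p.po_id for p in cluster),
                    "total": total,
                    "span_days": (cluster[-1].awarded - cluster[0].awarded).days,
                })
            i = j  # continue from the first PO outside this cluster's window
    return flagged


def format_report(candidates):
    """Render flagged clusters as one line each for an audit working paper."""
    return [
        f"{c['vendor']} / {c['requester']}: {', '.join(c['po_ids'])} "
        f"= ${c['total']:,.2f} over {c['span_days']} days"
        for c in candidates
    ]


if __name__ == "__main__":
    for line in format_report(find_splitting_candidates(SAMPLE_POS)):
        print(line)
```

Run on the constructed sample, the routine flags the three Vendor A repairs and the two Vendor D consulting phases, leaves the two small Vendor B reagent purchases alone because they are 75 days apart and well under the limit together, and ignores the Vendor C order because it already exceeded the limit on its own. In practice the flagged files would be reviewed for the conditions the report cites: whether the requirements were genuinely distinct, and whether a pressing-emergency justification under Section 6 of the Government Contracting Regulations was documented.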
Supporting Government transparency, contracts over $10K in value, including amendments, are posted to NRC's extranet and are available for public viewing. We found that in 24 eligible cases, 23 disclosures were up-to-date and reflected all amendments on file according to the TB Guidelines on the Proactive Disclosure of Contracts. In one instance, we could not identify the contract award listing on NRC's Proactive Disclosure page.
Contracting security considerations
Due to the cyber-intrusion, NRC instituted a security awareness program and additional security measures to safeguard assets, information and personnel. We noted that the reversion to manual purchase requisitions resulted in inconsistent information being obtained from budget holders and procurement requestors, especially in relation to security requirements. Budget holders and procurement requestors are required to define any and all security requirements related to their contract requirements. Within one geographical region using its own paper-based purchase requisitions, we noted that the requisition did not prompt requestors to identify security requirements. In 12 of 42 (29%) instances, either the purchase requisition was not completed properly to define security requirements or the documentation was incomplete or not on file to demonstrate that all necessary security requirements had been completed. NRC revised security practices following the cyber-intrusion by implementing new physical security safeguards and procedures and communicating them across the organization. While the documentation was not always complete or available, NRC had mitigating controls to protect its staff, information and assets. As of April 2015, NRC has reintroduced electronic purchase requisitions which include a template security requirements box to standardize information collection.
Appendix A: Audit Criteria
|Line of Enquiry|Audit Criteria|
|---|---|
|2.0 Contract Management||