Audit of Contracting (excluding exceptional contracts)

Background

Treasury Board's Contracting Policy states that "the objective of government procurement contracting is to acquire goods and services and to carry out construction in a manner that enhances access, competition and fairness and results in best value, or if appropriate, the optimal balance of overall benefits to the Crown and the Canadian People". It states that contracting is to be conducted in a manner that will:

• Stand the test of public scrutiny in matters of prudence, probity, facilitate access, encourage competition and reflect fairness in the spending of public funds;
• Ensure the pre-eminence of operational requirements;
• Support long-term industrial and regional development and other appropriate national objectives, including aboriginal economic development; and,
• Comply with the government's obligations under the North American Free Trade Agreement, the World Trade Organization – Agreement on Government Procurement and the Agreement on Internal Trade.

Government goods and services contracting activities are governed by several policies, statutes and regulations, including the Department of Public Works and Government Services Act, the Financial Administration Act (FAA), the Contracting Policy, the Government Contracts Regulations Act, and the Code of Conduct for Procurement and the Values and Ethics Code for the Public Service.

The Audit of Contracting was identified as a priority because contracting is financially material given the magnitude of goods and services procured through contracts, and that it can be subject to intense public scrutiny. The most recent audits on Contracting at Aboriginal Affairs and Northern Development Canada (AANDC or "the Department") were in 2006-07 and 2011-12. Since the last audit period, there has been a realignment and centralization of the procurement and contracting function and a migration of the integrated financial management system, which includes procurement and contracting, from an Oracle-based platform called OASIS to SAP. AANDC's SAP implementation is a shared system hosted by Health Canada.

Audit Objective and Scope

The audit objective was to provide assurance over the adequacy and effectiveness of the management controls supporting the processing of goods and services contracts, and that the goods and services are procured in a manner that is in compliance with Treasury Board and departmental policies and procedures and applicable laws and regulations.

For sampling purposes, the scope of the audit included contracts (and any amendments) that were established and/or were active between April 1, 2014 and December 31, 2014. AANDC established 1,443 contracts with contract start dates between April 1, 2014 and December 31, 2014, for a total value of $288 million^{Footnote 1}. The audit used a risk-based approach to examine a sample of contracts (50 total), selected from Regions and Sectors for this period. Audit fieldwork was conducted at AANDC Headquarters (HQ) in the National Capital Region and at the British Columbia (BC) Procurement Hub in Vancouver.

The audit excluded:

• contracts that were established under the Exceptional Contracting Limits Authority (exceptional contracts) as those contracts were covered under the Audit of Exceptional Contracting Limits Authority performed in 2014-15;
• contracts of Indian Oil and Gas Canada (IOGC) given that IOGC is a Special Operating Agency with a separate procurement function, and the organization has been the subject of recent audit activity;
• acquisition cards activity as it is a procurement vehicle which follows a different process from contracting.

Statement of Conformance

This audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Positive Observations

Throughout the audit fieldwork, the audit team observed examples of how controls are properly designed and applied effectively by AANDC. This resulted in several positive observations as follows:

• Governance and oversight exists over contract activities to ensure adherence to contracting policy requirements through the use of the Procurement Review Committee (PRC), centralized Procurement Hubs and trained Contracting Officers.
• Guidelines and expected practices for the contracting of goods and services are described in the Procurement and Contracting Desk Guide for Managers and are consistent with TBS Contracting Policy.
• Employees are provided tools to support their contract management responsibilities. Guides were prepared on how to use SAP in the procurement process during the SAP implementation and ongoing support is being provided to staff to help resolve issues and explain the process, which is well received and appreciated.
• Responsibility for procurement functions and related SAP access have been clearly defined.
• The SAP P2P functionality has automated the FAA Sections 32, 41, 34 and 33 approvals and has, therefore, improved the accuracy and timeliness of these approvals compared to pre-SAP manual processes.
• Actions have been taken to address observations found in the 2011-12 Audit of Contracting relating to retention and tracking of contracts, monitoring of procurement and contracting activities, and segregation of duties between FAA Section 41 and Section 34.

Conclusion

Generally, the audit found that there are adequate and effective controls in place to support the efficient and effective management of contracts, and to ensure that contracts are in compliance with the contracting regulations and guidelines from Treasury Board and AANDC. Opportunities for improvement were noted to strengthen management controls in the following areas: Procurement Review Committee, procurement planning, client service standards, training, tools and support, contract administration, SAP procurement-related access and additional procurement process improvements.

Recommendations

The audit identified areas where management control practices and processes could be improved, resulting in the following seven recommendations:

1. The Chief Financial Officer should:
   • Ensure the membership of the PRC includes the BC Procurement Hub;
   • Review the current oversight and approval process for the PRC and determine if the key reviews performed can be performed earlier in the process;
   • Ensure that documents for the PRC review and approval follow a risk-based approach, which could include Task Authorizations issued against AANDC or PWGSC awarded contracts. The description of the PRC in departmental procedure guides and the PRC Terms of Reference should be updated accordingly; and,
   • Ensure that the Procurement Hubs obtain and maintain PRC approvals on file, when required.
2. The Chief Financial Officer should continue to work towards improving the accuracy and usefulness of information submitted in procurement plans, including procurement actions for goods and services, and promote good planning by: reinforcing the importance of procurement plans to adequately align resources; to require that any additional contracting activity representing a material change to the procurement plan be accompanied by an explanation; and to identify potential efficiencies in a timely manner.
3. The Chief Financial Officer should reassess the client service standards to more accurately reflect actual demand, available resource capacity and affordability, and implement a method to accurately and efficiently measure performance of both Procurement Hubs.
4. The Chief Financial Officer should complete a needs assessment for end user training for SAP-enabled processes and use the results as input to the development of a SAP training strategy to support the Department's ongoing SAP training needs.
5. The Chief Financial Officer should:
   • Address administrative issues to ensure that FAA section 41 approval is performed prior to the contract start date;
   • Ensure the Security Requirements Checklist (SRCL) is completed prior to the start of the contract or clearly document and retain the decision documentation on file if the SRCL is not required; and,
   • Ensure corrective controls are in place to address instances where inappropriate FAA Section 34 approvals have been detected through the post payment verification process. Corrective controls can include targeted RCM training to clarify and reinforce FAA roles and responsibilities.
6. The Chief Financial Officer should review the processes for review and removal of SAP access from departed employees and employees who have changed positions within AANDC, to ensure that all access to SAP is removed in a timely manner. In addition, the CFO should determine whether there is a need for Health Canada's master users to access AANDC's data, and if so, define who is responsible for approving such access. Further, a process should be defined for ongoing monitoring of access to ensure Health Canada's access to AANDC's data is appropriately restricted, and that any approved Health Canada user access is exercised in line with management's intentions.
7. The Chief Financial Officer should assess the current SAP-enabled end-to-end procurement processes to identify potential process improvements and clarifications. This could include, but is not limited to:
   • clearly defining the process to activate Acting FAA Delegation of Authorities in SAP; and
   • identifying a process to ensure the attachments in the SAP repository for procurement are valid.

Management Response

Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them.

1.1 Background

Treasury Board's Contracting Policy states that "the objective of government procurement contracting is to acquire goods and services and to carry out construction in a manner that enhances access, competition and fairness and results in best value, or if appropriate, the optimal balance of overall benefits to the Crown and the Canadian People". It states that contracting is to be conducted in a manner that will:

• Stand the test of public scrutiny in matters of prudence, probity, facilitate access, encourage competition and reflect fairness in the spending of public funds;
• Ensure the pre-eminence of operational requirements;
• Support long-term industrial and regional development and other appropriate national objectives, including aboriginal economic development; and,
• Comply with the government's obligations under the North American Free Trade Agreement, the World Trade Organization – Agreement on Government Procurement and the Agreement on Internal Trade

Government goods and services contracting activities are governed by several policies, statutes and regulations, including the Department of Public Works and Government Services Act, the Financial Administration Act, the Contracting Policy, the Government Contracts Regulations Act, and the Code of Conduct for Procurement and the Values and Ethics Code for the Public Service.

The procurement and contracting function at AANDC is under the responsibility of the Chief Financial Officer (CFO) Sector. In 2012, the procurement function, along with accounting operations, within the Sector were realigned and centralized to achieve more consistency and efficiencies through centralization and to develop centres of expertise. The projected outcome of the centralization was the provision of consistent and timely advice, the standardization of business processes and coding, and improvement of compliance with policy and regulations. As a result of the centralization, procurement and contract processing were consolidated into two Procurement Hubs: one in British Columbia (BC Procurement Hub) serving the British Columbia, Alberta, Saskatchewan, Manitoba and Yukon regions; and, one in the National Capital Region (HQ Procurement Hub), serving the Headquarters, Ontario, Quebec, Northwest Territories, Atlantic and Nunavut regions. The HQ Procurement Hub has functional authority over the BC Procurement Hub (although BC Procurement Hub staff report directly through BC Regional Office). Any contracts identified as higher risk are transferred by the BC Procurement Hub to be processed by the HQ Procurement Hub.

AANDC has migrated from an Oracle based application, OASIS, to SAP effective April 1, 2014. AANDC's SAP implementation is a shared system hosted by Health Canada. The SAP system supports the planning, processing and reporting for finance and materiel management. Specifically it replaces the OASIS application and support budgets, commitments, procurement, accounts payable (A/P), accounts receivable (A/R), and the tracking of assets. Two of the key impacts to procurement as a result of this migration are changes to the supporting system and related process, and changes to the coding structure. The accountabilities of the procurement function remain unchanged. In addition to the migration to SAP, a new electronic SAP P2P functionality was introduced at AANDC on April 1, 2014 that allows for electronic signatures for FAA Section 32 (expenditure initiation and commitment of funds), Section 41 (contracting authority), Section 34 (authority to certify, before payment, contract performance and price, entitlement or eligibility for the payment) and Section 33 (authority to requisition payments). AANDC and Health Canada are the first GOC departments to implement P2P.

Within the Materiel and Assets Management Directorate (MAMD), the Procurement Services Section (PSS) is responsible for providing functional leadership, guidance, advice and services to Responsibility Centre Managers^{Footnote 2} (RCMs) with regards to procurement and contracting functions, in order for RCMs to obtain the necessary goods and services for their programs and/or functions. RCMs define their requirements for goods and services by providing required information and supporting documentation to the Business Management Unit (BMU) or Regional Corporate Services staff who are, in turn, responsible for creating purchase requisitions in SAP. Once created, the purchase requisition is routed through SAP P2P workflow for the RCM electronic approval under Section 32 of the FAA.

Procurement/Contracting Officers in the applicable Procurement Hub (HQ or BC) create a purchase order in SAP, or a contract agreement, where applicable, which is routed through SAP P2P workflow for the appropriate electronic approval under Section 41 of the FAA. Procurement/Contracting Officers then award the contract and issue the contract documents to the vendor. Where a competitive process is involved, the Procurement Hub interfaces with the bidders and manages the competitive process. In some instances, the contract and/or amendment also requires signature from the vendor to be effective.

In line with the contract, the vendor supplies goods and/or services to the RCM and issues invoices for these deliveries. The BMU in the Sectors or Corporate Services staff in the Regions (Regional Corporate Services) provide the date when the goods/services or invoice are received and the purchase order number on the invoice, then forward it to the Accounting Hub for scanning and entry into SAP. Once entered, the invoice is routed through SAP P2P workflow for the RCM electronic approval under Section 34 of the FAA.

Financial Officers in the Accounting Hub audit and verify the invoices against standard criteria, identify and select invoices for payment on their due dates, and provide approval under Section 33 of the FAA using SAP P2P workflow. Once approved, the payment requests are batched and sent to the Receiver General for issuance of the payment.

The most recent published report on the GOC Purchasing Activity in calendar year 2012 provides a snapshot of the number of contracts that were competitive and non-competitive within the GOC by department. AANDC established 4,163 contracts in that year, which is 1.1% of the total number of contracts established within the GOC (386,601). In terms of contract value, AANDC, with a total contract value of $256 million accounted for 1.7% of the total GOC contract value ($15 billion) ^{Footnote 3}.

2.1 Audit Objective

The objective of the audit was to provide assurance over the adequacy and effectiveness of the management controls supporting the processing of goods and services contracts, and that the goods and services are procured in a manner that is in compliance with Treasury Board and departmental policies and procedures and applicable laws and regulations.

2.2 Audit Scope

The scope of the audit included contracts (and any amendments) that were established and/or are active between April 1, 2014 and December 31, 2014. AANDC established 1,443 contracts with contract start dates between April 1, 2014 and December 31, 2014, for a total value of $288 million^{Footnote 4}. A breakdown by document types is presented below.

The rationale for choosing this period is to take into account the change in processes that occurred with the centralization of the procurement function in the fall of 2012 as well as the implementation of SAP and the integrated SAP P2P functionality in April 2014. Management action plans from the 2011-12 Audit of Contracting were also reviewed to ensure the risks identified in that audit are mitigated.

Audit fieldwork was conducted at the HQ Procurement Hub in the National Capital Region and at the BC Procurement Hub in Vancouver.

This audit scope also included the period when the Department migrated to SAP. In this regard, the audit scope included SAP automated controls related to procurement, which includes both application security controls and configuration controls. Application security controls ensure access to perform key functions is restricted to appropriate users to reduce the risk of invalid, inaccurate, and/or incomplete data (i.e. create/modify master data and transactions related to procurement). Application security controls also include segregation of duties between incompatible functions in SAP. Configuration controls reduce the risk of data being inappropriately added to the system as well as ensure the integrity of the data (for example, required fields, approval workflows, etc.).

The audit excluded contracts that were established under the Exceptional Contracting Limits Authority (ELCA) as those contracts were covered under the Audit of Exceptional Contracting Limits Authority performed in 2014-15.

The audit excluded contracting activity established by Indian Oil and Gas Canada (IOGC) given that IOGC is a Special Operating Agency with a separate procurement team and IOGC has been the subject of recent audit activity.

The use of acquisition cards as a procurement vehicle follows a different process from contracting and is typically intended for use for lower risk procurement activities. As such, acquisition cards have been excluded from the scope of this audit. As part of the strategy to direct some of the low value and low risk procurement activities to acquisition cards, AANDC has raised the per transaction limit of acquisition cards from $5,000 to $10,000. The use of acquisition cards may be examined in a separate audit at a future date.

The audit used a risk-based approach to examine a sample of contracts (50 total), selected from Regions and Sectors for the period April 1, 2014 to December 31, 2014.

5.1 Procurement Review Committee (PRC)

Oversight and governance practices should be in place to ensure compliance with financial management and procurement policies and authorities. The governance structure should include an optimal balance of knowledge and skill sets as well as specific knowledge of contracting and procurement policies.

The audit found that governance and oversight exists over contract activities to ensure adherence to contracting policy requirements through the use of the PRC, centralized Procurement Hubs and trained Contracting Officers. At AANDC, the PRC is used to ensure effective management and oversight of AANDC procurement activities, to demonstrate sound stewardship and risk management in the control of public funds administered through procurement, and to ensure that procurement is used effectively and efficiently in meeting program needs. The PRC is accountable to the Director General, Corporate Accounting and Materiel Management (CAMM) and to the CFO. The PRC meets on an "as required" basis, which is often weekly.

Based on a review of the PRC Terms of Reference, it was noted that some of the key responsibilities of the PRC include:

• Providing oversight of the procurement and contracting activities of the Department in a manner that reflects an appropriate balance between risk and control;
• Approving strategic sourcing initiatives for goods and services;
• Reviewing and approving procurement strategies for certain competitive and non-competitive contracting requirements for goods and services in accordance with thresholds established in the PRC Terms of Reference; and,
• Complying with all statutory, regulatory and policy requirements and the government's broader national, social and economic goals.

Permanent PRC voting members include the Director, MAMD, and the Manager and Team Leaders from the PSS at HQ.

During the audit, the audit team assessed the adequacy of the PRC as a governance mechanism for contracting and procurement activities and examined whether the role of the PRC is being carried out as intended. The audit found that there are established dollar thresholds for review and approval of contracting activities by the PRC.

The audit found, however, that the PRC does not currently have adequate visibility and oversight early in the contracting process (e.g. at the RFP stage) and does not review all types of contracting activities. Specifically, the PRC does not currently review TAs issued against AANDC or PWGSC awarded contracts.

The audit also found that PRC membership currently only includes MAMD management and staff from HQ. Although management intends to extend membership to include the BC Procurement Hub, at the time of the audit this has yet not occurred.

The audit found that the description of the PRC mandate and responsibilities in the 2012 Procurement and Contracting Desk Guide for Managers differs from the description for the PRC which appears in the 2014 PRC Terms of Reference (i.e. dollar thresholds for review and approval of contracting activities). Lastly, through testing, it was noted that for one Call-Up against a Standing Offer that should have been reviewed by the PRC as per the PRC Terms of Reference, there was no evidence that the PRC's approval had been sought.

Without adequate PRC membership, and review and approval authority of all types of contracting activities through a risk-based framework, there is an increased risk of terms and conditions of contracts not being consistent or aligned with relevant policies and regulations.

5.2 Procurement Planning

It is important that contracting needs be identified in a timely manner in order to manage long-term procurement and contracting activities. Sector and Regional procurement and contracting needs should be consolidated into a departmental procurement plan in order to be efficiently addressed and serviced by the Procurement Hubs.

Within AANDC, individual procurement plans are developed and updated as part of the annual departmental Integrated Business Planning process. Documentation is made available to employees to explain the steps and requirements of the various procurement options to help in planning, and to provide information on the various timelines and documents required to process contracting requests. Based on plans and priorities, RCMs prepare and draft a procurement plan (3-year plan which is updated annually) for their individual business unit which is rolled up by the BMUs and provided to each Sector ADM/SADM for review and approval. The individual procurement plans are consolidated by MAMD and reviewed by the Director, MAMD and the PRC. MAMD reviews contracting and procurement actions to determine procurement strategies and contracting timelines required to optimize the value for money and reduce the risk of gaps in contract establishment to meet operational needs. After analyzing procurement plans and determining and assigning annual work load to Contracting Officers, the Contracting Officers meet with RCMs to discuss their plans.

Although improving, the audit found that procurement plans submitted to the Procurement Hub do not yet provide sufficient, useful information for planning and anticipating Procurement Hub Contracting Officer workloads or procurement actions for good and services. In addition, there are no incentives to RCMs for submitting an accurate procurement plan, nor are there any consequences to RCMs if they do not make a reasonable attempt to accurately report planned contracting activity. Interviewees expressed that actual procurement activity can be very different from the initial plan, and although some activity is unplanned (e.g. emergencies etc.), poor planning by management is still considered a key contributing factor in some business units. Unlike other AANDC Service Hubs (e.g. Regional HR Service Centres) where all planned activity must be included in the annual plan otherwise justification is required to explain why it was missing from the plan, this is not the case with Procurement Hubs. Given that Procurement Hubs are required to interrupt planned contracting activity to service and support unplanned contracting requests, this makes achieving client service standards more difficult (refer to Section 5.3)

Without a practice to coordinate and consolidate procurement requirement information, there is an increased risk that RCMs will obtain similar goods and/or services without a concerted effort to identify potential efficiencies in procurement requirements, savings opportunities, or adhere to department approved standards and practices. In addition, without more accurate and predictable procurement planning information, there is an increased risk that Procurement Hub client service standards will not be attainable.

5.3 Client Service Standards

The goal of the PSS is to provide services on a timely basis; however, some procurement and contracting methods are more complex than others and require more involvement and time, both from PSS and RCMs. Accordingly, RCMs must plan to make their requests sufficiently in advance of the date that their goods or services are needed. It is important that service standards be established to set expectations for procurement processing times.

Estimated timelines that should be allowed for the processing of procurement and contracting transactions have been established based on the various contracting mechanisms used. The estimated timelines include the Department's expected standards for the time required by PWGSC for processing transactions (where involved) and are conditional upon PSS having received all required documentation to support the procurement activity. Performance against service standards is shared and reported periodically to the Operations Committee.

The audit found that for some procurement types, service standards are not being met, in particular for the HQ Procurement Hub, based on the most recent available published service performance report (April 2013 to March 2014). The performance for some procurement types are significantly below expectations, at around 20% or more below the targeted timely completion of 80% of contracts (e.g., for traditional competitive, open bidding, PWGSC Purchase Order (9200), and Call-ups against PWGSC Standing Offer. Many interviewees were not aware that service standards are reported. There is also currently no formal process to measure client satisfaction with the Procurement Hubs (e.g. client satisfaction survey).

Management reports that the measurement of client service standards was supposed to be performed in SAP but this functionality is not currently implemented. As such, the calculation of client service standard performance is performed manually, and in some cases, the results reported sometimes include steps of the process which are not intended to be reported in the standard, for example security clearance processing which is conducted by a third party. MAMD management expressed that it is time consuming to cleanse the client service data and as such, client service standard performance reported may not be 100% accurate. Client service standards are also not reported separately for the HQ and BC Procurement Hubs. Interviewees expressed that the BC Procurement Hub is likely meeting the existing client service standards.

Attaining service standards for the HQ Procurement Hub is recognized to be a challenge due to the current level of demand and available resource capacity. While the BC Procurement Hub is fully staffed, due to the CFO sector staffing freeze, the HQ Procurement Hub is understaffed by as much as 30-40% (as compared to the HR Plan) and multiple positions have remained vacant for extended periods of time. MAMD has begun investigating as to other possible causes, such as urgent requirements generating additional work and delaying other files, delays caused by additional security clearance requirements, etc. MAMD is currently revising client service standards to demonstrate expected service standards at various Procurement Hub resource capacity levels and intends to present their analysis to the Operations Committee for consideration and approval.

Without reasonable client service standards which reflect actual demand, resource capacity and affordability as well as a method to accurately and efficiently measure performance, there is an increased risk that the Department will not be able to assess and determine if efficiencies are being gained by the Procurement Hubs or identify areas where process modifications can be made to further improve performance.

5.4 Training, Tools, and Support

Given the introduction of Procurement Hubs in the Department and the migration to SAP, it is critical that employees are provided with the necessary tools and training to support their contract management responsibilities.

Within AANDC, employees with delegated contracting and financial authorities are required to take and pass a series of courses based on their position and level to obtain and/or maintain their delegation(s) of authorities. A formal training curriculum is also followed for Contracting Officers. Training sessions, presentations on the fundamentals of contracting, Q&As, and lessons learned sessions have been offered to educate employees on their contract management responsibilities. Policies, guides, procedure descriptions, and templates are also available to assist RCMs and BMUs in fulfilling their contracting process requirements. Guides were prepared on how to use SAP in the procurement process during the SAP implementation.

Training was made available to staff during the migration to SAP, but training offered has been reduced now that SAP is implemented. The training approach used by the Department was to 'train the trainer' for the regions, and the training was divided into technical sections and made very specific to the role/function being performed (e.g. BMU, RCM).

The audit found that interviewees have mixed responses on the adequacy of the training that was offered. Some BMUs interviewed considered the training to be reasonably adequate and targeted to their specific roles and responsibilities. These BMU staff reported to have received sufficient training and there are ongoing monthly conference calls among BMUs where new procurement and contracting issues can be discussed. Other BMUs interviewed, however, expressed that more training could be provided to both RCMs and BMUs to better explain the overall end-to-end contracting process and targeted training could also be offered to some RCMs to better explain the responsibilities and accountabilities of the RCM (e.g. further education on which contract type to use). Comments were received that the training that was provided was too "piecemeal" and only focused on the "how" but not the "why" in the contracting process. Interviewees expressed that the training offered on how to use SAP was disconnected from understanding the overall end-to-end contracting process. Training has not been as widely offered since the implementation of SAP and a needs assessment was suggested as something required to identify training gaps now that SAP has been in use for over a year in the Department. It was also expressed that consideration should be given to customizing training offerings to end user profiles (e.g. classification level, function, etc.).

Face-to-face interaction is considered the best method of training but it is a challenge to provide sufficient and adequate communication and training due to travel budget cuts. MAMD management has visited regional offices to better understand the challenges and the face-to-face meetings have been appreciated.

Without the specific and necessary training to support end users in their contract management responsibilities, there is an increased risk that the Department will not successfully achieve the desired efficiencies and SAP process improvement benefits, or will not be compliant with contracting policy and procedure requirements.

5.5 Contract Administration

The AANDC Procurement and Contracting Desk Guide for Managers is a reference guide which outlines a description of roles and responsibilities, the expected process to be followed, and the information required to be provided and retained. The Desk Guide requires that appropriate contract file documentation be retained for internal tracking purposes, to facilitate internal and external audits, and to conform to Treasury Board's Policy Framework for the Management of Assets and Acquired Services, which requires that supporting evidence be available to sustain the test of an audit. The audit found that guidelines and expected practices for the contracting of goods and services described in the Procurement and Contracting Desk Guide for Managers are consistent with TBS Contracting Policy.

Evidence of approval by a delegated authority must be retained to ensure compliance with the FAA and the Summary of Delegated Financial and Contracting Authority matrix. Delegated approval must be given in a timely manner to ensure that due diligence is performed prior to the start of a contract or procurement activity. The audit found the SAP P2P functionality has automated the FAA Sections 32, 41, 34 and 33 approvals and has, therefore, improved the accuracy and timeliness of these approvals compared to pre-SAP manual processes.

During the audit, a sample of contract files was selected to test for overall compliance with TBS Contracting Policy and AANDC policies, directives, guidance and operational procedures and to ensure evidence was available that clearly supported contracting and procurement activities throughout the contract life-cycle.

During the audit, a sample of 50 contract files were tested to ensure that evidence was available that clearly supported delegated approvals and to ensure all required documentation was properly retained. The audit found that an appropriate sourcing process was undertaken and documented as appropriate (e.g. justification for non-competitive contracts, systematic process used for competitive contracts). Generally, the audit testing concluded that evidence exists in the contract files to support and demonstrate compliance; however, testing noted minor exceptions in a small number of files in the following areas:

• FAA Section 41 was obtained shortly after the contract start date, reflecting administrative process delays;
• Security Requirement Check Lists (SRCLs) were not found on file nor was there documented evidence as to whether one was required; and,
• FAA Section 34 was signed off on invoices that were either for services rendered prior to the start of the contract or that did not have sufficient evidence on file to support the invoiced amount at the invoiced date.

There is an increased risk that without proper supporting documentation for reviews, decisions, approvals and monitoring in the contract file, the Department will be non-compliant with the Treasury Board Policy Framework for the Management of Assets and Acquired Services.

Without appropriate approval as per delegated authorities and AANDC's policy, there is an increased risk of non-compliance with the FAA and increased potential that contracting and procurement activities will not comply with AANDC's policy.

5.6 SAP Procurement–related Access

It is important that access to procurement-related SAP functionality is appropriately restricted. Application security controls ensure access to perform key functions is restricted to appropriate users to reduce the risk of invalid, inaccurate, and/or incomplete data (i.e. create/modify master data and transactions related to procurement). Application security controls also include segregation of duties between incompatible functions in SAP.

As described above, AANDC began using SAP on April 1, 2014. AANDC is on a shared SAP system that is hosted and supported by Health Canada. SAP support, including granting access and functional support, is provided by Health Canada.

Responsibility for procurement-related SAP functionality, including maintaining vendor master records, purchase requisitions, purchase orders and contracts, activation of specimen signature cards and invoice entry has been clearly defined by AANDC and in general, audit testing found that SAP access has been assigned in line with the defined responsibilities.

Audit testing found that some clean-up of access is required, as a small number of users with access to procurement-related functionality no longer required this access (i.e. departed employees or employees who have changed positions within AANDC). This included access to maintain purchase requisitions, maintain vendor master records, and enter invoices.

Audit testing also found that a number of Health Canada master users have access to procurement-related functionality for AANDC's production data. This included access to maintain purchase orders and contracts, and to activate specimen signature cards. Further, it was not clear what the process was or is for approving and monitoring Health Canada access to AANDC's data.

When access is not removed in a timely manner from employees who no longer require such access, or when access is assigned to support users without established procedures and ongoing monitoring, there is an increased risk of unauthorized transactions being entered or data being modified in SAP.

5.7 Additional Procurement Process Improvements

With SAP being implemented and in use at AANDC for over a year, it is expected that some process improvements be identified to optimize use of the system or to clarify new SAP-enabled processes. Two examples of this were noted during the course of the audit, as described below.

The audit found that a process is in place, supported by SAP P2P functionality, to allow for acting staff to obtain the appropriate FAA Delegation of Authority through the establishment of anticipatory specimen signature cards. While this established process has led to efficiency in assigning acting FAA Delegation of Authority, it was noted that there is currently no documented guidelines to describe the process and controls in place to activate an anticipatory specimen signature card, nor is there a listing of eligible AANDC employees that are permitted to authorize the activation of such specimen signature cards.

The audit found that SAP is configured to require mandatory attachments for a procurement request. For example, a completed Procurement and Contracting Checklist and SRCL is scanned and attached to a Purchase Requisition before the Purchase Requisition can be submitted in SAP. It was noted that the system cannot validate that the attached documentation is sufficient and appropriate to process the procurement request. Through observation, it was noted that there were instances where documentation attached to the procurement requisition in SAP was inappropriate, such as a blank document.

Without adequate and clear processes in place to support the use of the SAP system, there is an increased risk that the system is not used as intended, which can affect the efficiency of the process or the validity and accuracy of transactions processed within the system.