Common menu bar links
Breadcrumb Trail
ARCHIVED - Horizontal Internal Audit of Large Departments and Agencies: Contracting Information Systems and Monitoring
This page has been archived.
Archived Content
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Detailed Findings and Recommendations
Finding 1: Reliable Information
Information, for the most part, is adequately captured and reliable systems and processes are in place to help ensure data is accurate. More work is required by the LDAs to specifically identify and document risks and key controls related to data accuracy.
Reliable information is necessary to support sound planning, decision-making and reporting. By implementing appropriate controls over data accuracy and completeness, and ensuring such controls are documented, applied and tested, management can derive further assurance of the reliability of the information received.
The audit team examined the key controls supporting data accuracy and completeness, including the establishment of formal contracting processes, the documentation of risks and key controls, and the application of automated controls related to contracting information systems. The audit team observed that contracting processes have been documented for the majority of the LDAs while the remainder have informal procedures documented for certain portions of the process.
The majority of the LDAs examined have various processes in place to assess and mitigate risks related to data accuracy. These processes range from the establishment of a joint committee between IT and Finance to identify and control data risks at a strategic level to the identification of data weaknesses at the operational level. A number of LDAs reviewed, on a sample basis, transactional data and reconciliations to identify potential inaccuracies. None of the LDAs specifically identified nor documented risks and key controls directly related to their contracting processes. As a result, while the processes to assess and mitigate data accuracy risks may help identify some issues and improvement opportunities, identifying and documenting significant risks and key controls would enhance the ability of management to ensure that appropriate controls are in place and that they are functioning as intended. Also, the audit found that roles and responsibilities for data integrity related to contracting activities have not generally been formally assigned.
The vast majority of the LDAs examined have contracting systems that employ the use of automated controls to reduce the risk of inaccurate data input. As well, several other good practices have been observed including: the documentation of contracting processes and practices in flowchart format which includes the identification of control activities and key decision points; the use of on-line contracting and procurement tools; as well as the use of system exception reports to identify inconsistent information between systems.
Recommendations:
1. LDAs should formally document their contracting processes, with specific identification of key controls related to data integrity. Once documented, monitoring and testing should be performed to ensure controls continue to be appropriate and that they are effective.
2. LDAs should establish and document roles and responsibilities with respect to the capturing, processing, monitoring and testing of contracting data.
Finding 2: Relevant Information Requirements
All LDAs have identified information required to meet ad hoc requirements related to contracting activities; the vast majority of the LDAs have not identified contracting information needs to support decision making and risk management at the entity level.
In order to ensure that relevant information is available to meet the needs of managers for monitoring and reporting on contracting activities, the audit team expected that information needs would be identified. In order to identify information needs, we expected to find that LDAs would have considered the goals and objectives of the function, as well as the reporting and monitoring requirements.
The audit team found that, other than Central Agency reporting requirements for quarterly disclosure and year-end reporting, and ad hoc report requests focusing at the transactional level, information requirements have not been formally identified. Some LDAs have identified a list of planned or “wish list” information needs on an ad hoc manner. Very few of the LDAs have identified or defined the contracting information required to support risk management and decision making related to contracting activities. For those who have, the focus was at the transactional level.
Contracting information to support risk management and decision making at the entity level could include the following:
- contracting data and trends to understand the types of services being outsourced;
- extent and use of standing offers;
- instances of not using a standing offer where such a vehicle should have been used;
- proportion of sole sourced contracts under $25K;
- amendment analysis by vendor;
- contracting in excess of $25K that was sole sourced; and
- number of contracts and value of contracting over a period of time by vendor.
It is essential that management in federal departments and agencies have the right contracting information on a timely basis. This information will support their monitoring practices, oversight activities, day-to-day and long term planning decisions. It will also enhance their ability to support their risk mitigation strategies with respect to the contracting function.
Recommendation:
3. LDAs should establish a formal process to define information requirements related to contracting to support decision-making and risk management processes. Key data requirements should be identified and the continued relevance of information requirements should be reviewed on a regular basis.
Finding 3: Monitoring
The audit observed that the LDAs assessed do not have a formal risk-based approach to monitor contracting risks at the entity level. Contract monitoring exists only at the transactional, project and/or branch level.
The TB Policy on Active Monitoring requires that departments establish a capacity to actively monitor, on an ongoing basis, management practices and controls by developing and maintaining an ability to detect and communicate within the organization, as early as possible, significant risks, potential and actual control failures, and other significant management vulnerabilities. The audit team expected to find appropriate mechanisms for monitoring contracting risks at all levels, including the risks of compliance with applicable policies and regulations.
The audit team observed that the majority of the LDAs have implemented some form of monitoring mechanisms to assess compliance with contracting policies and regulations at the transactional level. These monitoring mechanisms include senior management meetings and various oversight committees that meet weekly and/or monthly. These mechanisms generally include monitoring of individual contracts, specific procurement vehicles used, contracting spend status, and potential non-compliance issues.
In general, monitoring requirements related to contracting risks are informally identified and documented and/or considered through the transactional and procedural activities that are performed. Further, key compliance risks are monitored more on a detective basis and this monitoring tends to be more financially focused. For instance, monitoring of compliance risks includes post-payment verification activities and/or invoice-based monitoring to identify billing discrepancies and trends. The audit team expected that LDAs would have a formal, documented process in place to identify, assess, and update key contracting risks at all levels within the organization. Such an approach could provide a departmental perspective of the risks related to contracting activities. For instance, contracting trends analysis within a department could provide information about potential risks surrounding contract splitting and employer/employee relationships. The audit team found that LDAs audited do not have a formal risk-based approach for contract monitoring.
Furthermore, the audit considered how LDAs are incorporating compliance with the Policy on Green Procurement in contract monitoring activities. While many LDAs have identified Green Procurement as a consideration in their contracting process, monitoring with respect to the compliance with the Green Procurement policy was observed in only one LDA.
It should be noted that some of the LDAs are in the process of developing monitoring indicators and performance measures at the entity level in support a risk-based monitoring approach. A risk-based approach to monitor contracting activities at the entity level can help organisations identify and manage risks in a more effective and efficient manner. Such an approach increases the organization’s ability to evaluate overall contracting performance, analyze trends, and amalgamate contracts across the departments. This may result in achieving opportunities for cost savings, as well as reducing contracting risks such as contract splitting, sole source challenges, and make/buy decisions.
Recommendation:
4. In addition to the transactional, project, and/or contract level monitoring that is performed, LDAs should develop monitoring mechanisms that address contracting risks and compliance requirements at the entity level. Specifically, LDAs should identify, document, and assess their key contracting risks and determine the nature and extent of compliance and risk monitoring that is required. This process and related results should be documented. The effectiveness of the monitoring performed should be evaluated periodically and updates to information requirements identified and implemented.
Finding 4: Reporting
The audit noted that reporting was generally ad hoc and transactional in nature. Departmental reporting requirements were not defined.
Effective reporting enables timely and effective action to assess performance, address trends and deficiencies in management practices and controls and enable better communication to effect change. The expectation was that departments had established effective reporting systems, including standard contract reporting generated regularly and in a timely manner focussing at the departmental, operational and transactional level.
The audit team observed that other than Central Agency reporting requirements for quarterly disclosure and year-end reporting, there were little or no other systematic reporting generated to provide information for management decision making and contract related risk management at the entity level. The majority of the LDAs produce contracting reports at the transactional level or branch level and related compliance with the Financial Administration Act. Reports are periodic, ad hoc and reactive in nature. Further, none of the LDAs have implemented a formalized process to assess the continued relevance of the contract reporting that was being completed.
It was also noted that contract reporting generally requires significant manual intervention. Few LDAs generate reports directly from their Enterprise Resource Planning (ERP) system. The process typically begins with a data extract from the ERP system followed by use of a spreadsheet to manipulate and present the information requested. In the majority of LDAs, there is a general belief that the systems are in place to meet some reporting requirements; however, the full capability of the systems is not fully exploited.
The absence of appropriate and timely financial and non-financial reporting related to contracting activities does not support an effective governance structure that is required to ensure that management identify, analyze and act on trends and issues.
Recommendation:
5. LDAs should define reporting requirements related to contracting activities. Reporting requirements should be defined taking into account the need for timely and effective action to assess performance, address risks, trends and deficiencies in contracting practices and controls, and enable better communication to effect change.