Internal Audit of Procurement

Audit Objective

The objective of this audit was to assess the adequacy and effectiveness of the management control framework for procurement at Invest in Canada (IIC) to ensure that:

• Contracts are processed in compliance with IIC’s procurement policy;
• Contracts stand the test of public scrutiny in matters of prudence and probity, facilitate access encourage competition and reflect fairness in the spending of public funds;
• Value for money is considered throughout the procurement process; and
• The management control framework that supports procurement activities is appropriate, complete and effective.

Audit Scope

The scope of the audit focused on IIC’s effectiveness in applying its procurement policy, specifically within the time period of May 28, 2019 (official approval of the Policy on Procurement by IIC’s Board) to March 31, 2021 (end of fiscal year 2020-21).

The audit sample focused on contracts over $10,000 and that are proactively disclosed on IIC’s website. 

Statement of Assurance

This audit engagement was conducted according to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Audit. 

The internal audit will also address the requirements of the Government’s Federal Accountability Act.

In our professional judgment, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusion provided and contained in this report. The conclusion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The conclusion is applicable only to the entities examined and within the scope described herein.

Audit Activities

As part of the audit, BDO conducted analysis through the following activities:

• Reviewed documentation including, but not limited to: the listing of disclosed contracts over $10,000 for fiscal year April 1, 2019 to March 31, 2020 and fiscal year April 1, 2020 to March 31, 2021; Specimen Cards for IIC Chiefs; Business Unit Plan 2019-20; 2020-21 Business Plan Presentation to Audit Committee; IIC Enterprise Risk Profiles; IIC – Procurement 101; Organizational Chart; Duties and Responsibilities – Procurement Team; IIC Policy on Procurement; Delegation of Spending & Financial Authorities Instrument; Method of Supply; Procurement Process Maps; 2021 – Procure to Pay – RACI; and IIC Contract Professional Services Template;
• Conducted interviews with the Chief Administrative Officer (CAO) and Interim Chief Executive Officer (CEO), Director of Finance, Procurement Officer, Director of Branding, Manager of Information Technology;
• Performed testing to assess process compliance, effectiveness and efficiency of the selected sample of vendor contracts with IIC’s Policy on Procurement;
• Conducted a walkthrough of IIC SharePoint and Salesforce tool to assess if procurement information is well documented and stored in a timely manner as well as the accuracy and completeness of the procurement information;
• Reviewed a sample of contracts to determine if provisions are present within the contracts to ensure that the quality of services can be monitored and that value for money is being obtained; and
• Conducted a comparative analysis between the Canadian Museum of Nature, Canada Council for the Arts, Treasury Board Secretariat Policy, and IIC.

Audit Conclusion

IIC’s procurement policy and procedures are relatively new, only having been implemented in fiscal year 2019-20. As such, the level of maturity of these processes and practices within the organization are appropriate and effective to support its procurement activities with some opportunities for enhancement identified as part of the audit.

IIC’s governance, roles and responsibilities related to procurement are clearly defined, documented and appear to be understood by employees throughout the organization. IIC’s Policy on Procurement documents the roles and responsibilities of key individuals related to the procurement process and delegated financial and signing authorities for the organization are also defined based on expenditure category. Further, a responsibility assignment matrix (i.e. RACI matrix) is in place for the procurement process.

The design of the IIC’s policies and procurement procedures is adequate and aligned to industry practices. Process maps are available to IIC employees that document the flow of IIC’s procurement process from the initial request for procurement to the finalization and completion of the official contract. Further, it was noted that IIC has developed a template for all contracts related to professional services which includes sections that allow IIC to hold Contractors responsible for the work highlighted in the contract. However, there is limited training and guidance materials, such as standardized requirement checklists, provided to employees in support of their awareness and understanding of procurement activities.

Risk management is established and appropriate for IIC’s current needs although opportunities exist to implement a conflict of interest validation procedure for IIC employees as part of the procurement process. Despite this, there are other mechanisms in place to mitigate conflict of interests, such as the Confidentiality/Non-Disclosure Agreement and the mandatory annual conflict of interest training for all IIC employees. IIC also leverages third-party service providers for the procurement of goods and services which adds a layer of control to reduce the overall procurement risk at IIC.

To increase transparency of IIC’s procurement activities, IIC proactively discloses procurements over $10,000.00 on IIC’s website. It was noted that if the same supplier is leveraged for various contracts, IIC ensures that there is sufficient supporting documentation readily available.

Finally, the tools and systems in place to manage IIC’s procurement information is sufficient for its current needs and maturity. IIC currently manages its procurement information in two systems/tools: SharePoint and Salesforce, which have limited integration between each other and other organizational systems, ultimately limiting the efficiency and consistency of information management related to procurement.

Recommendations and Management Responses

General

As outlined in the Invest in Canada Act (IICA), for the purpose of supporting economic prosperity and stimulating innovation in Canada, IIC’s mandate is to:

• Promote foreign direct investment in Canada and attract and facilitate that investment; and
• Coordinate the efforts of the government, the private sector and other stakeholders with respect to foreign direct investment in Canada.

IIC is expected to position Canada as a top destination for global investment and promote its economic brand through various initiatives, including participating in and producing signature events. In carrying out its mandate, key functions of IIC are to:

• Develop and implement a national strategy to attract foreign direct investment to Canada;
• Create and maintain partnerships with departments, boards or agencies of any government in Canada, the private sector in Canada or any other Canadian stakeholder with an interest in foreign direct investment to optimize the benefits of any programs, resources and services that are offered with respect to foreign direct investment;
• Plan, direct, manage and implement activities, events, conferences and programs to promote Canada as an investment destination;
• Collect, prepare and disseminate information to support the decisions of foreign investors with respect to foreign direct investment in Canada; and
• Provide services in a coordinated manner to foreign investors with respect to their actual or potential investments in Canada.

As established in its enabling legislation, IIC has its own authority over the procurement of goods and services outside of the federal public administration. In May 2019, IIC developed its Policy on Procurement which was approved by the Board of Directors and was presented to Treasury Board in January 2020 along with its request for ongoing funding. As a condition of the funding approval, IIC is required to submit an internal audit of its procurement activities.

Concurrently, in 2019-20, IIC developed an Enterprise Risk Management (ERM) framework to identify organizational risks and subsequently presented the ERM to its Board of Directors in February 2020. As a response to the ERM, IIC developed a Risk-based Internal Audit Plan (RBAP) with the aim of mitigating organizational risks over time. As indicated in the RBAP, 2021-22’s internal audit focus is on IIC’s Policy on Procurement.

Overview of Procurement at IIC

As part of its enabling legislation, the IICA was implemented to provide IIC with the authority to develop its own procurement policy to enable the efficient and effective procurement of goods and services to ultimately support corporate requirements. It is important to note that although IIC has its own contracting authority, IIC has access to Public Service and Procurement Canada’s (PSPC) procurement tools and processes for Supply Arrangements/Standing Offers.

As per the IICA, IIC is not subject to Section 9 of the Public Works and Government Services Act and as such may procure goods and services from outside the federal public administration. However, as an agent of the Crown, IIC must exercise prudence, probity and transparency such that all procurement is conducted in a manner that stands the test of public scrutiny in matters of judgement and honesty; facilitates access; encourages competition; and, reflects fairness in the spending of public funds.

IIC’s Policy on Procurement states that goods and services must be acquired in a manner that enhances competition, access, and fairness, and is in accordance with applicable legislation and the Canadian Free Trade Agreement (CFTA). IIC’s obligation under the CFTA include the requirement to:

• Compete procurements for services that are over $100,00 (which also applies to contract amendments);
• Compete procurements for goods that are over $25,000 (which also applies to contract amendments); and
• Leverage the electronic tendering service and go out to the market for procurements with values that fall outside of the aforementioned thresholds.

The objective of IIC’s Policy on Procurement is to:

• Establish the authority and clarify accountabilities for the procurement of goods and services; and
• Provide clear guidance to IIC staff regarding the procurement of goods and services.

The Finance Team within the Corporate Services Group (CSG) is responsible for overseeing and administering the procurement function at IIC. The Finance Team is led by the Director of Finance and the procurement role is supported by one Procurement Officer. To alleviate internal capacity constraints for IIC, IIC’s Finance Team has an agreement with an external vendor to support procurements that go through the competitive process.

There are several levels of authorities related to the procurement function at IIC. The Delegated Managers (Chiefs) are responsible for reviewing all procurement requests submitted by employees within their groups, regardless of value. The Chiefs are required to provide their approvals within the Salesforce system. For procurement requests that are less than or equivalent to $100,000 (including taxes), approvals from the respective Chief and the Procurement Officer are required to develop an agreement. Procurement requests that are over $100,000 (including taxes) also require approvals from the respective Chief and Procurement Officer. However, these procurement requests are required to be formally competed. To amend existing agreements, employees are also expected to submit their requests through the Salesforce tool for Chief and Procurement Officer approvals. The typical timelines for procurement requests to be completed are as follows:

• One week for procurements under $100,000
• Two to three months for procurements that require the use of the PSPC vehicles;
• Four months for procurements that must be competed.

Finding 1: Governance, Roles and Responsibilities

IIC’s governance, roles and responsibilities related to procurement are clearly defined, documented and appear to be understood by employees throughout the organization.

IIC has documented roles, responsibilities and expectations of IIC employees related to the procurement process. The primary responsibilities for the Procurement Officer, the Director of Finance, and third-party consultants who provide support for IIC’s competitive process are clearly defined, documented and appear to be well understood throughout the organization.

Further, IIC’s Policy on Procurement identifies the authorities and responsibilities of IIC’s Board of Directors, Chief Executive Officer (CEO), Chief Administrative Officer (CAO), Chiefs, Corporate Services Division, Legal Services, Procurement Officer, and all IIC employees in conducting procurement activities. All IIC employees are responsible for following the Policy on Procurement and this appears to be understood throughout the organization, as it was noted during interviews with staff that IIC employees are aware of who should be engaged for upcoming procurement needs and sign offs.

IIC has documented the delegated financial and signing authorities for the organization, which assigns varying authorities (i.e. full authority, restricted authority based on thresholds, or no authority) to the CEO, COO, Chiefs, Deputy Chief Financial Officer (DCFO), and Director of Human Resources depending on the expenditure category. The delegation instrument also notes that all contracts must be drafted and approved by the Procurement Officer prior to execution. To support the delegation instrument, IIC has developed supporting notes which provides further details and clarification regarding financial signing authorities. Additionally, it is noted that any individuals that has been delegated financial signing authorities can only exercise such authorities upon completion of training as established by IIC.

IIC has also developed a RACI matrix to demonstrate those who are responsible, accountable, consulted, and informed throughout the procurement process. The roles for the Procurement Officer, IIC Employees, IIC Chiefs, Senior Management, DCFO, and Finance Team are clearly documented for procurements over $10,000 and under $100,000, procurements over $100,000, and amendments to existing contracts, respectively.

Finding 2: Policies and Procurement Processes

IIC’s procurement policies and procedures are appropriately designed, adequate and aligned to industry practices. However, there could be increased training and guidance materials provided to employees to enhance their awareness and understanding of procurement activities and requirements.

As part of its enabling legislation, IIC was provided with the authority to develop its own procurement policy and is not subject to Section 9 of the Public Works and Government Services Act. In May 2019, IIC established its Policy on Procurement which includes the objective, scope, requirements and authorities for procurement activities within IIC. Further, IIC is recognized as a departmental corporation and as such, is required to comply with the Treasury Board’s regulations and policies related to financial management. However, IIC is provided exemption from the Treasury Board’s regulations and policies related to “contracts, communications, travel, hospitality, conferences, events, and other general administrative policies.” Processes and controls have been established and documented within IIC’s delegation financial signing authorities instrument to ensure that appropriate financial management is nonetheless carried out, such as IIC’s Procurement Officer having responsibility for drafting and authorizing all contracts prior to execution of section 32 by the delegated authority.

Process maps have also been developed to document IIC’s procurement process throughout its lifecycle, from the initial request for procurement to the finalization and completion of the official contract. In addition, there is documentation that demonstrates the updated procurement process map which includes the use of the newly implemented tool, Salesforce. Some templates for key documents within the procurement process have been developed in order to support consistency within the organization.

As part of the procurement policy, it is the responsibility of the CAO for ensuring that staff is informed and obtain adequate training where appropriate. The Corporate Services Division is responsible for providing training on the procurement policies and processes. As such, it would be expected that periodic training is provided and guidance material be made available to staff with procurement responsibilities and authorities. Although training is provided to employees with delegated financial signing authorities, there is limited training provided to all employees to support their awareness and understanding of the procurement policy and process within IIC. As IIC has a high reliance on external support and expertise, it is valuable to develop a broader awareness of procurement policies, procedures and requirements amongst employees. Additionally, although the process maps exist to support awareness of steps within the procurement process, there is limited training and guidance provided to employees beyond this.

Further, there are no standardized requirement checklist that outline the requirements and supporting documentation that should be created and stored in the SharePoint folders or uploaded by requestors as part of the procurement case on Salesforce for each contract. Such practices would support further maturity and enhancement of the procurement process.

As part of the audit, a sample of twenty (20) contracts were reviewed from fiscal years 2019-20 and 2020-21were reviewed (representing 10% of contracts during this time period) over $10,000 which are required to be proactively disclosed on IIC’s website. The sample of the contracts included procurements for various goods and services such as advertising services, acquisition of computer equipment, information technology specialist services, public relations services, and research contracts. As part of this, the audit identified that documentation provided for open tendering competitive processes were more standardized and consistent than smaller or lower value procurements executed through other procurement mechanisms. However, overall, there was a lack of documentation regarding the initial request for procurement, the respective approval to initiate the procurement, as well as the formal justification of the procurement mechanism. It is to be noted that with the recent implementation of the Salesforce tool, these types of details are recorded for each procurement case. Requests and approvals are completed directly within the Salesforce tool. However, corresponding screenshots of these procurement activities in Salesforce are not stored in SharePoint.

Procurement Best Practices

As part of the audit, IIC’s Policy on Procurement was compared against the procurement policies of the Canadian Museum of Nature (CMN), Treasury Board of Canada Secretariat (TBS), and Canada Council for the Arts (CCA).

The audit found that overall, the design of IIC’s procurement policy is well aligned with industry practices. Key elements related to thresholds, low value purchase, bidding and selection process were all included and adequately designed to suit the needs of the organization.

Quality of Services

The audit reviewed the sample of twenty (20) contracts to determine if provisions are present within the contracts to ensure that the quality of services can be monitored (e.g. required contractor compliance reporting and service level agreements) and that the value for money is being obtained (e.g. required contractor performance reporting, performance incentives or penalties). It was identified that IIC has developed a template for all contracts related to services procurement by the organization. The Contract for Professional Services Template dated June 2020 highlights Article 14 (Work). Article 14 describes the approval process in which IIC’s approval of any part of the work outlined in the Contract will not relieve the Contractor of its responsibility to meet all Contract requirements. Additionally, it was identified that all work provided by the Contractor is subject to IIC’s inspection and acceptance. IIC has the right to reject any work that is not in accordance with the requirements of the contract and will require correction or replacement at the expense of the Contractor. This is an important feature of the policy because it allows IIC to hold Contractors responsible for providing quality goods and services aligned with the contract requirements, as well as mechanisms to assess and reject quality and performance where required.

In addition, the IIC Contract for Professional Services Template also includes sections on:

• Excusable Delay (Article 1): Excusable delay is the delay in the performance of the Contractor of any obligation under the Contract that is caused by an event that is beyond the reasonable control of the Contractor; could not reasonably have been foreseen; could not reasonably have been prevented by means reasonably available to the Contractor; and occurred without the fault or neglect of the Contractor. This Article also identifies the measures that must be taken by the Contractor in situations of excusable delays.
• Suspension of Work (Article 2): Suspension of Work allows IIC to suspend the work of the Contractor at any time for up to 180 calendar days.
• Default by the Contractor (Article 3): Default by the Contractor allows IIC to terminate part of or the entire contract by default if the Contractor is in default in carrying out any of its obligations under the Contract. Additionally, it allows IIC to immediately terminate for default if the Contractor becomes bankrupt or insolvent, makes an assignment for the benefit of creditors, or takes the benefit of any statute relating to bankrupt or insolvent debtors, or if a receiver is appointed under a debt instrument or a receiving order is made against the Contractor, or an order is made or a resolution passed for the winding down of the Contractor.
• Termination for Convenience (Article 4): This Article states that any time before the completion of work, IIC may terminate the contract or part of the contract for convenience.

Finding 3: Risk Management

Risk management related to procurement is established and appropriate for IIC’s current needs. Although there is a high-level conflict of interest training as well as a conflict of interest declaration for competitively tendered procurement process, further opportunities exist to implement a conflict of interest validation procedure for IIC employees as part of all procurement processes.

Conflict of Interest

All IIC employees are required to complete an annual Values and Ethics Foundations for Employees training, which includes a section dedicated to conflict of interest. Additionally, as part of the evaluation process for competitive processes, all evaluators are required to review the Confidentiality and Instructions to Evaluation Team Members on Bid Handling and sign the Confidentiality/Non-Disclosure Agreement.

Within IIC’s contract template for professional services, Article 22 includes standard conflict of interest provisions. The provisions demonstrate IIC’s mitigation measures in its contracts with suppliers including the ability of the Contracting Authority to terminate the contract is a conflict of interest is identified. As part of the audit, zero instances of potential conflict of interest were observed from the sample of twenty (20) contracts. However, based on audit procedures it was noted that there is no documented process or requirement to identify potential conflicts of interest between IIC employees and potential suppliers at the time a procurement is initiated. This lack of internal verification as part of the procurement process can pose a reputational risk to IIC, which may lead to the potential loss of ability of leverage the existing procurement flexibilities, thus impacting IIC’s ability to deliver on its overall organizational mandate. Additionally, IIC should consider implementing an annual conflict of interest disclosure process for all IIC employees as part of the annual Values and Ethics Foundations training in order to identify any potential conflicts of interest in a proactive manner and ensure that appropriate controls are in place to mitigate any disclosed conflicts.

Third-Party Procurement Service Providers

IIC leverages several third-party service providers for the procurement of goods and services. For instance, Shared Services Canada’s existing procurement process is leveraged for IIC’s IT related goods and services procurement needs. The Procurement Law Office was also identified as a third-party service provider that provides guidance and supports the execution of complex competitive processes for IIC. Additionally, for open tendering competitive processes, IIC is able to leverage Public Services and Procurement Canada’s supply arrangements or standing offers as procurement mechanisms. The audit noted that leveraging these third-party procurement service providers is a method of control to reduce overall procurement risk at IIC related to conflict of interest and reputation impacts.

Contract Splitting

As per IIC’s Policy on Procurement, procurements over the $10,000 are disclosed on IIC’s website, regardless of procurement mechanism, to provide visibility for the public into the types of procurements IIC is conducting. This also contains details of the contract such as contract name, procurement value, term, description, reference number, and amendment details. It was identified that if the same supplier is leveraged for various contracts, IIC ensures that there is sufficient supporting documentation readily available (i.e. internal communication and different quotes received) to provide justification for the award of work to the same supplier. The audit reviewed a sample of twenty (20) contracts in order to assess the population of contracts and amendments based on the sample selected to ensure that there have been no instances of contract splitting. This included an assessment of contract characteristics (e.g. timing, value, purpose) and changes made to contracts through amendments. As part of the audit, no instances of contract splitting were identified.

Finding 4: Procurement Information Management

The tools and systems in place to support the management of IIC’s procurement information are sufficient for the organization’s current needs and maturity. In order to optimize procurement information management, opportunities exist for further system integration and/or streamlining information management of procurements into one system.

SharePoint

SharePoint was implemented in April 2019 to support the management of IIC’s procurement related data. Access to the Procurement SharePoint folders is limited to individuals who have been provided specific access. These individuals include the Procurement Officer, Finance Clerk, Finance Officer, and the Director of Finance. For each procurement, default folders are created in SharePoint based on the procurement type (i.e. competitive process and non-competitive process). The folder structure identified in SharePoint for competitive processes includes the following folders: contract; emails; RFP; sample RFPs; and a zip file containing additional files related to the competitive process. For the non-competitive process, the folder structure includes the following folders: additional documents; communication; contract; emails; RFP; and security validation. However, it is unclear as to whether these default folders are being consistently created and populated for each procurement request.

Additionally, it was noted that files are required to be manually uploaded into the respective SharePoint folders by the Procurement Officer to ensure that documents are appropriately stored and readily available for the employees with access to the SharePoint, which is not efficient on an ongoing basis. Upon the finalization of contracts (i.e. once the contracts have been signed), the financial details of the procurement are then inputted into IIC’s financial system, the GX system. However, it was noted as part of the audit that documents are not able to be uploaded into the GX system. This results in two systems/tools being relied on to manage procurement information and may potentially lead to inefficiencies in the procurement process or errors if the information is inconsistent between the two systems.

Salesforce

Salesforce was integrated as part of IIC’s procurement function in July 2021. Salesforce serves as a tool to formally request and track the details of the front-end process for the procurement of goods and services. Due to its recent implementation, the integration of Salesforce as part of the procurement process and among existing systems is not yet mature.

When a procurement request is initiated, “procurement cases” are created through Salesforce by requestors who have access to the system. Within IIC, this access is limited to Managers and Executive Assistants. The requestors are expected to input the details of the procurement requests in the Salesforce tool, which include: preferred supplier; amount of the contract; description of the requirements/services to be provided; financial coding; approvals required; and background documentation that provide information as to the what the procurement is related to. There is no limit for the number of documentations that can be uploaded per procurement case on Salesforce and can be uploaded at any time. Upon submission, the procurement case goes through various levels of approvals within the tool until it reaches the Procurement Officer for their review and approval. Once the final approvals are provided in the Salesforce tool, SharePoint folders are created to store the purchase orders and the commitment letter from the GX system is also uploaded into the SharePoint folder. Salesforce provides the ability to track procurement cases by date, allowing the Procurement Officer to take a forward-looking approach and determine which contracts are nearing the end one month prior to their end date and reach out to Contract Authorities to determine next steps.

IIC employees can only review procurement cases within their respective groups. For example, a request submitted by an employee within the Information Technology (IT) team can only be viewed by IT team members and the Chief. By limiting the access to the procurement cases by groups, this serves as a control in reducing the risk of sensitive information being shared with non-key individuals.

Additionally, the Salesforce tool has not been integrated with SharePoint. When there is a need to upload files from Salesforce into SharePoint, it requires manual effort from the Procurement Officer to ensure that the files are uploaded in both tools.

COVID-19 Impacts

Prior to the COVID-19 pandemic, many of IIC’s procurement related documents were maintained as paper copies and physically stored in the office. IIC relied on a service provider which supported the migration of paper files to digital files. Although the files were noted as having been scanned for digital storage, there was no organization of the files internally at IIC. Further, there have been efforts made by IIC to digitize newly issued contracts although the audit found that not all files have been digitized and remain as physical copies.