Issue notes: Standing Committee on Public Accounts—Report 1, ArriveCAN (May 14, 2024)

Excerpt from CBSA Code of Conduct on Conflict of Interest

Refer to the CBSA Code of Conduct: Chapter 2 - Conflict of Interest

Steps taken to revalidate Conflict of Interest declarations

The CBSA is taking steps to re-validate the Conflict of Interest declarations of its employees and further strengthen controls to ensure any dual employment arrangements do not generate a conflict of interest.

The CBSA is working to implement a process through which all employees will re-validate their Conflict of Interest attestation forms in fiscal year 2024 to 2025. A recurring process will then be put in place through which the accuracy of the information in every employee's Conflict of Interest form will be re-validating annually
With respect to procurement practices specifically, the CBSA is implementing a process through which all employees involved in procurement activities - whether that be as the Technical Authority, a bid evaluator, or any other associated role – will be required to certify that they do not have any conflicts of interest related to every procurement to which they are involved
Externally, a process is being put in place that will require that all vendors with active IT services contracts certify that none of the resources that they provide to the CBSA are active public servants

CBSA Assessment and Revenue Management (CARM) Project

Timeline

October 2007: OAG report identifying issues with CBSA revenue collection system
March 2010: $371 million allocated to develop CARM
January 2015: Contract awarded, competitively, to Deloitte for CARM Phase 1
January 2016: CARM Phase 1 (ARL) released
February 2018: Contract awarded, competitively, to Deloitte for CARM Phase 2
January 2021: CARM Phase 2 R0 deployed
May 2021: CARM Phase 2 R1 deployed
June 2022: Legislative amendments for CARM Phase 2 R2 receive royal assent via 2022 BIA
November 2022: Proposed regulatory amendments for CARM Phase 2 R2 published in CG1
October 2023: OAG report identifying need to replace aging IT systems
March 2024: Proposed regulatory amendments for CARM Phase 2 R2 published in CG2
May 2024: CARM Phase 2 R2 deployed for internal CBSA use

Costs

Project Approval/Expenditure Authority to develop the CARM (April 2010 to May 2024): $526.8 million
Expenditures to develop CARM (April 2010 to December 2023): $438.4 million
- Professional and Special Services: $271.6 million
- Deloitte: $226.2 million
Authority for maintenance for CARM (April 2015 to March 2024): $179.5 million
Expenditures for maintenance for CARM (April 2015 to December 2023): $118.4 million

Contracts

Since April 2010, 114 contracts have been entered into specifically for the development of CARM
Deloitte is the primary contractor for the development of CARM, accounting for 83% of professional and special services development expenditures

R2 Delays

April 2021 to May 2022: Cascade effect from R0 delays; necessity to align w/ CRA deployment windows
May 2022 to October 2023: Legislative amendments not ready, insufficient onboarding
October 2023 to May 2024: Industry concerns around busiest season, insufficient onboarding
May 2024 to October 2024: Labour Disruption

ArriveCAN costs

Border public health measures costs: From April 1, 2020 through to March 31, 2023 (in millions $)
ArriveCAN related forecast and actuals	Forecast	Actual
ArriveCAN 1.0 (Initial version)	0.08	0.08
70+ Releases of the app and website Development and support of 3 versions of the app: one for iPhones, one for Androids and a website for users without smartphones - over a period of 2.5 years to meet changing public health rules.	8.8	8.5
Service Canada call centre Calls and emails from travellers on the COVID health measures in general and the app answered on behalf of PHAC and CBSA.	7.5	6.1
Data management For PHAC and CBSA to collect data, report, monitor and ensure compliance with COVID border measures.	5.2	7.9
Indirect costs Payments to SSC and PSPC for internal project-related activities and for employee benefits, accommodations, and payments to SSC.	4.9	7.8
Proof of vaccination credential development To authenticate and verify, in real time, using the industry standard "Smart Health Card," the traveller's proof of vaccination delivered by provinces and territories, as well as international ones.	4.6	4.9
Data storage and cloud services 18 million downloads, 60 million travellers over 2.5 years.	4.6	6.4
IT support Technical call center support for airlines, airports and travellers for the app.	4.5	5.4
Other CBSA systems To integrate ArriveCAN information into other CBSA systems that were built, modified and maintained to support the border health measures with real time linkages to core border administrative systems.	4.5	4.4
Security To ensure it meets Government of Canada standards on cyber security.	2.3	2.4
Accessibility To make the application and website accessible for users with disabilities.	1.7	2.3
Program and project management PHAC and CBSA program, policy and project coordination and legal services.	1.6	0.9
Future readiness Government decision to ensure readiness to restore the public health functionality of the app in the event it requires it following the removal of public health code in October 2022.	-	2.4
Data migration Data transfer to PHAC, and automation of data deletion to adhere to the requirements of the federal Privacy Act and Privacy Regulations.	-	1.7
Contingency	3.8	-^{Tablenote 1}
Total	54	55
Changes to IT systems related to health measures (Unrelated to ArriveCAN)	Forecast	Actual
Changes to core CBSA IT systems to manage health measures, such as random testing and contact tracing as prescribed by Orders in Council.	-	6.8
tablenote Tablenote 1 Contingency goes to zero at the end of an initiative as there are no more unknowns. Return to tablenote 1 referrer

ArriveCAN vendor costs

ArriveCAN contracts: April 1, 2020 to March 31, 2023
Vendor	Spent for ArriveCAN ($)
49 Solutions	455,665
Adirondack Information Mgmt	382,358
Advanced Chippewa Technologies Inc	416,335
Altair Electronics	4,658
Amazon Web Services Inc.	7,975,971
BDO Canada LLP	1,792,254
BIR Consulting Inc	62,775
Bluink Ltd	100,776
CDW Canada Corporation	18,903
Dalian Enterprises and Coradix Technology Consulting, in Joint Venture	4,837,653
Donna Cona Inc.	450,364
Emerion	494,771
Ernst & Young LLP	121,755
Experis/Veritaaq	407,433
GC Strategies Incorporated	13,486,644
Google Cloud	75,606
Guardsquare Canada Ltd.	183,092
Ibiska telecom Inc	217,511
Le Groupe Conseil Bronson	322,871
Makwa Resourcing Inc.	485,015
MapleSoft Group	48,902
MGIS Inc.	675,858
Microsoft Canada Inc.	1,313,232
Modis Canada Inc.	343,124
Nisha Technologies Inc.	100,292
Nova Networks	5,640
Pure Spirit Solutions Inc.	1,008
S.I. Systems	175,039
Sada Systems Canada, Inc.	378,848
SoftSim Technologies Inc.	28,371
TekSystems Canada Corp.	2,773,385
TPG Technology Consulting Ltd	47,778
Total	38,183,887

Contract grid: Dalian-Coradix-GC Strategies

GC Strategies / Dalian / Coradix – Contract grid
Contract	Purpose	Date	Company	Vehicle	Initial value ($)	Amended value ($)	Expenditures ($)
2017001080	Programmer support for a Primary Inspection Kiosk (PIK) application.	2016-09-09	104774 : Coradix Technology Consulting Ltd	Competitive – open bidding	460,497	920,995	920,995
47419-206529-001-EL	Business and systems analysis, mobile and web development, mobile and web testing, problem management and release coordination for ArriveCAN	2019-10-07	172813 : Dalian Enterprises Inc.	Competitive - Selective Tendering (PSPC)	4,510,484	23,443,480	23,443,480
47419-226879-004-EL	Informatics Professional Services for Traveller's Program Information Technology Projects	2020-10-05	199235 : Coradix Technology Consulting Ltd	TBIPS Omnibus	9,189,998	9,650,315	9,650,315
47419-226879-005-EL	Informatics Professional Services for Traveller's Program Information Technology Projects	2020-09-14	104774 : Coradix Technology Consulting Ltd	TBIPS Omnibus	9,650,315	9,650,315	9,650,315
47419-202719-001-EL	IT Professional Services to develop mobile solutions (not ArriveCAN) to address health and safety risks for front-line BSOs	2020-06-29	198085 : GC Strategies Inc.	Sole sourced through PSPC	4,433,250	11,144,450	11,144,450
47419-212524-001-EL	IT Professional Services for the development of three versions and 70 revisions to ArriveCAN, Proof of Vaccination, Accessibility and Cyber Security.	2020-04-08	198085 : GC Strategies Inc.	Sole sourced through PSPC	2,350,000	13,936,800	13,936,800
47419-215022-001-EL	IT Professional Services for ArriveCAN (specific to accessibility) and other projects including NextGen Handheld, Mobile Border and the CBSA's low value shipment application.	2020-12-18	198085 : GC Strategies Inc.	Sole sourced through PSPC	2,892,800	5,904,284	5,904,284
47419-211699/002/ZG	Informatics Professional Services resources to work on projects related to the Canadian Export Reporting System (CERS); Postal Modernization; X-Ray Analysis; E-Commerce; Cargo Preclearance; Secure Corridor Concept (SCC) Pilot; Guns and Gangs; and Opioids.	2021-12-20	104774 : Coradix Technology Consulting Ltd	contract against Standing offer	4,100,544	4,100,544	4,100,544
47060-197627-004-ZL	IM/IT resources to perform various tasks in ArriveCAN, including business and systems analysis, mobile and web development, mobile and web testing.	2021-07-13	198037 : Dalian Enterprises Inc.	Competitive - Selective Tendering (PSPC)	5,850,000	13,500,000	13,500,000
CW2233973	IT professional resource services to support changes to the operational environment to better respond to public safety needs given the threat of Covid19 and its variants	2022-05-16	198085 : GC Strategies Inc.	Competitive - Selective Tendering (PSPC)	25,377,165	25,377,165	25,377,165
47419-206529-002-EL	IT resources for Business Analysis, Mobile and Web development for ArriveCAN	2019-08-26	172813 : Dalian Enterprises Inc.	Competitive - Selective Tendering (PSPC)	496,386	3,497,265	3,497,265

McKinsey contracts: Summary sheet

Contract: 2017000230
Competitive process using a PSPC Supply Arrangement
Purpose	Business Consulting/Change Management Services contract that resulted in Business Case for CARM
Contract period	Award date: May 2016 End date: October 2016
$ Value / Spent (dollars)	Contract value: $1.99 million Amount spent: $1.8 million
Notes	CBSA received a benefits framework to measure the effectiveness and efficiency of adopting digital processes to improve Revenue Management of Duties and Taxes on imported goods.
Additional information	1) What advice did the CBSA follow from McKinsey as a result of this contract? Advice was received, considered, and actioned with respect to establishing a framework to move forward with the CARM project. 2) Why were external resources required to accomplish this work? The expertise required to consider the full scope and complexities of developing a modernized approach to revenue collection was best outsourced.

Contract: 2018001129
Competitive process using a PSPC Supply Arrangement
Purpose	Contract for Executive Transformation Services
Contract period	Award date: October 2017 End date: October 2018
$ Value / Spent (dollars)	Initial contract value: $791,000 Amended contract value: $1.8 million Amount spent: $1.6 million
Notes	Executive Transformation Services to maximize the potential benefits of multiple transformation initiatives underway at the CBSA as well as to provide guidance toward the development of a Renew Al Strategy and potential implementation.
Additional information	1) What advice did the CBSA follow from McKinsey as a result of this contract? Advice was received, considered, and actioned with respect to renewal strategies to deal with an expected increase in volume of work resultant from multiple ongoing transformation initiatives. 2) Why were external resources required to accomplish this work? In this case the vendor provided experience and perspectives based on international comparators in this space in a way that in-house resources could not.

Contract: 4741987760
Competitive process managed by PSPC
Purpose	Contract for value (vendor) management work plan
Contract period	Award date: August 2018 End date: August 2020
$ Value / Spent (dollars)	Contract value: $1.33 million Amount spent: $978,000
Notes	Establishment of a Value Management Office strategy and work plan to support the CARM project.
Additional information	1) What advice did the CBSA follow from McKinsey as a result of this contract? Advice was received, considered, and actioned with respect to global experiences and best practices in the 'value management' space that augmented CBSA's Why were external resources required to accomplish this work? In this case the company brought global experience (public and private) to augment the experience and knowledge of the CBSA's in-house resources.

Contract: 47419236755
Competitive process managed by PSPC
Purpose	Benchmarking contract that was canceled before any work completed
Contract period	Award date: October 2022 Initial end date: March 2023 Amended date: December 2022 Contract ended with no expenditures
$ Value / Spent (dollars)	Contract value: $1.98 million Amount spent: $0
Notes	Establishment of benchmarking services for the CARM project. This contract was canceled without expenditures after it was determined that the work would be completed with in-house resources.
Additional information	1) What advice did the CBSA follow from McKinsey as a result of this contract? None. This contract was ended without expenditures and internal resources were used to accomplish the work. 2) Why were external resources required to accomplish this work? Internal resources were, in fact, utilized for this work after the CBSA decided to end this contract early without expenditures.

Botler AI chronology

February 2021: the CBSA entered into a contract with Coradix in joint venture with Dalian designed to explore an approach to increase awareness and access to information regarding workplace misconduct, violence and harassment. Discussions about if/how to pursue this work followed
September 2021: the CBSA requested to the vendor, Coradix in joint venture with Dalian, that the work be suspended until later in the year due to internal constraints
27 September 2021: Botler email to CBSA regarding contractual matters between Botler/Coradix/Dalian/GC Strategies; seeking payment for work performed; and seeking a renewed contractual arrangement for further work
28 September 2021: CBSA correspondence exchange with all contractors urging swift resolution of payment issue
6 December 2021: Botler email to CBSA reiterating contractual concerns raised on 27 September; alleging retaliation by Coradix/GC Strategies; and seeking a discussion on new contracting arrangements with CBSA
December 2021: the vendor was informed and acknowledged that the TA was cancelled, in accordance with the cancellation terms outlined in the contract
20 October 2022: Botler email to CBSA announcing that they had "uncovered substantial misconduct" and were "now in a position to share our findings from the last 36 months with you and discuss our proposed strategy for the next steps"
16 November 2022: Botler summary of the work performed on the pilot project, suggesting they had "detected and validated wide-ranging instances of misconduct"; recommending a risk assessment; and suggesting a Government of Canada wide contract for Botler's product
24 November 2022: Botler sends detailed allegations to CBSA
25 November 2022: CBSA Professional Integrity Division launches an administrative investigation into the allegations made by Botler
13, 21, 28 December 2022 and January 2023: CBSA Professional Integrity Division holds preliminary discussions and shares information with the RCMP
31 January 2023: CBSA Professional Integrity Division sends formal written referral to the RCMP

McKinsey fact sheets: OPO

May 10, 2024

Objective

To present key facts related to the Office of the Procurement Ombud (OPO) Procurement Practice Review of Contracts Awarded to McKinsey & Company completed in March 2024.

Key facts

List of CBSA contracts awarded to McKinsey & Company since January 1, 2011 sampled by OPO:

List of CBSA contracts awarded to McKinsey & Company since January 1, 2011 sampled by OPO
Purpose of contract	Contract dates	Contract amount (including amendments)	Amount spent	Tendering
Executive Support Services	2017-10-23 to 2018-10-31	$1,796,700.00	$1,590,000.00	Competitive
Creation of a Value Management Office	2018-08-31 to 2020-08-31	$1,332,000.00	$977,700.00	Competitive
Benchmarking Services	2022-10-21 to 2022-12-19	$1,975,270.50	$0.00	Non-competitive

The following table summarizes key facts related to the internal audit report:


Subject	Key facts
Favouritism	OPO found that the procurement strategy was changed for two contracts, including one led by the CBSA, after it was discovered that McKinsey would have been ineligible to bid had the department, issued the solicitation using a procurement vehicle for which McKinsey could bid, creating a strong perception of favoritism. As part of the recommendations of its internal audit of consulting contracts awarded to McKinsey & Company, the CBSA has strengthened its controls over the management of procurement: increased management awareness of contracting rules and requirements by mandating training, refreshing guidance and ensuring procurement officer involvement in all contracting increased oversight of the use of standing offers and supply arrangements in a risk-based manner established a Procurement Review Committee to review and approve contracts and task authorizations at each stage of the procurement process to satisfy operational requirements rather than engaging specific suppliers
Search results	For one contract where the procurement was conducted by CBSA, Centralized Professional Services System (CPSS) search results were missing from the file. The consequence of not documenting CPSS search results is that Contracting Authorities cannot demonstrate that invited suppliers were qualified supply arrangement holders at the time of solicitation or that they were appropriately selected in accordance with CPSS rules. In response, the CBSA's procurement team has been issued a revised document checklist to ensure that all documents of business value, such as CPSS search results, are retained appropriately. The new Assurance Program in 2024 to 2025 will ensure the consistent application of the new guidance and the documentation held in the procurement files; the results of the Assurance reviews will be presented to the CBSA's executive committee on a quarterly basis beginning on July 31, 2024.
Bid evaluations	The report indicates that in one contracted awarded by CBSA, records of the evaluation of bids were deficient as documentation regarding individual and consensus bid evaluations were incomplete or absent from the file. In response, the CBSA's procurement team has issued a revised document checklist to ensure that all documents of business value, such as bid evaluations, are retained appropriately. The new Assurance Program in 2024 to 2025 will ensure the consistent application of the new guidance and the documentation held in the procurement files; the results of the Assurance reviews will be presented to the CBSA's executive committee on a quarterly basis beginning on July 31, 2024.
Contract Security Program	The report indicates that of the 6 competitive contracts with security clauses, one contract awarded by the CBSA did not have a record (in other words, email) showing that the contract with a PSPC security clause had been provided to PSPC's Contract Security Program (CSP). In response, the CBSA's new Procurement Directorate has prepared and communicated guidance to help ensure that each step is completed throughout the procurement process, including the need to share contract information with the Contract Security Program.
Contract amendment	OPO found that an amendment to a CBSA contract was not on file and it could not be confirmed that work under the amendment was consistent with the scope of the original contract. On November 28, 2023, PSPC suspended the CBSA's authority to issue its own TAs on currently active professional services contracts for which PSPC is the contracting authority. The CBSA has established a Procurement Review Committee which, together with the Contract review committee, will be responsible for approving all contracts and task authorizations above $40,000 at every stage of the procurement process. This new governance structure will serve to strengthen oversight and ensure sound stewardship of public funds. Additionally, the Agency has issued a revised document checklist to our procurement team to ensure that all documents of business value, including amendments and task authorizations, are retained appropriately. Procurement training products have also been refreshed to address gaps related to documentation.
Status of implementation of audit recommendations	The review recommended the following: CBSA and ISED should implement procedural controls to ensure procurement strategies are centered on satisfying operational requirements rather than engaging specific suppliers. The management action plan was completed at the time of the review's publication. As part of the recommendations of its internal audit of consulting contracts awarded to McKinsey & Company, the CBSA has strengthened its controls over the management of procurement: increased management awareness of contracting rules and requirements by mandating training, refreshing guidance and ensuring procurement officer involvement in all contracting increased oversight of the use of standing offers and supply arrangements in a risk-based manner the CBSA's improved governance over procurement includes a new Procurement Review Committee to review and approve contracts and task authorizations the new governance structure provides additional oversight on all contracting activities, focusing on delivering value for money and alignment with procurement and project management policies The new Executive Procurement Review Committee and its sub-committee, the Contract Review Committee, are responsible for approving all contracts and task authorizations above $40,000 at each stage of the procurement process, covering the procurement strategy, project initiation, and at contract award, which includes a review of the professional services experience and qualifications requirements The new governance structure ensures that procurement strategies are centred on satisfying operational requirements rather than engaging specific suppliers

May 10, 2024

Objective

To present key facts related to the CBSA Internal audit of federal government consulting contracts awarded to McKinsey & Company published on March 30, 2023.

Key facts

List of CBSA contracts awarded to McKinsey & Company since January 1, 2011:

List of CBSA contracts awarded to McKinsey & Company since January 1, 2011
Ref. #	Purpose of contract	Contract dates	Contract amount (including amendments)	Amount spent	Tendering
1	Business Consulting Services	2016-05-02 to 2016-10-30	$1,999,998.30	$1,769,910.00	Competitive
2	Executive Support Services	2017-10-23 to 2018-10-31	$1,796,700.00	$1,590,000.00	Competitive
3	Creation of a Value Management Office	2018-08-31 to 2020-08-31	$1,332,000.00	$977,700.00	Competitive
4	Benchmarking Services	2022-10-21 to 2022-12-19	$1,975,270.50	$0.00	Non-competitive

The following table summarizes key facts related to the internal audit report:


Subject	Key facts
Favouritism	The report indicates in contracts 2 and 4, evidence was found that McKinsey was being considered by CBSA management prior to the issuance of the request for proposal. This raises questions as to the overall fairness and openness of the processes as it could be perceived that McKinsey's bids were favoured by the CBSA. In response, the CBSA has implemented the following controls: increased management awareness of contracting rules and requirements by mandating training, refreshing guidance and ensuring procurement officer involvement in all contracting activities increased oversight of the use of standing offers and supply arrangements in a risk-based manner improved governance over procurement includes a new Procurement Review Committee to review and approve contracts and task authorizations
Responsiveness to bidders	The report indicates that in contract 3, bidders requested extensions and asked whether experience on a smaller project could be accepted. Both requests were denied by the CBSA, with no clear rationale. When the bidding period closed, only one bidder had submitted a proposal: McKinsey. Providing additional context when responding to bidders would have contributed to improving the transparency of the process. In response, the CBSA has taken the following actions: Ensuring procurement files contain all documentation of business value Increasing management's awareness surrounding contracting rules Increasing oversight of the use of Standing Offers and Supply Arrangements in a risk-based manner
Bid evaluations	The report indicates that evaluations of the bids and justification for awarding the contracts to McKinsey were not available in the files. In response, the CBSA has taken action to ensure procurement contain all documentation of business value, including bid evaluations. This includes performing quality assurance reviews on a risk-based sample of procurement files to ensure proper retention of necessary documentation.
Conflict-of-interest declarations	The report states that only 1 of 4 files reviewed contained conflict of interest declarations. In response, the CBSA has taken action to ensure procurement contain all documentation of business value, including conflict-of-interest declarations. This includes performing quality assurance reviews on a risk-based sample of procurement files to ensure proper retention of necessary documentation.
Security clearances	The audit found that documents were not available to clearly show that all security clearances were obtained prior to work commencing or that individuals responsible for contract oversight monitored and oversaw the performance of the contractor. The internal audit indicated that "we were unable to verify the security clearance status of all McKinsey consultants within the time constraints of this audit." On May 9, 2024, as part of the OAG audit, the CBSA provided evidence to the OAG regarding security clearances obtained for all listed consultants for the three contracts sampled (#1-3).
Status of implementation of audit recommendations	The audit recommended the following: The Vice-President of the Finance and Corporate Management Branch (FCMB) should establish appropriate controls to oversee the management of procurement by: Ensuring procurement files contain all documentation of business value Obtaining greater assurance that Section 34 for contracts is appropriately carried out by managers Increasing management's awareness surrounding contracting rules Increasing oversight of the use of Standing Offers and Supply Arrangements in a risk-based manner The current status of the management action plan is as follows: Completed Due July 2023. Outstanding items: b.2 (delivery of information sessions to cost centre managers to provide an overview of the Agency's instrument of delegation of spending and financial authorities) and b.4 (review of Section 34 non-compliance process and request of a FIMC decision on whether it should be further strengthened) Completed Completed

MRAP for IAPED Audit of procurement and contracting

Report date: January 2024
Period covered by the audit: April 2022 to July 2023
Start of the reporting phase: December 2023

Overall Management Response

The Finance and Corporate Management Branch (FCMB) thanks the Internal Audit and Evaluation Directorate for this audit and accepts the findings of this audit and has already launched a number of improvement initiatives in context of the other audit exercises that have been ongoing in parallel. The Finance and Corporate Management Branch has developed a management improvement plan to strengthen the various Agency controls including procurement planning and reporting, financial management and compliance mechanisms.

Recommendation 1

The Vice-President of Finance and Corporate Management Branch should strengthen the procurement planning process by:

Tracking unplanned procurement requests and use this data to determine required procurement capacity
Assessing Procurement and Contracting Directorate's capacity including developing and communicating services standards to the Agency for each procurement type
Assessing workplace health and determining the measures required to help improve employee retention
Modifying and communicating existing guidance to Cost Centre Managers to clarify the level of detail required for planned procurement as part of the Integrated Business Plan exercise
Reviewing planned procurements with a strategic focus to identify potential efficiencies, provide advice/recommendations and plan for longer-term procurement needs

Management response

Agreed. The Finance and Corporate Management Branch recognizes that a strong procurement planning process ensures both short term and long term value for money. The CBSA's improved governance over procurement will review and approve Branch Procurement Plans, to be included in each Branch Integrated Business Plan.


Management Action Plan	OPI	Completion date
1.1 The CBSA 's improved governance over procurement includes a new Procurement Review Committee to review and approve planned contracts and task authorizations. Recognizing the need to ensure sound stewardship of public funds, the new governance structure will provide additional oversight on all contracting activities, focusing on delivering both short term and long term value for money and alignment with procurement and project management policies. The Procurement Review Committee will not only act as challenge body for procurement decisions, but also provide strategic advice to ensure procurement strategies fit the agency's long term needs.	FCMB – Procurement and Contracting Directorate	Completed
1.2 In addition, the Vice-President of the Finance and Corporate Management Branch will work to strengthen the procurement planning process by: Presenting a yearly Procurement Plan to CBSA's new Procurement Review Committee and highlighting expected volumes and capacity assessment. [Starting May 2024 and then ongoing] Utilising the yearly Procurement Plan to collect and track planned requirements. [Starting May 2024 and then ongoing] Utilizing the planning cycle set by CBSA's Integrated Business Plan exercise and ensuring expectations on the level of detail of the plan are communicated. [September 2024] Establishing service standards and communicating them on the intranet for each type of procurement action. [September 2024]	FCMB – Procurement and Contracting Directorate	September 2024
1.3 The Procurement and Contracting Directorate has, as part of its Public Service Employee Survey response, put in place outreach initiatives with employees, the formalization of the Employee Engagement Committee, established skip meetings at various levels of the structure, and will continue to monitor as part of the next Public Service Employee Survey to ensure workplace health. The Procurement and Contracting Directorate has drastically reduced its attrition rate, stabilizing the workforce and will utilise its new committee to monitor the situation. A presentation on workplace health will be built using the Public Service Employee Survey and presented to the new Procurement Review Committee.	FCMB – Procurement and Contracting Directorate	April 2025

Recommendation 2

The Vice-President of Finance and Corporate Management Branch should strengthen the contract management processes by:

Communicating the expectations for monitoring contracts to all delegated Cost Centre Managers
Developing a centralized storage solution for all required contract management documentation
Periodically conducting spot checks to verify that contract management activities are occurring, as well imposing corrective actions where/if required

Management response

Agreed. The Finance and Corporate Management Branch recognizes the need to strengthen contract management processes. The CBSA's procurement function was nationalized in March 2021, and regrouped under one organization. This new central organization, the CBSA Procurement and Contracting Directorate, has since launched a comprehensive improvement plan to further strengthen management controls at all levels across the Agency and it has already improved governance across the procurement functions.


Management Action Plan	OPI	Completion date
2.1 The Vice-President of the Finance and Corporate Management Branch launched a comprehensive improvement plan to further strengthen management controls at all levels across the Agency. One of the plan's main points is the CBSA's improved governance over procurement, which includes a new Procurement Review Committee to review and approve contracts, and to provide a reminder that all procurement actions need to go through the Procurement and Contracting Directorate.	FCMB – Procurement and Contracting Directorate	Completed
2.2 The Vice-President of the Finance and Corporate Management Branch will update its guidance and establish clear responsibilities for cost centre managers and procurement officers on the use of a centralized storage solution in Apollo for all contract management documentation. The CBSA Procurement and Contracting Directorate will perform assurance reviews to ensure the new requirement is being followed.	FCMB – Procurement and Contracting Directorate	December 2024
2.3 The Vice-President of the Finance and Corporate Management Branch has updated and communicated a Guide to the Management of Contracting intended for Cost Centre Managers (CCM). The purpose of this guide is to equip CCMs with the knowledge and the tools they need to manage their procurement requirements and contracts. The guide was released to all CBSA employees on August 11, 2023, via the CBSA Daily Insider. An annex with a detailed table of roles and responsibilities reminds CCMs to work with CBSA Procurement and Contracting Directorate on all contracts and task authorizations.	FCMB – Procurement and Contracting Directorate	Completed
2.4 The Vice-President of the Finance and Corporate Management Branch will monitor contract management activities through regular quality assurance reviews to assess the adequacy of documentation and compliance with procurement processes. The results of the Assurance Reviews, and any recommendations for corrective action, will be presented to a governance committee on a quarterly basis starting in July 2024.	FCMB – Procurement and Contracting Directorate	July 2024

Recommendation 3

The Vice-President of Finance and Corporate Management Branch should strengthen the Agency's efforts to reduce the risk of fraud by developing measures to proactively monitor systems and processes to identify and mitigate potential instances of fraud, including sharing the results of any misconduct or wrong doing investigations or quality assurance activities with all CBSA employees to demonstrate the efforts taken to address unethical behaviours.

Management response

Agreed. The Vice President of Finance and Corporate Management Branch will continue ongoing efforts to reduce the risk of procurement fraud and determine what more can be done to prevent the occurrence of fraud and to mitigate fraud.


Management Action Plan	OPI	Completion date
3.1 Enhance the Agency's Fraud Risk Profile, which assesses the Agency's top internal fraud risks (including procurement fraud) by: Tabling an updated Fraud Risk Profile to the Executive Committee with recommendations to help reduce the Agency's overall exposure to procurement fraud and to strengthen controls for fraud risks of heightened concern (which includes procurement fraud). (September 2024) Provide the Executive Committee with an update on the implementation of the Fraud Risk Profile action plans on a quarterly basis beginning June 2024. (June 2024)	FCMB – Agency Comptroller	September 2024
3.2 FCMB to perform quality assurance reviews on a risk-based sample of procurement files. (Completed)	FCMB – Procurement and Contracting Directorate	February 2024
3.3 Perform a review of CBSA's system based internal controls and accesses for procurement, close any gaps identified, including removing access to procurement and contracting functionalities from individuals who do not require them.	FCMB – Procurement and Contracting Directorate	September 2024
3.4a Develop a procurement process map that clearly identifies accountabilities and responsibilities of executives and mangers in general, technical authorities, project authorities and section 32 and 34 authorities to help ensure everyone understands the requirements of their position vis-à-vis procurement. 3.4b Implement and communicate the procurement process map and establish a repository of signed attestation forms acknowledging accountabilities and responsibilities identified in the document.	FCMB – Procurement and Contracting Directorate	September 2024
3.5 Develop a communication strategy to share the results of misconduct investigations with all employees to deter unethical behaviours from reoccurring. Present the strategy to the appropriate governance committee for approval.	FCMB – Security and Professional Standards	September 2024

Recommendation 4

The Vice-President of Finance and Corporate Management Branch should:

In consultation with Business Process Owners, review the Segregation of Duties Matrix to confirm conflicting roles
Review the role approval process to ensure that incompatible roles are not granted, and justification is obtained if incompatible roles are required
Develop procedures to monitor users who have been granted incompatible roles to ensure the access privileges are not being used inappropriately

Management response

Agreed. The Vice-President of the FCMB will, in consultation with other subject matter experts, develop business processes to assign, manage and review the Segregation of Duties (SoD) related to roles management. This will provide reasonable assurance to ensure access privileges are well managed and that mitigation strategies exist for granted exceptions to minimize the risk of fraud. The Agency will also be moving to SAP4/ HANA which will allow a more efficient way to manage system accesses in the long run.


Management Action Plan	OPI	Completion date
4.1 Clean-up existing conflicting roles by removing unnecessary access and ensuring only those who require conflicting roles are granted access with appropriate justification maintained on file.	FCMB – Agency Comptroller	June 2024
4.2 Update the CAS roles catalogue including definitions and clear descriptions of authorized accesses for each role.	FCMB – Agency Comptroller	September 2024
4.3 Develop and communicate guidance to clarify the BPO's roles and responsibilities related to role approval and regular monitoring of users with incompatible roles.	FCMB – Agency Comptroller	September 2024
4.4 Review the CBSA SoD Matrix with BPOs to confirm conflicting roles and also identify any additional conflicting roles that may exist for the CBSA environment. Obtain VP FCMB approval of final SoD Matrix.	FCMB – Agency Comptroller	September 2024
4.5 Based on the revised CBSA SoD Matrix, clean-up additional conflicting roles that may have arisen from the review	FCMB – Agency Comptroller	November 2024
4.6 Develop and communicate a monitoring strategy and process to monitor users who have been granted incompatible roles to ensure the access privileges are not being used inappropriately.	FCMB – Agency Comptroller	December 2024

IAPED Audit of McKinsey contracts

Refer to the Internal audit of federal government consulting contracts awarded to McKinsey & Company

Summary of MRAP actions

Internal Audit of Federal Government Consulting Contracts Awarded to McKinsey & Company

Summary of Recommendations

a) Ensuring procurement files contain all documentation of business value
b) Obtaining greater assurance that Section 34 for contracts is appropriately carried out by managers
c) Increasing management's awareness surrounding contracting rules
d) Increasing oversight of the use of Standing Offers and Supply Arrangements in a risk-based manner

Summary of CBSA Management Response and Action Plan

All delegated managers / Cost Centre Managers (CCMs) are required to inform FCMB Procurement of any contracts or call-ups requested directly from PSPC, in order to maintain a central record of all CBSA contracts. (Completed)
A revised contract documents checklist was distributed to all procurement staff and remind them of the requirements to complete and retain the necessary records (for example, conflict of interest declarations, bid evaluations, etc.). (Completed)
Available procurement training products (PSPC, CSPS, etc.) were reviewed to assess whether additional training is required for delegated managers through supplemental guidance or training materials. (Completed)
Quality assurance reviews were performed on a risk-based sample of procurement files to ensure proper retention of necessary documentation to support S41 of the FAA. (Completed)
Additional guidance was distributed to all delegated managers on their roles and responsibilities regarding S34 authorization to clarify the importance of ensuring deliverables/services have been received prior to the approval of payment release and that all relevant deliverables are retained. (Completed)
A Quality Assurance (QA) framework was developed related to section 34 delegated authorities, outlining roles and responsibilities and methodology for verifying accounts, to ensure expenditures are made in accordance with delegated authorities' responsibilities and comply with CBSA and Treasury Board policies, guidelines and directives. (Completed)
Guidance to cost centre managers (CCMs) was provided on the key requirements for initiation and administrating contracts. (Completed)
All Delegated Managers / CCMs were reminded of the importance of ensuring the Procurement Team is involved in any contracts or call-ups requested directly from PSPC, in order to maintain a central record of all contracts. (Completed)
The Terms of Reference of the Contract Review Board were reviewed to provide oversight on contracts issued using certain PSPC Standing Offers and Supply Arrangements. (Completed)
The risk-based methodology was reviewed to assess which contracts will be reviewed by the Contract Review Board (for example, task authorizations or call-ups for professional services and contract amendments greater than a specific threshold)

Outstanding action items:

FCMB Agency Comptroller (AC) will continue to deliver information sessions to CCMs to provide an overview of the Agency's instrument of delegation of spending and financial authorities. These sessions will be repeated on an annual basis for newly appointed CCMs. (Due Date: Ongoing)
FCMB will review its Section 34 non-compliance process and request a FIMC decision on whether it should be further strengthened (First error identified results in a written warning to the delegated manager; Second error results in a compliance notice to the VP/RDG; Third error results in the withdrawal of their Delegation combined with a suitable development plan). (Due Date: July 2023)

OAG Audit of ArriveCAN

Summary of Recommendations

1. Accurately coding and allocating expenses to projects to ensure proper financial records.

2. Documenting interactions with potential contractors and rationales for non-competitive procurement processes.

3. Having the CBSA's Procurement Directorate review all contracts and task authorizations for compliance with policies.

4. Ensuring that potential bidders are not involved in preparing requests for proposals.

5. Ensuring that contracts and task authorizations specify the required experience and qualifications for resources.

6. Ensuring that tasks and deliverables are clearly defined in contracts and related task authorizations.

7. Ensuring that all resources under contract have valid security clearance on file before starting any work and that prior to payment, supporting evidence is maintained on file to validate the work performed.

8. Carrying out and documenting testing prior to releasing an application or update, as well as obtaining release approval.

Summary of CBSA Management Response and Action Plan

The CBSA's Procurement function was centralized and regrouped under one organization
Launched a comprehensive improvement plan to further strengthen management controls at all levels
Require contractors to clearly identify the relevant financial codes on their invoices by March 31, 2024
Develop and implement procedures to ensure the financial coding is consistently being applied across all areas of the Agency by March 31, 2024
Established a new Contract Review Board to review and approve contracts and task authorizations.
- responsible for approving contracts and task authorizations at each stage, covering procurement strategy, project initiation, and at contract award, which will include assurance that the tasks and deliverables are clearly defined in the contracts. (Completed)
Implement a requirement for staff to report interactions with potential vendors by March 31, 2024
The Procurement Directorate will act as the single window for interactions with vendors in the context of the procurement process.
- It will also monitor compliance by developing regular risk-based reviews of contracting files
- The new Assurance Program in 2024 to 2025 will ensure the consistent application of the new guidance by reviewing the documentation held in the procurement files
All headquarters staff with procurement responsibilities have completed four training courses
Employees with procurement responsibilities will be required to attend a Code of Conduct and Values and Ethics awareness session to ensure a clear understanding of expectations to minimize potential apparent and real conflicts of interest
A procedure for streamlined testing documentation will be developed and implemented that will increase agility in emergency situations while at the same time ensuring sufficient controls are in place to document testing results prior to release to production
In addition, the Information, Science and Technology Branch will review and update existing testing procedures to ensure control steps are introduced and documentation is complete before any system or application is released to production

OPO Procurement Practice Review of ArriveCAN

Summary of Recommendations

4. CBSA should establish a quality control process to ensure mandatory criteria are not overly restrictive and do not undermine the fairness and openness of the bid solicitation process.

5. PSPC and CBSA should ensure adequate procedures are in place for sharing contract information with the Contract Security Program. These procedures should be communicated with all procurement personnel and monitored for compliance.

7. CBSA should ensure the qualifications and experience of all resources proposed in response to a TA request are consistently assessed against the requirements for the applicable category and level as set out in the contract and document results of the assessment in the file.

10. CBSA should not authorize any TAs without first confirming resource(s) named in the TA meet(s) all security requirements and retaining the confirmation in the contract file.

13. CBSA should ensure the completeness and accuracy of proactively published contract information as required under the Directive for the Management of Procurement.

Summary of CBSA Management Response and Action Plan

The Agency has created a new Executive Contract Review Board, which is responsible for ensuring that mandatory criteria are not overly restrictive for all contracts above $40,000
In addition, contracts above $1 million are approved by the CBSA's Executive Committee to ensure they do not undermine the fairness and openness of the bid solicitation process. (Completed)
The CBSA's new Procurement Directorate has prepared and communicated guidance (including a checklist) to help ensure that each step is completed, including the need to share contract information with the Contract Security Program. (Completed)
The CBSA's new Procurement Directorate has prepared and communicated guidance to ensure that each step is complied with, including the need to consistently assess qualifications and experience and document the results of the review are recorded in the contract file. In addition, all managers in headquarters, with procurement responsibilities, were required to undertake mandatory training in 2023. (Completed)
The CBSA's new Procurement Directorate has prepared and communicated guidance to ensure that each step is complied with, including the need to confirm that resources meet the security requirements and the results of the review are recorded in the contract file. (Completed)
- The consistent application of the new Standard Operating Procedures will be assessed as part of the regular Assurance Reviews. (April 1, 2024)
The CBSA's new Procurement Directorate has performed a review of proactive disclosure to ensure the transparency over external reporting and ensure full compliance with the proactive disclosure requirements. Since mid-2023, monthly data validation takes place to support the completeness and accuracy of proactively published contract information. (Completed)
To provide further assurance that the CBSA meets its legislative requirements, regarding proactive disclosure, the CBSA will develop new reporting capabilities in the Agency's Financial System to ensure the completeness and accuracy of proactively published contract information. (April 1, 2025)

OPO Procurement Practice Review of Contracts Awarded to McKinsey & Company

Summary of Recommendations

1. CBSA and ISED should implement procedural controls to ensure procurement strategies are centered on satisfying operational requirements rather than engaging specific suppliers.

Summary of CBSA Management Response and Action Plan

The following management action plan has been implemented:

As part of the recommendations of its internal audit of consulting contracts awarded to McKinsey & Company, the CBSA has strengthened its controls over the management of procurement:
- Increased management awareness of contracting rules and requirements by mandating training, refreshing guidance and ensuring procurement officer involvement in all contracting
- Increased oversight of the use of standing offers and supply arrangements in a risk-based manner
- The CBSA's improved governance over procurement includes a new Procurement Review Committee to review and approve contracts and task authorizations
  - The new governance structure provides additional oversight on all contracting activities, focusing on delivering value for money and alignment with procurement and project management policies
  - The new Executive Procurement Review Committee and its sub-committee, the Contract Review Committee, are responsible for approving all contracts and task authorizations above $40,000 at each stage of the procurement process, covering the procurement strategy, project initiation, and at contract award, which includes a review of the professional services experience and qualifications requirements
  - This new governance structure ensures that procurement strategies are centred on satisfying operational requirements rather than engaging specific suppliers

Internal Audit of Contracting and Procurement

Summary of Recommendations

1. Procurement Planning by ensuring that branches and regions identify all relevant procurement requests in the procurement planning process and the volume of unplanned requests is better understood. Additionally, developing service standards and ensuring that workplace heath and employee retention is addressed will help ensure the Agency's future procurement requirements can continue to be met.

2. Contract Management by reinforcing expectations, verifying expectations and implementing corrective measures if needed.

3. Corporate Culture and Proactive Monitoring by demonstrating the actions management has taken to address behaviour that does not align with CBSA values, and shifting from being reactive to proactive in terms of fraud management.

4. Segregation of Duties by validating the definition of conflicting roles, minimizing the approval of and cleaning up existing incompatible roles and monitoring those whose conflicting access is required for their day-to-day responsibilities.

Summary of CBSA Management Response and Action Plan

The CBSA's improved governance over procurement will review and approve Branch Procurement Plans, to be included in each Branch Integrated Business Plan. (September 2024)
The Procurement and Contracting Directorate will develop a presentation on workplace health to be built using the Public Service Employee Survey and presented to the new Procurement Review Committee. (April 2025)
The CBSA's Procurement and Contracting Directorate has launched a comprehensive improvement plan to further strengthen management controls at all levels across the Agency and it has already improved governance across the procurement functions. The Directorate has also updated and communicated a Guide to the Management of Contracting intended for Cost Centre Managers (CCM). Future actions include:
- The CBSA will update its guidance and establish clear responsibilities for cost centre managers and procurement officers on the use of a centralized storage solution in Apollo for all contract management documentation. (December 2024)
- The CBSA will monitor contract management activities through regular quality assurance reviews to assess the adequacy of documentation and compliance with procurement processes. (July 2024)
The CBSA will continue ongoing efforts to reduce the risk of procurement fraud and determine what more can be done to prevent the occurrence of fraud and to mitigate fraud. (September 2024)
The CBSA will develop business processes to assign, manage and review the Segregation of Duties related to roles management. This will provide reasonable assurance to ensure access privileges are well managed and that mitigation strategies exist for granted exceptions to minimize the risk of fraud. The Agency will also be moving to SAP4/ HANA which will allow a more efficient way to manage system accesses in the long run. (December 2024)

Technical explanation: ArriveCAN quarantine error

From June 28 to July 20, 2022, 10,200 ArriveCAN users out of the approximate 2,000,000 ArriveCAN submissions, despite having submitted all the required information and their proof of vaccination using the ArriveCAN app, received automated quarantine notifications when they should not have when they crossed the Canadian border.

This issue was related to a defect in the iOS version of the application that had incorrectly defaulted a field "quarantine_exempt", to false. This flag is used by the ArriveCAN back-end system to send automated quarantine notifications to travellers.

The defect was introduced in ArriveCAN version 3,0 for iOS and was caused in a very specific scenario, where a user:

started the "public health" data submission flow
added the traveler information and their corresponding vaccine information
exited the "public health" flow
and then later returned to continue the submission

Essentially, if the user began their submission, stopped and returned later, they would be flagged for quarantine.

When the user resumed the submission, the app used the default value of the "quarantine_exempt" flag, instead of the modified value based on the traveler's data and vaccine information. This defect was not detected during testing because this scenario was not a part of the ArriveCAN test cases.

In response to this defect, the CBSA updated their testing to cover this scenario and invested resources in building an automated testing capability for ArriveCAN so that more time can be dedicated to testing new features where defects such as this could be introduced.

The CBSA resolved this issue in 4 stages:

On July 20, 2022, a resolution was implemented to the vaccination flow for all new submissions. From that point on, newly created submissions were not falsely flagged as going into quarantine
On July 23, 2022, a resolution was applied to correct the ArriveCAN submissions of users who had not yet crossed the border so t they hat they would not receive false quarantine notifications when cross the border
On July 25, 2022, a fix was implemented to stop sending false quarantine notifications to travelers who had arrived and were receiving them
On the July 27, 2022 the CBSA sent corrected data files reflecting the true quarantine status to PHAC to ensure that PHAC's IT systems used to manage quarantine cases were in synchronization with CBSA's data

Page details

Date modified:: 2024-10-07