Overview: Standing Committee on Public Accounts—Report 1, ArriveCAN (May 14, 2024)

How much did the CBSA spend on contracted services last year?
In the 2022 to 2023 fiscal year, the CBSA publicly reported (in the Public Accounts) spending about $510 million on professional and special services. Of this total, about $165 million was directly billed to CBSA by external contractors for informatics services. The CBSA also transferred about $120 million to other government departments for IT services.

The balance of the spending is non-IT contracting that covers a broad range of services, some through other government departments, including: repairs, maintenance and janitorial costs at custodial ports of entry; health and welfare costs at detention facilities; legal costs; security and protection services; training and education services; and interpretation costs at ports of entry.

On May 13, 2024 the Globe & Mail recently reported that Dalian, Coradix, and GC Strategies have received $1 billion in contracts from the Government of Canada since 2011. What is the total value of contracts with these three companies for the CBSA during that period of time?
Since 2011 the CBSA has entered into contracts with GC Strategies, Coradix, and Dalian and Coradix in joint venture valued at $125.7 million. This is the total maximum value of all contracts, not actual expenditures against those contracts.

The total value of these contracts is broken down by vendor as follows:

• GC Strategies: $56.4 million
• Coradix: $27 million
• Dalian/Coradix in joint venture: $42.3 million

How many people does the CBSA have working on "staff augmentation" contracts?
The CBSA has about 175 consultants working in IT-related areas and the Agency is rebalancing its use of internal and external IT resources. The CBSA maintains more than 180 IT systems. They are critical systems that ensure the movement of people and goods across the border. Like many critical systems across government, some of our systems are old. As such, we need to make sure that in decreasing our use of contractors, the CBSA does not open up a gap in the technical knowledge required to service these systems.

Has the CBSA provided the Government Operations and Estimates Committee with all materials that have been requested?
In response to the Committee's requests, the CBSA has collected over 30,000 pages of material for disclosure, all of which is required to be translated. As of May 13, over 9,000 pages of translated materials have been provided to the Committee in support of its study on the ArriveCAN application. The Agency will continue to provide bilingual materials as the become available.

Has the CBSA provided the Public Accounts Committee with all contracts requested on December 12, 2023?
On February 1, 2024 the CBSA produced to the Public Accounts Committee with all contracts between the CBSA and Dalian, Coradix, Dalian/Coradix in joint venture, and GC Strategies going back to January 2012.

Why did the CBSA include the "English essential" language requirement in its call for tenders, that was later used for work on the ArriveCAN application in April, 2020?
The CBSA used a procurement vehicle administered by Public Services and Procurement Canada to launch this call for tenders. The instructions under this vehicle provide three options for the language of work: English, French or both. The option chosen by the CBSA was English since the concepts and terminology in the technological field are primarily in English and this language had to be mastered to carry out the technical work requested. This is distinct from the ArriveCAN product offered to travellers in French, English and Spanish, as of its launch in April 2020. In addition, 18 languages are offered at CBSA primary inspection kiosks at international airports.

What has the CBSA done to respond to the Auditor General's finding that financial records and controls were deficient and good management practices in the contracting, development, and implementation of ArriveCAN were not followed?
The audit points to some important gaps in procurement processes and controls and its recommendations will serve as guideposts to addressing them. The CBSA has started to strengthen its processes and controls related to procurement planning, contract administration, corporate culture and proactive monitoring to reduce the risk of fraud.

Better controls and oversight have been put in place, including having those with procurement authority in headquarters retake their training, having a senior committee review all Task Authorizations exceeding $40,000, and centralizing procurement responsibilities within the organization.

How does the CBSA respond to the OAG's statement that the costs incurred to develop and maintain ArriveCAN through professional services and external expertise resulted in higher costs and low value-for-money?
It's hard to disagree. CBSA has always relied on outside expertise for skills it cannot recruit. CBSA still needs to outsource to some degree – but as an organization, we are working to rely less on contractors.

The OAG audit found deficiencies in the security testing of ArriveCAN. What is CBSA doing to ensure to improve its IT testing procedures?
Test plans, test results, and outstanding issues for each release are now being clearly documented and signoff is obtained prior to release into the production environment. The Agency is making sure these processes can be adapted for rolling out mobile applications and for ensuring documentation and controls suitable for emergency situations.

Both the OPO and the OAG audit raised issues about security clearances of contractors. What safeguards are in place to mitigate potential security risks?
All contract resources that were listed on a Task Authorization that worked on ArriveCAN had valid security clearances prior to beginning work. The Procurement Ombuds found that there were some resources; however, that worked on ArriveCAN that were not listed on Task Authorizations.

An internal review conducted by the CBSA found that these resources had the same access to the application as any member of the public, and at no time where they given access to any system code or software. As such, CBSA assesses that any potential security risk was minimal. However, it remains that, without authorization, a contractor assigned resources to work on ArriveCAN who were not listed on Task Authorizations and were not security cleared. This is a serious matter and this information has been provided to the PSPC Contracting Security program who is reviewing the compliance of vendors with security requirements.

What are the roles and responsibilities of the CBSA's new Executive Procurement Review Committee?
The Committee assesses all contracts and task authorizations above $40,000, approving and challenging proposed approaches with the goal of ensuring the best value for money in contracts and ensuring that mandatory criteria for vendors are not overly restrictive. The board is made up of a number of CBSA Vice-Presidents and Directors General from the Finance, Security, Information Technology, and Communications teams.

The number of releases of ArriveCAN between 2020 and 2022 in the OAG's audit is 177 (including 25 major updates), but the CBSA's website says there were more than 70 releases. How is this difference explained?
As COVID-19 Border Public Health Measures evolved there were more than 70 releases of ArriveCAN across three platforms (Android, iOS and web), including 25 major updates.

Those 70 releases equated to changing the various platforms 177 times (in other words, not all platforms needed to be changed for each release).

What has the CBSA done to respond to the Auditor General's finding that inadequate testing of ArriveCAN resulted in 10,000 travellers being sent to quarantine despite having provided proof of vaccination?
Given the constantly evolving pandemic environment and the requirement for 177 changes to the ArriveCAN application in 36 months, testing documentation was insufficient.

By June 2024 a procedure for streamlined documentation will be in place to increase agility in emergency situations while ensuring sufficient controls to document testing results prior to release to production.

What has the CBSA done to respond to the Auditor General's finding that GC Strategies was involved in the development of the requirements that were included in the Request for Proposal for their competitive contract?
This is not an acceptable practice. The CBSA has taken steps to ensure that all requirements flow through its Procurement team and that the CBSA's requirements will be posted, in a transparent manner, where companies can bid on them.

What has the CBSA done to respond to the Procurement Ombuds' finding that mandatory criteria for the contract that GC Strategies won for ArriveCAN were overly restrictive and undermined the fairness and openness of the bid solicitation process?
Overly restrictive criteria can give rise to an actual or perceived sense that a contracting decision has already been made. Procurement policies and guidance are clear on this point and the CBSA, aided by its new Procurement Review Committee, will abide by them.

What has the CBSA done to respond to the Procurement Ombuds' findings that 41% of contracts sampled were not proactively disclosed?
The CBSA has performed a review of to ensure that all contracts required to be proactively disclosed had been disclosed. Regular data validation is taking place to support the completeness and accuracy of proactively published contract information.

What has the CBSA done to respond to the Procurement Ombuds' findings that approximately 76% of resources proposed in winning bids did not perform work on the contracts?
To be clear, this doesn't mean no work was done. However, replacing individuals named on a vendor's solicitation bid is an allowable practice that is governed by the "Replacement of Specific Individuals" clause. While there may be legitimate reasons for some proposed resources being no longer available, we are reviewing these replacement resources to determine whether they did meet the qualifications set out in the contract.

What steps is the CBSA taking to re-validate the Conflict of Interest declarations of its employees and further strengthen financial and procurement controls to ensure that dual employment arrangements do not generate real, apparent, or perceived conflicts of interest?
The CBSA is working to implement a process through which all employees will validate or re-validate their Conflict of Interest attestation forms in fiscal year 2024 to 2025. A recurring process will then be put in place through which the accuracy of the information in every employee's Conflict of Interest form will be reviewed, re-validated, or updated as appropriate every six months.

With respect to procurement practices specifically, the CBSA is implementing a process through which all employees involved in procurement activities - whether that be as the Technical Authority, a bid evaluator, or any other associated role – will be required to certify that they do not have any conflicts of interest related to every procurement to which they are involved.

Externally, a process is being put in place that will require that all vendors with active IT services contracts certify that none of the resources that they provide to the CBSA are active public servants.

Some employee's name appears online as an employee of both CBSA and another department. How is this possible?
There are situation where employees may be employed in more than one department at the same time. For example, an office assistant at the CBSA may also work part-time for the Pay Centre on weekends.

This is referred to as dual remuneration and each case like this is reviewed on its own merits and mitigation measures are issued as required.

Will the CBSA's internal audit provide more information than the OAG and the Procurement Ombuds' reports, and when will it be complete?
The CBSA's internal audit is to go beyond the ArriveCAN procurement to more broadly assess the adequacy and effectiveness of the Agency's procurement planning processes, key contract management activities and fraud controls in place to support contracting and procurement activities between April 2022 and July 2023.

The completed audit is expected to be published online in the spring of 2024.

What is the status of the CBSA's internal investigation into the Botler allegations?
The internal investigation was begun in November 2022 and made known to the individuals under investigation in October 2023 following publication of information about the investigation in the media.

I would like to conclude the internal investigation as quickly as possible. However, as you may be aware, there is now an application for judicial review concerning the investigation before the Federal Court.

The Committee has heard about disciplinary action taken by other departments. Has there been disciplinary action taken for any CBSA employees?
Investigations are still ongoing, once complete, should there be founded allegations of misconduct, the investigation reports will be forwarded to the appropriate departments or agencies for their consideration of any action that might be appropriate.

Could the cost of the ArriveCAN application be higher than the $59.5 million identified by the OAG?
The Auditor General has acknowledged that it's difficult to be certain of total cost as a result of poor recordkeeping and management practices. CBSA has reported on the cost of ArriveCAN as a Border Public Health Measure while the OAG counted costs that included activities that occurred in parallel to, and following, the time period in which ArriveCAN was used as a Border Public Health Measure. The cost of ArriveCAN, as a Border Public Health Measure, was $55 million.

It has been reported that contractors working on ArriveCAN were paid for doing no work – how does the CBSA respond to this?
No contractors were paid for work that was not performed, including contractors who were brought in to replace contractors listed on bid solicitations who didn't ultimately work on a given Task Authorization.

Did any of the CBSA executives involved with ArriveCAN receive bonuses for their work?
CBSA executives may receive bonuses through the Performance Management Program for Executives, which encourages performance excellence by setting objectives, evaluating results, recognizing and rewarding performance, and providing a framework for performance management. Executives whose performance does not meet expectations or cannot be evaluated are not eligible for the performance award.

Retroactive revisions to a bonus are also possible and determined by deputy heads and managed at the level of each department or agency.

Precise information about an individual's compensation is considered personal information. Aggregate information about payments to executives is available publicly online for the CBSA and for other federal organizations, as is information about the salary ranges of executives.

How many times has ArriveCAN been used?
From April 2020 to March 2023 – the period of time in which it was being used as a Border Public Health Measure - the application was downloaded 20 million times and was used to facilitate over 60 million entries in to Canada.

From April 1 2023 to April 30, 2024 (post-Border Public Health Measures) travellers have used the optional customs declaration feature of the mobile application almost 4.5 million times to facilitate entry in to Canada. Currently, 15% of travellers arriving at participating airports are voluntarily submitting their declarations pre-arrival.

Now that it is no longer being used as a public health measure, what does the CBSA plan to do with its mobile application going forward?
The CBSA mobile application is now an optional tool for travellers who want to save time at the airport by providing their customs declaration in advance to the CBSA. This option is currently available for those who arrive at the Toronto, Vancouver, Montreal, Winnipeg, Halifax, Calgary, Edmonton, Québec City, Billy Bishop Toronto City and Ottawa international airports. The CBSA continues to expand use of mobile technology to make it easier and faster for travellers to come through the border.

What is the forecast annual cost of ArriveCAN?
At the outset of this fiscal year, the annual forecast for the maintenance of the mobile application that now helps us process travellers was approximately $3 million. The CBSA continues to report on these costs through quarterly Financial Statements.

According to the Auditor General's report, GC Strategies received $19.1 million for work on ArriveCAN while the CBSA's President has testified that they received less – how does the CBSA explain this difference?
The Auditor General has assessed costs from contractors, like GC Strategies, more broadly to include work that was taking place in parallel to, and after, ArriveCAN was being used as a Border Public Health Measure. Consequently, the Auditor General's assessed costs are higher because they include work on other projects like Mobile Border and the post-pandemic use of ArriveCAN as an optional tool for travellers to make customs declarations.

What is the status of any contracts the CBSA has in place with GC Strategies?
In November 2023, the CBSA asked PSPC to temporarily suspend all CBSA contracts with GC Strategies and two other companies. The relevant clause allows for this suspension for up to 180 days.

As a result of this request one contract with GC Strategies and six contracts with two other companies were temporarily suspended before being terminated, by PSPC, in March 2024.

What was the basis for the National Security Exception request that was used to justify the sole source contract that was put in place with GC Strategies to work on ArriveCAN?
At the onset of the pandemic, the National Security Exception in the Government Contracts Regulations was used for this contract based on the justification that the need was a pressing emergency in which delay would be injurious to the public interest.

What work did GC Strategies do on ArriveCAN?
CBSA staff were responsible for the management of the development of ArriveCAN. GC Strategies provided 37 resources as part of staff augmentation who worked alongside the CBSA team to develop ArriveCAN – this included work on the development of three versions and 70+ releases of ArriveCAN, as a Border Public Health Measure.

What projects has GC Strategies worked on for the CBSA?
Over the past 4 years CBSA had 4 contracts with GC strategies in which they provided resources to work on several projects, including: ArriveCAN; e-Commerce solutions for the CBSA's commercial programs; Mobile Border enhancements; and, testing and development work to implement accessibility enhancements to software.

What's the total amount the CBSA has spent on contracts with McKinsey & Company?
Since 2016 the CBSA has contracted with McKinsey & Company on three separate contracts (a fourth was ended before work began) at a combined value of $4.53 million. All of the work initiated under the CBSA's contracts with McKinsey & Company since 2016 has been completed. There are no additional costs pending for any of the contracts entered into with McKinsey & Company by the CBSA.

What expertise was provided by McKinsey for these contracts?
Like a number of companies the CBSA has contracted with, McKinsey & Company offered expertise that is not easily replicated with in-house resources. As a provider of specialized services in global trends and international standards and comparators, McKinsey & Company utilized proprietary tools and data unavailable to in-house resources to supplement and inform decision making.

However, the Agency will be looking into training staff to reduce its reliance on contractors. For example, whenever a contractor would be hired to complete a task on a project that requires a specific skill, the contractor would also cross-train in-house staff which will allow them to take over and complete the project instead of retaining that contractor long term.

How was McKinsey & Company selected for this work?
The CBSA's contracts with McKinsey & Company were awarded via competitive processes. In the case of the contracts for Business Consulting/Change Management Services and for Executive Transformation Services the Agency leveraged a Public Services and Procurement Canada (PSPC) supply arrangement. For the contract for a Value Management Office, a competitive process, run by PSPC, was used.

Did the CBSA change its procurement strategy in order to allow for McKinsey & Company's participation in the procurement process for contract 2018001129?
Contract 2018001129 – a contract for executive transformation services – was awarded following a competitive procurement process in which more than twenty companies were invited to submit bids during the request for proposal process. Upon the conclusion of the request for proposal process, McKinsey & Company was the only company to submit a bid. While documentation on file does not conclusively indicate that the CBSA changed its procurement strategy in order to allow for McKinsey's participation in the procurement process for contract 2018001129, it does raise concerns that McKinsey & Company could have been favoured by the CBSA during the procurement process.

As identified by both the Office of the Procurement Ombud and the CBSA's own internal audit function, documentation on file suggests that senior officials in the CBSA's then Chief Transformation Officer Branch had expressed a clear desire to ensure that McKinsey & Company was included in the request for proposal process. After having learned that McKinsey & Company was only pre-qualified under a solution-based supply arrangement and not a task-based supply arrangement, the Statement of Work was revised from a task-based requirement to a solution-based requirement. Documents outlining specifically why this change was made could not been located. The CBSA recognizes that the appearance of favouritism can undermine the perception of a fair, open, and transparent contractor selection process and acknowledges that there were shortcomings in the manner in which contract 2018001129 was managed.

Was all work completed under contract 2018001129 authorized via the use of a task authorization?
No, some of the work completed under contract 2018001129 was completed following receipt of instructions from representatives of the CBSA's project authority rather than following the issuance of a task authorization. This does not align with the standards outlined in the contract which required that work only be commenced following the issuance of a task authorization.

Concerns regarding this approach and poor recordkeeping with respect to the issuances of task authorizations under contract 2018001129 have been noted by both the Office of the Procurement Ombud and the CBSA's internal audit function. As of this year, the CBSA's Procurement Directorate has begun regular risk-based assurance reviews of procurement files in order to ensure that files are being maintained in a complete and consistent manner. This is one of a number of initiatives being undertaken to strengthen the Agency's procurement processes.

What is the CBSA Assessment and Revenue Management (CARM) project?
CARM is a multi-year project to replace the CBSA's 36-year old legacy systems used for the collection of duties and taxes at the border. The system, which will go live in May of 2024, will be responsible for the collection of approximately $40 billion per year in duties and taxes and protect and grow over $800 billion in annual cross-border trade.

Has the CBSA produced all documentation related to CARM requested by the Standing Committee on Government Operations and Estimates on March 18, 2024 and by the Standing Committee on International Trade on March 19 and 21, 2024?
Document production orders with respect to CARM from both the Standing Committee on Government Operations and Estimates and the Standing Committee on International Trade exceed 30,000 pages of material, the majority of which is technical documentation that is particularly challenging to translate.

A first tranche of materials was provided to the Standing Committee on Government Operations and Estimates on April 3, 2024 and to the Standing Committee on International Trade on April 11, 2024. All outstanding material is in the process of translation and will be provided to both Committees as it becomes available.

CARM Release 2 was supposed to go live for Trade Chain Partners on May 13, 2024 but has now, instead, been delayed to October 2024 – what is the reason for this delay?
As planned, CARM successfully launched for use by CBSA employees on May 13, 2024. With this launch, the CBSA will be able to begin using CARM to advance the Agency's compliance and enforcement efforts through improved identification of errors and discrepancies in duty and tax submissions, helping the CBSA to protect and grow almost $40 billion in revenue each year.

While the CBSA was looking forward to also launching CARM for trade chain partners on May 13, 2024, the strike vote activity underway by the Public Service Alliance of Canada has prompted the Agency to reschedule the launch of CARM for trade chain partners to October 2024. Doing so will help to ensure that in the days and weeks following the launch of CARM for trade chain partners, all of the CBSA will be available and ready to support the Agency's partners as they adjust to CARM.