Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of Large Departments and Agencies: Contracting Information Systems and Monitoring



Introduction

The Treasury Board Policy on Internal Audit, which came into effect April 2006, requires the Comptroller General to lead horizontal audits in large departments and agencies (LDAs).  Horizontal audits are designed to address risks that transcend individual departments in order to report on the state of governance, controls and risk management across the federal government. This report presents the results of the horizontal audit of Contracting Information Systems and Monitoring.     

The principal authoritative reference governing contracting is the Treasury Board Policy on Contracting, along with key government policies and frameworks, including the Management Accountability Framework, the Policy on Responsibilities and Organization for Comptrollership, the Policy on Active Monitoring, and the Policy on Risk Management.

The objectives of the audit were to provide reasonable assurance that management receives reliable and relevant information on contracting to support informed decision making, risk management, and effective disclosure, and that governance structures are in place to review and act upon contracting trends and risks. The scope of this engagement included contracting information systems and monitoring mechanisms that were in place between January 2008 and September 2008 in nine LDAs.

Why It’s Important

Contracting and procurement are used extensively by all LDAs to acquire the goods and services needed to help achieve their goals and objectives, and to deliver their mandates.  Contracting and procurement have traditionally been higher risk activity areas, given the complexity of the compliance environment and rules and regulations established by the Central Agencies.  More recently, government-wide contracting and procurement practices have come under increased public scrutiny.  Canadians and Central Agencies expect that federal organizations have appropriate management systems and practices in place to monitor contracting compliance, performance, and risks on an ongoing basis.  It is expected that these management systems protect the integrity of contracting information, as well as provide senior management with reliable and relevant information to make informed decisions regarding the management of contracting and procurement activities within their departments.

In order to meet these expectations and meet the accountability requirements for contracting, it has become increasingly important to obtain relevant, reliable, and timely contracting information for decision-making.  It is essential that senior management in federal departments and agencies have the right contracting information to support their oversight roles, long term planning decisions and risk mitigation strategies with respect to the contracting function at various levels within the department.

Overall Assessment

Governance and management practices of contracting information systems and the monitoring of these activities were the focus of the audit engagement. In plain language, the audit team sought to respond to the question:    

“Does management have access to adequate information and do they have measures in place to monitor and act upon trends and emerging risks regarding contracting?”

While LDAs are beginning to make strides to have the appropriate structure and measures in place to act upon trends and risks regarding contracting, the audit identified an opportunity to move contracting information management from a transactional focus to a more strategic and integrated focus.  A more strategic approach that focuses on risks and trends at the entity level would support monitoring and risk management activities and allow departments to respond to changes and priorities more effectively.

Overall, the audit found that information, for the most part, is adequately captured and reliable systems and processes are in place to help ensure data is accurate. However, the contracting data is not being used to the fullest extent to produce the required reporting and information for management decision-making. The contracting data is used to support monitoring activities; however, most of the monitoring is directed at the contract, project or branch level or related to Central Agency requirements such as proactive disclosure. The majority of LDAs examined are not showing evidence of active monitoring at the entity level to identify department-wide risks and trends. For instance, trend analysis could provide relevant information to identify potential savings or changing risk levels.

The focus of most LDAs is on transaction-based activity, including ensuring that individual contract approval and management processes are in place and are operating effectively. This transactional focus is evident from the operating level up to senior management level. For example, the focus and mandate of many Contract Review Committees is to approve specific large contracts or monitor specific risks on a single contract.

There is an opportunity to advance to a strategy-based model of monitoring and risk management that would improve management effectiveness and apply the principles of active monitoring with regard to contracting activities.

Innovative and good practices were identified during the audit.  Documentation of contracting processes which included the identification of key control activities supporting data reliability practices was observed.   Several LDAs have established a contract management committee or review board to deal with difficult issues, help to ensure contracting instruments are being properly utilized and provide general oversight of contracting to assist in risk mitigation.  The other departments examined are in the process of establishing a contract oversight review committee.    

Statement of Assurance

In my professional judgment as Executive Director, Systems, Forensic and Horizontal Audits, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the nine LDAs examined. The evidence was gathered in compliance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.  

 

_______________________________________________________
Sylvain Michaud
Executive Director, Systems, Forensic and Horizontal Audits
Internal Audit Sector, Office of the Comptroller General of Canada

Main Findings

Reliable Information:  Information, for the most part, is adequately captured and reliable systems and processes are in place to help ensure data is accurate.  Contracting processes are documented for the majority of LDAs, while the remainder have informal procedures documented for certain portions of the process.  Also, automated controls are in place to mitigate data integrity risks.  Improvement opportunities exist related to the documentation of data integrity risks and key controls.  Further, roles and responsibilities related to the capturing, processing, monitoring and testing of contracting data need to be clearly defined. 

Relevant Information Requirements:  All LDAs have identified information required to meet ad hoc requirements related to contracting activities.  The vast majority of the LDAs have not identified contracting information needs to support risk management and decision making at the entity level.  As a result, the information required to monitor and act upon trends and emerging risks regarding contracting is not readily available.  Improvement opportunities exist to clearly identify the information requirements and fully exploit the capability of existing information systems to ensure that the right contracting information is available in a timely manner which can be relied upon to support day-to-day monitoring practices, oversight activities, and long term planning processes. 

Monitoring: The majority of LDAs have implemented monitoring mechanisms. However, the focus is generally at the transactional, project or branch level to assess compliance with relevant policies and regulations. The LDAs do not have a formal risk-based approach to contract monitoring. There is an opportunity to advance to a strategy-based model of monitoring and risk management to improve management effectiveness and apply the principles of active monitoring with regard to contracting activities.

Reporting: Reporting is generally ad hoc and transactional in nature. Other than Central Agency reporting requirements, there is little or no other systematic reporting generated to provide information in support of decision making and risk management processes. There is an opportunity to implement strategic reporting processes to support LDAs in their assessment of performance, in their ability to address trends and deficiencies in management practices and controls, and to enable better communication to effect change.

Audit Objectives and Scope

The objectives of the audit were to provide reasonable assurance that:

  • management receives reliable and relevant information on contracting to support informed decision making, risk management, and effective disclosure; and
  • governance structures are in place to review and act upon contracting trends and risks.

The scope of this engagement included contracting information systems and monitoring processes that were in place between January 2008 and September 2008 in nine LDAs.   The engagement did not assess grants and contribution arrangements nor interdepartmental arrangements.

Audit Approach

The work completed under this audit included various tests, as considered necessary, to provide reasonable assurance that audit objectives were achieved.  Consultants were engaged to support the Office of the Comptroller General audit team in the conduct of this horizontal audit engagement.  The consultants assisted in the planning, conduct and reporting phase of the audit.       

The audit engagement work was completed in two phases.

Phase 1:  This phase consisted of a preliminary survey, identification of risks and key audit criteria, and the development of the audit program.  During this phase, contracting data was gathered from all LDAs for a risk assessment to assist in the selection of organizations to include in the audit engagement. 

A questionnaire was sent to, and responses were received from, all LDAs. The questionnaire focused on contracting risks, controls, reporting, monitoring and governance. Documents were gathered to support the responses. Based on the contracting data, documents provided and analysis of the responses received, departments and agencies were selected for the audit based upon higher risk. Specifically, organizations were selected based on a spectrum of organizational complexity, procurement and contracting complexity, degree of formalized processes and proportion of service contracts. Based on these selection criteria, nine LDAs were selected for the conduct phase of the audit. See ANNEX A for a list of LDAs included in this audit.

As part of the audit program, audit criteria were established to measure practices against established and accepted sound management practices.  Audit tools and testing procedures were developed and applied for each of the criteria for this audit and included the gathering of evidence and analysis related to the criteria listed in ANNEX B. 

Phase 2:  The conduct and reporting phases consisted of the execution of the audit program.  Audit procedures were used including interviews with key stakeholders, documentation review and analysis.  Documentation and interview notes were analyzed and compared to key controls for each criterion for the purpose of assessing results and findings.  The nine LDAs were then assessed as to whether they fully met the audit criteria, met them with some exceptions, or did not meet them.  This provided a basis for reporting results horizontally and identifying trends and patterns. 

Management Action Plans:  The findings and recommendations of this audit were presented to each department included in the scope of the audit.  These departments have reviewed the recommendations, provided responses and developed management action plans as they deemed necessary.  The Departmental Audit Committees of those departments will be briefed on the audit findings and the departmental responses.  They may also be requested by the deputy head to recommend for approval the management action plans.  The Departmental Audit Committees will periodically receive reports from management on the actions taken where management action plans are in place.

Deputy heads of other large departments will take into account the results of this horizontal internal audit and will ensure that management action plans are developed where they deem necessary.  The Departmental Audit Committee of these departments will be briefed regarding this audit.