Executive summary

The Canada Revenue Agency (CRA) Act provides the commissioner with full authority to contract for goods and services (with the exception of legal services and specific IT hardware, software, telecommunications, and telephony products and services). Once contracts are awarded, contract administration ensures that all parties fulfill their obligations by monitoring performance, verifying deliverables, managing amendments, and ensuring compliance with the terms of the contracts and the relevant legislation.

Contracted goods and services spending within the CRA (excluding catalogue purchases) amounted to $197.7 million in fiscal year 2022 to 2023 and $190.2 million in fiscal year 2023 to 2024. Effective contract administration is essential to ensure that goods and services are delivered as stipulated, resources are used efficiently, and contractual obligations are met in alignment with policies and regulations.
The audit objective was to provide the Commissioner, CRA management, and the Board of Management with assurance that awarded contracts are managed and executed through to completion in accordance with agreed upon terms and conditions and applicable CRA policies and procedures.

Overall, the audit concluded that processes and procedures are in place to support the execution and management of awarded contracts in compliance with agreed upon terms and conditions and applicable CRA policies and procedures through to completion. Using data analytics and a risk-based approach, the audit highlighted opportunities for enhancing the efficiency and effectiveness (including compliance) of the contract administration process. While the findings are reflective of the selected transactions reviewed and should not be interpreted as representative of the entire population of contracts, they revealed opportunities to strengthen monitoring, increase compliance awareness, improve documentation practices, and ensure data integrity.

Summary of recommendations

To enhance the efficiency and effectiveness (including compliance) of the contract administration process, improvements are recommended in the following areas:

• reviewing the Procurement Planning and Administration Procedures and addressing gaps to ensure that the CRA's contracts are properly managed, and that issues are identified and addressed in a timely manner
• improving procurement policies and practices for managing professional services consultants by:
  • maintaining proper documentation and justification for contracting decisions related to task authorizations
  • ensuring appropriate separation between employees and consultants
  • considering implementing measures to support risk-based monitoring of long-term consultants, and
  • considering integrating knowledge transfer requirements into the contract administration process
• enhancing data integrity within the Corporate Administrative System by reviewing and updating controls to ensure information is accurate and complete, and that data integrity issues are identified and addressed in a timely manner

Management response

The Finance and Administration Branch agrees with the recommendations in this report and has developed related action plans. The Audit, Evaluation, and Risk Branch has determined that the action plans appear reasonable to address the recommendations.

Introduction

The Canada Revenue Agency (CRA) Act provides the commissioner with full authority to contract for goods and services (with the exception of legal services and specific IT hardware, software, telecommunications, and telephony products and services). Once contracts are awarded, contract administration ensures that all parties fulfill their obligations by monitoring performance, verifying deliverables, managing amendments and ensuring compliance with the terms of the contracts and the relevant legislation.

The Administration Directorate under the Finance and Administration Branch (FAB) has the functional authority for procurement and contracting activities within the CRA. This includes responsibility for the strategies, plans, and management approaches needed to satisfy the CRA's procurement requirements, as well as the management, administration, and reporting obligations involved.

The CRA's Procurement Policy provides direction on the guiding principles and objectives of CRA procurement, as well as related management and reporting obligations and associated roles and responsibilities.

The CRA's Procurement Policy also specifies the roles and responsibilities of the project authority, who is responsible for ensuring that contract management is consistent with procurement policy and processes as well as functional direction and processes. As defined in the Procurement Planning and Administration Procedures, the contracting authority is responsible for the overall management and administration of the contract, while the project authority oversees the technical aspects of the contract, playing a key role in monitoring performance and verifying and approving deliverables.
The Financial Administration Act is the cornerstone of the legal framework for financial management and accountability in the Government of Canada. Section 34 of the Financial Administration Act is a key element of procurement and requires project authorities with delegated financial authorities to certify that work was performed, goods or services were rendered, and the price charged is in accordance with the contract.

Contracted goods and services spending within the CRA (excluding catalogue purchases) amounted to $197.7 million in fiscal year 2022 to 2023 and $190.2 million in fiscal year 2023 to 2024. Effective contract administration is essential to ensure that goods and services are delivered as stipulated, resources are used efficiently, and contractual obligations are met in alignment with policies and regulations.

Focus of the audit

This internal audit was launched on December 28, 2023, and was included in the 2023-2024 Risk-Based Assurance and Advisory Plan, which was approved by the Board of Management (Board) in March 2023. The Assignment Planning Memorandum was approved by the Commissioner on September 16, 2024.

Importance

This audit is important because contract administration involves multiple stakeholders, there is a high volume of contracts, and significant spending on contracted resources (professional services). Effective contract administration is critical to ensuring sound financial management, compliance with policies and regulation, and the successful delivery of services to Canadians.

Objective

The audit objective was to provide the Commissioner, CRA management, and the Board with assurance that awarded contracts are managed and executed through to completion in accordance with agreed upon terms and conditions and applicable CRA policies and procedures.

Scope

The audit covered valid contracts and amendments awarded between April 1, 2022, and March 31, 2024.

Audit criteria and methodology

The audit criteria and methodology can be found in Appendix A.

The examination phase of the audit took place from July 2024 to October 2024.Footnote 1

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

Findings, recommendations, and action plans

The recommendations presented in this report address issues of high significance or mandatory requirements.

The Finance and Administration Branch agrees with the recommendations in this report and has developed related action plans. The Audit, Evaluation, and Risk Branch has determined that the action plans appear reasonable to address the recommendations.

Adherence to policy instruments

Background

CRA contract administration activities must comply with established requirements defined in the procurement policy suite and with financial controls identified in the Financial Administration Act. The Financial Administration Act is supported by the CRA's Directive on Delegation of Spending, Financial and Other Authorities for Agency and Administered Activities.

According to Section 34 – Certification Authority (Account Verification) of the Financial Administration Act, before a payment is made, managers exercising their financial authorities must ensure that work specified in contracts has actually been performed, that goods have been received, and that the amount(s) charged agree with the price stipulated in the contract.

To support individuals with delegated authority under Section 34, the Administration Directorate provides functional advice, guidance, and support to assist CRA employees in carrying out their delegated procurement authority.

Findings

The audit expected that contracts and related payments are managed in accordance with CRA policies and guidelines, and that goods and services are delivered in accordance with the provisions, and within the duration, of the contract or amendment.

Documentation to support Section 34

For a sample of 25 contracting expense transactions incurred during the scope period, the audit found that sufficient appropriate evidence was on file to indicate that the project authority had adequately exercised their certification authority (section 34 of the Financial Administration Act). This included confirming that goods and services were delivered in accordance with the provisions and within the duration of the contract or amendment.

Risk-based testing

The Administration Directorate conducts ongoing monitoring of contracting activities, including reviews to identify situations when employees acquire goods or services from a supplier without having a legally binding contractual document in place.

The audit team performed risk-based analysis and testing of the contracting data and identified situations in which no contract was in place at the time when goods or services were acquired. The majority of these non-compliant transactions had been identified by the Administration Directorate as part of their monitoring, however, there are a few exceptions that were not captured (refer to Appendix C for details). In addition, the audit found an instance where the contract awarded value was exceeded without a valid and approved amendment document.

The audit team also performed risk-based analysis and testing of the combined payments and contracting data and found other errors, including payments for goods or services made without a valid contract, services provided before the contract was awarded, and invoice allocated against the wrong contract (see Appendix C for detailed test results).

Why it matters

Policies and procedures for effective contract administration ensure compliance, accountability, and transparency in managing public funds. Non-adherence to these can result in potential misappropriation of public funds, diminished public trust and reputational damage.

Draft recommendation #1

The Finance and Administration Branch (FAB) should review the Procurement Planning and Administration Procedures and address gaps to ensure that the CRA's contracts are properly managed, and that issues are identified. The review should include, but is not limited to, strengthening awareness of procurement policy instruments as well as reviewing the monitoring algorithms to ensure issues related to the validity and timing of contract payments are addressed.

Management Response #1

The FAB has monitoring practices in place that allow for the detection of non-compliance as demonstrated by the audit findings. The FAB agrees that opportunities exist to further strengthen adherence to policy instruments and the Branch is committed to addressing the audit recommendation via the following action plan.

Action plan #1

The FAB will review and update existing policy direction to ensure the roles and responsibilities of cost centre managers (CCM) and business owners/project authorities (clients) as they relate to the management of contracts are more clearly articulated. This includes further clarifying expectations around the proper validation and approval of invoices relating to contracts. The FAB will also increase communication of key elements of established procurement processes and policies to CCMs, clients, and contracting authorities in order to increase awareness and support enhanced compliance. Additionally, and in order to further increase oversight over non-compliant after-the-fact (ATF) contracting situations, the FAB will share their annual ATF dashboard with the Procurement Review and Oversight Committee.

Expanding and clarifying roles and responsibilities of CCMs and clients, coupled with creating greater awareness on how to avoid unauthorized contracting actions, will reduce the risk of after-the-fact contracting situations and ensure the CRA's procurement activities withstand public scrutiny.

The key FAB deliverables will be centered around the following three themes:

Policy review and update:

• Enhance the Procurement Planning and Administration Procedures by incorporating a detailed roles and responsibilities matrix covering key parties such as CCMs and clients. The matrix will outline responsibilities across the procurement lifecycle from contract award through to contract administration, including clarity around the validation of invoices to ensure accuracy – to be completed by March 2026

Communication and awareness:

• Communicate the new roles and responsibilities matrix to all CCMs – to be completed by April 2026
• Disseminate key elements of procurement processes and policy requirements to contracting authorities, specifically regarding timely contract amendments – to be completed by April 2025
• Incorporate best practices and cautionary advice on contract management into the annual Contracting Awareness Month presentations – starting November 2025, and continue annually

Monitoring and oversight

• Share the annual ATF dashboard with the Procurement Review and Oversight Committee to increase visibility and awareness of non-compliance scenarios – Starting September 2025, and continue annually

Management of professional services through task authorizations and long-term professional services consultants

Background

The CRA relies on task authorizations under the Professional Services Supply Chain (PSSC) to procure professional services, with $59.9 million spent on such contracts in fiscal year 2022 to 2023 and $58 million spent in fiscal year 2023 to 2024. This represents 30% of the total spent on contracted goods and services, excluding catalogue purchases. See Appendix D for a breakdown of PSSC spending by CRA branch.

As stipulated in the CRA's Contracts Directive, procurement decisions should be risk-based, appropriate, and driven by business needs. In addition, according to the Procurement Planning and Administration Procedures, a CRA procurement contract must not result in the establishment of an employer-employee relationship. To implement this requirement, the Contracting Division of the Finance and Administration Branch sends an email to the project authorities to provide guidance outlining appropriate interaction between employees and consultants. The Contractor Identification Protocol clause in professional services contracts also requires consultants to self-identify as such in all their electronic interactions with CRA employees.

Although not mandatory for the CRA, the Treasury Board Directive on the Management of Procurement, updated in May 2024, outside the scope of the audit period, now requires project authorities to "consider and document alternative approaches to procurement for achieving organizational goals as well as how the potential procurement approach aligns with their organization's mandate, priorities and plans". The Treasury Board Directive on the Management of Procurement also outlines the requirement for project authorities to consider what knowledge is required to be transferred from the consultant to the organization when developing statements of work and descriptions of tasks, and, if applicable, include such requirements in the contract or task authorization.

Findings

The audit expected that the CRA has well-defined roles and responsibilities and a documented process to manage task authorizations, which ensures that business needs align with strategic goals, and maintains transparency when managing consultants, including controls to prevent employer-employee relationships and accurate identification of professional services consultants in the CRA's email system.

The audit found that CRA policy instruments generally define the necessary monitoring roles and responsibilities for project authorities and contracting authorities. However, the CRA's Contracts Directive requirement for procurement decisions to be risk-based, appropriate, and driven by business needs does not apply to contracted professional services delivered through task authorizations, as they are a procurement instrument against an existing contract, authorizing specific work by a consultant on an "as-and-when-requested" basis. The audit could not identify clear guidance and enforcement for documenting procurement decisions prior to issuing task authorizations.

Furthermore, the audit found that there is insufficient documentation and processes to support awareness of mitigating the establishment of employer-employee relationships with consultants, particularly when there is a change in the project authority over the duration of the task authorization. Additionally, only 54% of PSSC consultants were appropriately identified as "Consultant" or "Contractor" in the CRA's email system.

During the scope period, there was no requirement to track long-term consultants. Although a repository of PSSC consultants exists updates to the repository are manual and prone to human error. The audit reviewed the repository of PSSC consultants and identified errors in 15% of entries.

The audit reviewed the relevant CRA policy instruments governing the administration of contracting activities and noted that there are currently no requirements to assess and specify what knowledge should be transferred from the professional services consultant to the CRA when developing statements of work and descriptions of tasks.

Why it matters

Effective management of task authorizations and long-term professional services consultants is critical to ensuring transparency, accountability, and the efficient use of public resources within the CRA. Specifically:

• gaps in documentation increase the risk of not being able to demonstrate due diligence in decision-making, such as consideration of over-reliance on external resources, and the organization's capacity to build internal expertise
• misrepresentation of the relationship between the employer and the consultant could result in legal, financial or tax liabilities for the CRA or the consultant
• the lack of an accurate central repository of professional services consultants could lead to reduced transparency and accountability and could increase the risk of conflicts of interest or overbilling
• the lack of knowledge transfer from consultants to employees could hinder the organization's ability to build internal capacity, thus increasing reliance on external expertise

Draft recommendation #2

The Finance and Administration Branch (FAB), in collaboration with relevant branches and regions, should improve its Procurement Planning and Administration Procedures to ensure that appropriate supporting documentation and justification for issuing task authorizations are maintained in the contract files.

The FAB should also:

• update its direction on roles and responsibilities and develop and disseminate associated communication materials to ensure project authorities are informed of their contract administration responsibilities, including appropriate separation between employees and consultants
• consider implementing measures to support risk-based monitoring of the use of long-term consultants
• consider reviewing and updating procurement corporate policy instruments to incorporate elements of the Treasury Board Directive on the Management of Procurement as applicable (including knowledge transfer process requirements)

Management Response #2

The FAB procurement policy instruments generally define the necessary roles and responsibilities of key partners involved in contracting activities including raising awareness of the risk of establishing an employee-employer relationship with consultants. Recognizing that the majority of contracted resources are IT consultants, and that IT consultants currently represent only 4% of total IT resources at the CRA (with employees making up the rest), the FAB does not deem the risk of over-reliance on IT consultants to be high. However, the FAB agrees that opportunities exist to further strengthen the policy requirements related to the use of consultants and is committed on addressing the audit recommendations via the following action plan.

Action plan #2

The FAB will review and update existing policy direction to ensure the roles and responsibilities of CCM and clients as they relate to the management of professional services contracts are clearly articulated and well communicated. This will be supplemented with an annual communication to CCMs outlining best practices for managing contracted resources. Additionally, the FAB will update its standard communication to clients upon the award of such contracts to better articulate the risks of employer-employee relationships and how best to avoid them. The FAB will also develop and implement a new requirement for all clients to complete a pre-procurement justification form outlining their rationale for requiring the services of contracted resources.

The FAB will also update its policy direction to require that knowledge transfer plans be considered in professional services contracts, as appropriate, and will update its contracting templates to include clauses and associated instructions supporting the incorporation of such plans in professional services contracts and task authorizations.

Additionally, the FAB will formalize its current monitoring and reporting activities as they related to the use of long-term consultants engaged under the CRA's Professional Services Supply Chain (PSSC). While the CRA engages consultants through other contracting arrangements, the risk of establishing long-term contractual relationships with consultants is most significant under the PSSC.

Expanding and clarifying roles and responsibilities of CCMs and clients relating to the management of professional services contracts, strengthening communications regarding the risks of managing contractor resources, coupled with the introduction of greater scrutiny and oversight around the need to engage contracted resources and the subsequent requirement to consider the implementation of knowledge transfer plans when such resources are engaged will not only strengthen compliance with procurement policy direction and reduce the risks associated with such activities, it will also support informed and transparent decision making and ensure that the CRA can build its internal capacity in support of reducing the risk of dependence on contracted resources. Additionally, having greater visibility over long-term consultants will ensure greater awareness and oversight and allow for informed decision making as well as the implementation of mitigation measures, as deemed necessary.

Key FAB deliverables will be centered around the following three themes:

Policy and template updates:

• Review and update the Procurement Planning and Administration Procedures to:
  • Expand and clarify roles and responsibilities of CCMs and clients in managing professional service contracts – to be completed by March 2026
  • Include provisions for integrating knowledge transfer plans in contracts and task authorizations – to be completed by March 2026
• Enhance service contracting templates with clauses mandating the consideration of relevant knowledge transfer prior to contract completion, as applicable – to be completed by April 2026

Monitoring, justification, and oversight:

• Develop and implement a pre-procurement justification form, requiring CCMs and clients to document service requirements, including cost-benefit analysis and risk assessment – to be completed by April 2026
• Formalize reporting of all long-term consultants under the CRA's Professional Services Supply Chain – to be completed by April 2025

Communication enhancement:

• Update standard communications to CCMs and clients upon contract award to better articulate the risks of employer-employee relationships and share best practices – to be completed by December 2025
• Send an annual communication to CCMs emphasizing best practices for managing contracted resources starting – starting January 2026
• Communicate updates to the Procurement Planning and Administration Procedures, new knowledge transfer clauses, and the pre-procurement justification form to contracting authorities and CCMs – to be completed by April 2026

Systems integration and data integrity

Background

Under the CRA Procurement Planning and Administration Procedures, contracting authorities are responsible for ensuring that procurement files are kept up-to-date and fully documented to show how, why, and when decisions were made.
The CRA relies on multiple systems to manage contract data, amendments, and financial transactions, including the Procurement Approval and Oversight tool, the Corporate Administrative System (CAS), Fieldglass, and Synergy 2.0. See Appendix B for more information on these systems.

Accurate data entry and integration across these systems are critical for maintaining the integrity of the contract administration process.

Findings

Given that the CAS is the main system of record, the audit expected that information in the CAS is accurate, complete, and free of data anomalies.

The audit identified data accuracy and integration issues across the CAS, Fieldglass, and Synergy 2.0, as well as a lack of a repository of amendments. Refer to Appendix E for detailed test results. As data integrity issues across systems may have implications and significance beyond the scope of the transactions reviewed in this audit, they were identified to the Finance and Administration Branch for analysis and follow up.

Why it matters

It is important that transaction data for contracting activities be recorded in an accurate manner in the CAS to support decision making and oversight. The impact of any inaccuracies in external reporting was not assessed as part of the audit.

Draft recommendation #3

The Finance and Administration Branch (FAB) should review and update its controls to ensure that information in the Corporate Administrative System (CAS) is accurate and complete, and that data integrity issues are identified and addressed in a timely manner.

Management response #3

The FAB has controls in place to ensure the accuracy of data in support of invoice payments and disclosure on the Open Government Portal. Given that the impact on external reporting was not assessed during the audit, the FAB reviewed the accuracy of the information contained in the 203 contracts identified in the audit report. No inaccuracies were identified with respect to amounts paid and publicly disclosed. The FAB agrees that opportunities exist to further enhance the system integration issues identified and the Branch is committed to addressing the audit recommendation via the following action plan.

Action plan #3

The FAB actions will be centered around three themes that aim to promote accurate and transparent reporting, essential for internal and external disclosures, including responses to parliamentary and media inquiries, Access to Information and Privacy requests, and maintaining public trust:
Policy and instructional updates:

• Review and update CAS procurement coding instructions to ensure they are streamlined, clear, and user-friendly, thus reducing misunderstandings and supporting compliance – to be completed by March 2026

Data integrity and monitoring:

• Conduct quarterly data integrity reviews to identify coding errors or issues, reporting findings to the director of the Contracting Division and the director general of the Administration Directorate – to be completed by January 2026
• Enhance the monthly procurement data validation process:
  • Implement conditional formatting and color coding to highlight fields that may require correction or posing a risk of inaccuracy – completed in July 2024
  • Engage the Client Support Section of the Contracting Division to review data for potential inaccuracies and anomalies, annotating reports sent to assistant directors for further validation by their teams – completed in July 2024 and ongoing

System integration and improvement:

• Collaborate with the Information Technology Branch (ITB) to deploy a temporary manual solution for data integrity risks, while ITB works on a permanent technical solution – to be implemented in February 2025

Other Areas Tested

The audit found that project authorities were monitoring vendor performance and any performance issues were resolved in a timely manner. In addition, contracting for professional services through task authorization was supported by an assessment of qualification requirements, clear deliverables, task descriptions as well as estimated costs related to the contracted activity.

Conclusion

The audit concluded that processes and procedures are in place to support the execution and management of awarded contracts with agreed upon terms and conditions and applicable CRA policies and procedures through to completion. However, to enhance the efficiency and effectiveness (including compliance) of the contract administration process, improvements are recommended in the following areas:

• reviewing the Procurement Planning and Administration Procedures and addressing gaps to ensure that the CRA's contracts are properly managed, and that issues are identified and addressed in a timely manner
• improving procurement policies and practices for managing professional services consultants by:
  • maintaining proper documentation and justification for contracting decisions related to task authorizations
  • ensuring appropriate separation between employees and consultants
  • considering implementing measures to support risk-based monitoring of long-term consultants, and
  • consider integrating knowledge transfer requirements into the contract administration process
• enhancing data integrity within the Corporate Administrative System by reviewing and updating controls to ensure information is accurate and complete, and that data integrity issues are identified and addressed in a timely manner

Acknowledgement

In closing, the Audit, Evaluation, and Risk Branch would like to acknowledge and thank the Finance and Administration Branch and the Information Technology Branch for the time dedicated and the information provided during the course of this engagement.

Appendices

Appendix A: Audit criteria and methodology

Audit criteria

Based on the Audit, Evaluation, and Risk Branch's risk assessment, interviews and document reviews, the following lines of enquiry were identified:

Audit criteria

Criteria	Sub-criteria
1. Contracts are managed in accordance with CRA policies and procedures.	1.1 Roles and responsibilities for oversight and monitoring of contract delivery are defined and documented.
	1.2 Goods or services are delivered in accordance with the provisions and within the duration of the contract/amendment.
	1.3 Vendor performance is monitored, and any performance issues are resolved on a timely basis.
	1.4 Task authorization contracts are supported by an assessment of qualification requirements, clear deliverables, task descriptions as well as estimated costs related to the contracted activity.
2. Amendments to existing contracts are processed in compliance with relevant contracting policies and procedures and are in the best interest of the Agency.	2.1 Amendments are properly justified, documented and issued before the contract expiry date.
3. Contracting for professional services is based on identified need and supported by risk-based benefit analysis	3.1 The decision to use professional services contractorsFootnote 2 is justified and documented and there is a process in place for knowledge transfer and handover of the final product.
	3.2 The use of long-term contractors is risk-based, appropriate and driven by business needs.

Audit methodology

A limited number of contracts and amendments were selected for testing based on professional judgment and risk factors, following the internal audit's sampling methodology. Based on the high percentage of professional service contracts managed in the information technology space, the sample included a higher percentage of contracts managed by the Information Technology Branch.

The methodology used in the examination included the following:

• Documentation and file review: reviewed and analyzed contract and amendment documentation, including policy instruments, Corporate Administrative System (CAS) entries, invoices, packing slips, statements of work, qualification requirements, resource categories, timesheets, task authorizations, amendment justifications, meeting records, monitoring evidence, procurement risk assessment analyses, and knowledge transfer plans.
• Roles and responsibilities review: reviewed the different stakeholders' roles and responsibilities related to the contract administration process.

• Data analysis: reviewed and analyzed data from the systems and tools used in contract administration, including the CAS, Fieldglass, and Synergy 2.0.
• Process review: reviewed and analyzed the contract administration process in place in branches and regions and its related controls.
• Governance review: reviewed the monitoring and oversight process and controls related to contract administration.
• Interviews: interviewed select management and staff at Headquarters.

Appendix B: Glossary

Glossary

Term	Definition
Contract	An agreement between the CRA and a person or firm to provide a good, perform a service, construct a work, or to lease real property for appropriate consideration.
Contract amendment	An agreed addition to, deletion from, correction of, or modification of a contract.
Contracting authority	A CRA employee who is a designated specialist with responsibility for contracting for goods and services on behalf of the CRA.
Consultant	An individual contracted to provide specialized advice, expertise, or service to the CRA.
Corporate Administrative System (CAS)	An enterprise resource planning system that serves as the central repository for most of the Agency's corporate human resources, material, facilities, and financial data, including procurement and related financial transactions (for example, purchase requisitions, purchase orders, and payments).
Fieldglass	A cloud-based e-procurement tool that is used to hire and manage resources contracted under the Professional Services Supply Chain (PSSC) arrangement, including the awarding of task authorizations, the approval of timesheets, and the payment of invoices.
Procurement Approval and Oversight tool	A web-based tool used to develop and monitor procurement approval forms, as well as to provide compliance oversight.
Professional Services Supply Chain (PSSC)	The CRA's supply arrangement for the provision of information technology and administrative professional services. It is designed to respond to requirements resulting from increased workloads, the need for outside expertise, and to satisfy short-term project requirements.
Project authority	The officer assigned the responsibility for all matters concerning the technical or pedagogical content of the work under a contract, including reviewing and approving the output.
Purchase order	A contract document in the CAS, used to authorize expenditures, track procurement activities, and ensure that purchases are made in compliance with the contract terms.
Statement of work	The definition of the work to be performed under a proposed or actual contract.
Synergy 2.0	A cloud-based e-procurement tool that provides a complete procure-to-pay solution at the CRA.
Task authorization	A procurement instrument against an existing contract (such as a PSSC master agreement), authorizing specific work by a consultant on an "as-and-when-requested" basis. It is used when the precise nature and timing of the need could not be established in advance during the initial contract award process.

Appendix C: Detailed test results – Adherence to procurement policy instruments

The audit team performed risk-based testing on the contracting data using data analysis, as detailed below.

The audit performed a test for cut-off and identified 30 purchase orders for which the award date was after the contract validity date, out of 3,381 purchase orders issued against contracts valid between April 1, 2022, and March 31, 2024. The team tested these purchase orders to assess whether the goods and services were delivered before the contract award. 21 out of 30 purchase orders tested were non-compliant, and the contract should have been amended or a new contract should have been awarded.

Detailed test results – Adherence to procurement policy instruments

Instances identified by data analytics	Issue	Non-compliant purchase orders
		Identified by the audit	From the transactions identified by the audit, the number of transactions identified by FAB monitoring activities
30 purchase orders for which the award date was after the contract validity date	The goods or services were provided to the project authority outside the agreed upon contract period	10/30	8
	Payments were approved by the delegated manager/project authority against a purchase order without an existing contract, and not in compliance with CRA contracting policies	10/30	10
	The contract awarded value was exceeded by the project authority without proper authorization documented on file	1/30	1

Data analysis performed by the audit identified 27 cases where the date at which the invoice was issued appeared to be prior to the contract award date, from the total of 16,841 payments made against contracts valid between April 1, 2022, and March 31, 2024. The audit team tested 13 invoices from the 27 potential anomalies (not previously identified by FAB monitoring activities) by examining supporting documentation for these invoices to verify whether the invoiced work fell within the contract or amendment period. The team identified the following issues.

Issues identified

Instances identified by data analytics	Issue	Non-compliant transactions
27 invoices that were issued prior to the contract award date	Payments were approved by the delegated manager/project authority against a purchase order without an existing contract	3/13
	The vendor provided the delegated manager/ project authority services before the contract was awarded	2/13
	The transaction was allocated against the wrong contract with the same vendor by the project authority	1/13

The audit team also reviewed documentation for 5 contract amendments out of a targeted population of 262 in the Corporate Administrative System that were approved after the contract expiry, out of 2,446 amendmentsFootnote 3. In 1 out of 5 amendments reviewed, the contract awarded value was exceeded without a valid and approved amendment document.

Appendix D: Professional Services Supply Chain spending by branch

Figure 1 shows the amounts spent on professional services contracting using task authorizations under the PSSC from April 1, 2022, to March 31, 2024. The Information Technology Branch spent $100.9 million or 85% of the total amount, the Public Affairs Branch spent $6.8 million or 6%, the Security Branch spent $3.3 million or 3%, and other branches spent $6.9 million or 6%.

Figure 1: Amounts spent on professional services contracting

Appendix E: Detailed test results – Data integrity and accuracy of information

Contracts

The audit team made a judgmental selection of 20 contracts out of a population of 203 contracts for which the amount delivered exceeded the contract-approved value in the CAS for fiscal years 2022 to 2023 and 2023 to 2024. In all cases, the amounts delivered did not actually exceed the approved contract value. However, for 12 out of 20 contracts, variances were due to data integration issues between the systems.

Failure rate from a judgmental selection of 20 contracts

Expected procedure	Failure rate
Total approved amount entered in Fieldglass matches the amount in the CAS	10/20
Total delivered amount (sum of goods or services receipt) entered in Synergy 2.0 matches the information in the CAS	2/20

From the population of contracts that were valid between April 1, 2022, and March 31, 2024, the audit team reviewed 30 purchase orders for which the award date was after the contract validity date. Six out of 30 purchase orders had incorrect award or validity dates entered in the CAS.

In addition, the audit team made a risk-based selection of 13 invoices from the payments made against contracts valid between April 1, 2022, and March 31, 2024, out of the 27 for which the invoice was issued prior to the contract award date. Four out of 13 sampled transactions contained the incorrect document or contract award date in the CAS.

Amendments

The audit team reviewed 20 amendment transactions out of a population of 2,446 amendment transactions from the CASFootnote 4. For 8 of the 20 amendment transactions, information entered in the CAS included errors in amendment type, amount, or date.

These issues were caused by data integration issues, system limitations, and manual input errors.

Issues caused by data integration issues, system limitations, and manual input errors

Issue	Affected amendment transactions
Errors due to system integration issues or system limitations	4/20
Manual input errors	3/20
Combination of manual input errors and system limitations	1/20

In addition, of the 20 amendment transactions in the CAS, 9 were not actual amendments. The audit team also observed that the existing processes do not require all amendments to be recorded in the CAS.