Procurement practice review of Shared Services Canada New

Mandatory criteria

In all but 1 file, mandatory criteria were aligned with requirements; however, a majority of files did not contain clearly stated, demonstrable and measurable mandatory criteria. As well, in 3 files, the mandatory criteria were overly restrictive.

20. In 19 of 21 applicable files reviewed with mandatory criteria , the criteria were aligned with requirements. However, in 13 of 21 files, mandatory criteria were not communicated in a clear, precise and measurable manner. There were an additional 3 files in which the mandatory criteria were overly restrictive.

Unclear or unmeasurable mandatory criteria & misalignment with requirements

21. Unclear mandatory criteria can undermine the transparency and openness of the bid solicitation process and can cause bidders to submit non-compliant proposals because the requirements are not well understood. It also limits SSC’s effectiveness in assessing a supplier’s ability to meet the essential elements of the work to be performed and substantiating the disqualification of a bid for not meeting these vague criteria. As well, when mandatory criteria are not aligned with the requirement, SSC runs the risk of disqualifying potentially capable bidders or conversely, awarding contracts to bidders that may not be qualified to undertake the work. Examples of mandatory criteria that were unclear or unmeasurable and misaligned with the requirement included the following:

1. In 1 file, mandatory criteria were not aligned with the requirements. The solicitation process issued under the supply arrangement for Task and Solutions Professional Services (TSPS) was seeking resources in multiple categories including the TSPS Stream 4 resource category of “Financial/Cost Specialist for Real Property". The estimated number of resources for Stream 4 outlined in the volumetric data was equal to the estimates for all other resources categories sought (i.e. 8 resources per year). However, there were no mandatory corporate criteria included in the solicitation related to Stream 4. Other than references to the name and descriptor of the Stream and Category, the term “Financial/Cost Specialist for Real Property" only appeared once in the Statement of Work (SOW) under the description of support services. As the TSPS search result list only included suppliers qualified on all the selected categories, the inclusion of this category may have impacted the number of suppliers invited to bid on this requirement.
2. In 5 files, mandatory criteria required bidders to demonstrate ‘experience’ but did not specify the type of experience or the amount of experience that was required. For example, in a solicitation for facilitator consultants, mandatory criteria required the proposed resource to have “experience facilitating virtual sessions.” However, the amount of experience required was not specified in the criterion. As a result, as little as one day of experience would have resulted in the criterion being met. In such circumstances, the requirement should be tailored to specify the amount of experience that was essential to perform the work. Further, in 2 files, mandatory criteria did not clearly specify the type of experience required to satisfy the criteria. For instance, in a file for IT technical services, the mandatory criteria required either a three year college diploma or university degree at the Bachelor level in certain explicitly stated fields but would also “…accept from another IT related field.” It would be difficult for SSC to find a bid non-compliant to this criterion if a proposed resource held a degree in any field.
3. In 10 files, the mandatory criteria involved the bidder stating something in its bid which could only be assessed based on an event occurring in the future. For example, in a file for an Enterprise Perimeter Security (EPS) Solution, a mandatory criterion required the bidder to “seek consent from an authorized person or representative of SSC to transmit any information (e.g. usage statistics, URLs visited, etc.) outside the SSC corporate network.” As the transmission of information would be conducted by the contractor in the future once the contract is underway, this cannot be demonstrated beforehand at the solicitation stage. Such requirements belong in the contract awarded to the successful bidder as they relate to the performance of the required services in the future, whereas mandatory criteria are used to confirm skills or experience held by the supplier at the time of bid closing.

Restrictive mandatory criteria

22. Overly restrictive mandatory criteria can undermine the fairness and openness of the bid solicitation process by restricting the number of suppliers capable of submitting a compliant proposal. Such criteria further limit SSC’s ability to obtain competitively priced alternatives capable of meeting its operational requirements.

23. There were 3 files for which the mandatory criteria were unnecessarily restrictive or appeared to unnecessarily favour a bidder or group of bidders. As a result even though these were competitive procurement processes, there was little opportunity for competition:

1. In 3 files, the mandatory criteria appeared to favour a bidder or bidders by requiring the bidder to demonstrate past delivery of services specifically for SSC. For example, in one file a point-rated criterion advised bidders that points would be awarded according to their delivery of services to “SSC’s branches” using one of the contracts provided by the bidder under the mandatory criteria. This creates restrictiveness in the mandatory criteria since in order to obtain points for this point-rated criteria, at least one of the contracts presented under the mandatory criteria must have been for the delivery of services to SSC. In another file, a mandatory criterion required that the proposed resource demonstrated one project with “senior executives at SSC within the last two (2) years where senior executive is defined as at the Director General level or above.” It is noted that only one bid was received to this requirement despite over 30 suppliers having been invited to participate. These types of restrictive criteria may limit competition and create real or perceived instances of favouritism. The Canadian Free Trade Agreement (CFTA), which applied to both of these procurement processes, prohibits limiting participation in a procurement only to suppliers that have previously been awarded one or more contracts by the procuring entity. A third file (to which the CFTA did not apply) details similar criteria and is captured in the point-rated criteria section of this report.
2. In 1 file, the mandatory criteria was overly restrictive in the experience required of the bidder’s proposed resources. In the solicitation process referenced in the second example above, the mandatory criterion required the bidder to propose a senior project executive with “…a minimum of twenty (20) years of professional consulting experience with Canadian public sector organizations where a minimum of ten (10) years is with the Government of Canada within the last 25 years.” The TSPS flexible grid for a senior Project Leader/Executive category requires 100 minimum points, of which 65 points can be gained if the resource has more than 10 years of experience. As such, the requirement for the resource to have 20 years of experience far exceeds the TSPS flexible grid for this category and strongly hints at bias in favour of a preferred supplier. As previously noted, despite inviting more than 30 suppliers, only one bid was received and deemed compliant.

Point-rated criteria

For the most part, point-rated criteria were not overly restrictive, were aligned with the requirement and reflected the relative importance of the criteria; however, point-rated criteria and scoring grids could be improved to increase clarity and minimize subjectivity.

24. Section 10.7.25 of the TBCP states that “criteria should identify accurately all the performance elements significant to the success of the project and should measure both the competence of the firm and the worth of its particular technical approach.”

25. In 13 of 15 applicable files reviewed, point-rated criteria were aligned with requirements and reflected the relative importance of the criteria. However, in 6 files, the point-rated criteria and scoring grids were not clearly communicated in the solicitation document. As well, 3 files were found to contain overly restrictive point-rated criteria.

26. The 3 files which contained point-rated criteria that were overly restrictive and not aligned with the requirement were the following:

1. In 1 file for the provision IT professional services using Task-Based Informatics Professional Services (TBIPS), a supplier raised concerns surrounding the fact that multiple resource requirements in point-rated criteria were inconsistent with the TBIPS resource categories and this was “extremely limiting to the pool of qualified candidates providing bidders little chance of qualifying without previous knowledge of this requirement.” The point-rated criteria required the B.2 Business Architect to have experience including data integration and modeling. In the TBIPS category descriptions, these tasks align with those of an I.4 Database Modeller / Information Management Modeller and are not found in the description of the B.2 Business Architect. The supplier requested that the solicitation be amended to add a separate stream to accurately reflect the requirement. SSC responded that the requested resources needed to have this experience and no changes were made to the requirement. Another supplier also noted an apparent misalignment of tasks compared to the resource categories sought which appeared to better align with a different resource category. There was no direct response from SSC to this point. These misalignments may have made it difficult for suppliers to propose resources with the requested experience and may have restricted competition. Ultimately, the incumbent won this requirement and achieved full points for the applicable resources under these criteria.
2. In 2 files, the point-rated criteria required the bidder demonstrate past delivery of services for SSC. For example in 1 file, a corporate point-rated criterion awarded points for work “performed directly for SSC under 3 or more distinct resource categories” by the proposed resource. This experience was to be demonstrated using a reference contract to be provided under a mandatory corporate criterion. This is restrictive because in order to obtain maximum points under the point-rated criterion, the reference contract used under the corresponding mandatory criterion had to have been awarded by SSC. Further, this point-rated criterion awarded points if the reference contract included work performed by resources under “3 or more” distinct resource categories. However, this requirement was only seeking one resource category. As such, it’s not clear why additional points would be awarded for demonstrating the ability to provide more than one resource category as this does not appear relevant to the requirement.

27. In 6 files, point-rated criteria or scoring grids could be communicated in a clearer and more precise manner to minimize subjectivity. Examples included the following:

1. In 2 files, scoring grids contained conflicting statements regarding the maximum number of points to be awarded. For instance, in one file for IT professional services, the solicitation document stated “Total available points for all resources is 270.” However, since only 3 resources were to be assessed out of 70 points each, there were only 210 total available points for all resources.
2. In 4 files, the point allocation scheme was unclear. For example, in a file for the provision of non-IT professional services, a point-rated criterion was separated in two parts, Part A and Part B, with the maximum points for each “part” being 200 points. The bidder was asked to provide up to 4 unique reference contracts (i.e. contracts that had not been referenced in the bidder’s responses to the mandatory criteria). For both Part A and Part B, the scoring scheme stated “for each different contract 45 points” and went on to state “for each different contract 5 points - Note to the Bidder: A maximum of four (4) reference contracts will be evaluated. No extra points will be awarded for additional reference contracts”. It is unclear how the additional 5 points would be applied or why the scores were not simply 50 points per reference contract. In another file, points for a corporate point-rated criterion were awarded (in part) depending on the bidder’s ability to provide a “detailed description of the Bidder’s resources”. The number of points awarded depended on if the description was “detailed”, “standard” or simply “a description…elements are missing”. It is unclear what would constitute a “standard” description versus a “detailed” one.
3. In 2 files, the point-rated criteria contained vague or undefined terms. For example, in a file for Enterprise Business Analytics Program services, the point-rated criteria stated “The Bidder should demonstrate that the proposed resource has three (3) years of experience interfacing with a Government of Canada and/or a large private sector organization’s Human Resource and Finance systems to load a Data Warehouse.” It is not clear what would constitute a “large” organization as no definition was provided.

28. When evaluation criteria are communicated in a clear, precise and measurable manner, it enables bidders to know the requirements and the methods by which their proposals will be evaluated. Failure to adequately define evaluation criteria at the outset carries the additional risk that evaluators may struggle to interpret these criteria during the evaluation process. It can also be difficult to defend against external challenges to the evaluation process, as it is more difficult to demonstrate that criteria have been strictly adhered to when the criteria are unclear and open to multiple interpretations.

Recommendation 1:

Selection methodology

The selection methodology was aligned with the requirement in all files and was clearly communicated in all but 1 file.

29. In all files, selection methodologies were aligned with requirements and common methodologies were used such as “lowest priced responsive bid” and “highest responsive combined rating of technical merit and price”. In 1 file, the selection methodology in the solicitation contained contradictory statements.

1. In 1 file for non-IT professional services, the selection methodology was not clearly communicated in the solicitation document. The selection methodology was 70% for technical merit and 30% for price. The Basis of Selection stated “The total possible Final Technical Score is 80 while the total possible Final Financial Score is 20.” Contradictory information such as this makes it difficult for potential bidders to know how to structure the technical and financial components of their bids.

Line of enquiry 2: To determine whether solicitation documents and organizational practices during the bid solicitation period were consistent with applicable laws, regulations and policies

30. The TBCP sets out detailed procedures to ensure that government contracting is carried out in a manner that enhances access, competition and fairness and results in best value. Section 10.7 of the TBCP includes the minimum requirements to be included in the solicitation document as well as mandatory elements related to the design and execution of the process.

31. The DMP states CAs are responsible for conducting procurements on behalf of the department or agency, and establishing contracts and contractual arrangements based on sound procurement principles, including fairness, openness and transparency to obtain best value.

32. Solicitation documents must contain work descriptions or specifications defined in terms of clear outputs or performance requirements. Solicitation documents should include: bidder instructions; bid preparation instructions; clear evaluation procedures; certification requirements; security and financial requirements; resulting contract clauses; and instructions informing bidders they may request information on the results of solicitation processes and how their bid was evaluated. Clarity of provided information is key in supporting the Government of Canada’s obligations laid out in the TBCP and the DMP.

33. This LOE applied to 35 of the files reviewed. Solicitation documents (excluding evaluation criteria and selection plans that were assessed under LOE 1) were assessed to determine whether they, among other things, contained a clear description of the requirement and instructions necessary to prepare a compliant bid. The assessment of organizational practices included factors such as whether the solicitation was open to the appropriate number of bidders and for the required duration, and whether communications with suppliers supported the preparation of responsive bids.

Solicitation documents and processes

Most of the files reviewed included clear and complete information about the requirement and instructions for submitting compliant bids, and the majority of files met the documentation and process requirements.

34. In 28 of the 30 applicable files, solicitation documents included clear and complete information and instructions to permit the submission of compliant bids. However, in 2 files, the solicitation did not contain a clear description of requirements. In addition, 2 files contained inappropriate or incomplete instructions to bidders.

35. An example of a solicitation that did not contain a clear description of requirements was the following:

1. In 2 files the terms of the resulting contracts were not clearly communicated to bidders. For example, in a file for the provision of non-IT professional services, the solicitation document stated “It is intended to result in the award up to two (2) contracts (sic) for two (2) year period, plus four (4) additional one (1) year irrevocable options allowing Canada to extend the term of each contract.” For the purposes of the financial evaluation, the bidders were asked to include their per diem rates into a table. However, the table only provided for option periods 1, 2 & 3 – not option period 4. The resulting contracts included four (4) 1-year options; however, bidders were never required to provide their per diem rates for the fourth option year in their bid. As such, it was unclear as to what rates would be applied if SSC were to exercise the fourth option year. In SSC’s response to this observation, SSC confirmed this was an administrative error and stated the contracts would be amended to reflect three 1-year option periods.

36. Examples of solicitations that contained inappropriate or incomplete instructions to bidders included the following:

1. In 1 file for the provision of data center equipment, there was no bid enquiry period. The solicitation document stated “All enquiries must be submitted in writing to the Contracting Authority no later than ten (10) calendar days before the bid closing date. Enquiries received after that time may not be answered.” The solicitation was released on March 15 and closed on March 22 (8 calendar days). As a result, effectively there was no bid enquiry period.
2. In another file for the provision of IT infrastructure components, the solicitation document did not provide any details regarding the bid enquiry process. As detailed further below, the exclusion of this information impacted the supplier’s ability to seek clarification during the solicitation period.

Communication with suppliers

In 14 of the applicable 22 files (i.e. those with communications with suppliers during the solicitation period), there was evidence communications with suppliers were appropriate; however, there were 5 files where this was not the case. Issues regarding the communication of solicitation results were also identified.

37. Section 2 of the TBCP states: “Government contracting shall be conducted in a manner that will: (a) stand the test of public scrutiny in matters of prudence and probity, facilitate access, encourage competition, and reflect fairness in the spending of public funds.” Section 12.3.1 of the TBCP states: “Procurement files shall be established and structured to facilitate management oversight with a complete audit trail that contains contracting details related to relevant communications and decisions…” Section 4.10.1 of the DMP also states the Contracting Authority is responsible for “…ensuring that accurate and comprehensive procurement records are created and maintained on the contract file to facilitate management oversight and audit…” These requirements apply to all aspects of the procurement process, including interactions with suppliers.

38. For procurements subject to the Canadian Free Trade Agreement and the World Trade Organization—Agreement on Government Procurement, section 12.3.2 of the TBCP requires contracting authorities ensure all communications with bidders are supported by complete documentation and records to demonstrate that the procurement process was carried out in accordance with the agreements. Any significant information given by a contracting authority to a supplier with respect to a particular procurement must also be given simultaneously to all other interested suppliers. Details of OPO’s review are presented below.

39. There were 22 files which contained communications with suppliers. However, of these 22 files, 3 were missing documentation which prevented OPO from assessing the communications under this LOE. Of the remaining files, 2 files indicated not all suppliers were provided with the same information at the same time, and the bid enquiry process and/or responses from SSC in 4 files did not support the preparation of responsive bids.

Unequal Access to Necessary Information in 2 files

40. In 2 files, not all bidders had access to the same information at the same time. For example, in 1 file for branded equipment, suppliers were permitted to bid equivalent products. The original equipment manufacturer (OEM) asked if SSC would accept a substitute of the same branded equipment sought “…equal in functionality and also supports an additional feature…” This question was sent to the Technical Authority who first inquired “Who is asking (sic) question…the reason I asked is because individually they might be similar but how well do the proposed substitute work with other components? I don’t see an issue if the proposal is put forth by (the OEM) for they are the subject experts but will be hesitant if it’s suggested by (the other supplier).” In response, the Contracting Authority confirmed that the OEM had posed the question. Ultimately, the technical team confirmed that the answer to this question would be “yes” and this response was only shared with the OEM (not the other supplier). Firstly, the identity of the supplier posing questions should not be disclosed to the Technical Authority and the answers to questions posed prior to bid closing should be the same, regardless of who poses the question. Second, responses to such questions must be provided to all potential bidders at the same time. The failure to do so in this case both denies other suppliers the opportunity to bid equivalent products, and jeopardizes the fairness and transparency of the procurement process.

Responses to supplier questions or the related process did not support the preparation of responsive bids in 4 files.

41. In 2 files, the bid enquiry process was problematic:

1. In 1 file for IT infrastructure components, the bid enquiry process was unfair. In an apparent effort not to delay the requirement after having received various questions, the Contracting Authority advised the suppliers that any vendors who had not submitted any questions could “…submit up to 5 questions by end of business day today.” The purpose of the bid enquiry period is to allow suppliers an opportunity to clarify the process and/or requirement in order to help support the submission of responsive bids. The restriction imposed by SSC to only allow for 5 questions to be asked within an extremely short time frame (i.e. “end of business” that same day) after only having been provided the solicitation the previous day, does not support this aim. By imposing this deadline, suppliers were also not permitted the opportunity to pose further follow-up questions on the answers SSC would be providing the next afternoon. Further, only suppliers who had “not submitted any questions” were permitted to submit up to 5 questions. This arbitrary restriction put any supplier who had asked previous questions at a disadvantage. Had all suppliers been made aware of the bid enquiry deadline from the beginning, a supplier who asked questions previously may have chosen to include additional questions in their original submission since it was their only opportunity to do so.
2. In another file, a supplier question asked during the bid enquiry period was not answered. The solicitation document stated: “All enquiries must be submitted in writing to the Contracting Authority no later than five (5) calendar days before the bid closing date. Enquiries received after that time may not be answered.” Before being extended to July 28th, the original closing date was July 14th and the deadline for questions was July 9th. On July 9th, the bid closing date was extended to July 28th, effectively also extending the deadline for questions to July 23rd. On July 10th a supplier asked a question and in response, the Contracting Authority advised the bid enquiry period had closed and felt that further clarification was not required. The question should have been accepted and response shared with all invited suppliers.

42. In 3 files, responses to suppliers were not clear. For example:

1. In 1 file for branded equipment where equivalent products could be proposed, a supplier asked “What is needed to substantiate that we are providing equivalent? Do we have to demonstrate the whole solution or at an individual part level?” and in response, SSC stated “…Whatever the vendor proposes as equivalent must meet/exceed the capacity and performance…” After this response was provided to bidders, a member of the SSC team raised concerns about this phrasing of “meet/exceed” as it was felt that the vendor may require further insight into what may be required to demonstrate equivalence and that ‘exceeding’ the requirement was not required. This concern was not addressed based on the emails on file and the response from SSC regarding the need to “meet/exceed” was never modified.
2. In 1 file, the response provided by SSC to a question posed by a supplier did not address the question posed. A supplier asked “Is the Crown looking for a contract of over 60+ months where the bidder resources worked “with project stakeholders on governance frameworks and transformation project change management performance management” or a combination of projects amounting to 60+ months in the past 5 years?”. In response, SSC simply stated “Confirmed”. It is unclear based on this response which of the two scenarios outlined in the supplier’s question SSC was looking for.

43. Further, communication of solicitation results was found to be inconsistent or did not occur in all applicable files. In 5 files to which domestic and/or international trade agreements applied, a contract award notice was not published on the government electronic tendering system (GETS) (i.e. www.buyandsell.gc.ca) as required. For 3 of these files, SSC has confirmed to OPO that contract award notices will be posted in short order. In 1 of the other 2 files, SSC acknowledged the oversight, however it is not clear based on their response if an award notice is forthcoming. In the other file, SSC provided OPO with a link to the award notification published in their internal procurement system; however, trade agreements require contract award notices be published to GETS. Publishing contract award notices provides transparency in the award process, informs potential suppliers on the state of the market and the goods and services currently being procured by the federal government, and allows unsuccessful bidders to seek detailed debriefings or avail themselves of potential recourse mechanisms such as OPO or the Canadian International Trade Tribunal.

Recommendation 2:

Bid evaluation

Inconsistencies in the evaluation of bids and deviations from the planned approach were noted in over half of applicable files.

48. In the 31 applicable files reviewed, 16 files showed inconsistencies in the evaluation of bids and deviations from the planned approach. As well, of the files reviewed several were impacted by the absence of key documents including the solicitation and complete bid evaluations which meant file documentation did not always support the evaluation of bids and the selection of the successful supplier. These files are discussed in further detail in the file documentation section below. There were also multiple instances in which the evaluation was not carried out in accordance with the solicitation, as presented below.

49. In 3 files, contracts were not awarded in accordance with the basis of selection detailed in the solicitation or in the related standing offer or supply arrangement. For example:

• In a file for provision of network testing equipment, the terms of the Supply Arrangement (SA) contracting procedure were not followed and the resulting contract was inappropriately sole sourced and should have been competed. SSC sought a quote from a supply arrangement holder. The total price of the quote was $24,706.39. Using the exact quote amount for SSC’s estimated expenditure value, SSC completed the Sole Source and Limited Tendering Certification (SSLTC) form.
  It is noted that in order to protect the fairness of the procurement process, departments should not contact prospective suppliers, share information about an upcoming requirement and request pricing information through a non-competitive process prior to establishing an estimate for the acquisition of the goods or services. These estimates should have been established and documented on file prior to contact being made. Further, per the terms of the SA, “For requirements where the estimated price is between $5,000 and $25,000, all-inclusive (taxes included): Bid solicitations are to be issued by the Identified User (IU) to at least three (3) Supply Arrangement holders authorized for the region of delivery.” As such, a sole source process was not appropriate in this case and a competitive process should have been conducted.
• In the 2 other files, based on the limited documentation, SSC could not demonstrate that the basis of selection was followed. For example in 1 file, the standing offer stipulated that when the value is $25,000 or less, the technical authority can choose a selection methodology of “right of first refusal” or can issue a call-up directly to a listed SO-holder regardless of ranking. When the value is above $25,000, the “right of first refusal” method must be used. As the resulting value of the call-up was $26,400, it appears that “right of first refusal” method should have been used. However, based on the documentation on file, there was no evidence that this process was followed.

50. In 3 files, bids incorrectly underwent financial evaluation. In 2 files, bids were evaluated and identified as non-compliant based on technical criteria, then underwent financial evaluation. In both of these cases, SSC responded to OPO’s finding and stated “This was addressed in subsequent requirements where only the compliant bids were financially evaluated.” The example below details another file where a non-compliant bid was incorrectly assessed and identified as compliant to the technical criteria and was further reviewed as part of the financial evaluation.

• In 1 file, a bid was evaluated as not having met the minimum point requirement for the corporate point-rated criteria (the bid obtained 85 points, but needed a minimum of 129.5 points to pass). However, the evaluators continued to assess the bid against the resource point-rated criteria. Further, the bid did not meet the overall combined minimum score for both the corporate and resource point-rated criteria (minimum was 227.5 points and the bidder scored 225 points). However, the bidder’s financial bid was then evaluated and was determined to have finished 10th place of 11 bids. Of these 11 bids, the highest ranked 6 bidders were awarded contracts. Since the financial evaluation was done using median bands limits which are based on the firm per diem rates proposed by all technically responsive bids, the inclusion of this bidder’s firm per diem skewed the median band limits to be applied. It was noted that while the inclusion of this non-compliant bidder’s rates impacted the scoring, in this case the same 6 suppliers would have been awarded the contracts even if this bidder’s proposal was not included in the assessment.

51. In 1 file, based on the limited documentation, it appears that bid repair was permitted. Clarifications which do not change the substance or price of a bid may be requested and accepted. However, if a response provided leads to a substantial change in the bid, this is considered bid repair.

• During the evaluation period, the Contracting Authority sent the sole bidder a request for clarification on their bid as permitted under the terms of the solicitation. However, in the request, the Contracting Authority advised “Please find attached (the)…Compliance Matrix Clarification Spreadsheet for full detail and return…Note that the absence of the aforementioned information did not permit SSC to complete its Technical Evaluation of your proposal submission.” The document provided was a Microsoft Word document which included all of the various SOW sub-criteria to be addressed by the bidder. As SSC asked the bidder to provide additional information that was “absent” from their original bid submission in order to complete their evaluation, the request extended beyond that of simple bid clarification. Per the SSC Procurement Manual, “Any response, which leads to a substantial change in the bid is considered bid repair and must not be considered in the bid evaluation.”

52. In 9 files, the evaluation grid was not identical to the evaluation criteria found in the solicitation document (3.1.1) Examples included the following:

• In 3 files, clarifications made to criteria during the bid enquiry period were not reflected accordingly in the evaluation grids and do not appear to have been taken into account by the evaluators.
• In 2 files, the evaluation grids did not reproduce the full text of the criteria and as a result, opting instead to using keywords or phrases to represent the criteria to evaluators. It is not clear that evaluators assessed all relevant elements of the criteria. In 1 file, the available points for point-rated criteria were not accurately reflected in the evaluation grid.
• In 3 files, the evaluation grids wholly excluded criteria that were to be assessed. For example, in 1 file the solicitation document stated that bids needed to meet all Corporate and Resource mandatory criteria and obtain the required minimum of 70% for the Corporate and Resource point-rated criteria. However, the completed evaluations only included the corporate mandatory and corporate point-rated criteria (not the resource mandatory or resource point-rated criteria).

53. Further, in 7 files, the financial bid evaluation process was not carried out in accordance with the planned approach. In these files, only one Enterprise IT Procurement (EITP) employee was involved in the financial evaluation of the bids. Per SSC’s Procurement Manual, “For any competitive procurement requiring contract entry approval of the DG or above, more than one EITP employee must be involved in the financial evaluation of the bids.” SSC has acknowledged this breach of policy and replied that they will ensure that there is an additional review on the financial evaluation on future solicitations that require DG approval.

54. Evaluations not conducted consistently and in the manner prescribed by the solicitation call into question the integrity of the procurement process. By not adhering strictly to the evaluation criteria, SSC has exposed itself to the risk that ambiguities in the selection process result in the contract being wrongly awarded. It also means SSC may not be able to defend and explain its decisions and actions and prove that they were made in accordance with the applicable laws, regulations, and policies.

Recommendation 3:

File documentation

In the majority of files, file documentation was incomplete.

55. Section 12.3.1 of the TBCP requires that procurement files facilitate management oversight with a complete audit trail containing details related to relevant communications and decisions, including the identification of the involved officials and contracting approval authorities. Section 4.10.1 of the DMP also states the Contracting Authority is responsible for “…ensuring that accurate and comprehensive procurement records are created and maintained on the contract file to facilitate management oversight and audit…” SSC’s Procurement Manual further states that the Contracting Authority has the “responsibility to ensure current electronic procurement files[…] are complete.” The requirement to ensure adequate file documentation extends to the actions undertaken during the solicitation period, the evaluation of bids, as well as the overall procurement file.

56. In 18 out of the applicable 32 files, sufficient documentation was not on file to support the evaluation of bids. This included instances where: individual or consensus evaluations were missing evaluator names, signatures, and/or dates; documents were absent (e.g., missing individual, consensus and financial evaluations); and no or few comments in consensus evaluations supporting findings of non-compliance or the assessment and allocation of points for point-rated evaluation criteria. More specifically in the case of contracts awarded through SSC’s Network Solutions Supply Chain (NSSC) vehicle, which awards contracts to agreement holders using an RFQ process based on lowest price, documentation did not always support the financial evaluation and the selection of the successful supplier. For example:

• In 2 files, evaluation documents on file were inadequate to support that the prescribed process was followed. In both of these files, the evaluators were not identified.
• In one of these files, there was insufficient documentation on file to confirm that the lowest price bid was selected. SSC has noted an evaluation form specific to the NSSC vehicle is being developed to strengthen the electronic procurement records.

57. Further, procurement file documentation was found to be incomplete in 19 out of 37 files. Examples of incomplete file documentation included missing conflict of interest documents signed by all evaluators, procurement and contracting approval documents, finalized versions of solicitation documents shared with bidders, and SSC committee minutes supporting procurement strategy review and endorsement.

58. Incomplete procurement files result in inadequately supported procurement actions that risk undermining the integrity, fairness and transparency of the procurement process. Keeping complete and detailed evaluation records is crucial for demonstrating that evaluation criteria have been applied equally to all competing bids, and demonstrating that the procurement has been carried out in a manner consistent with SSC’s obligations under the TBCP, DMP, SSC Procurement Manual and applicable trade agreements. SSC’s Procurement Manual does provide guidance regarding electronic record keeping including document and folder naming conventions and provides lists of the documentation that should be saved in procurement files.

Recommendation 4:

Have oversight bodies been established and communicated?

Oversight bodies have been established and communicated; however, opportunities for improvement regarding quorum requirements and governance committee minutes were identified.

62. Oversight within the Framework is accomplished through several internal governance committees. These committees act in an advisory capacity, provide guidance and oversight, and perform a challenge function with regard to the proposed procurement strategy for all procurements subject to governance review. Governance committee review is triggered by the responsible procurement officer completing a risk assessment, which will prompt the need for governance oversight depending on risks selected.

63. Three SSC governance committees fulfill key controls in the Framework. Each committee is responsible for reviewing and endorsing the procurement strategy based on the procurement’s identified risk level:

• The Procurement Executive Committee reviews and endorses all “Risk Level 1” procurements,
• The Procurement Review Board reviews and endorses all “Risk Level 2” procurements, and
• The Finance, Investment and Internal Management Board reviews and endorses all “Risk Level 3” procurements.

For all risk levels, endorsement must be provided before the solicitation process can be initiated. These roles are clearly established in the Terms of Reference for the Procurement Executive Committee and the Procurement Review Board, with responsibility resting with the chair of the committees, who, in both cases, is the Director General, EITP.

64. The Finance, Investment and Internal Management Board is SSC’s executive financial management, investment and internal services forum, whose mandate extends beyond procurement to include the oversight of financial resources, investment activities, corporate wide plans, strategies, policy frameworks and reports. The Terms of Reference for this committee delegates authority to the co-chairs (Executive Vice-President and Assistant Deputy Minister/Chief Financial Officer) for monitoring compliance with TB policies including procurement. The Terms of Reference do not explicitly state that the committee must endorse all level 3 procurements prior to the initiation of the process; however, all procurements submitted to the committee for review must be accompanied by a presentation deck that clearly indicates what decision is being sought (i.e. endorsement of the procurement activity). This mitigates the risk that the committee may be unprepared to review procurement files.

65. Risk assessments are carried out in accordance with the Procurement Governance Framework Risk Ladder Model, which categorizes procurements according to three levels of risk that correspond to the presence of one or more pre-determined criteria. These criteria include risk factors such as the use of SSC exceptional authorities, invocation of the National Security Exception (NSE), if the requirement is for new (and renewed) methods of supply, if the estimated value of the procurement is above certain dollar thresholds, among other factors that increase the risk, complexity, or scope of the procurement. Procurements meeting the criteria for risk levels 1, 2, or 3 are subject to review by the applicable governance committee(s). Procurements can also be raised for governance committee review at the discretion of an executive from EITP. In each case where governance committee review has been triggered, the procurement activity must be endorsed by the applicable committee(s) prior to the initiation of the solicitation process. The following table details how the identified risk level is addressed within the governance structure:

66. Quorum requirements are clearly documented in the Terms of Reference for the Procurement Review Board and the Finance, Investment and Internal Management Board but not for the Procurement Executive Committee. As the Procurement Executive Committee fulfills a key control and endorses the procurement strategy for all “Risk Level 1” procurements, there is a risk that attendance at any given meeting is insufficient and does not support informed decision-making.

67. Terms of Reference for the three key committees under the Framework allow members to designate a delegate, and either specify the minimum level (e.g. director or above) or require delegates to be approved, which is a good practice. The sampled files under this version of the Framework included “Risk Level 1” and “Risk Level 2” procurements which were subject to Procurement Executive Committee or Procurement Review Board oversight. Committee minutes reviewed did not identify levels of members or who delegates were, if applicable, and in the case of the Procurement Review Board, did not indicate that quorum requirements were verified. This increases the risk that both quorum and level requirements are not consistently respected to ensure appropriate attendance by individuals with the knowledge and expertise to detect procurement risks and support informed decision-making.

68. In order to improve procurement planning and reduce instances of last-minute renewals, extensions and “urgent” procurements, SSC has established the Contract Management Review Committee. A sub-committee of the Procurement Review Board, the Contract Management Review Committee reviews active contracts that are approaching expiry or exhausting funds more quickly than anticipated and raises procurement files to the Procurement Review Board at the discretion of the Chair. This committee supports strategic planning by enabling coordination between contracting authorities and SSC business lines in the contract administration phase.

69. An additional layer of control is fulfilled by another governance committee, the Information Technology Infrastructure Review Board, that operates outside of the Framework, acting as the business and technical challenge function in the early stages of project definition. This committee is co-chaired by the Chief Technology Officer, Assistant Deputy Minister of Data Centre Services and the Assistant Deputy Minister of Network and Security Services. Membership includes the Assistant Deputy Minister of Corporate Services and EITP as well as the Director General, EITP. The Information Technology Infrastructure Review Board is mandated to review and challenge planned network infrastructure requirements where it appears necessary to source the requirement from an Original Equipment Manufacturer (OEM). This committee was established to ensure alignment with SSC’s Network and Security Services and Data Centre Services equipment procurement strategy, and to review and challenge the justification of direct OEM business requirements with an estimated value in excess of $1M prior to submission to EITP.

Is the management of procurement risks integrated into the project planning cycle?

70. In order to meet the departmental obligations required by the DMP, SSC’s Framework must incorporate performance results, lessons learned and best practices to inform procurement decision-making.

71. OPO examined the Framework to determine whether a process exists and is operating effectively to identify, assess and manage procurement risks. OPO identified the following elements within the Framework regarding key oversight, planning and reporting requirements: the Procurement Summary and Risk Assessment (PSRA) tool, the ProTracker, the governance committee framework, SSC’s e-procurement platform Procure-to-Pay (P2P), and the Compliance and Quality Assurance Program (CQAP). OPO’s assessment of these elements is found below.

Weaknesses were identified in the Procurement Summary and Risk Assessment tool, limiting the effectiveness of SSC’s control framework.

72. As mentioned, procurement officers must complete a risk assessment for all planned procurements. This risk assessment must be completed using the PSRA tool and should be completed during the procurement planning stage to allow sufficient time for governance committee(s) review and endorsement, if required.

73. The PSRA is a ‘smart’ form developed by SSC to document strategic considerations, including the identification of procurement process risks, proposed mitigation strategies, and key decisions to facilitate management review and approvals. The PSRA tool contains several versions or sub-forms that are tailored to the characteristics of the procurement. Collectively, the PSRA and its sub-forms allow procurement officers to capture relevant information to enable management oversight and approvals, and document key decisions at different stages of the procurement process.

74. The PSRA is intended to function as a key control in the Framework by determining whether the procurement will be subject to oversight by one of SSC’s governance committees. The “Governance risks” section of the PSRA requires procurement officers to identify whether the procurement contains any of the pre-determined risk factors contained in the Procurement Governance Framework Risk Ladder Model. If any of the governance risk criteria are selected, the form is designed to trigger a notification prompting the procurement officer to add the procurement to the ProTracker (spreadsheet for monitoring procurements requiring governance committee oversight) and submit the file to the EITP Governance and Strategic Planning team.

75. OPO reviewed the PSRA template and found that while the prompt to submit the file to the EITP Governance and Strategic Planning team was operating effectively, the prompt to add the procurement to the ProTracker management report was not functioning consistently. The prompt to add the file to the ProTracker only appears if one of five (out of a possible 13) governance risks is selected. Selection of any of the other governance risk criteria, including “Enterprise-wide transformations”, “Advanced Contract Award Notice (ACAN)” and “Contracting with a former public servant”, would not prompt the procurement officer to add the file to the ProTracker, which could result in a procurement not being reviewed by the required committee. Furthermore, while the governance risks are aligned with the criteria in the risk ladder, the smart form does not compute the resulting risk level of each procurement (levels 1, 2, or 3). However, the requirement to submit the form to the EITP Governance and Strategic Planning team, that will confirm the resulting risk level, is designed to act as a compensating control. SSC also noted to OPO that it distributes a weekly communication to prompt procurement officers to update the ProTracker with any new applicable procurements and that the EITP Governance and Strategic Planning team also reviews PSRAs for any procurements that were not added to the ProTracker but should have been.

76. An additional compensating control exists in the requirement to have the appropriate authority within EITP sign off and approve the form. Approval of the PSRA is designed to align with SSC’s delegation of authority and is determined by the estimated value of the procurement. When the PSRA-Procurement Planning Approval Request is signed by the appropriate delegated authority, the procurement strategy is considered approved to proceed. If governance committee review is required, the PSRA-Procurement Planning Approval Request must be signed by the appropriate delegated authority before the solicitation is posted and as soon as possible after endorsement from the appropriate committee has been obtained. The PSRA Writing Guide states that the PSRA should be signed by all levels up to the delegated authority. For example, if the PSRA requires Director General-level approval, the form should also be signed by the procurement officer, team-lead, manager and director. The risk level of the procurement, which is the trigger for governance review, does not impact the approval authority required for the PSRA. As a result, the PSRA for a competitive procurement that contains one or more governance risks, would not necessarily be subject to approval at the executive level (Director level and above) unless the estimated value exceeded $2M.

77. Neither the PSRA form, the PSRA Writing Guide, nor the Procurement Governance Framework Risk Ladder Model specify whether the estimated value of the requirement for governance endorsement is inclusive of taxes. According to SSC’s delegation of authority, financial signing authority is limited to a specific dollar value for each transaction and “this amount represents the maximum expenditures, including any Goods and Services Tax, Quebec Sales Tax or Harmonized Sales Tax that may be authorized by a delegation holder.” Since the Financial Details section of the PSRA form is not linked to the governance risks, the procurement officer must manually select the button denoting that the procurement is valued at or above $5M in order to trigger governance committee review, and the requirement to submit the PSRA form to the EITP Governance and Strategic Planning team that provides oversight. OPO noted two instances where the estimated value of the procurement including taxes exceeded $5M and the procurement officer had not selected the governance risk “procurement valued above $5M (including amendments)”. In both cases, the procurements were not subjected to the required governance committee review.

78. The PSRA contains a number of fields that must be populated before the form can be saved. One such field requires procurement officers to identify potential process risks for the procurement. SSC defines procurement process risks to be considerations that may arise during the procurement process that pose a threat to the established procurement plan, and/or the organization at large. These are described as dynamic risks that should be reviewed and assessed during the governance process and documented in the PSRA and, if governance committee is required, the ProTracker. To assist procurement officers in this risk assessment exercise, SSC’s EITP Governance and Strategic Planning team has developed a Process Risk Guide and Matrix document as an annex to the Framework. This guide provides step-by-step instructions for procurement officers and examples of procurement process risks and mitigation strategies to illustrate the risk assessment exercise.

79. When completing the Procurement Process Risk section of the PSRA form, procurement officers are required to identify the process risk, assess the impact and probability of the risk, and propose a mitigation strategy. Once the impact and probability of the risk have been entered, it produces a risk heat score from 1-3. These identified risks do not automatically trigger additional oversight, regardless of their risk heat score, however the responsible executive in the EITP group can choose to raise a file for additional oversight if deemed necessary. While procurement files can be raised for governance review by an executive or their delegate, this is discretionary and an acceptable procurement risk heat score has not been established. As a result, a procurement with a high risk heat score, that does not contain any of the pre-determined factors that trigger governance committee review (i.e. governance risks), could be approved through the standard approval process without any additional oversight.

Procurement Summary and Risk Assessment forms were not always completed at the appropriate time and did not accurately reflect solicitation documents and processes.

80. Twelve (12) of the sampled files fell under this version of the Framework. These files were reviewed to assess the timeliness, completeness and accuracy of information in the PSRA including approval by the appropriate authority and committee endorsement.

81. In all 12 files, a PSRA was on file and approved but the form was not always completed at the appropriate time, calling into question its value. As the PSRA is used to document the risk assessment of all planned procurements and to obtain approval to proceed with a procurement process, it should be prepared early in the process and prior to the solicitation phase. In 5 files, the PSRA was prepared late in the process including 1 file where the PSRA was approved after suppliers were solicited, and 4 files where the PSRA was approved after the contract was awarded or after the Crown’s signature on the contract. Completing the risk assessment and obtaining required approvals after awarding contracts brings into question the due diligence applied to the risk assessment and risks the potential termination of these contracts and delays to the receipt of the required goods and services.

82. Based on the Procurement Governance Framework Risk Ladder Model, 10 of the 12 files reviewed were subject to governance committee review. As previously noted in paragraph 77, there were 2 files where the estimated value of the procurement including taxes exceeded $5M and the procurement officer had not selected the governance risk “procurement valued above $5M (including amendments)” and the procurements were not subjected to the required governance committee review (the Procurement Executive Committee in both cases). All but 1 of the other 8 files were endorsed by the appropriate committee before the start of the solicitation period. The remaining file was mentioned in the paragraph above as having received committee endorsement after the bid solicitation closing date.

83. OPO’s review found that the PSRA did not accurately reflect the solicitation document and process in 9 of the 12 files reviewed. Examples of inaccuracies include the following:

1. In 4 files, the description of the requirement in the PSRA was different from the description in the solicitation document. This included, for example, differences between the PSRA and the solicitation document with respect to the number of resources required, the resource categories, number of option periods, and whether substitute products would be permitted.
2. In 1 file a covering email used to send a PSRA for approval indicated the requirement had received committee approval. This was inaccurate since the requirement had initially been presented to the Procurement Executive Committee as a contract amendment and was not endorsed. The requirement then proceeded as a new procurement under a different vehicle valued over $5M which did not receive Procurement Executive Committee endorsement before proceeding.
3. In 2 files, the PSRA stated that the solicitations would include a rated advantage for bidders who demonstrate their commitment to providing opportunities, assistance and encouragement for any under-represented group. No such criteria, however, were included in the solicitations. SSC clarified to OPO that these were administrative errors that should not have been included in the PSRAs. In one of these files, the Procurement Review Board minutes of the meeting where endorsement was obtained indicate that this rated advantage would be included in the solicitation.

84. Inaccurate information in the PSRA is concerning as this form is a key control in SSC’s Framework in determining whether a procurement will be subject to oversight by SSC’s governance committees. It is also through this form that procurement strategy approval is obtained as well as approval to proceed with the procurement. Inaccurate PSRAs can result in procurements not being subject to the appropriate oversight and can also result in officials providing approvals to proceed based on inaccurate information, jeopardising the integrity of SSC’s procurement practices.

85. OPO also observed a weakness in the approach to completing the PSRA when the planned strategy is to award multiple contracts to satisfy a requirement. SSC will use such a strategy when there is a need to have multiple suppliers deliver goods or services to create redundancies, ensure continued service delivery and increase supplier access to federal procurement opportunities. SSC’s value-related governance risks in the PSRA are considered in the context of individual contract values as opposed to the total value of the requirement when multiple contracts are planned to be awarded. For example, a PSRA with a planned strategy to award two contracts for a $12M requirement ($6M per contract) would need to be endorsed by the Procurement Executive Committee. In the absence of other governance risks, however, the same $12M requirement would not require committee endorsement if the strategy was to award three $4M contracts because each contract individually would be below the $5M threshold. Similarly, a $30M requirement awarded as a single contract would require Procurement Review Board endorsement but the same requirement awarded as two $15M contracts would only require Procurement Executive Committee endorsement. This creates the opportunity to structure a procurement to avoid governance oversight or a higher level of oversight and could give rise to the possible perception of unnecessarily dividing, or further dividing, an aggregate requirement into a number of smaller contracts, thereby avoiding contract approval authorities.

86. In 5 of 12 files reviewed requiring a PSRA, the intent was to award multiple contracts to satisfy the requirement. In 3 of these files, the procurements may have benefited from additional oversight due to their significant financial investments. For example, in 1 file for the provision of IT professional services, the procurement strategy was to award 6 contracts each estimated at a value of $32.72M, for a total requirement value of $196.35M. The only identified governance risk in the PSRA was “Procurement valued equal to or greater than $20M” and one procurement process risk was identified (related to the contract limitation of the previous contract) which did not result in any additional oversight.

87. Further, the PSRA form does not allow for situations where the intent is to award multiple contracts as the financial details entered in the form determine the required approval level based on the approval value for one contract. In the example provided above, if the values of all 6 contracts and option periods are entered, the PSRA form indicates “The approval amount has exceeded the approval Authority level – Seek Treasury Board Approval.” While SSC’s PSRA Writing Guide does not address these situations, as a workaround used when multiple contracts are planned to be awarded, the procurement officer will enter all of the planned contracts in the PSRA but will only provide the financial values of one contract with the others included as $0. The number of contracts to be awarded, their estimated values and the total value of the requirement are entered in a text box in the “Requirement” section of the form. As a result, the total value of a requirement, regardless of its size, will never trigger additional oversight so long as each individual contract remains within SSC’s delegated authority and the file isn’t raised by an EITP Executive or governance committee for consideration.

As a manually updated tool, procurements requiring governance review may be inadvertently omitted from the ProTracker.

88. The ProTracker is an excel spreadsheet that functions as the primary management report for monitoring high-risk, high-complexity procurements. It includes information on planned procurements that require governance committee oversight, such as current status, governance reviews, procurement schedules, financial values, and key issues. The ProTracker is managed by the EITP Governance and Strategic Planning team and used to schedule committee reviews. Under the Framework, the Contracting Authority is responsible for ensuring that all planned procurements requiring oversight by governance committees (i.e. assessed as risk level 1, 2, or 3 in accordance with the Risk Ladder Model) are accurately captured on key Senior Management reports, such as the ProTracker. While other reports are shared with EITP’s operational directors for information (e.g., monthly Contract Expiry Report, Purchase Requisition Report, and Executive Procurement Dashboard), the ProTracker is the primary management report that provides visibility on planned procurements that require governance review.

89. When governance risks are identified in the PSRA form, the form prompts the procurement officer to add the procurement to the ProTracker; however, as mentioned in paragraph 75 above, this prompt is not operating effectively and only 5 out of 13 possible governance risks produce this prompt. Because the ProTracker is manually updated by the Contracting Authority, as opposed to generated by the P2P system, there is a risk that procurements requiring governance oversight are omitted or inadvertently deleted from the ProTracker, effectively bypassing the governance framework.

SSC captures and tracks the status of all action items resulting from governance committee review.

90. Decisions rendered by governance committees are captured in committee minutes as well as the ProTracker. The Governance and Strategic Planning team within EITP has developed a Governance Action Register (GAR)^{Footnote 1} – a tool to capture and track the status of all action items resulting from governance committee review. The GAR is a record of each agenda item presented to the Procurement Executive Committee and Procurement Review Board, the meeting date, and the action items identified during the meeting. Unlike the ProTracker that is filled out by each procurement officer, the GAR is maintained by the EITP Governance and Strategic Planning team. For the Finance, Investment and Internal Management Board, the Board’s Secretariat distributes records of decision which are presented and approved at subsequent meetings and an Executive Committees Action Tracker is used to track outstanding action items.

SSC’s Procurement Governance Framework control measures are inadequately supported in SSC’s e-procurement system.

91. SSC implemented their e-procurement system in 2016 using Procure-to-Pay (P2P) commercial off-the-shelf software. The majority of SSC’s procurement and contracting process occurs in P2P (full end-to-end supply chain process). P2P integrates accounts payable and procurement processes, provides end-to-end electronic financial approvals (i.e. commitment, transaction and certification authorities) and is linked to SSC’s financial system as well as Buyandsell.gc.ca (now CanadaBuys). Purchase requisitions are created in P2P by the client, (including other government department clients) and are assigned to a procurement officer by a workload manager. The solicitation document is created in P2P and the solicitation process, including Q&A and the submission of bids occurs in the P2P system. If a solicitation used open tendering, questions can be received via P2P but responses will be published on Buyandsell.gc.ca (now CanadaBuys). While bid evaluation occurs outside of P2P, there are system controls that prevent financial bids from being opened until the technical evaluation has been completed and a bid has been deemed compliant. Contracts, purchase orders and invoicing are also created, approved and managed in P2P.

92. The Framework requires that committee endorsement of the procurement strategy be received before a solicitation process can be initiated; however, there is no mandatory control in the P2P system that requires this certification be made prior to soliciting bids. The system does require that the procurement officer confirm that the PSRA has been completed by checking the applicable box and providing a link to the procurement file (including any link in this field would satisfy the system requirements). However, these fields are only required to be completed in order to generate the contract for award. There is no control within P2P that prevents bids from being solicited prior to the completion of the PSRA, or confirmation that committee endorsement was obtained, if applicable. P2P also does not identify whether a procurement was identified as high risk (levels 1, 2, 3) and subject to governance oversight, nor are the procurement process risks identified in the PSRA tracked in P2P.

93. There is a risk that procurements can be initiated in P2P without the required governance committee endorsement. There is also a risk that procurement process risks are not being managed throughout the procurement process as these are not tracked in the system.

Compliance and Quality Assurance Program reviews are not being completed at the opportune time.

94. SSC’s Compliance and Quality Assurance Program (CQAP) was implemented “to ensure that procurements respect SSC’s procurement governance framework, relevant Treasury Board and SSC procurement policy instruments, applicable legislation, regulations and trade agreements.” Quality assurance reviews are mandatory for procurements requiring governance committee review and are conducted at the pre-solicitation, pre-contract award and/or post-contract award stages. The ProTracker is used to identify files requiring mandatory quality assurance reviews. Procurement files not requiring governance committee review may be reviewed under the CQAP and senior management may also request a quality assurance review on an ad-hoc basis.

95. According to SSC’s CQAP Strategic Direction: “Pre-contract award and post-contract award file review is mandatory for all procurements meeting SSC’s Procurement Governance Framework (PGF) criteria.” This is not reflected in SSC’s CQAP Process Guide which is silent as to when mandatory reviews will be performed in the process. In order to mitigate risk and remedy any identified issues as soon as possible, CQAP reviews should be completed early in the process (i.e. prior to contract award). In the 10 files previously mentioned that were subject to governance committee review (and therefore subject to CQAP review), 8 had a CQAP review completed at the post-award stage and none were completed at the pre-award stage. The other 2 files are the same 2 previously mentioned that were not subjected to the required governance committee review because the PSRA failed to identify that the procurements were valued above $5M. As a result, the files were not added to the ProTracker and CQAP reviews were not completed as required. At the time of OPO’s review, SSC reported that 44 post-contract award reviews had been performed to date in 2022-23 but that no pre-solicitation or pre-contract award reviews had been performed.

96. SSC has had 2 EITP staff members performing reviews under the CQAP. While SSC reports that this number is expected to go up and that they are actively working to staff vacancies, the number of staff performing reviews appears to be a factor in the lack of reviews performed at the pre-award stage.