Procurement Practice Review of ArriveCAN New

Centralized Professional Services System e-portal search results

20. When using one of these PSPC supply arrangements (i.e., TBIPS or TSPS), the Contracting Authority is required to conduct an initial CPSS search using criteria based on the requirement (e.g., resource categories and security requirements) to identify a pool of potential suppliers that are qualified under the selected supply arrangement. For procurements above certain dollar thresholds, (currently $3.75 million) all suppliers appearing on the CPSS search results list are eligible to bid. For procurements below this threshold, a second CPSS search is conducted to identify a minimum of 15 suppliers that will be invited to bid. From the initial CPSS search results, the Contracting Authority in consultation with the business owner manually selects 10 suppliers with the remaining 5 suppliers being selected randomly by the CPSS Client Module. Contracting Authorities must retain records of searches conducted to demonstrate that CPSS e-portal common business rules have been applied.

21. For the 23 competitive contracts issued under the TBIPS and TSPS supply arrangements, 14 contract files included the required CPSS e-portal search results, while search results were out of date or missing for 9 contracts (3 awarded by CBSA and 6 awarded by PSPC on behalf of CBSA) that resulted from 7 procurement processes. For these 9 contracts, this means procurement files did not confirm that bids were only accepted from pre-qualified suppliers, or in some cases that invited suppliers were qualified to bid. In response to OPO’s observations, PSPC re-performed CPSS searches for the 6 contracts it put in place to demonstrate that bids were only accepted from eligible suppliers. While OPO appreciates PSPC’s efforts in this regard, the following examples are based on available documentation that existed at the time of the procurements:

1. Three contracts reviewed had resulted from 2 separate re-tendered solicitations, under the TBIPS supply arrangement. One solicitation was issued by PSPC and the other by CBSA. The re-tenders were necessary because the initial processes did not result in the award of a contract. In these cases, the CPSS search results on file were from the original solicitation process. There was no record of CPSS search results for the re-tender and the search results from the first solicitation were out of date. If the search had been conducted closer to the re-tender date, the resulting list of potential suppliers may have been different.
2. For 2 contracts reviewed, the solicitation was sent by CBSA directly to 15 invited suppliers. In both cases, there were no initial or final CPSS search results on file, meaning there was no way to confirm whether the 15 invited suppliers were qualified TBIPS supply arrangement holders or that they were appropriately selected in accordance with CPSS e-portal common business rules.
3. For 4 other contracts awarded by PSPC on behalf of CBSA, there were also no CPSS search results on file. Unlike the example above, the solicitations were posted to the Government Electronic Tendering System (GETS), rather than being sent directly to a limited number of invited suppliers. All qualified TBIPS supply arrangement holders were eligible to bid; however, in absence of search results on file, there was no way to confirm that only bids from eligible suppliers were considered for contract award.

Achievement of ‘Best Value’ in the selection methodology

22. The contractor selection methodology must be clearly identified in the solicitation and should support access, competition and fairness, and best value to the Crown. While price is a factor, on its own the lowest price is not always representative of best value.

23. All 23 contracts awarded through a competitive solicitation process clearly identified the method for selecting the successful supplier. In all cases, the selection methodology was one of the commonly used methods, that being highest combined rating of technical merit and price among all responsive bids. Most often (21 of 23 contracts) technical merit accounted for 70% of points available with the remaining 30% being determined based on the bidder’s proposed price. For the remaining 2 contracts, the selection methodology used a 60% technical merit and 40% price ratio for allocating points. While it is recognized that having a greater emphasis on technical merit could result in a price premium being paid by Canada when using a 70/30 technical merit/price ratio rather than a 60/40 ratio, the use of a 70/30 ratio is not unreasonable.

Overly restrictive median bands

24. For 10 of the 23 contracts, the use of “median bands” in the selection methodology, more specifically in the allocation of points for the financial (i.e., price) evaluation may have resulted in higher rates being proposed by the bidders. When median bands are used in the financial evaluation of bids the proposed price has to be within a specified range around the median price from all responsive bids. For the contracts reviewed, the median bands were applied to the proposed per diem rates for each resource category, level and period specified in the solicitation. In general, use of median bands in the financial evaluation of bids is not inappropriate and can limit “low-ball” bids or excessively high bids. As stated in the solicitation, experience has shown, “bidders will from time to time propose rates at the time of bidding for one or more categories of resources that they later refuse to honour, on the basis that these rates do not allow them to recover their own costs and/or make a profit.”

25. The issue at hand is related to the design of the median bands used for these 10 contracts, which were highly restrictive on the low-end and quite flexible on the high-end. The median bands commonly required bidders to propose resource rates that were no more than 10% below the median (-10%) or no more than 30% above the median (+30%), with the upper band being as high as median plus 100% in 1 case. This methodology disincentivized bidders from proposing competitive rates due to the increased potential of receiving zero points for any rates below the lower median band. Simply put, it was less risky to propose a higher rate.

26. All but 1 of the solicitations for these 10 contracts included a “price support” clause describing a process that would permit Canada to require bidders to substantiate proposed rates that fell below the lower limit of the median band. However, with 1 exception, the clause specified that substantiation, if requested, would be sought from all otherwise responsive bidders that had proposed a rate that was at least 20% lower than the median rate. This was not of much use when the lower band was median minus 10%. The substantiation clause was never applied, nor was there any indication in these 10 contract files that substantiation of rates was even considered during the bid evaluation process.

27. PSPC advised OPO that the “price support” clause has proven to be ineffective to address the issue in the past as the bidders were able to provide evidence from previous contracts where they applied the same low-ball pricing strategy. PSPC also noted that the standard range for median bands is median -20% to +30%. PSPC stated it would typically seek justification from the Client to use median band limits that are more restrictive and that justification may have been sought in these cases. OPO found there was limited or no justification on file for solicitations using these median bands.

28. For 4 of the 10 contracts, the restrictive lower median band had a significant impact on the outcome of the solicitation process. For example:

1. In 1 case, OPO noted the 2 highest ranked technical bids lost a significant number of points in the financial evaluation, and were ultimately unsuccessful, because their proposed per diem rates for various resource categories were between 85% and 90% of the median (i.e., median -15% to -10%) and thus received no financial points for those resource categories. The outcome of this solicitation process could have been different had PSPC applied a “price support” clause and permitted bidders with rates below median -10% to substantiate their proposed rates with evidence (e.g. recent invoices and references) to demonstrate their rates were not unreasonably low.
2. In another case, a bidder received zero points for 2 resource categories because its proposed rates were between 88% and 89% of the median. Similar to the previous example, if PSPC had applied a “price support” clause and this bidder was able to substantiate its proposed rates, it would have been the first ranked bidder. Use of this overly restrictive median band without providing an opportunity for bidders to substantiate the reasonableness of their more competitive rates did not demonstrate achievement of best value.

Recommendation 1:

Recommendation 2:

Proposed resources did not work on ArriveCAN contracts

29. In 76% of the applicable contracts, some or all of the resources proposed by the successful supplier did not perform any work on the contract.

30. Of the 23 contracts issued through a competitive process, 18 required bidders to propose resources for some or all resource categories included in the solicitation. The number of resources and categories required in the bid varied from one solicitation to another and included as few as 1 to as many as 10 resources. In all cases, these resources were evaluated against applicable mandatory and point-rated criteria and had a significant influence in determining the winning bidder. As mentioned previously, the basis of selection for most of these contracts placed a great emphasis on the technical component of the bid, and much of that technical component was related to the demonstrated knowledge and experience of proposed resources. Simply put, bidders that proposed higher quality resources had a much greater chance of winning the contract.

31. The above noted 18 contracts resulted from 13 solicitation processes. Among these 13 solicitations, 10 included certification clauses regarding the availability of proposed resources that stated, with some minor variation, “by submitting a bid, the Bidder certifies that, if it is awarded a contract as a result of the bid solicitation, every individual proposed in its bid will be available to perform the Work as required by Canada's representatives and at the time specified in the bid solicitation or agreed to with Canada's representatives.” The 3 remaining solicitations indicated certification of resource availability would only be required at the TA stage.

32. Resources proposed in the winning bid were not named in the resulting 18 contracts. Resources were only added through a TA issued to the contractor by CBSA on an “as and when requested basis.” Excluding 1 contract awarded by CBSA that OPO could not review because the file did not include the winning bid, for 9 of 17 contracts (53%) none of the resources proposed in the successful supplier’s bid performed any work on the contract. Further, for 4 of 17 contracts (24%) a portion of the resources proposed in the successful supplier’s bid did not work on the contract. Note that OPO’s analysis for this finding considered all TAs for these contracts, not just the TAs under which work was performed for ArriveCAN.

33. It is possible that proposed resources may have become unavailable for legitimate reasons between the date the bid solicitation period closed and the date the TAs were issued. There was, however, nothing in the files to explain why resources proposed in the winning bids were not included on TAs issued for the same resource categories. Under the “Replacement of Specific Individuals” clause, a replacement for an individual named in the contract must have qualifications and experience that meet or exceed those obtained for the original resource.

34. Individuals (i.e. resources) not included in the bid that were added through TA did have to meet mandatory criteria and the minimum pass score for point-rated criteria applicable to the resource category. However, because the contract had already been awarded there was no longer a competitive pressure on the supplier to propose the best possible resource that would be more qualified, and score higher, than resources from other suppliers.

Recommendation 3:

Technical evaluation criteria

35. Section 10.7.27 of the Treasury Board Contracting Policy stated that “competing firms should be told the measurement criteria and the weighting assigned to them. […] Fairness to all prospective contractors and transparency in the award process are imperative.” The language used in the new Directive on the Management of Procurement differs from the former Contracting Policy, but it serves the same purpose. Section 4.3.1 of the Directive identifies contracting authorities as being responsible for conducting procurements and establishing contracts based on sound procurement principles, including fairness, openness and transparency. Further, section 4.5.3 of the Directive identifies contracting authorities as being responsible for “simplifying solicitation documents wherever possible to support streamlined processes.” In practice, application of these principles results in solicitation documents that use clear and precise language to define evaluation criteria that helps bidders prepare a responsive bid and evaluators to apply the same criteria equally to all bidders.

Communication with potential bidders

44. Among the 23 competitive contract files reviewed, 20 included sufficient evidence to demonstrate that the solicitation had been appropriately made available to potential suppliers either directly via email or on-line posting to GETS and that bidders were provided an appropriate period of time to submit their bids. In 3 cases, all of which were solicitations issued by CBSA under the TBIPS supply arrangement, file documentation mentioned that the solicitation had been sent directly to invited suppliers; however, the email showing to whom the solicitation was sent was not retained on file.

45. OPO also reviewed files to determine whether solicitation amendments, including responses to questions from potential bidders were appropriately communicated. In all 23 competitive contract files, there was an indication that questions and answers were exchanged with suppliers during the solicitation period. Most often, responses were posted to GETS in the form of solicitation amendments. A good practice observed in multiple files was the use of an electronic registry to record key information regarding supplier questions received during the bidding period. The more advanced versions of these registries recorded information such as the question asked, receipt date, supplier name, response to the question and the date the response was published or communicated.

46. There were 4 files that included questions and answers pertaining to the solicitation, but there were no records to indicate when or from whom the questions were received or if, when or to whom responses were provided. In 8 other files, the documentation of questions and answers was incomplete. For these 8 files, there was a record of responses being provided to suppliers; however, the origin of some or all questions was unknown due to incomplete records (i.e., emails with supplier questions were not on file). In these cases it is unknown who, when, or how these questions were asked. Recording this information in the file is important as it can demonstrate that all potential bidders were treated equally. A properly documented file would include a complete record of all questions received from suppliers, development of responses, and communication of questions and responses to all potential bidders.

Evaluation of bids and contract award

47. In order to ensure the fairness and defensibility of evaluation processes, both the Treasury Board Contracting Policy and the Directive on the Management of Procurement require due diligence in the evaluation of bids. This includes strict adherence to evaluation criteria and equal application of criteria for all bidders. Failure to ensure the consistent evaluation of proposals increases the risk that ambiguities in the selection process result in the contract being wrongly awarded. Inconsistent evaluations may also call into question the integrity of the procurement process.

Communication with the Public Services and Procurement Canada Contract Security Program

55. All government departments that award contracts with security requirements under their respective delegated contract authority and who used the PSPC Contract Security Program’s contract security services must send a copy of their contract to the Contract Security Program, including copies of any subsequent contract amendments. This is done to ensure the integrity of the contract security process, as well as the timely and efficient delivery of security screening services to suppliers, their personnel and their subcontractors. Only 6 of 27 (22%) applicable competitive and non-competitive contract files demonstrated that a copy of the contract had been provided to the Contracting Security Program. However, on December 14, 2023, PSPC provided OPO with an Excel table stating that 21 of the 23 PSPC awarded contracts had been provided to the Contracting Security Program, albeit not all in a timely manner.

Recommendation 5:

Consistency with Government Contracts Regulations exceptions that permit non-competitive contracting

60. For all 13 non-competitive (sole-source) contracts, the reason cited for awarding without competition was either GCR section 6(a) “the need is one of pressing emergency in which delay would be injurious to the public interest” (8 contracts); section 6(d) “only one person [supplier] is capable of performing the contract” (1 contract); or sections 6(a) and 6(d) were both cited (4 contracts). Files for all 13 contracts included written justification for the sole-source procurement strategy.

Transparency of decision-making for sole-source contracts

61. Decision making associated with sole-source procurements is typically less transparent than open competitive processes, making it even more important for departments to maintain diligent records of actions taken and decisions made. For most of the 13 sole-source contracts reviewed, OPO found the files contained adequate records of the non-competitive procurement process. However, for 2 sole-source contracts there was a lack of documentation regarding communication between PSPC or CBSA and the supplier in the period before the contract was awarded:

1. In June 2020, PSPC awarded a non-competitive contract to GC Strategies Inc. on behalf of CBSA. The contract was for informatics professional services and was valued at $11.1M. There was no written record of a request or non-competitive solicitation being sent to the supplier. The only record of communication between the Crown and the supplier prior to signing of the Contract was an email from the supplier with quoted rates for various IT professional resource categories. The file included a contract award e-mail stating the supplier had been selected for contract award based on the proposal it submitted. While a draft statement of work and contract were on file, there was no record of either PSPC or CBSA sending a request to the supplier to obtain a proposal.

2. In August 2021, PSPC awarded a non-competitive contract to 49 Solutions Inc. on behalf of CBSA. The contract was for IT consulting services and was valued at $1.725 million. File records showed that PSPC had initially denied a request from CBSA to award the contract without competition. CBSA had proposed using GCR 6(c) “it would not be in the public interest to solicit bids” to justify awarding the contract directly to a single supplier. The PSPC Contracting Authority, however, did not agree that CBSA had established strong enough justification to merit a sole-source contract award and challenged CBSA on their proposed procurement strategy. CBSA responded with a revised justification, but PSPC remained unconvinced. In a July 21, 2021 email, PSPC provided alternative approaches to CBSA that did not include a sole-source procurement option.

   There was a subsequent July 21, 2021 email indicating a discussion had occurred between CBSA and PSPC regarding PSPC’s refusal to conduct a sole-source procurement; however, there is no record of that discussion on file. There was a gap in the emails on file between July 21 and August 4, at which time PSPC no longer objected to a sole-source procurement. In an August 4, 2021 email, PSPC stated there was a blanket National Security Exception (NSE) in place and that it needed to be referred to in the approval documents. There was no documentation on file to demonstrate why PSPC proceeded with the sole-source procurement, after initially opposing it.

   For the same contract, CBSA had entered into discussions with the supplier before a sole-source procurement strategy had been approved by PSPC. The supplier had submitted proposed rates for various IT resource categories that would be provided on an ‘as and when needed basis’. There were no records on file of discussions or negotiations between CBSA and the supplier that led to receipt of the proposal. There was a second (updated) proposal, dated August 6, 2021, after PSPC had approved the non-competitive procurement strategy. The revised proposal appeared to reflect discussions or negotiations with CBSA or PSPC regarding the requirement. Again, there was a lack of records of discussions or negotiations between CBSA or PSPC and the supplier regarding this revised proposal.

62. In April 2020, PSPC invoked the NSE and awarded a contract without competition to GC Strategies Inc. on behalf of CBSA. The contract was for informatics professional services and was valued at $13.9 million. The contract stated “the Contractor must, at all times during the performance of the Contract, hold a valid Designated Organization Screening (DOS) with approved Document Safeguarding at the level of Protected B.” File documentation showed GC Strategies Inc. did not meet the Document Safeguarding Capability security requirement when it was awarded the contract. An email on file dated April 6, 2020 from PSPC Security indicated the GC Strategies’ Document Safeguarding Capability as “NIL”. OPO noted that the Document Safeguarding requirement was removed through a contract amendment issued 14 months later, in June 2021. In response to this observation, PSPC stated that the Client (CBSA) advised in April 2021, 12 months after contract award, that the document safeguarding did not apply. This does not explain, however, why the contract was issued to a supplier that did not meet the security requirement in effect when the contract was awarded.

Cloud services Service Orders

63. SSC has established a procurement tool known as the GC Cloud Framework Agreement to provide client departments with access to multiple commercially available public cloud services. Through these agreements suppliers, referred to as Cloud Services Providers, provide access to cloud services on an as and when requested basis. To procure these services, client departments send their request to SSC where they are processed by SSC’s Cloud Brokering Service. SSC procures the services on behalf of the Client by issuing a Service Order to a Cloud Services Provider. Each Service Order forms a separate enforceable contract between Canada and the applicable Cloud Services Provider.^{footnote 1}

64. Service Orders must be issued in accordance with the GC Cloud Framework Agreement Service Order ordering process. Under this process, when the total estimated cost of a requirement is $500,000 or less, SSC can issue a Service Order directly to a single Cloud Services Provider. For requirements valued above $500,000 to $4.5 million, SSC must compare a minimum of 3 Cloud Services Providers to determine which offers the best solution for the requirement. This process may include consideration of factors such as technical capabilities, performance levels, enhanced security and continuation of services or other criteria, as applicable to the requirement. Above $4.5 million, all Cloud Services Providers must be invited to respond to the request.

65. CBSA informed OPO that 16 ArriveCAN-related Service Orders were issued to Cloud Services Provider, Amazon Web Services (AWS). These Service Orders included 5 for cloud hosting services and 11 for advisory services over a period of almost 2 years. Of note, the 11 service orders for advisory services were treated as stand-alone requirements and were valued at $500,000 each. On 3 occasions 2 Service Orders were issued on the same date to AWS. Given the values were set at $500,000 these fell under the first tier of the GC Cloud Framework Agreement Service Order ordering process that allowed for service orders to be issued directly to AWS. While it may not have been the intent, the manner in which these ArriveCAN advisory services were acquired gives the appearance that requirements may have been divided into a number of smaller contracts (e.g., contract splitting), thereby avoiding controls on the duration of assignments or contract approval authorities.

66. SSC requires client requests under the GC Cloud Framework Agreement to be associated with a “Cloud Business Requirement” (CBR) that indicates the project for which the services are being used. SSC provided OPO with a list of the brief (one sentence each) CBR descriptions for these Service Orders. From the information SSC received from CBSA, it appeared these were all unique and unrelated requirements as they all referred to different CBSA systems. There was no indication that they were all linked as services that would be used for ArriveCAN. By treating them as a series of unrelated requirements, the procurement process bypassed the provisions for competitive procurement that are built into the GC Cloud Framework Agreement Service Order ordering process.

67. The total value of ArriveCAN-related Service Orders issued directly to AWS was more than $7 million, with most (approximately 70%) of that amount being for advisory services. There was, however, no indication that CBSA had developed a procurement strategy to address its cloud services requirements to support ArriveCAN and no indication that SSC questioned CBSA’s many requests for advisory Service Orders all valued at $500,000. There was also no indication on file that CBSA or SSC was using provisions in the GCR that allow for contracts to be awarded without competition in certain circumstances, for example when the need was one of pressing emergency or only one supplier is capable of performing the work.

68. In response to OPO’s observations, CBSA confirmed that the Service Orders in question were associated with the development and expansion of the ArriveCAN platform as requirements evolved. Despite there being a process for issuing Service Orders to Cloud Services Providers under the GC Cloud Framework Agreement, CBSA stated it had only obtained interim authority to operate exclusively on the AWS platform during the implementation of ArriveCAN. CBSA advised that AWS was the only option available.

69. Further, CBSA stated “it’s important to highlight that different divisions or directorates within CBSA were responsible for distinct elements of ArriveCAN. The platform, given its complexity and criticality, naturally involved multiple facets of our organization. Each division or directorate had its own unique objectives and deliverables, while all aligning with the overarching goal of creating and enhancing a robust, user-friendly, and secure platform. As ArriveCAN had already been designed, released into production, and was being continuously enhanced, it was essential to maintain consistency in its development. Introducing multiple vendors by distributing portions of the project could have jeopardized the platform's stability and uniformity. Given that we [CBSA] were building on top of an existing product, the continuity in design, functionality, and security could only be ensured by keeping the development process unified under a single GC Cloud FA [Framework Agreement] holder.”

70. For its part, SSC informed OPO that the GC Cloud Framework Agreement had been put in place in 2019 before the Government of Canada had embarked on widespread cloud adoption. According to SSC, “when the COVID-19 pandemic began in March 2020, the demand for cloud services grew exponentially beyond what could have been predicted when the procurement vehicle was established in 2019 and remained in a state of uncertainty until the public health crisis stabilized.” SSC is currently in the process of updating the Framework Agreement to enhance best practices and implement lessons learned.

71. CBSA informed OPO that it decided to expand its cloud footprint to include Microsoft Azure and that Cloud Service Provider, Microsoft Canada, had also performed work for ArriveCAN. However, OPO received very little information about these procurements. SSC provided 3 Service Orders that were issued to Microsoft under the GC Cloud Framework Agreement. The value of these Service Orders was $394,000, $712,691, and $250,000. The first Service Order (valued at $394,000) was for ‘advisory services’. OPO was able to trace this Service Order to an invoice CBSA had tabled with the OGGO committee. The second Service Order (valued at $712,691) indicated it was for ‘PowerApps – SaaS [Software as a Service]’ and the third Service Order (valued at $250,000) indicated it was for ‘Cloud Services – PaaS [Platform as a Service]’. The second and third Service Orders may be associated with 2 other invoices CBSA had tabled with OGGO, but it was not clear based on the documentation provided. Little else could be gleaned from the file information made available.

72. Other than CBSA advising OPO that they decided to expand their cloud footprint to include Microsoft Azure, and to invest in securing Authority to Operate (ATO) for multiple service providers, there was no indication that CBSA had developed a procurement strategy for these ArriveCAN-related procurements and there was no indication that any of these Service Orders with a combined value of over $1.3 million were competed among GC Cloud Framework Agreement holders.

Recommendation 6:

Task Authorizations

73. Of the 41 files reviewed, 28 were for contracts with TAs under which work was performed for ArriveCAN. For the most part, these were professional services contracts that were not established specifically for ArriveCAN. The contracts provided CBSA with access to professional resources needed to support a variety of technology-related initiatives. Throughout this section, unless otherwise noted, observations pertain specifically to TAs, identified by CBSA, through which work was performed for ArriveCAN.

74. The table below shows the number of ArriveCAN-related TAs that were issued under these 28 contracts. For example, 9 contracts had only 1 TA, 5 contracts had 2 TAs, etc. During the review scope period, work was performed for ArriveCAN through 143 TAs. Roughly half of the TAs were issued under only 3 contracts, which were awarded to GC Strategies Inc. or Dalian Enterprises and Coradix Technology Consulting, in Joint Venture.

75. TAs are issued using a TA form that must include key details of the activities to be performed, including but not limited to:

• the task number;
• the categories of resources and the number of resources required;
• a description of the work for the task outlining the activities to be performed;
• the start and completion dates;
• the number of person-days of effort required;
• the level of security clearance required of resources; and
• the price payable to the supplier for performing the task.

76. For amendments to TAs, the TA form must indicate the amendment number and the reason for the amendment. The work described in a TA must be in accordance with the scope of the contract and the supplier must not commence work until a valid TA has been issued by Canada. Each contract has clauses describing the steps and documentation required for the TA process. As most of these contracts were established by PSPC on behalf of CBSA, they generally had the same or similar requirements with respect to issuing TAs.

Task Authorization forms

77. OPO found contract files provided a complete record of TAs issued for ArriveCAN. Of the 143 TAs and TA amendments from the 28 applicable contracts reviewed, there was only 1 instance where a TA document was not located on file. Additionally, OPO found key components of these TAs (e.g., resource categories and levels, per diem rates, timeframes) were consistent with the underlying contracts. However, OPO identified 3 TAs with security requirements that deviated from the contract. In 2 files, the contract required personnel to be cleared at the Secret level, but the TA only required resources to have a lower ‘Reliability Status’ security clearance. For 1 of those files, OPO did note that a contract amendment was issued soon thereafter changing the personnel security requirements to permit Reliability Status or Secret, as required. For the third file, the contract required that resources be cleared to Reliability Status, whereas a TA required Secret clearance. For this latter contract, the proper course of action would have been to issue a contract amendment that included various security clearance requirements, including Secret clearance when required.

78. For most of the contracts reviewed, CBSA was permitted to issue TAs or TA amendments under its own authority when the value was $300,000 or less, excluding taxes. Above that threshold, the TA was required to be authorized by the PSPC Contracting Authority. Overall this requirement was adhered to; however, exceptions were noted. For 1 contract with 4 relevant TAs, 2 TA amendments that were above the $300,000 threshold were not signed by the PSPC Contracting Authority. For another contract, with 3 relevant TAs, a TA amendment valued below $300,000 was not signed by CBSA. CBSA also informed OPO that, effective October 2019, PSPC sign-off was required for all TAs issued for the Senior Business Architect resource category under a TSPS contract. There was 1 TA for a Senior Business Architect resource who began work in July 2021 that did not have the required PSPC signature authorizing the TA.

Task Authorization statement of work

79. The intent of the TA process is to allow for TAs to be raised to cover specific tasks required within the scope of services under a given contract. According to the PSPC Supply Manual, Clients that have been authorized to issue TAs are responsible to “ensure the task (or revised task) description of the work required (activities to be performed, deliverables to be submitted, completion dates for major activities or submission dates for deliverables or, as applicable, both) included in the TA is in accordance with the contract Statement of Work (SoW).”

80. OPO observed that 20 TAs under 8 contracts did not include the specific tasks, including descriptions of the activities to be performed. The statement of work section of these TA forms stated “see attached” however, there was no statement of work attached, nor was a statement of work found on file.

Assessment of Task Authorization resources

81. In response to a TA request, the supplier must propose the required number of resources and include a résumé to demonstrate that each proposed resource meets the requirements of the, mandatory criteria, the minimum points for point-rated criteria, and the flexible grid, as applicable. Client departments must review these assessment worksheets and confirm the proposed resources meet the requirements applicable to the category and level.

82. There were no completed assessment worksheets on file for more than 30 resources that were authorized to perform work for ArriveCAN on 22 TAs issued under 12 contracts. In instances when resource assessment worksheets were on file, the results of the assessment were often not supported with descriptions of past project experience used in the assessment of the resource (i.e., there was no résumé on file).

83. The assessment worksheets for resources added through TAs under a contract awarded to GC Strategies Inc. stood out from the others. For this contract valued at $25.3 million there were 42 TAs. The TA process in the contract stated the résumé submitted “must not simply indicate the title of the individual's position, but must demonstrate that the resource has the required work experience by explaining the responsibilities and work performed by the individual while in that position. Only listing experience without providing any supporting data to describe responsibilities, duties and relevance to the requirement, or reusing the same wording as the TA Form, will not be considered ‘demonstrated’ for the purposes of the assessment.”

84. OPO found assessment worksheets for resources on 16 of the 42 TAs issued under this contract did not demonstrate the proposed resource met mandatory criteria or support points awarded for point-rated criteria. There were numerous examples where the supplier had simply copied and pasted requirements from mandatory and point-rated criteria as project experience of the resource. For example, a mandatory criterion stated the supplier must demonstrate that the proposed resource has experience “designing, developing and implementing mobile-based applications for two of the platforms below: iOS, Android, Blackberry.” The assessment grid from GC Strategies Inc., which was accepted by CBSA, simply stated the proposed resource’s past project responsibilities included “designing, developing and implementing mobile-based applications for two of the platforms below: iOS, Android, Blackberry.”

85. Missing, incomplete, or insufficient assessment worksheets impact the department’s ability to demonstrate that the resources added through the TA process met the required experience criteria for the various categories and levels as described in the contract.

Recommendation 7:

Recommendation 8:

No Criteria to assess resources

86. Of the 28 contracts with TAs, there were 4 that were awarded by PSPC on behalf of CBSA through a non competitive (sole-source) process. Three contracts were awarded to GC Strategies Inc. and 1 contract was awarded to 49 Solutions Inc. The 4 contracts were not issued under the TBIPS supply arrangement, but were similar in many respects and included resource categories found in contracts issued under TBIPS. These contracts did not, however, include criteria to objectively and transparently assess proposed resources that were added through the TA process to determine whether they had the requisite experience and education for the category and level specified.

Recommendation 9:

Verification of security clearances

87. As stated in section 5.15 of the PSPC Supply Manual, for contracts awarded by PSPC, “before contract award, the contracting officer must verify with the [PSPC] Contract Security Program (CSP) that the proposed contractor meets the security requirements of the bid solicitation.” […] “During the period of the contract, the client must ensure that all contractors or subcontractor personnel who will have access to any classified or protected information, assets or sensitive work sites, or to government systems, including information accessible in a cloud service provider portal, are identified as working under the contract and that their security status has been verified with the CSP. The contracting officer will assist in this process, as required.”

88. OPO reviewed file documentation for evidence that personnel security requirements, e.g., Secret or Reliability Status, were verified before proposed resources were authorized to be included on TAs through which work was performed for ArriveCAN. Secret clearance is required by a resource working on a sensitive government contract to access Secret information and assets. Reliability Status is required by a resource working on a sensitive government contract to access information and assets up to the Protected B level.

89. On October 6, 2023, CBSA provided OPO with records confirming that all resources added through TA met the personnel security clearance requirements, i.e. Secret or Reliability status, as stated on the TA form. At CBSA, security confirmations are performed by security personnel; however, the results of these confirmations were often not retained in the contract file. Retention of these records in the contract file is important for ensuring that accurate and comprehensive procurement records are maintained to facilitate management oversight and audit, as required under the Treasury Board Contracting Policy and Directive on the Management of Procurement.

Recommendation 10:

Recommendation 11:

Recommendation 12:

Contract amendments

90. A contract amendment is an agreed addition to, deletion from, correction or modification of a contract. As discussed in section 12.9 of the Contracting Policy “contracts should not be amended unless such amendments are in the best interest of the government, because they save dollars or time, or because they facilitate the attainment of the primary objective of the contract.” The Policy also goes on to state that “many contract amendments are, in fact, prudent. Often contract amendments or probable amendments can be foreseen when the initial contract is contemplated.”

91. Overall, contract amendments were appropriate and were in line with the Contracting Policy. Of the 41 contracts reviewed, 31 had been amended. Broadly speaking, these amendments fell into 1 of 4 categories: (1) administrative amendments, (2) unplanned amendments to extend the contract period with no increase in contract value, (3) planned amendments to exercise previously contemplated option periods, and (4) unplanned amendments that increased the contract value. With respect to the fourth type of amendments, these were supported by written justification on the contract file, which usually focussed on the evolving and unpredictable nature of the COVID-19 pandemic and CBSA’s work in support of Canada’s efforts to combat the virus.

Incomplete proactive publication of contracts

96. OPO searched proactively published contract information on the Open Government website (open.canada.ca) to determine if all 41 contracts and applicable amendments were proactively published. Proactive publication information was missing for 17 of 41 contracts (41%) reviewed. In these 17 cases, the original contract or 1 or more contract amendments valued at more than $10,000 were not available on the Open Government website. In addition, there were 3 contracts (7%) for which results were inconclusive. In these 3 cases, ArriveCAN contracts may have been pooled with other published information.

97. For the remaining 21 contracts (51%), OPO was able to locate proactively published information on the original contract and applicable amendments. There were, however, challenges in finding this information. For 16 of these 21 cases, the contract number was not accurately reflected in the published information. OPO was only able to confidently draw links between published information and the appropriate contract because the review team had access to the contract files. Inaccuracies in proactively published information inhibits transparency and the usefulness of this information to Canadians.

98. The Guide to the Proactive Publication of Contracts provides a limited exception for a contract with TAs. Section 4.1.9 of the Guide states “for contracts with task authorizations, the full potential value of the contract may be reported upon contract award unless the full value is not expected to be used. In the latter situation, each task authorization may be reported individually.” This implies that it is not mandatory to proactively publish TAs if the contract and amendments have been published. That said, publication of complete and accurate TA information supports greater transparency and accountability.

99. OPO noted that CBSA proactively published information for some TAs under which work was performed for ArriveCAN; however, this was only a small segment of all such TAs and TA amendments. Also, TAs that were published were often mis-identified as a call-up or a contract against a standing offer or supply arrangement, further limiting the value of the information provided.

Recommendation 13: