Procurement Practice Review of ArriveCAN New

January 2024

On this page

I. Background

1. On November 14, 2022, the House of Commons Standing Committee on Government Operations and Estimates (OGGO) adopted a motion recommending the Procurement Ombud conduct a review of contracts awarded in relation to the ArriveCAN application (“ArriveCAN”). On January 13, 2023, having considered available information, the Procurement Ombud determined there were reasonable grounds to launch a review of procurement activities associated with the creation, implementation and maintenance of ArriveCAN. In February 2023, in response to a motion adopted by the House of Commons, the Office of the Auditor General (OAG) announced it would be conducting a performance audit of ArriveCAN. The OAG audit is looking at whether all aspects of ArriveCAN, including procurement and expected deliverables, were managed with due regard for economy, efficiency, and effectiveness.

2. This procurement practice review of ArriveCAN contracts was conducted in accordance with paragraph 22.1(3)(a) of the Department of Public Works and Government Services Act, which provides the Procurement Ombud the authority to review the procurement practices of departments to assess their fairness, openness and transparency.

II. Context

3. ArriveCAN was implemented in April 2020, approximately 6 weeks after COVID-19 was declared a global pandemic, to support the Government of Canada’s efforts to limit the spread of the virus. It is a digital platform that enables travelers entering Canada to provide travel information electronically, rather than on paper-based forms. Use of ArriveCAN was made mandatory for all air travellers in November 2020 and expanded to be mandatory for all travellers, whether arriving by land or air, in February 2021. This requirement remained in effect until October 2022. While the use of the application is no longer mandatory, travellers can continue to use its optional advance declaration feature to submit their customs and immigration declaration.

III. Objective and scope

4. This review was undertaken to determine whether procurement practices pertaining to contracts associated with the creation, implementation, or maintenance of ArriveCAN were conducted in a fair, open and transparent manner. To make this determination, the Office of the Procurement Ombud (OPO) examined whether these practices were consistent with the Financial Administration Act and the regulations made under it, Treasury Board policy and, where applicable, organizational policies and guidelines.

5. The objective of this review was supported by the following four lines of enquiry (LOE):

6. The scope of this review included all competitive and non-competitive procurement processes and resulting contracts, contract amendments, and task authorizations (TA) or service orders under which work was performed for the creation, implementation and maintenance of ArriveCAN on or before December 31, 2022. This included procurements conducted by the Canada Border Services Agency (CBSA) on its own behalf as well as procurements conducted by Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC) on behalf of CBSA.

7. The authority of the Procurement Ombud to conduct this review of departmental procurement practices does not extend to subcontracts issued by a prime contractor. Thus, the scope did not include the review of subcontracts through which work was performed for ArriveCAN. Contracts and acquisition card purchases valued below $10,000 were also excluded from this review.

IV. Approach

8. OPO’s review consisted of an examination of contract files for 41 ArriveCAN-related procurements identified by CBSA. This represented all known contracts under which work was performed for the creation, implementation and maintenance of ArriveCAN during the scope period. Contract files were provided by CBSA, as well as by PSPC and SSC for contracts issued by those departments on behalf of CBSA. CBSA was the user (i.e., Client) department for all 41 procurements. PSPC was the contracting department for 30 files, SSC was the contracting department for 7 files, and CBSA established a contract under its own contracting authority for 4 files.

9. 23 of the 41 procurements were contracts that were issued using a competitive process. Of those 23 competitive contracts, 14 were issued prior to March 11, 2020 when the World Health Organization (WHO) declared COVID-19 a global pandemic, while the remaining 9 were established during the pandemic, between April 2020 and December 2022. All competitive contracts were professional services contracts with TAs that were issued under a PSPC supply arrangement.

A supply arrangement is a non-binding arrangement between Canada and a pre-qualified supplier that allows departments and agencies to award contracts and solicit bids from a pool of pre-qualified suppliers for specific requirements within the scope of the supply arrangement. The intent of a supply arrangement is to establish a framework to permit expeditious processing of individual bid solicitations, which result in legally binding contracts for the goods and services described in those bids.

10. Of the remaining 18 ArriveCAN-related procurements reviewed by OPO, 13 were non-competitive sole-source contracts including 4 contracts with TAs. The other 5 procurements were a mix of call-ups, service orders and TAs under which work was performed for ArriveCAN. For purposes of this report, this latter group of 5 procurements were included in the non-competitive grouping because they were issued to a single supplier through pre-existing procurement vehicles, which did not form part of the review. All 18 contracts in this group were issued during the pandemic, between April 2020 and December 2022.

11. Throughout this report there are references to the value of contracts, including amendments, under which work was performed for ArriveCAN. These values are included to provide the reader with a sense of the relative size of the contract. They should not be interpreted as representing the cost of ArriveCAN because many of those contracts were for professional services that were used to support other CBSA initiatives in addition to ArriveCAN or the full amount of the contract may not have been spent.

A contract with task authorizations is a method of supply for services under which work is performed on an "as and when requested basis" through an administrative process involving TAs. Contracts with TAs are used in service contracting situations when there is a defined need to rapidly have access to one or more categories of services that are expected to be needed on a repetitive basis during the period of the contract.

V. Policy overview

12. During the period covered by this review, Treasury Board policy direction shifted from the Contracting Policy to the Directive on the Management of Procurement. On May 13, 2021, the Directive on the Management of Procurement took effect as a replacement for the Treasury Board Contracting Policy and departments were given one year to transition from the former Policy to the new Directive. Between May 13, 2021 and May 13, 2022, departments could draw policy direction from either instrument. In recognition of this change, the report includes policy requirements from both the Contracting Policy and the Directive on the Management of Procurement.

13. As stated in the Treasury Board Contracting Policy, “Government contracting shall be conducted in a manner that will stand the test of public scrutiny in matters of prudence and probity, facilitate access, encourage competition, and reflect fairness in the spending of public funds.” Under the Directive on the Management of Procurement, the expectation for government procurement to be fair, open and transparent continues as a matter of policy. Expected results of the Directive include “actions related to the management of procurement are fair, open and transparent, and meet public expectations in matters of prudence and probity.”

14. The Directive on the Management of Procurement divides relevant responsibilities between business owners (client department, technical authorities) and contracting authorities. In the early stages of the procurement process, business owners are responsible for clearly defining the intended outcomes of the procurement and working with contracting authorities to support procurement planning and decision making. For their part, contracting authorities are responsible for providing advice and recommending options to business owners on procurement strategies that meet operational requirements and have the intended results. In the context of this review, CBSA officials requiring goods or services were the business owners and procurement personnel from CBSA, PSPC, or SSC were the contracting authorities.

15. Finally, both the Treasury Board Contracting Policy and the Directive on the Management of Procurement emphasize the importance of maintaining complete and accurate procurement records. The Policy stated “procurement files shall be established and structured to facilitate management oversight with a complete audit trail that contains contracting details related to relevant communications and decisions…” while the Directive identifies that contracting authorities are responsible for “ensuring that accurate and comprehensive procurement records applicable to the contract file are created and maintained to facilitate management oversight and audit.”

VI. Results

16. Practices pertaining to procurement activities employed by CBSA, PSPC, and SSC for contracts under which work was performed for ArriveCAN were assessed within the 4 LOEs noted above. OPO made 13 recommendations to address the issues identified in the review, which are summarized in Annex I of this report. The recommendations are based on the analysis of information and documentation provided to OPO by CBSA, PSPC and SSC during the course of the review.

17. In instances throughout the report, multiple observations have been made regarding a single file. As a result, the number of observations may not always correspond to the number of files cited.

Line of enquiry 1: Competitive procurement practices leading to the award of contracts

18. The use of PSPC standing offers and supply arrangements is mandatory for certain commodity classes including Information Processing and Related Telecom Services, and Professional, Administrative and Management Support Services. PSPC maintains a centralized web-based portal known as the Centralized Professional Services System (CPSS) e-portal to support the procurement of professional services using various PSPC standing offers and supply arrangements. PSPC has also established rules for the use of these procurement vehicles in the CPSS, for example specifying the minimum number of pre-qualified suppliers that must be invited to bid on a requirement, how invited suppliers are to be selected, and the minimum period of time invited suppliers are given to submit a bid.

19. All 23 competitive ArriveCAN contracts reviewed under LOE 1 were professional services contracts and all were issued under one of two PSPC supply arrangements available through the CPSS e-portal. This included 21 contracts issued under the Task-based Informatics and Professional Services (TBIPS) supply arrangement and 2 contracts issued under the Task and Solutions Professional Services (TSPS) supply arrangement.

Centralized Professional Services System e-portal search results

20. When using one of these PSPC supply arrangements (i.e., TBIPS or TSPS), the Contracting Authority is required to conduct an initial CPSS search using criteria based on the requirement (e.g., resource categories and security requirements) to identify a pool of potential suppliers that are qualified under the selected supply arrangement. For procurements above certain dollar thresholds, (currently $3.75 million) all suppliers appearing on the CPSS search results list are eligible to bid. For procurements below this threshold, a second CPSS search is conducted to identify a minimum of 15 suppliers that will be invited to bid. From the initial CPSS search results, the Contracting Authority in consultation with the business owner manually selects 10 suppliers with the remaining 5 suppliers being selected randomly by the CPSS Client Module. Contracting Authorities must retain records of searches conducted to demonstrate that CPSS e-portal common business rules have been applied.

21. For the 23 competitive contracts issued under the TBIPS and TSPS supply arrangements, 14 contract files included the required CPSS e-portal search results, while search results were out of date or missing for 9 contracts (3 awarded by CBSA and 6 awarded by PSPC on behalf of CBSA) that resulted from 7 procurement processes. For these 9 contracts, this means procurement files did not confirm that bids were only accepted from pre-qualified suppliers, or in some cases that invited suppliers were qualified to bid. In response to OPO’s observations, PSPC re-performed CPSS searches for the 6 contracts it put in place to demonstrate that bids were only accepted from eligible suppliers. While OPO appreciates PSPC’s efforts in this regard, the following examples are based on available documentation that existed at the time of the procurements:

  1. Three contracts reviewed had resulted from 2 separate re-tendered solicitations, under the TBIPS supply arrangement. One solicitation was issued by PSPC and the other by CBSA. The re-tenders were necessary because the initial processes did not result in the award of a contract. In these cases, the CPSS search results on file were from the original solicitation process. There was no record of CPSS search results for the re-tender and the search results from the first solicitation were out of date. If the search had been conducted closer to the re-tender date, the resulting list of potential suppliers may have been different.
  2. For 2 contracts reviewed, the solicitation was sent by CBSA directly to 15 invited suppliers. In both cases, there were no initial or final CPSS search results on file, meaning there was no way to confirm whether the 15 invited suppliers were qualified TBIPS supply arrangement holders or that they were appropriately selected in accordance with CPSS e-portal common business rules.
  3. For 4 other contracts awarded by PSPC on behalf of CBSA, there were also no CPSS search results on file. Unlike the example above, the solicitations were posted to the Government Electronic Tendering System (GETS), rather than being sent directly to a limited number of invited suppliers. All qualified TBIPS supply arrangement holders were eligible to bid; however, in absence of search results on file, there was no way to confirm that only bids from eligible suppliers were considered for contract award.

Achievement of ‘Best Value’ in the selection methodology

22. The contractor selection methodology must be clearly identified in the solicitation and should support access, competition and fairness, and best value to the Crown. While price is a factor, on its own the lowest price is not always representative of best value.

23. All 23 contracts awarded through a competitive solicitation process clearly identified the method for selecting the successful supplier. In all cases, the selection methodology was one of the commonly used methods, that being highest combined rating of technical merit and price among all responsive bids. Most often (21 of 23 contracts) technical merit accounted for 70% of points available with the remaining 30% being determined based on the bidder’s proposed price. For the remaining 2 contracts, the selection methodology used a 60% technical merit and 40% price ratio for allocating points. While it is recognized that having a greater emphasis on technical merit could result in a price premium being paid by Canada when using a 70/30 technical merit/price ratio rather than a 60/40 ratio, the use of a 70/30 ratio is not unreasonable.

Overly restrictive median bands

24. For 10 of the 23 contracts, the use of “median bands” in the selection methodology, more specifically in the allocation of points for the financial (i.e., price) evaluation may have resulted in higher rates being proposed by the bidders. When median bands are used in the financial evaluation of bids the proposed price has to be within a specified range around the median price from all responsive bids. For the contracts reviewed, the median bands were applied to the proposed per diem rates for each resource category, level and period specified in the solicitation. In general, use of median bands in the financial evaluation of bids is not inappropriate and can limit “low-ball” bids or excessively high bids. As stated in the solicitation, experience has shown, “bidders will from time to time propose rates at the time of bidding for one or more categories of resources that they later refuse to honour, on the basis that these rates do not allow them to recover their own costs and/or make a profit.”

25. The issue at hand is related to the design of the median bands used for these 10 contracts, which were highly restrictive on the low-end and quite flexible on the high-end. The median bands commonly required bidders to propose resource rates that were no more than 10% below the median (-10%) or no more than 30% above the median (+30%), with the upper band being as high as median plus 100% in 1 case. This methodology disincentivized bidders from proposing competitive rates due to the increased potential of receiving zero points for any rates below the lower median band. Simply put, it was less risky to propose a higher rate.

26. All but 1 of the solicitations for these 10 contracts included a “price support” clause describing a process that would permit Canada to require bidders to substantiate proposed rates that fell below the lower limit of the median band. However, with 1 exception, the clause specified that substantiation, if requested, would be sought from all otherwise responsive bidders that had proposed a rate that was at least 20% lower than the median rate. This was not of much use when the lower band was median minus 10%. The substantiation clause was never applied, nor was there any indication in these 10 contract files that substantiation of rates was even considered during the bid evaluation process.

27. PSPC advised OPO that the “price support” clause has proven to be ineffective to address the issue in the past as the bidders were able to provide evidence from previous contracts where they applied the same low-ball pricing strategy. PSPC also noted that the standard range for median bands is median -20% to +30%. PSPC stated it would typically seek justification from the Client to use median band limits that are more restrictive and that justification may have been sought in these cases. OPO found there was limited or no justification on file for solicitations using these median bands.

28. For 4 of the 10 contracts, the restrictive lower median band had a significant impact on the outcome of the solicitation process. For example:

  1. In 1 case, OPO noted the 2 highest ranked technical bids lost a significant number of points in the financial evaluation, and were ultimately unsuccessful, because their proposed per diem rates for various resource categories were between 85% and 90% of the median (i.e., median -15% to -10%) and thus received no financial points for those resource categories. The outcome of this solicitation process could have been different had PSPC applied a “price support” clause and permitted bidders with rates below median -10% to substantiate their proposed rates with evidence (e.g. recent invoices and references) to demonstrate their rates were not unreasonably low.
  2. In another case, a bidder received zero points for 2 resource categories because its proposed rates were between 88% and 89% of the median. Similar to the previous example, if PSPC had applied a “price support” clause and this bidder was able to substantiate its proposed rates, it would have been the first ranked bidder. Use of this overly restrictive median band without providing an opportunity for bidders to substantiate the reasonableness of their more competitive rates did not demonstrate achievement of best value.

Recommendation 1:

PSPC should consistently require Clients to justify the use of median band limits that are more restrictive than median minus 20% to median plus 30%. The justification should be retained in the contract file.

Recommendation 2:

PSPC should revise its “price support” clause with methodology that will enable the Contracting Authority to obtain appropriate evidence to assess the reasonableness of a bidder’s proposed price(s).

Proposed resources did not work on ArriveCAN contracts

29. In 76% of the applicable contracts, some or all of the resources proposed by the successful supplier did not perform any work on the contract.

30. Of the 23 contracts issued through a competitive process, 18 required bidders to propose resources for some or all resource categories included in the solicitation. The number of resources and categories required in the bid varied from one solicitation to another and included as few as 1 to as many as 10 resources. In all cases, these resources were evaluated against applicable mandatory and point-rated criteria and had a significant influence in determining the winning bidder. As mentioned previously, the basis of selection for most of these contracts placed a great emphasis on the technical component of the bid, and much of that technical component was related to the demonstrated knowledge and experience of proposed resources. Simply put, bidders that proposed higher quality resources had a much greater chance of winning the contract.

31. The above noted 18 contracts resulted from 13 solicitation processes. Among these 13 solicitations, 10 included certification clauses regarding the availability of proposed resources that stated, with some minor variation, “by submitting a bid, the Bidder certifies that, if it is awarded a contract as a result of the bid solicitation, every individual proposed in its bid will be available to perform the Work as required by Canada's representatives and at the time specified in the bid solicitation or agreed to with Canada's representatives.” The 3 remaining solicitations indicated certification of resource availability would only be required at the TA stage.

32. Resources proposed in the winning bid were not named in the resulting 18 contracts. Resources were only added through a TA issued to the contractor by CBSA on an “as and when requested basis.” Excluding 1 contract awarded by CBSA that OPO could not review because the file did not include the winning bid, for 9 of 17 contracts (53%) none of the resources proposed in the successful supplier’s bid performed any work on the contract. Further, for 4 of 17 contracts (24%) a portion of the resources proposed in the successful supplier’s bid did not work on the contract. Note that OPO’s analysis for this finding considered all TAs for these contracts, not just the TAs under which work was performed for ArriveCAN.

33. It is possible that proposed resources may have become unavailable for legitimate reasons between the date the bid solicitation period closed and the date the TAs were issued. There was, however, nothing in the files to explain why resources proposed in the winning bids were not included on TAs issued for the same resource categories. Under the “Replacement of Specific Individuals” clause, a replacement for an individual named in the contract must have qualifications and experience that meet or exceed those obtained for the original resource.

34. Individuals (i.e. resources) not included in the bid that were added through TA did have to meet mandatory criteria and the minimum pass score for point-rated criteria applicable to the resource category. However, because the contract had already been awarded there was no longer a competitive pressure on the supplier to propose the best possible resource that would be more qualified, and score higher, than resources from other suppliers.

Recommendation 3:

PSPC should update the ‘Replacement of Specific Individuals’ clause so that it applies to the named resource(s) in the successful supplier’s bid for solicitation requiring the bidder to propose a resource or resources.

Technical evaluation criteria

35. Section 10.7.27 of the Treasury Board Contracting Policy stated that “competing firms should be told the measurement criteria and the weighting assigned to them. […] Fairness to all prospective contractors and transparency in the award process are imperative.” The language used in the new Directive on the Management of Procurement differs from the former Contracting Policy, but it serves the same purpose. Section 4.3.1 of the Directive identifies contracting authorities as being responsible for conducting procurements and establishing contracts based on sound procurement principles, including fairness, openness and transparency. Further, section 4.5.3 of the Directive identifies contracting authorities as being responsible for “simplifying solicitation documents wherever possible to support streamlined processes.” In practice, application of these principles results in solicitation documents that use clear and precise language to define evaluation criteria that helps bidders prepare a responsive bid and evaluators to apply the same criteria equally to all bidders.

Mandatory technical criteria

36. Mandatory technical criteria (mandatory criteria) are intended to identify the minimum requirements for bids to be considered for contract award. They permit evaluators to screen out bidders, which do not have the minimum necessary competence and capability for undertaking the work. That said, contracting authorities need to ensure that competition is not limited by mandatory criteria that are unnecessarily restrictive. As mandatory criteria must be assessed on a simple “pass” or “fail” basis and strictly for compliance, it is essential that they are written in unambiguous terms that make it clear to bidders and evaluators what is required to demonstrate compliance.

37. Overall, OPO found that mandatory criteria were consistent with the statement of work from the solicitation document and were described with sufficient clarity. OPO did note, however, discrete examples of mandatory criteria that lacked specificity that left them open to interpretation. In all but 1 case, mandatory criteria did not unfairly restrict competition. These are discussed in the examples below:

  1. In February 2019, PSPC awarded a contract on behalf of CBSA to Veritaaq Technology House Inc. The contract was for information technology (IT) professional resources in various categories and was valued at $11 million. The solicitation was issued under the TBIPS supply arrangement. One of the mandatory criteria required the proposed resource to have “experience managing multiple IT projects with similar timelines and competing priorities…” but did not specify the amount of experience required. Further, terms including “multiple”, “IT projects”, and “similar timelines” were not defined and lacked specificity. This appears to have resulted in some evaluator subjectivity. For example, all 5 bidders were deemed to have met all mandatory criteria but 3 of 5 bids demonstrated compliance with this criterion using only 1 project (not “multiple”, as stated in the criterion). In another example from the same solicitation, a mandatory criterion required the proposed resource to have “experience within the last 10 years working on large scale IT projects.” While the term “large scale IT projects” was defined, the required amount of experience within the last 10 years was not defined. As such, as little as 1 day of experience would have met this criterion.
  2. In July 2020, PSPC awarded a contract on behalf of CBSA to TEKsystems Canada Corp. The contract was for engineering professional services and was valued at $23.2 million. A mandatory criterion in the solicitation required bidders to demonstrate experience working on a project where they had configured an Enterprise Cloud Security solution. The criterion stated “for a project to be considered, the Bidder must include a detailed description (maximum 750 words) outlining how the solution was leveraged by the organization.” It was not clear if any description outlining how the solution was leveraged would meet this criterion or how evaluators would judge the responses provided to determine compliance. OPO noted that all 4 bidders were deemed compliant.
  3. In May 2022, PSPC awarded a contract under the TBIPS supply arrangement on behalf of CBSA to GC Strategies Inc. The contract was for information management (IM) and IT professional resources in 9 categories and was valued at $25.3 million. This contract was for work that was closely related to work performed under 3 similar contracts that were issued without competition during the COVID-19 pandemic on the basis that the need was one of pressing emergency.

    One mandatory criterion required the bidder to demonstrate it had experience delivering professional informatics services contracts. It stated the reference contracts must be for “Mobile Development” activities and must have used “Level 3 Resources.”

    Given the solicitation was issued under the TBIPS supply arrangement, presumably “Level 3 Resources” meant level 3 as defined by the TBIPS supply arrangement. However, that was not actually stated in the solicitation, leaving it open to interpretation. OPO noted that the contracts submitted by the sole bidder to demonstrate compliance with this criterion were the 3 non-competitive CBSA contracts it had been previously awarded. None of those 3 contracts were issued under the TBIPS supply arrangement. While all 3 previous contracts did call for “Level 3” resources, the term had been undefined and resources for those contracts were not evaluated against TBIPS Level 3 requirements.

38. The mandatory criteria used in the solicitation for the May 2022 GC Strategies Inc. contract, discussed above, were also overly restrictive and favoured this existing CBSA supplier. The solicitation included 7 corporate mandatory criteria (CM). These criteria each specified mandatory requirements in terms of recent experience with the Government of Canada that were closely associated with work that had been performed for CBSA under the previous sole-sourced contracts awarded to this supplier. Below is a sample of the mandatory criteria that bidders were required to meet:

  • CM1: Experience with Large Mobile Architecture Contracts

    The Bidder must demonstrate that it has been awarded up to (3) three informatics professional services contracts, within the last 18 months prior to the solicitation issue date that met the following criteria:

    1. The contract was in support of Mobile Application Development leveraging public cloud (Azure/Amazon Web Services [AWS]) in support of Federal Government programs. A summary of the scope and key responsibilities must be provided;
    2. The contracts must have an accumulative value of $10,000,000.00 minimum before taxes. Value is defined as either the amount specified in the limitation of expenditure article of the contract, plus applicable taxes, or the total price in the contract, whichever is the highest.
    3. Each reference contract must have been contracted directly with the Bidder and not with the Bidder’s subcontractor or affiliate. […]
  • CM2: The Bidder must have one Government of Canada (GoC) department reference [for a project within the past 24 months] with a contract value greater than $2M where the contract required the following mobile development, cloud integration, microservice integration and biometric capabilities:
    • Integration with AWS Services from iOS, Android: Cognito, S3, Kinesis Video Streams
    • Mobile Push Notifications using Firebase Cloud Messaging
    • Address Auto-Complete using Google Places Application Programming Interface (API)
    • Analytics with Microsoft App Center Analytics and Firebase Analytics
    • Optical Character Recognition (OCR) and Near Field Communication (NFC) Travel Document Scanning
    • Integration with Grabba Software Development Kit (SDK)
    • Application Deployment through Mobile Device Management (MDM) solution
    • Integration with Biometrics SDK
    • Mobile Video Chat using AWS Kinesis Video Stream
    • Location-Based Services - Geofences, and location tracking
    • Voice Biometric Authentication
  • CM5: The Bidder must have one GoC department reference within the past 18 months and with a contract value greater than $4M where the contract must require the following mobile development, cloud and on premise integration and microservice integration capabilities:
    • Creation of platform that Synchronizes between on premise, Web application, mobile application and AWS backend securely up to Protected B level within the Government of Canada setting
    • Multi directional capabilities (allows interaction between GoC department and the public)
    • Privacy considerations (Not using Geolocation etc.)
    • Encryption at local level (mobile device, Android and iOS)
  • CM7: The Bidder must have completed work on a GC mobile application that has a rating of Web Content Accessibility Guidelines (WCAG) 2.1 AA or higher within the past 12 months.

39. Despite there being 40 pre-qualified TBIPS suppliers invited to bid, including 10 that indicated they intended to participate, the GC Strategies Inc. bid was the only one received. GC Strategies Inc. relied heavily on the work it performed for CBSA on ArriveCAN, specifically under the 3 previous sole-source contracts, to meet the mandatory criteria. It would have been highly improbable that any of the other suppliers could have met all 7 corporate mandatory criteria required to be deemed compliant.

40. In November 2021, OPO completed a review of CBSA’s procurement practices as part of OPO’s multi-year review plan. In that review, the Procurement Ombud recommended “CBSA should establish a quality control process to ensure mandatory criteria are adequately defined and communicated in a clear, precise and measurable manner.” Given the observation made with respect to the mandatory criteria for the GC Strategies Inc. contract, the Ombud is expanding on the 2021 recommendation.

Recommendation 4:

CBSA should establish a quality control process to ensure mandatory criteria are not overly restrictive and do not undermine the fairness and openness of the bid solicitation process.

Point-rated technical criteria

41. Point-rated technical criteria (point-rated criteria) identify elements that can be evaluated on a variety of characteristics to determine the relative technical merit of each proposal. Point-rated criteria can also be used to establish the minimum requirements (by setting a pass mark) that a bid must meet to be considered a valid and responsive proposal. Technical criteria can be subject to both a mandatory and a point-rated evaluation process. For example, it could be mandatory for a bidder to have previous experience in a specific area of expertise and then, the level of experience that exceeds the minimum mandatory criteria can be subject to point rating.

42. Overall, point-rated criteria were consistent with the statement of work in the solicitation, were described with sufficient clarity, and did not unfairly restrict competition.

43. For the 23 competitive contracts reviewed, OPO did not observe any instances where point-rated criteria unfairly restricted competition. In all cases, point-rated criteria clearly indicated the maximum number of points available per criterion and, when applicable, the minimum number of points required to be deemed responsive. Two solicitations had point-rated criteria that were not fully consistent with the statement of work including 1 with point-rated criteria that were not clearly described and could result in inconsistent application. For example:

  1. In September 2020, PSPC awarded a contract to BDO Canada LLP on behalf of CBSA. The contract, valued at $14.7 million, was for business consulting professional services in 6 resource categories. In the point-rated criteria, OPO noted a disproportionate number of points pertaining to the Project Executive resource relative to other resource categories. The relative importance of the Project Executive over other resource categories did not appear to be reflective of the descriptions in the statement of work. In the same solicitation, not all point-rated criteria were clearly described. Of the 22 point-rated criteria, 4 awarded points for the resource having performed a function on “large scale projects.” Large scale projects was defined as “a project which needs a large number of resources, process changes, assets and money. Project outcomes will impact a large scale group of resources, assets, investments and people and normally reflect investments over a $10 Million dollar threshold minimally.” With exception to the dollar threshold, the definition lacked precision and could be open to a variety of interpretations.

Communication with potential bidders

44. Among the 23 competitive contract files reviewed, 20 included sufficient evidence to demonstrate that the solicitation had been appropriately made available to potential suppliers either directly via email or on-line posting to GETS and that bidders were provided an appropriate period of time to submit their bids. In 3 cases, all of which were solicitations issued by CBSA under the TBIPS supply arrangement, file documentation mentioned that the solicitation had been sent directly to invited suppliers; however, the email showing to whom the solicitation was sent was not retained on file.

45. OPO also reviewed files to determine whether solicitation amendments, including responses to questions from potential bidders were appropriately communicated. In all 23 competitive contract files, there was an indication that questions and answers were exchanged with suppliers during the solicitation period. Most often, responses were posted to GETS in the form of solicitation amendments. A good practice observed in multiple files was the use of an electronic registry to record key information regarding supplier questions received during the bidding period. The more advanced versions of these registries recorded information such as the question asked, receipt date, supplier name, response to the question and the date the response was published or communicated.

46. There were 4 files that included questions and answers pertaining to the solicitation, but there were no records to indicate when or from whom the questions were received or if, when or to whom responses were provided. In 8 other files, the documentation of questions and answers was incomplete. For these 8 files, there was a record of responses being provided to suppliers; however, the origin of some or all questions was unknown due to incomplete records (i.e., emails with supplier questions were not on file). In these cases it is unknown who, when, or how these questions were asked. Recording this information in the file is important as it can demonstrate that all potential bidders were treated equally. A properly documented file would include a complete record of all questions received from suppliers, development of responses, and communication of questions and responses to all potential bidders.

Evaluation of bids and contract award

47. In order to ensure the fairness and defensibility of evaluation processes, both the Treasury Board Contracting Policy and the Directive on the Management of Procurement require due diligence in the evaluation of bids. This includes strict adherence to evaluation criteria and equal application of criteria for all bidders. Failure to ensure the consistent evaluation of proposals increases the risk that ambiguities in the selection process result in the contract being wrongly awarded. Inconsistent evaluations may also call into question the integrity of the procurement process.

Bid evaluation records

48. Bid responses from all suppliers must be maintained on the contract file by either the Contracting Authority or by the Client (i.e. the business owner) or a combination of the two. Responses from suppliers should include all required elements as specified in the bid solicitation (e.g., technical bid, financial bid, and certifications) that will allow for the evaluation of each accepted proposal against all evaluation requirements.

49. OPO reviewed the files for all 23 competitive contracts to assess the completeness of documentation required to support and demonstrate fairness in the evaluation of bids. Most files included a complete record of bids received (19 of 23 files), and most included conflict of interest declarations completed by technical evaluators (19 of 23 files). While 13 of the files included complete records of technical evaluations, a significant number (10 of 23 files) were missing individual or consensus evaluation results for some or all bids received. Examples of incomplete evaluation records included the following:

  • For 4 contracts, including 2 awarded by PSPC and 2 awarded by CBSA, OPO found there were no supplier bids on file or there was an incomplete record of bids received. Without a complete record of technical bids, the rationale for compliance with mandatory technical criteria and points awarded for point-rated criteria are not supportable and hinder transparency of the decision-making process.
  • For 4 contracts, including 1 awarded by PSPC and 3 awarded by CBSA, the file did not include conflict of interest declarations completed by the individuals who performed the technical evaluation of bids. Conflict of interest declarations are an important tool to protect the integrity of the evaluation process and represent a tangible record that evaluators were informed of and acknowledged their duties and obligations with respect to conflicts of interest that may arise in the course of the bid evaluation process.
  • For 10 contracts, including 7 awarded by PSPC and 3 awarded by CBSA, records of the evaluation of bids were absent or incomplete. In all 10 cases, files were missing records of completed individual evaluations; 4 of these contract files were also missing some or all completed consensus evaluations. When present and appropriately documented, evaluators’ worksheets are an integral part of the evaluation process, constitute part of the complete record, form the basis for debriefing unsuccessful bidders and provide justification for evaluation results.

50. For greater clarity, below are descriptions of what OPO observed for 4 of the above noted contracts:

  1. In January 2015, PSPC awarded a contract under the TBIPS supply arrangement to Veritaaq Technology House Inc. on behalf of CBSA. The contract was for IT professional services and was valued at $19.9 million. While records indicate there were 7 bids received for this contract, other than 1 technical bid from an unsuccessful supplier, there were no technical or financial bids on file. Technical evaluations were performed by a three-member CBSA evaluation team; however, a completed individual evaluation was only present for 1 of the 3 evaluators. Further, the financial evaluation and overall results (i.e., the Evaluation Summary Report) were not signed and it was not clear who had completed and approved them. OPO did note that conflict of interest declarations and complete consensus technical evaluation results, signed by all three CBSA technical evaluators, were on file. That said, in absence of technical bids the rationale for compliance with mandatory criteria and points awarded for point-rated criteria are not supportable.
  2. In July 2017, PSPC awarded a contract under the TSPS supply arrangement to MGIS Inc. on behalf of CBSA. The contract was for professional services to support CBSA’s Travellers Projects Portfolio Directorate and was valued at $26 million. The file indicated 6 bids were received. While financial bids were present, there were no technical bids on file, no record indicating who conducted the technical evaluations, no conflict of interest declarations, and no completed individual or consensus technical evaluation worksheets. There were documented results from the financial evaluation that included technical merit scores for the 6 bids received. However, in absence of the above noted documents, it is unclear how the technical scores were determined.
  3. In July 2018, CBSA awarded a contract under the TBIPS supply arrangement to Maplesoft Consulting Inc. The contract was for cyber protection analyst services and was valued at $626,000. CBSA issued the solicitation twice due to the first process failing to result in the award of a contract. According to evaluation documentation on file, 6 bids were received from the second solicitation process. While copies of bids from the first solicitation process were retained, none of the 6 bids received from the second process were on file. Additionally, the file did not include conflict of interest declarations nor individual evaluation worksheets completed by evaluators. Complete consensus evaluations and an Evaluation Summary Report were on file. Despite the presence of consensus evaluation results, in absence of supplier bids, the rationale for compliance with mandatory criteria, points awarded for point-rated criteria, and results from the financial evaluation are not supportable.
  4. In December 2020, CBSA awarded a contract under the TBIPS supply arrangement to SoftSim Technologies Inc. The contract was for software tester professional services and was valued at $1.26 million. According to file documentation, there were 4 bids received. However, there were no supplier bids, no conflict of interest declarations, and no individual technical evaluations on file. CBSA provided OPO with a copy of a consensus Evaluation Summary Report for the successful supplier. Similar consensus evaluation results were not made available for the other bidders. In absence of these records, OPO was unable to determine whether all bids were evaluated in accordance with the solicitation or that all bidders were treated fairly.
Contract award decisions and resulting contracts

51. OPO reviewed competitive contract files for documentation that showed how compliant bids were ranked and that the selection methodology, as stated in the bid solicitation document, was applied correctly. The majority of these files appropriately documented this aspect of the procurement process. Specifically, files included worksheets showing that the basis of selection, which in all cases was highest combined score based on technical merit and price, was appropriately applied. Two files for contracts awarded by CBSA that were mentioned in the previous section as having missing evaluation records also did not have documentation to demonstrate that the basis of selection was properly applied and that the successful supplier was correctly identified.

52. OPO also reviewed contracts to confirm that the statement of work, resultant contract clauses, security requirements and resource categories and levels, matched those that were communicated in the bid solicitation document. In all instances, the statement of work was consistent with the solicitation and there were no significant modifications to the resource categories and levels.

53. In 1 file, the security requirements stated in the contract differed from the bid solicitation document as a result of a contract amendment. The contract was awarded in June 2021 by PSPC to IBISKA Telecom Inc. on behalf of CBSA. The contract was for cyber protection professional services and was valued at $9.3 million. The solicitation stated the contractor must, at all times during the performance of the contract, hold a valid Facility Security Clearance at the level of Top Secret and contractor personnel requiring access to protected/classified information, assets or sensitive work sites must each hold a valid personnel security screening at the level of Reliability Status, Secret or Top Secret, as required.

A Facility Security Clearance allows an organization to clear their personnel at the classified level in order to access classified information, assets and work sites.

54. The security requirements were changed 3 months following contract award. The requirement for Facility Security Clearance at the level of Top Secret was reduced to Secret level and Top Secret was removed from the levels required for personnel security screening. The change was made when CBSA wanted to issue a TA to the Contractor with a proposed resource that would be working out of the country. Initially, PSPC security would not permit it due to the security requirements of the contract. An amendment was then issued to change the security requirements and remove the requirements for Top Secret clearance. While the file did include correspondence between CBSA and PSPC regarding the change, it was unclear if the Top Secret requirement was included by mistake in the solicitation and original contract, or if something had changed in the requirement that caused Top Secret to no longer be required, leaving it open to the perception that the security requirement was changed in order to permit this particular resource to work on the contract. Regardless, the effect of including a requirement of Top Secret in the solicitation only to remove it soon after contract award likely reduced the number of potential bidders due to the challenges in obtaining Top Secret Facility Security Clearance and with providing resources who are Top Secret cleared.

Communication with the Public Services and Procurement Canada Contract Security Program

55. All government departments that award contracts with security requirements under their respective delegated contract authority and who used the PSPC Contract Security Program’s contract security services must send a copy of their contract to the Contract Security Program, including copies of any subsequent contract amendments. This is done to ensure the integrity of the contract security process, as well as the timely and efficient delivery of security screening services to suppliers, their personnel and their subcontractors. Only 6 of 27 (22%) applicable competitive and non-competitive contract files demonstrated that a copy of the contract had been provided to the Contracting Security Program. However, on December 14, 2023, PSPC provided OPO with an Excel table stating that 21 of the 23 PSPC awarded contracts had been provided to the Contracting Security Program, albeit not all in a timely manner.

Recommendation 5:

PSPC and CBSA should ensure adequate procedures are in place for sharing contract information with the Contract Security Program. These procedures should be communicated with all procurement personnel and monitored for compliance.

Line of enquiry 2: Non-competitive procurement practices leading to the award of contracts

56. In contrast to the 23 competitive contracts reviewed under LOE 1, discussed previously, under LOE 2, OPO reviewed the award processes of contracts and contract instruments that were not immediately preceded by a competitive process. In total, this comprised 18 files, which included:

  • 13 files for sole-source contracts
  • 2 files for procurements issued under the Government of Canada (GC) Cloud Framework Agreement
  • 1 file for a procurement under an Enterprise Service Agreement
  • 1 call-up issued under a Microcomputer National Master Standing Offer (NMSO)
  • TA issued under the Cyber Workforce Enablement Platform

57. All 18 of these non-competitive procurements were conducted by PSPC or SSC on behalf of CBSA and all occurred between April 2020 and December 2022, during the COVID-19 pandemic. Note that OPO made no significant observations related to the last 3 items listed above (Enterprise Service Agreement, Microcomputer NMSO, and the Cyber Workforce Enablement Platform). Thus, this section focusses on the 13 sole-source contracts and 2 procurements under the GC Cloud Framework Agreement.

58. The Government Contracts Regulations (GCR) have the force of law and establish the requirements that federal departments must respect when contracting for goods, services and carrying out construction. The GCR underline the predominance of competitive procurement by requiring contracting authorities to solicit bids before awarding contracts. That said, section 6 of the GCR provide several exceptions to the general rule requiring competition. Of note, these exceptions allow for non-competitive contracting in the case of a pressing emergency (GCR section 6(a)) and when only one supplier is capable of performing the work (GCR section 6(d)).

59. A pressing emergency has been defined by the Treasury Board Secretariat as a situation that may involve “an actual or imminent life-threatening situation; a disaster that endangers quality of life or safety of Canadians; a disaster that results in the loss of life; or a disaster that results in significant loss or damage to Crown property.” With respect to situations where it is believed only one supplier is capable of performing the work, the Treasury Board Secretariat requires departments to respond to a set of questions to explain and justify why exception 6(d) of the GCR has been invoked to allow a sole-source contract.

Consistency with Government Contracts Regulations exceptions that permit non-competitive contracting

60. For all 13 non-competitive (sole-source) contracts, the reason cited for awarding without competition was either GCR section 6(a) “the need is one of pressing emergency in which delay would be injurious to the public interest” (8 contracts); section 6(d) “only one person [supplier] is capable of performing the contract” (1 contract); or sections 6(a) and 6(d) were both cited (4 contracts). Files for all 13 contracts included written justification for the sole-source procurement strategy.

Transparency of decision-making for sole-source contracts

61. Decision making associated with sole-source procurements is typically less transparent than open competitive processes, making it even more important for departments to maintain diligent records of actions taken and decisions made. For most of the 13 sole-source contracts reviewed, OPO found the files contained adequate records of the non-competitive procurement process. However, for 2 sole-source contracts there was a lack of documentation regarding communication between PSPC or CBSA and the supplier in the period before the contract was awarded:

  1. In June 2020, PSPC awarded a non-competitive contract to GC Strategies Inc. on behalf of CBSA. The contract was for informatics professional services and was valued at $11.1M. There was no written record of a request or non-competitive solicitation being sent to the supplier. The only record of communication between the Crown and the supplier prior to signing of the Contract was an email from the supplier with quoted rates for various IT professional resource categories. The file included a contract award e-mail stating the supplier had been selected for contract award based on the proposal it submitted. While a draft statement of work and contract were on file, there was no record of either PSPC or CBSA sending a request to the supplier to obtain a proposal.
  2. In August 2021, PSPC awarded a non-competitive contract to 49 Solutions Inc. on behalf of CBSA. The contract was for IT consulting services and was valued at $1.725 million. File records showed that PSPC had initially denied a request from CBSA to award the contract without competition. CBSA had proposed using GCR 6(c) “it would not be in the public interest to solicit bids” to justify awarding the contract directly to a single supplier. The PSPC Contracting Authority, however, did not agree that CBSA had established strong enough justification to merit a sole-source contract award and challenged CBSA on their proposed procurement strategy. CBSA responded with a revised justification, but PSPC remained unconvinced. In a July 21, 2021 email, PSPC provided alternative approaches to CBSA that did not include a sole-source procurement option.

    There was a subsequent July 21, 2021 email indicating a discussion had occurred between CBSA and PSPC regarding PSPC’s refusal to conduct a sole-source procurement; however, there is no record of that discussion on file. There was a gap in the emails on file between July 21 and August 4, at which time PSPC no longer objected to a sole-source procurement. In an August 4, 2021 email, PSPC stated there was a blanket National Security Exception (NSE) in place and that it needed to be referred to in the approval documents. There was no documentation on file to demonstrate why PSPC proceeded with the sole-source procurement, after initially opposing it.

    For the same contract, CBSA had entered into discussions with the supplier before a sole-source procurement strategy had been approved by PSPC. The supplier had submitted proposed rates for various IT resource categories that would be provided on an ‘as and when needed basis’. There were no records on file of discussions or negotiations between CBSA and the supplier that led to receipt of the proposal. There was a second (updated) proposal, dated August 6, 2021, after PSPC had approved the non-competitive procurement strategy. The revised proposal appeared to reflect discussions or negotiations with CBSA or PSPC regarding the requirement. Again, there was a lack of records of discussions or negotiations between CBSA or PSPC and the supplier regarding this revised proposal.

The National Security Exception (NSE) provided for in all of Canada's trade agreements allow Canada to exclude a procurement from some or all of the obligations of the relevant trade agreement(s), where Canada considers it necessary to do so in order to protect its national security interests specified in the text of the NSE.

62. In April 2020, PSPC invoked the NSE and awarded a contract without competition to GC Strategies Inc. on behalf of CBSA. The contract was for informatics professional services and was valued at $13.9 million. The contract stated “the Contractor must, at all times during the performance of the Contract, hold a valid Designated Organization Screening (DOS) with approved Document Safeguarding at the level of Protected B.” File documentation showed GC Strategies Inc. did not meet the Document Safeguarding Capability security requirement when it was awarded the contract. An email on file dated April 6, 2020 from PSPC Security indicated the GC Strategies’ Document Safeguarding Capability as “NIL”. OPO noted that the Document Safeguarding requirement was removed through a contract amendment issued 14 months later, in June 2021. In response to this observation, PSPC stated that the Client (CBSA) advised in April 2021, 12 months after contract award, that the document safeguarding did not apply. This does not explain, however, why the contract was issued to a supplier that did not meet the security requirement in effect when the contract was awarded.

Cloud services Service Orders

63. SSC has established a procurement tool known as the GC Cloud Framework Agreement to provide client departments with access to multiple commercially available public cloud services. Through these agreements suppliers, referred to as Cloud Services Providers, provide access to cloud services on an as and when requested basis. To procure these services, client departments send their request to SSC where they are processed by SSC’s Cloud Brokering Service. SSC procures the services on behalf of the Client by issuing a Service Order to a Cloud Services Provider. Each Service Order forms a separate enforceable contract between Canada and the applicable Cloud Services Provider.footnote 1

64. Service Orders must be issued in accordance with the GC Cloud Framework Agreement Service Order ordering process. Under this process, when the total estimated cost of a requirement is $500,000 or less, SSC can issue a Service Order directly to a single Cloud Services Provider. For requirements valued above $500,000 to $4.5 million, SSC must compare a minimum of 3 Cloud Services Providers to determine which offers the best solution for the requirement. This process may include consideration of factors such as technical capabilities, performance levels, enhanced security and continuation of services or other criteria, as applicable to the requirement. Above $4.5 million, all Cloud Services Providers must be invited to respond to the request.

65. CBSA informed OPO that 16 ArriveCAN-related Service Orders were issued to Cloud Services Provider, Amazon Web Services (AWS). These Service Orders included 5 for cloud hosting services and 11 for advisory services over a period of almost 2 years. Of note, the 11 service orders for advisory services were treated as stand-alone requirements and were valued at $500,000 each. On 3 occasions 2 Service Orders were issued on the same date to AWS. Given the values were set at $500,000 these fell under the first tier of the GC Cloud Framework Agreement Service Order ordering process that allowed for service orders to be issued directly to AWS. While it may not have been the intent, the manner in which these ArriveCAN advisory services were acquired gives the appearance that requirements may have been divided into a number of smaller contracts (e.g., contract splitting), thereby avoiding controls on the duration of assignments or contract approval authorities.

66. SSC requires client requests under the GC Cloud Framework Agreement to be associated with a “Cloud Business Requirement” (CBR) that indicates the project for which the services are being used. SSC provided OPO with a list of the brief (one sentence each) CBR descriptions for these Service Orders. From the information SSC received from CBSA, it appeared these were all unique and unrelated requirements as they all referred to different CBSA systems. There was no indication that they were all linked as services that would be used for ArriveCAN. By treating them as a series of unrelated requirements, the procurement process bypassed the provisions for competitive procurement that are built into the GC Cloud Framework Agreement Service Order ordering process.

67. The total value of ArriveCAN-related Service Orders issued directly to AWS was more than $7 million, with most (approximately 70%) of that amount being for advisory services. There was, however, no indication that CBSA had developed a procurement strategy to address its cloud services requirements to support ArriveCAN and no indication that SSC questioned CBSA’s many requests for advisory Service Orders all valued at $500,000. There was also no indication on file that CBSA or SSC was using provisions in the GCR that allow for contracts to be awarded without competition in certain circumstances, for example when the need was one of pressing emergency or only one supplier is capable of performing the work.

68. In response to OPO’s observations, CBSA confirmed that the Service Orders in question were associated with the development and expansion of the ArriveCAN platform as requirements evolved. Despite there being a process for issuing Service Orders to Cloud Services Providers under the GC Cloud Framework Agreement, CBSA stated it had only obtained interim authority to operate exclusively on the AWS platform during the implementation of ArriveCAN. CBSA advised that AWS was the only option available.

69. Further, CBSA stated “it’s important to highlight that different divisions or directorates within CBSA were responsible for distinct elements of ArriveCAN. The platform, given its complexity and criticality, naturally involved multiple facets of our organization. Each division or directorate had its own unique objectives and deliverables, while all aligning with the overarching goal of creating and enhancing a robust, user-friendly, and secure platform. As ArriveCAN had already been designed, released into production, and was being continuously enhanced, it was essential to maintain consistency in its development. Introducing multiple vendors by distributing portions of the project could have jeopardized the platform's stability and uniformity. Given that we [CBSA] were building on top of an existing product, the continuity in design, functionality, and security could only be ensured by keeping the development process unified under a single GC Cloud FA [Framework Agreement] holder.”

70. For its part, SSC informed OPO that the GC Cloud Framework Agreement had been put in place in 2019 before the Government of Canada had embarked on widespread cloud adoption. According to SSC, “when the COVID-19 pandemic began in March 2020, the demand for cloud services grew exponentially beyond what could have been predicted when the procurement vehicle was established in 2019 and remained in a state of uncertainty until the public health crisis stabilized.” SSC is currently in the process of updating the Framework Agreement to enhance best practices and implement lessons learned.

71. CBSA informed OPO that it decided to expand its cloud footprint to include Microsoft Azure and that Cloud Service Provider, Microsoft Canada, had also performed work for ArriveCAN. However, OPO received very little information about these procurements. SSC provided 3 Service Orders that were issued to Microsoft under the GC Cloud Framework Agreement. The value of these Service Orders was $394,000, $712,691, and $250,000. The first Service Order (valued at $394,000) was for ‘advisory services’. OPO was able to trace this Service Order to an invoice CBSA had tabled with the OGGO committee. The second Service Order (valued at $712,691) indicated it was for ‘PowerApps – SaaS [Software as a Service]’ and the third Service Order (valued at $250,000) indicated it was for ‘Cloud Services – PaaS [Platform as a Service]’. The second and third Service Orders may be associated with 2 other invoices CBSA had tabled with OGGO, but it was not clear based on the documentation provided. Little else could be gleaned from the file information made available.

72. Other than CBSA advising OPO that they decided to expand their cloud footprint to include Microsoft Azure, and to invest in securing Authority to Operate (ATO) for multiple service providers, there was no indication that CBSA had developed a procurement strategy for these ArriveCAN-related procurements and there was no indication that any of these Service Orders with a combined value of over $1.3 million were competed among GC Cloud Framework Agreement holders.

Recommendation 6:

SSC should critically examine all aspects of its Cloud Brokering Service procedures to ensure procurements conducted (i.e., Service Orders issued) under the GC Cloud Framework Agreement and its successors promote fairness, openness, and transparency.

Line of enquiry 3: Practices for issuing Task Authorizations and contract amendments

Task Authorizations

73. Of the 41 files reviewed, 28 were for contracts with TAs under which work was performed for ArriveCAN. For the most part, these were professional services contracts that were not established specifically for ArriveCAN. The contracts provided CBSA with access to professional resources needed to support a variety of technology-related initiatives. Throughout this section, unless otherwise noted, observations pertain specifically to TAs, identified by CBSA, through which work was performed for ArriveCAN.

74. The table below shows the number of ArriveCAN-related TAs that were issued under these 28 contracts. For example, 9 contracts had only 1 TA, 5 contracts had 2 TAs, etc. During the review scope period, work was performed for ArriveCAN through 143 TAs. Roughly half of the TAs were issued under only 3 contracts, which were awarded to GC Strategies Inc. or Dalian Enterprises and Coradix Technology Consulting, in Joint Venture.

Table 1: Overview of ArriveCAN-related contracts
Number of Contracts Number of ArriveCAN TAs per Contract Cumulative Number of ArriveCAN TAstable 1 note *
9 1 9
5 2 19
3 3 28
3 4 40
1 5 45
2 6 57
2 7 71
1 9 80
1 21 101
1 42 143
Table 1 Note
Table 1 Note *

This only includes TAs under which work was performed for ArriveCAN. It is not intended to represent the total number of TAs issued under these contracts.

Return to table 1 note * referrer

75. TAs are issued using a TA form that must include key details of the activities to be performed, including but not limited to:

  • the task number;
  • the categories of resources and the number of resources required;
  • a description of the work for the task outlining the activities to be performed;
  • the start and completion dates;
  • the number of person-days of effort required;
  • the level of security clearance required of resources; and
  • the price payable to the supplier for performing the task.

76. For amendments to TAs, the TA form must indicate the amendment number and the reason for the amendment. The work described in a TA must be in accordance with the scope of the contract and the supplier must not commence work until a valid TA has been issued by Canada. Each contract has clauses describing the steps and documentation required for the TA process. As most of these contracts were established by PSPC on behalf of CBSA, they generally had the same or similar requirements with respect to issuing TAs.

Task Authorization forms

77. OPO found contract files provided a complete record of TAs issued for ArriveCAN. Of the 143 TAs and TA amendments from the 28 applicable contracts reviewed, there was only 1 instance where a TA document was not located on file. Additionally, OPO found key components of these TAs (e.g., resource categories and levels, per diem rates, timeframes) were consistent with the underlying contracts. However, OPO identified 3 TAs with security requirements that deviated from the contract. In 2 files, the contract required personnel to be cleared at the Secret level, but the TA only required resources to have a lower ‘Reliability Status’ security clearance. For 1 of those files, OPO did note that a contract amendment was issued soon thereafter changing the personnel security requirements to permit Reliability Status or Secret, as required. For the third file, the contract required that resources be cleared to Reliability Status, whereas a TA required Secret clearance. For this latter contract, the proper course of action would have been to issue a contract amendment that included various security clearance requirements, including Secret clearance when required.

78. For most of the contracts reviewed, CBSA was permitted to issue TAs or TA amendments under its own authority when the value was $300,000 or less, excluding taxes. Above that threshold, the TA was required to be authorized by the PSPC Contracting Authority. Overall this requirement was adhered to; however, exceptions were noted. For 1 contract with 4 relevant TAs, 2 TA amendments that were above the $300,000 threshold were not signed by the PSPC Contracting Authority. For another contract, with 3 relevant TAs, a TA amendment valued below $300,000 was not signed by CBSA. CBSA also informed OPO that, effective October 2019, PSPC sign-off was required for all TAs issued for the Senior Business Architect resource category under a TSPS contract. There was 1 TA for a Senior Business Architect resource who began work in July 2021 that did not have the required PSPC signature authorizing the TA.

Task Authorization statement of work

79. The intent of the TA process is to allow for TAs to be raised to cover specific tasks required within the scope of services under a given contract. According to the PSPC Supply Manual, Clients that have been authorized to issue TAs are responsible to “ensure the task (or revised task) description of the work required (activities to be performed, deliverables to be submitted, completion dates for major activities or submission dates for deliverables or, as applicable, both) included in the TA is in accordance with the contract Statement of Work (SoW).”

80. OPO observed that 20 TAs under 8 contracts did not include the specific tasks, including descriptions of the activities to be performed. The statement of work section of these TA forms stated “see attached” however, there was no statement of work attached, nor was a statement of work found on file.

Assessment of Task Authorization resources

81. In response to a TA request, the supplier must propose the required number of resources and include a résumé to demonstrate that each proposed resource meets the requirements of the, mandatory criteria, the minimum points for point-rated criteria, and the flexible grid, as applicable. Client departments must review these assessment worksheets and confirm the proposed resources meet the requirements applicable to the category and level.

82. There were no completed assessment worksheets on file for more than 30 resources that were authorized to perform work for ArriveCAN on 22 TAs issued under 12 contracts. In instances when resource assessment worksheets were on file, the results of the assessment were often not supported with descriptions of past project experience used in the assessment of the resource (i.e., there was no résumé on file).

83. The assessment worksheets for resources added through TAs under a contract awarded to GC Strategies Inc. stood out from the others. For this contract valued at $25.3 million there were 42 TAs. The TA process in the contract stated the résumé submitted “must not simply indicate the title of the individual's position, but must demonstrate that the resource has the required work experience by explaining the responsibilities and work performed by the individual while in that position. Only listing experience without providing any supporting data to describe responsibilities, duties and relevance to the requirement, or reusing the same wording as the TA Form, will not be considered ‘demonstrated’ for the purposes of the assessment.”

84. OPO found assessment worksheets for resources on 16 of the 42 TAs issued under this contract did not demonstrate the proposed resource met mandatory criteria or support points awarded for point-rated criteria. There were numerous examples where the supplier had simply copied and pasted requirements from mandatory and point-rated criteria as project experience of the resource. For example, a mandatory criterion stated the supplier must demonstrate that the proposed resource has experience “designing, developing and implementing mobile-based applications for two of the platforms below: iOS, Android, Blackberry.” The assessment grid from GC Strategies Inc., which was accepted by CBSA, simply stated the proposed resource’s past project responsibilities included “designing, developing and implementing mobile-based applications for two of the platforms below: iOS, Android, Blackberry.”

85. Missing, incomplete, or insufficient assessment worksheets impact the department’s ability to demonstrate that the resources added through the TA process met the required experience criteria for the various categories and levels as described in the contract.

Recommendation 7:

CBSA should ensure the qualifications and experience of all resources proposed in response to a TA request are consistently assessed against the requirements for the applicable category and level as set out in the contract and document results of the assessment in the file.

Recommendation 8:

PSPC should require the Client to provide completed resource assessment worksheets demonstrating the proposed resource meets the requirements for the applicable category and level when requesting PSPC authorization of TA forms.

No Criteria to assess resources

86. Of the 28 contracts with TAs, there were 4 that were awarded by PSPC on behalf of CBSA through a non competitive (sole-source) process. Three contracts were awarded to GC Strategies Inc. and 1 contract was awarded to 49 Solutions Inc. The 4 contracts were not issued under the TBIPS supply arrangement, but were similar in many respects and included resource categories found in contracts issued under TBIPS. These contracts did not, however, include criteria to objectively and transparently assess proposed resources that were added through the TA process to determine whether they had the requisite experience and education for the category and level specified.

Recommendation 9:

PSPC should ensure all professional services contracts with TAs, whether issued through competitive or non-competitive processes, include criteria to assess the qualifications and experience of resources added through the TA process.

Verification of security clearances

87. As stated in section 5.15 of the PSPC Supply Manual, for contracts awarded by PSPC, “before contract award, the contracting officer must verify with the [PSPC] Contract Security Program (CSP) that the proposed contractor meets the security requirements of the bid solicitation.” […] “During the period of the contract, the client must ensure that all contractors or subcontractor personnel who will have access to any classified or protected information, assets or sensitive work sites, or to government systems, including information accessible in a cloud service provider portal, are identified as working under the contract and that their security status has been verified with the CSP. The contracting officer will assist in this process, as required.”

88. OPO reviewed file documentation for evidence that personnel security requirements, e.g., Secret or Reliability Status, were verified before proposed resources were authorized to be included on TAs through which work was performed for ArriveCAN. Secret clearance is required by a resource working on a sensitive government contract to access Secret information and assets. Reliability Status is required by a resource working on a sensitive government contract to access information and assets up to the Protected B level.

Secret information and assets are those that, if compromised, could cause serious injury to the national interest.

Protected B applies to information or assets that, if compromised, could cause serious injury to an individual, organization or government.

89. On October 6, 2023, CBSA provided OPO with records confirming that all resources added through TA met the personnel security clearance requirements, i.e. Secret or Reliability status, as stated on the TA form. At CBSA, security confirmations are performed by security personnel; however, the results of these confirmations were often not retained in the contract file. Retention of these records in the contract file is important for ensuring that accurate and comprehensive procurement records are maintained to facilitate management oversight and audit, as required under the Treasury Board Contracting Policy and Directive on the Management of Procurement.

Recommendation 10:

CBSA should not authorize any TAs without first confirming resource(s) named in the TA meet(s) all security requirements and should retain the confirmation in the contract file.

Recommendation 11:

PSPC should require the Client to include proof that security requirements have been verified when requesting PSPC authorization of TA forms.

Recommendation 12:

PSPC should retract the authority of CBSA to issue TAs for contracts awarded by PSPC until such time that CBSA has consistently demonstrated compliance with all requirements of the tasking process.

Contract amendments

90. A contract amendment is an agreed addition to, deletion from, correction or modification of a contract. As discussed in section 12.9 of the Contracting Policy “contracts should not be amended unless such amendments are in the best interest of the government, because they save dollars or time, or because they facilitate the attainment of the primary objective of the contract.” The Policy also goes on to state that “many contract amendments are, in fact, prudent. Often contract amendments or probable amendments can be foreseen when the initial contract is contemplated.”

91. Overall, contract amendments were appropriate and were in line with the Contracting Policy. Of the 41 contracts reviewed, 31 had been amended. Broadly speaking, these amendments fell into 1 of 4 categories: (1) administrative amendments, (2) unplanned amendments to extend the contract period with no increase in contract value, (3) planned amendments to exercise previously contemplated option periods, and (4) unplanned amendments that increased the contract value. With respect to the fourth type of amendments, these were supported by written justification on the contract file, which usually focussed on the evolving and unpredictable nature of the COVID-19 pandemic and CBSA’s work in support of Canada’s efforts to combat the virus.

Line of enquiry 4: Proactive publication of contract information

92. The Government of Canada has committed to the disclosure of contracting data via an online database available to the public. This commitment reflects broader government commitments to transparency and strengthened accountability within the public sector.

93. Under the former Treasury Board Contracting Policy and the current Directive on the Management of Procurement, departments are required to proactively disclose contract information. The Treasury Board Secretariat Guide to the Proactive Publication of Contracts, formerly titled the Guidelines on the Proactive Disclosure of Contracts, provides guidance to departments on the identification, collection, reporting and proactive publication of contract information.

94. Government policy requires quarterly proactive publication of information on the following:

  • A contract when its value is over $10,000;
  • A positive or negative amendment when its value is over $10,000; and
  • A positive amendment when it modifies the initial value of a contract to an amended contract value that is over $10,000.

95. As proactive publication of contracts is a responsibility of the client department, CBSA was responsible for proactive publication of contracts.

Incomplete proactive publication of contracts

96. OPO searched proactively published contract information on the Open Government website (open.canada.ca) to determine if all 41 contracts and applicable amendments were proactively published. Proactive publication information was missing for 17 of 41 contracts (41%) reviewed. In these 17 cases, the original contract or 1 or more contract amendments valued at more than $10,000 were not available on the Open Government website. In addition, there were 3 contracts (7%) for which results were inconclusive. In these 3 cases, ArriveCAN contracts may have been pooled with other published information.

97. For the remaining 21 contracts (51%), OPO was able to locate proactively published information on the original contract and applicable amendments. There were, however, challenges in finding this information. For 16 of these 21 cases, the contract number was not accurately reflected in the published information. OPO was only able to confidently draw links between published information and the appropriate contract because the review team had access to the contract files. Inaccuracies in proactively published information inhibits transparency and the usefulness of this information to Canadians.

98. The Guide to the Proactive Publication of Contracts provides a limited exception for a contract with TAs. Section 4.1.9 of the Guide states “for contracts with task authorizations, the full potential value of the contract may be reported upon contract award unless the full value is not expected to be used. In the latter situation, each task authorization may be reported individually.” This implies that it is not mandatory to proactively publish TAs if the contract and amendments have been published. That said, publication of complete and accurate TA information supports greater transparency and accountability.

99. OPO noted that CBSA proactively published information for some TAs under which work was performed for ArriveCAN; however, this was only a small segment of all such TAs and TA amendments. Also, TAs that were published were often mis-identified as a call-up or a contract against a standing offer or supply arrangement, further limiting the value of the information provided.

Recommendation 13:

The CBSA should update its practices for the proactive publication of contracts, including contracts with task authorizations, to meet the requirements set out in the Directive for the Management of Procurement and the Guide to the Proactive Publication of Contracts.

VII. Other observations

100. In August 2019, PSPC awarded a contract on behalf of CBSA to Dalian Enterprises and Coradix Technology Consulting, in Joint Venture. The contract was for IM and IT professional services to support various CBSA projects within the Business Application Systems Directorate and was valued at $21.2 million. The solicitation for this contract was issued under the TBIPS supply arrangement and was open to qualified Indigenous suppliers under the Procurement Strategy for Indigenous Business.

101. The solicitation stated that Canada intended to award up to 2 contracts for the requirement. File evidence from the procurement planning phase (pre-solicitation), however, showed that CBSA’s preference was to award only 1 contract, but it had allowed for the solicitation to state “up to two contracts” because that was what was included in the TBIPS request for proposal (RFP) template.

102. There were 6 bids received from qualified Indigenous suppliers, 5 of which were deemed compliant. Evaluation results showed all 5 compliant bids were of high quality and all received the maximum points available on the technical component. Following the consensus meeting for the technical evaluation, however, CBSA requested to PSPC that only 1 contract be awarded. The reason given was that CBSA’s processes and procedures to manage more than 1 contract were cumbersome and time consuming. They wanted to reduce the administrative work associated with managing more than 1 contract. This may have been a valid point; perhaps CBSA was not capable of managing contracts with multiple suppliers. That said, in this case timing mattered. Such a decision to award only 1 contract should have been made in the planning phase of this procurement and communicated to potential bidders in a clear, transparent and timely manner in the solicitation.

VIII. Conclusion

103. Procurement practices pertaining to contracts associated with ArriveCAN were assessed to determine if they were consistent with the Financial Administration Act and the regulations made under it, Treasury Board policy and, where applicable, organizational policies and guidelines and to determine if they supported the principles of fairness, openness and transparency. This included a review of 41 competitive and non-competitive procurement processes and resulting contracts, contract amendments, and task authorizations (TAs) or Service Orders under which work was performed for the creation, implementation and maintenance of ArriveCAN. CBSA was the client department for all 41 contracts. These contracts were established for CBSA by PSPC, by SSC, and by CBSA under its own contracting authority.

104. Regarding competitive procurement practices leading to the award of contracts, all 23 solicitations reviewed were issued under a PSPC supply arrangement. Overall, solicitation documents were clear and contained information potential bidders required to prepare a responsive bid. For the most part, solicitations, solicitation amendments and responses to questions from potential bidders were appropriately communicated and bids were evaluated and contracts awarded in accordance with solicitation documents.

105. Mandatory criteria used in 1 solicitation leading to the award of a $25 million contract to GC Strategies Inc. were overly restrictive and favoured this existing CBSA supplier. The criteria each specified mandatory requirements in terms of recent experience with the Government of Canada that were closely associated with work that had been performed under previous CBSA sole-sourced contracts. GC Strategies Inc. was the only bidder for this contract. It would have been highly improbable that any other supplier could have met all mandatory criteria required to be deemed compliant.

106. OPO also identified issues related to the achievement of “best value” in many procurements. For 10 of the 23 competitive procurements reviewed, the use of overly restrictive median bands in the financial evaluation of bids stifled price competition and resulted in rejection of otherwise high quality bids without any efforts on the part of Canada to seek evidence to substantiate the more competitive rates proposed by some bidders.

107. In roughly 76% of applicable contracts, resources proposed in the winning bid did not perform any work on the contract. When TAs were issued under these contracts the supplier offered up other resources, but not the individuals that had been proposed in order to win the contract. While it is recognized that there may be legitimate reasons for some proposed resources being unavailable, the number of times it occurred and the absence of file documentation explaining why these resources were not made available raised serious concerns with these contracts.

108. Files for non-competitive contracts included written justification for awarding the contract through a sole-source process based on the exceptions to competition provided by the Government Contracts Regulations. The reasons cited for not competing these contracts were that they were necessary due to the need being one of pressing emergency or only one supplier was capable of performing the work.

109. Insufficient records maintained by SSC raised questions as to whether Service Orders issued to Amazon Web Services (AWS) and Microsoft Canada under the GC Cloud Framework Agreement followed appropriate procurement practices. There was no documented procurement strategy for work associated with ArriveCAN and multiple Service Orders issued to AWS were treated as separate, unrelated requirements despite the fact all were associated with ArriveCAN.

110. A majority of the files reviewed were for professional services contracts through which work was authorized for ArriveCAN under a TA. Documentation of TAs used for ArriveCAN was overall complete and, for the most part, properly authorized. However, 20 TAs of the 143 reviewed did not include the specific tasks, including descriptions of the activities to be performed.

111. Resources authorized to work on a contract with TAs must be assessed by the business owner before a TA is issued to ensure the individual meets evaluation criteria for the resource category, as specified in the contract. There were no assessments for more than 30 resources who were named on ArriveCAN-related TAs. When assessment worksheets were on file, the results were often not supported by descriptions of past project experience supporting the results of the assessment of the resource. For 4 sole-source contracts with TAs awarded by PSPC on behalf of CBSA, the contracts did not include any criteria to objectively and transparently assess resources to determine whether they had the requisite experience and education for applicable categories and levels.

112. For resources added through TAs, CBSA was responsible to ensure that all personnel security requirements specified in the contract, e.g., Secret or Reliability Status, had been verified before the individual was permitted to start work. Evidence showed that personnel security requirements had been confirmed for all resources that performed work for ArriveCAN. While CBSA was able to produce these records, they were frequently not retained in the contract file. Retention of these records in the contract file is important for ensuring that accurate and comprehensive procurement records are maintained to facilitate management oversight and audit.

113. Overall, amendments to the contracts reviewed were appropriate and were in line with the Contracting Policy. Amendments that increased the value of these contracts were either contemplated in advance (i.e., exercise of contract option periods) or were necessary to respond to the evolving and unpredictable nature of the COVID-19 pandemic and CBSA’s work in support of Canada’s efforts to combat the virus.

114. As the client department, CBSA was responsible for the proactive publication of contract information on the Open Government website for the contracts reviewed. Information was not proactively published for 17 of 41 (41%) contracts reviewed. In these 17 cases, the original contract or one or more contract amendments were not available on the Open Government website. This result runs counter to broader government commitments to transparency and strengthened accountability within the public sector.

115. As discussed throughout this report, OPO found practices for awarding competitive and non-competitive contracts, for issuing TAs and service orders, and for proactive publication of contract information that were inconsistent with government policy and that threatened fairness, openness and transparency of government procurement. The Procurement Ombud has made 13 recommendations to address the issues identified with procurement practices associated with the ArriveCAN application.

IX. Organizational Responses

Canada Border Services Agency

116. The CBSA would like to thank the Procurement Ombudsman for his report, which outlines gaps in controls and areas for improvement in the Agency’s procurement processes. The CBSA recognizes that these are, in fact, part of broader management gaps that must and will be addressed through a five-point Management Improvement Plan.

117. The CBSA accepts each of the Ombuds’ recommendations and will be implementing them to help further improve our procurement processes. Beyond this, the CBSA is strengthening processes and controls related to procurement planning, contract administration, corporate culture and proactive monitoring to reduce the risk of fraud. [A copy of the CBSA Management Improvement Plan is available at Appendix ‘A’.]

118. The CBSA recognizes that procurement activities must be carried out with the highest regard for value for money, transparency and in accordance with policies and management excellence. Audits and reviews are a way for the Agency to make sure that we are doing things right, and recent findings have shown clearly that improvements are needed. We must make these improvements if we are to maintain the trust of Canadians.

Public Services and Procurement Canada

119. Public Services and Procurement Canada (PSPC) is committed to conducting procurements in an open, fair, and transparent manner. This starts by ensuring sound management and integrity of its procurement processes. As the central purchasing agent for federal departments and agencies, PSPC puts contracts in place on behalf of client departments and agencies. While contract management is a shared responsibility between PSPC and its clients, PSPC is committed to improving and strengthening all aspects of the federal procurement process.

120. PSPC would like to thank the Office of the Procurement Ombud (OPO) review team for their thoroughness in undertaking this review, and for the detailed findings and recommendations that have been produced. PSPC accepts the OPO recommendations in their entirety, and has developed action plans to strengthen its procurement policies and processes, and to provide training opportunities for its procurement workforce.

121. The timeframe during which PSPC provided services to our CBSA clients, including the contracts that contributed to the development of the ArriveCAN application, was a challenging period. The department abruptly transitioned to full time remote work, creating a challenge in reconciling paper files located in buildings the workforce could not access, and new electronic records. After three years and multiple personnel changes, efforts to reconcile discrepancies were exacerbated. At the time, procurement teams were also under intense pressure to proceed quickly to enable programs that would ease the effects of the COVID-19 pandemic on the lives of Canadians. In pursuing these goals, expedited processes were encouraged that would differ from ideal practices designed for routine requirements.

122. PSPC noted, throughout the observations, a lack of consistency in documenting procurement files. We agree with this general finding, and have similarly noted that e-mail records were relied upon frequently between 2018 and 2023 as the department transitioned from paper to electronic recordkeeping. Emails and other records have not been consistently placed in procurement files, and we will be taking further action to promote record keeping diligence.

123. Moreover, we agree that PSPC could better document client-driven decisions and actions such as departures from typical median pricing band ranges when setting bid evaluation criteria or the completion of evaluation grids for proposed resources. We agree that these types of decisions were not well documented in PSPC’s files, impeding the department’s ability to holistically manage and report on the status of contracts. PSPC has already taken action to address these issues by providing clear direction to all procurement teams on December 4, 2023 to ensure that all the client-produced paperwork will be on file in the future before any contracts are signed, or Task Authorizations are awarded.

124. PSPC noted the finding that in 76% of contracts for contingency workforce resources, the proposed resources did not perform work on the contract. This validates an existing concern at PSPC, and the department will be promoting the use of both corporate and social responsibility criteria for these contracts when selecting a supplier based on best value, in lieu of evaluating resumes. Going forward, the department believes that evaluating the demonstrated past performance of companies will be a more effective strategy to differentiate between them.

125. The department noted that sometimes task authorizations were found not to include specific tasks, activities, or evaluation criteria against proposed resources, which should have been assessed to justify the charged rates. Direction has already been issued to PSPC procurement teams, and to all our client departments who use our professional services supply arrangements that this practice will no longer be acceptable. Similarly, we noted cases of security clearance validation not being on file and have communicated clear expectations to procurement teams in relation to documenting these validations before issuing contracts or Task Authorizations.

126. PSPC appreciates some of the more positive findings in the report, reinforcing progress the department has been striving for, including in the areas of achieving best value in the selection of methodologies, ensuring clear and fair mandatory and point-rated technical criteria in bid evaluations, having proper documentation in relation to contract award decisions, the consistency with which PSPC documented sole-sourcing decisions, and the consistent treatment of contract amendments in a policy-compliant manner.

127. We also appreciated the positive feedback received on keeping electronic registries to manage and retain information related to supplier questions sent to PSPC during the solicitation period as we believe this work is indicative of the record keeping improvements we are striving for.

Shared Services Canada

128. SSC provides the digital backbone of the federal government, which underpins essential services and programs. Procurement activities undertaken at SSC are guided by the principles of fairness, transparency, openness, inclusiveness, and integrity. SSC collaborates with partner organizations to ensure procurements respect relevant Treasury Board policy instruments, applicable legislation, regulations and trade agreements.

129. SSC would like to thank OPO for performing this review and supports Recommendation 6, which applies to the procurement of cloud services. While the procurement processes outlined in the GC Cloud Framework Agreement were followed for the majority of cloud procurements awarded to Amazon Web Services and Microsoft Canada, SSC agrees that there are opportunities to enhance the Cloud Brokering Service (CBS) procedures. As part of SSC’s ongoing efforts to strengthen procurement processes, a number of improvements have already been made to the CBS procedures which address OPO’s observations, as outlined in Annex I.

130. SSC also continues its work, started prior to this review, to refine record keeping practices by enhancing compliance checks on selected files and incorporating proper document storage into performance management agreements for procurement professionals.

X. Acknowledgment

131. OPO wishes to express its appreciation to the staff at CBSA, PSPC and SSC who provided information and extended assistance and cooperation to OPO during this review.

Annex I: Procurement Practice Review of ArriveCAN: Responses and Action Plans

Table 2: Organizations responses and action plans
Recommendation Response/Action Plan Timeline for Implementation
1. PSPC should consistently require Clients to justify the use of median band limits that are more restrictive than median minus 20% to median plus 30%. The justification should be retained in the contract file.

PSPC accepts this recommendation, and will undertake the following actions:

PSPC will change our median band process to document when and why median bands are applied in a procurement and will require written client justification, kept on the procurement file, whenever median bands that depart from the standard are used.

PSPC will implement this change by updating the templates for RFPs issued under the methods of supply for professional services.

January 2024
2. PSPC should revise its “price support” clause with methodology that will enable the Contracting Authority to obtain appropriate evidence to assess the reasonableness of a bidder’s proposed price(s).

PSPC accepts this recommendation, and will undertake the following actions:

PSPC will review the "Substantiation of Professional Services Rates” clause that permits Canada to require bidders to substantiate proposed rates that fall below the lower limit of the median band. Any changes identified will be incorporated in the templates for RFPs issued under the methods of supply for professional services.

March 2024

PSPC will additionally include requirements in our tendering documents for professional services contracts that will require vendors to provide the information required by PSPC to conduct price analysis, as a condition of bidding.

March 2024
3. PSPC should update the ‘Replacement of Specific Individuals’ clause so that it applies to the named resource(s) in the successful supplier’s bid for solicitation requiring the bidder to propose a resource or resources.

PSPC accepts this recommendation, and will undertake the following actions:

To remedy the issue of resources in bids not being available when the work starts, PSPC will update the “Replacement of Specific Individuals” clause so that it applies to named resources in the successful vendor’s bid for solicitations requiring the bidder to propose a resource or resources.

The replacement of specific individuals clause will be updated in the templates for RFPs issued under the methods of supply for professional services, and reflected in guidance to procurement staff.

Template update in January 2024
PSPC will require that replacement resources are assessed to meet or exceed the contractual requirements and that this is documented on the procurement file. Guidance documentation update in April 2024.
4. CBSA should establish a quality control process to ensure mandatory criteria are not overly restrictive and do not undermine the fairness and openness of the bid solicitation process.

Agreed. The Agency has created a new Executive Contract Review Board, which is responsible for ensuring that mandatory criteria are not overly restrictive for all contracts above $40K. In addition, contracts above $1M are approved by the CBSA’s Executive Committee to ensure they do not undermine the fairness and openness of the bid solicitation process.

Office of Primary Interest (OPI): Vice-President, Finance and Corporate Management Branch (FCMB)

Completed
5. PSPC and CBSA should ensure adequate procedures are in place for sharing contract information with the Contract Security Program. These procedures should be communicated with all procurement personnel and monitored for compliance.

PSPC:

PSPC accepts this recommendation, and will undertake the following actions:

PSPC procedures already require that the Contract Security Program be engaged when a contract has security requirements. A reminder was sent to all procurement staff of the policy requirements.

PSPC:

Communiqué to procurement officers: December 4th, 2023 (completed).

In addition, a new procurement file completion checklist will be developed and implemented for all Professional Services procurement files and will include this step. Implementation of new checklist: February 2024.

CBSA:

Agreed. The CBSA’s new Procurement Directorate has prepared and communicated guidance (including a checklist) to help ensure that each step is completed, including the need to share contract information with the Contract Security Program.

CBSA:

Completed

The consistent application of the new Standard Operating Procedures will be assessed as part of the regular Assurance Reviews.

OPI: Vice-President, Finance and Corporate Management Branch (FCMB)

April 1, 2024
6. SSC should critically examine all aspects of its Cloud Brokering Service procedures to ensure procurements conducted (i.e., Service Orders issued) under the GC Cloud Framework Agreement and its successors promote fairness, openness, and transparency.

SSC critically examined the procurement practices under the Framework Agreement (FA), which resulted in the following interim processes until the new generation of procurement vehicles are in place:

  1. A new Training and Advisory Services (TAS) procurement process. Before any new request is approved, there are new challenge functions in place in order to ensure fairness amongst suppliers under the FA. Clients must now complete a sole-source questionnaire and provide details on their requirement to enable SSC to ensure compliance with the GCRs and with the limited tendering requirement of trade agreements. (Completed)
  2. A new Due Diligence Process. This verification practice ensures the contracting integrity of all new service order requests, their compliance with the FA, and that procurement best practices were followed. (Completed)

Aligned with the evolution of the GC Hosting Strategy, SSC will continue to evolve the ecosystem to further promote openness, transparency and fairness. SSC has initiated activities to establish a new generation (NextGen) of procurement vehicles that will replace the FA and will incorporate lessons learned from this review and from the experience over the past years of the GC Cloud adoption. This initiative has been formally launched with a broad industry engagement session on 29 November 2023.

Completed
7. CBSA should ensure the qualifications and experience of all resources proposed in response to a TA request are consistently assessed against the requirements for the applicable category and level as set out in the contract and document results of the assessment in the file.

Agreed. The CBSA’s new Procurement Directorate has prepared and communicated guidance to ensure that each step is complied with, including the need to consistently assess qualifications and experience and document the results of the review are recorded in the contract file. In addition, all managers in headquarters, with procurement responsibilities, were required to undertake mandatory training in 2023.

Completed

The consistent application of the new Standard Operating Procedures will be assessed as part of the regular Assurance Reviews.

OPI: Vice-President, Finance and Corporate Management Branch (FCMB)

April 1, 2024
8. PSPC should require the Client to provide completed resource assessment worksheets demonstrating the proposed resource meets the requirements for the applicable category and level when requesting PSPC authorization of TA forms.

PSPC accepts this recommendation, and will undertake the following actions:

PSPC has provided direction, in a December 4, 2023 communiqué, to procurement staff that when counter-signing a Task Authorization for contingency workforce, copies of the worksheets demonstrating the proposed resource meets the requirements for the applicable category and level will need to be provided prior to approving.

Communiqué to procurement officers: December 4th, 2023. (completed)

In addition, a new Task Authorization approval checklist will be developed to assist procurement officers in their review of Task-Authorizations being submitted for approval. It will include sourcing the evaluation grids signed by the Technical Authority. Implementation of new checklist for TAs: February 2024
PSPC will also update the Guide to Preparing and Administering Task Authorizations as well as the Record of Agreement template for clients. Guidance documents update: April 2024
9. PSPC should ensure all professional services contracts with TAs, whether issued through competitive or non-competitive processes, include criteria to assess the qualifications and experience of resources added through the TA process.

PSPC accepts this recommendation, and will undertake the following actions:

PSPC has provided direction, in a December 4, 2023 communiqué, to procurement staff that when issuing contracts that include contingency workforce provisions through TAs, the contracts must include specific criteria for Technical Authorities to assess resource qualifications and criteria.

Communiqué to procurement officers: December 4th, 2023. (completed)
This will also be added to the procurement file completion checklist for Professional Services contracts. Implementation of new checklist: February 2024
PSPC will also update the Guide to Preparing and Administering Task Authorizations as well as the Record of Agreement template for clients. Guidance documents update: April 2024
10. CBSA should not authorize any TAs without first confirming resource(s) named in the TA meet(s) all security requirements and retaining the confirmation in the contract file.

Agreed. The CBSA’s new Procurement Directorate has prepared and communicated guidance to ensure that each step is complied with, including the need to confirm that resources meet the security requirements and the results of the review are recorded in the contract file.

Completed

The consistent application of the new Standard Operating Procedures will be assessed as part of the regular Assurance Reviews.

OPI: Vice-President, Finance and Corporate Management Branch (FCMB)

April 1, 2024
11. PSPC should require the Client to include proof that security requirements were verified when requesting PSPC authorization of TA forms.

PSPC accepts this recommendation, and will undertake the following actions:

PSPC has provided direction, in a December 4, 2023 communiqué, to procurement staff that when counter-signing a Task Authorization for contingency workforce, proof that security requirements were verified will need to be provided by the client prior to approving.

Communiqué to procurement officers: December 4th, 2023. (completed)

Implementation of new checklist for TAs: February 2024

PSPC will also update the Guide to Preparing and Administering Task Authorizations as well as the Record of Agreement template for clients. Guidance documents update: April 2024
12. PSPC should retract the authority of CBSA to issue TAs for contracts awarded by PSPC until such time that CBSA has consistently demonstrated compliance with all requirements of the tasking process.

PSPC accepts this recommendation, and will undertake the following actions:

PSPC suspended departments’ authorities to issue their own TAs on currently active professional services contracts for which PSPC is the Contracting Authority on November 28, 2023. These suspensions apply to all professional services contracts issued under the Task-Based Informatics Professional Services, Solutions-based Informatics Professional Services, and the Task and Solutions Professional Services Supply Arrangements.

Nov 28, 2023 (completed)
PSPC communicated with our client departments outlining the changes required to maintain Task Authorization authority. CBSA and other client departments will be required to agree to these changes, as a condition of regaining delegations to use PSPC procurement tools, by signing new Master Level User Agreements with PSPC. Nov 28, 2023 (completed)
13. CBSA should ensure the completeness and accuracy of proactively published contract information as required under the Directive for the Management of Procurement.

Agreed. The CBSA’s new Procurement Directorate has performed a review of proactive disclosure to ensure the transparency over external reporting and ensure full compliance with the proactive disclosure requirements. Since mid-2023, monthly data validation takes place to support the completeness and accuracy of proactively published contract information.

Completed

To provide further assurance that the CBSA meets its legislative requirements, regarding proactive disclosure, the CBSA will develop new reporting capabilities in the Agency’s Financial System to ensure the completeness and accuracy of proactively published contract information.

OPI: Vice-President, Finance and Corporate Management Branch (FCMB)

April 1, 2025

Appendix A

Canada Border Services Agency Management Improvement Plan

The CBSA recognizes that it must address areas of weakness associated with its overall business management practices. That is why every executive within the CBSA had in their 2023-24 performance management agreements a commitment to “Effective management of the Agency: by improving internal systems, controls and processes to ensure more effective management of the Agency’s resources and people, including budgets and human resources, with a particular focus on procurement.”

The CBSA’s Management Improvement Plan includes five areas of focus:

  1. Improve business planning, to more effectively prioritize activities, align them to the available resources, and execute effective oversight and accountability.
  2. Improve project and program management, to help deliver the digital services required by travellers and businesses, on a timely and value-for-money basis.
  3. Improve human resource management, by delivering the People Management and Wellness Strategies.
  4. Improve financial management competencies, internal controls and provide greater assurance on compliance.
  5. Improve procurement management, by delivering the Procurement Improvement Plan, in particular greater oversight and control over all aspects of contracting.

The Procurement Improvement Plan includes eight elements:

  1. Ensure full alignment with the Government of Canada’s procurement policies.
  2. Develop national standard operating procedures, which are consistently applied across the CBSA through the creation of a new Procurement Directorate, including a new Centre of Expertise and Assurance, and ensure that all contracts are managed through the Procurement Directorate.
  3. Develop standardized procurement tools and guidance to ensure that all the required steps are undertaken, and the retention of all relevant documentation in the procurement file.
  4. Develop three-year procurement plans for all branches and regions, as part of the annual integrated business planning process, and ensure alignment of the consolidated plans with the available resources.
  5. Improve procurement management competencies, including the retraining of headquarters managers, and the roll-out of regional best practice workshops.
  6. Improve executive governance, through the creation of the Executive Contract Review Board to review all contracts and Task Authorizations above $40K, with further escalation above $1M to the Executive Committee, for approval.
  7. Develop regular Assurance Reviews to check compliance with the standard operating procedures and provide quarterly reporting to the Executive Committee.
  8. Improve transparency over external reporting and ensure full compliance with proactive disclosure requirements.

Work began on this plan in 2023, as part of the broader Management Improvement Plan. This work will continue throughout the 2024-25 financial year, with the aim of implementing all of the required improvements. The recommendations from the Procurement Ombudsman are incorporated into this plan.

Date modified: