Internal Audit of Procurement
Audit Report, December 2024

1. Executive Summary
2. Detailed report
Appendix A – Comparative view of procurement volumes
Appendix B – Types of services most frequently procured by CIHR
Appendix C – Top vendors for services
Appendix D – Relevant audit criteria

1. Executive Summary

1.1 Background

Procurement is a key corporate function that supports the achievement of strategic and operational objectives through the acquisition of required goods and services. Government of Canada (GoC) procurement is worth billions of dollars annually; for the calendar year 2023, GoC organizations issued over 374K contracts for goods and services totaling $34.5bn^{Footnote 1}. During the same period, CIHR's Procurement Unit issued 293 contracts representing a total value of $8.5M. This means that CIHR's contracts are 0.02% of the total value of contracts for goods and services issued by the GoC. Unlike many other departments and agencies, CIHR only purchases goods and services for its own use, and not on behalf of Canadians. Overall, procurement at CIHR remains low relative to its operating budget and in comparison to other government entities. As a federal agency, procurement activities must be carried out in accordance with relevant legislation and policy requirements, including the Treasury Board Secretariat (TBS) Directive on the Management of Procurement, issued in May 2021.

In early 2022, the CIHR Procurement Unit was expanded and restructured under a newly created and staffed Deputy Director position. Following this, there was a period of transition as new staff were recruited, hired and onboarded, during which the focus of the Unit was primarily on improving daily operations and meeting client requirements.

1.2 Why this is important

An audit of procurement was identified as a priority in CIHR's 2022-24 Risk-based Audit Plan (RBAP) for three key reasons:

The objectives and strategies in CIHR's Strategic Plan 2021-2031 have increased the need for procurement of services and specialized expertise.
Procurement in the GoC is governed by a complex set of legislative, regulatory and policy requirements that must be navigated efficiently and effectively to meet business needs.
Sound financial stewardship and transparency in procurement activities is necessary so that government funds are managed prudently, and contracting activities can withstand public scrutiny.

Procurement within the Government of Canada has been under significant scrutiny in recent years. This internal audit provides assurance to management regarding CIHR's procurement activities at a time when this function within the government is the focus of considerable attention from the public, media, and central agencies.

1.3 Objective and Scope

The objective of this audit is to provide independent assurance that CIHR's procurement activities are managed in an efficient and compliant manner to support the achievement of corporate objectives.

The scope of this audit includes,

Governance;
Training, roles and responsibilities;
Compliance with Treasury Board Policy; and
Continuous improvement.

The audit covered procurement activities between May 13, 2021, and February 1, 2024.

1.4 Overall Audit Opinion

CIHR's Finance and Administration Branch has undertaken efforts to improve the procurement function over the past several years. These efforts have focused on enhancing the structure and staff complement. As the Agency has grown significantly in the past several years, so too has the need for procurement of goods and services to support operations. Since 2021, there have been several changes to the leadership of the procurement function as well as to the Finance and Administration Branch. During this period, the Procurement Unit has focused on ensuring that goods and services are procured on time.

To strengthen the function, management is advised to focus on enhancing governance, clarifying and communicating roles and responsibilities, providing necessary training, and ensuring compliance with evolving government policies. These actions are expected to help maintain consistent performance despite potential changes in personnel, organizational scale, and other variables.

1.5 Key Audit Findings

This audit intends to provide senior management with an assessment of CIHR's procurement processes. Procurement within the GoC has undergone significant change and will continue to experience such changes into the future. The findings and recommendations from this audit, offer senior management an opportunity to continue to refine and improve the agency's processes.

Finding 1) CIHR does not have adequate governance in place to ensure that procurement operates in a manner that is compliant, efficient, and supports business objectives.

CIHR has not identified an oversight mechanism for the function to help ensure procurement strategies are aligned with business objectives. Furthermore, procurement policies, procedures, and supporting materials available to staff on the Intranet are outdated and do not reflect the most recent TBS requirements. Lastly, the Procurement Unit does not have a formal approach to set objectives, establish key performance indicators (KPIs) and regularly report on performance results.

Finding 2) Business owners do not receive sufficient communication and training on their roles and responsibilities.

The audit found that while authorities, roles, and responsibilities for business owners are defined, they are not well communicated through available documentation. Furthermore, business owners receive minimal procurement-related training, and the ad hoc nature of communication creates challenges in clearly understanding their responsibilities.

Finding 3) Non-competitive procurement processes are not always conducted in compliance with requirements.

The audit identified instances where the agency used the <$40K exception to contract directly with a vendor for services (without soliciting multiple bids). However, the contract values exceeded the $40K limit allowed under this exception. The rationale for these exceptions was either missing from the files or deemed inadequate.

Finding 4) Compensation payment practices frequently and regularly diverge from policy and are not designed to obtain best value.

The audit identified 50 compensation payment contracts or amendments through judgemental sampling that diverged from either the CIHR Directive on Retroactive Contracting, the TBS Contracting Policy, or the TBS Directive on the Management of Procurement. Many of the instances of non-compliant compensation contracts were due to the occurrence of retroactive contracting or "after the fact" contracting. Additionally, since the amount that CIHR pays for these services is not based on a quote from the suppliers or information on market rates, the Agency does not have assurance it is obtaining best-value for these services.

Finding 5) The Procurement Unit does not monitor and report against service standards to continuously improve the function.

Service standards for procurement exist; however, they were last updated in 2008. The audit noted that performance data are not being collected, analysed and reported against service standards to continuously improve processes.

Management's response to the audit findings and recommendations can be found following the Conclusion section at the end of this report.

1.6 Statement of Conformance

The Audit of Procurement conforms with the Policy on Internal Audit as supported by the results of the quality assurance and improvement program.

The Office of Internal Audit (OIA) thanks management and staff for their assistance and cooperation throughout the audit.

John-Patrick Moore
Chief Audit Executive, Office of Internal Audit
Canadian Institutes of Health Research

Tammy Clifford
Acting President
Canadian Institutes of Health Research

2. Detailed Report

2.1 Background

Long description

**Chart 1 - Goods versus Services (Calendar Year 2023)**

Goods $3.1M (36%)

Services $5.4M (64%)

Procurement is a key corporate function that supports the achievement of strategic and operational objectives through the acquisition of required goods and services. Government of Canada (GoC) procurement is worth billions of dollars annually; for the calendar year 2023, GoC organizations issued over 374K contracts for goods and services totaling $34.5bn^{Footnote 2}. During the same period, CIHR's Procurement Unit issued 293 contracts representing a total value of $8.5M. Approximately two-thirds of this value (64%) was for services, with the remainder for goods, as seen in Chart 1. CIHR's procurement has increased significantly in the past four years, both in volume and value. In 2020, the Agency issued 189 contracts representing a total value of $4.35M. This represents an increase of 55% in volume and 95% in value from 2020 to 2023. Increased procurement can be attributed to several factors, including the growth of the organization, meeting the requirements of CIHR's Strategic Plan, and the transition of IT services to the cloud. Despite this increase, procurement at CIHR remains low relative to its operating budget and in comparison to other government entities. See Appendix A for more details.

Unlike some other GoC departments and agencies, CIHR only purchases goods and services for its own use, and not on behalf of Canadians. The services most frequently acquired by CIHR are professional services that are needed to provide specific expertise or to augment existing capacity. The Agency also acquires other types of services to meet operational needs, such as employee training and security guard services. See Appendix B for the services most frequently acquired by CIHR and Appendix C for the top services vendors. Purchases of goods are considered lower risk because:

They are almost exclusively made to meet CIHR's Information Technology (IT) needs; and many IT goods are acquired through Shared Services Canada (SSC).
CIHR's authority for goods purchases is limited to $25K, beyond this limit, goods of all types are purchased on the Agency's behalf by either Public Services and Procurement Canada (PSPC)^{Footnote 3} or SSC.

Within the Government of Canada (GoC), procurement activities must be carried out in accordance with relevant legislative and policy requirements. A key policy document is the Directive on the Management of Procurement ("the Directive"). It was issued in May 2021 by Treasury Board Secretariat (TBS) and government organizations had one year to fully comply with the Directive. Adherence to the requirements set out in the Directive and other instruments helps organizations meet the goal of sound financial stewardship while carrying out procurement activities in a fair and transparent manner.

At the time the new Directive was issued, and organizations were expected to begin the transition, CIHR was still operating under its Business Continuity Plan (BCP) due to the then ongoing COVID-19 pandemic. Throughout the rest of the year, like many other government entities, the Agency focused on continuing to support the government-wide pandemic response while gradually resuming activities that had been paused under the BCP. Senior management within the Finance and Administration Branch assessed the procurement function in late 2021 to determine if it was meeting client's needs. The Unit was subsequently expanded and restructured under a newly created and staffed Deputy Director position. Following this was a period of transition as new staff were recruited, hired and onboarded, during which the focus of the Unit was primarily on improving daily operations and meeting client requirements.

2.2 Significance of the audit

An audit of procurement was identified as a priority in CIHR's 2022-24 Risk-based Audit Plan (RBAP) for three key reasons:

The objectives and strategies in CIHR's Strategic Plan 2021-2031 have increased the need for procurement of services and specialized expertise;
Procurement in the GoC is governed by a complex set of legislative, regulatory and policy requirements that must be navigated efficiently and effectively to meet business needs; and,
Sound financial stewardship and transparency in procurement activities is necessary so that government funds are managed prudently and contracting can withstand public scrutiny.

Beginning in 2022, public scrutiny of procurement activities across the GoC increased, which led the Office of the Auditor General (OAG) to carry out two audits, both of which addressed issues around the acquisition and management of professional and consulting services^{Footnote 4}. Subsequently, the Office of the Comptroller General (OCG) launched a risk-based horizontal audit of procurement, which is currently underway. While CIHR is not included in the OCG horizontal audit, this internal audit provides management assurance regarding CIHR's procurement activities at a time when procurement is the focus of considerable attention from the public, media, and central agencies. Furthermore, there have been updates to TBS policy, making the audit's recommendations particularly relevant as the complexity of procurement increases due to these changes.

2.3 Audit Objective and Scope

The objective of this audit is to provide independent assurance that CIHR's procurement activities are managed in an efficient and compliant manner to support the achievement of corporate objectives.

The scope of this audit includes:

Governance;
Training, roles and responsibilities;
Compliance with Treasury Board Policy; and,
Continuous improvement.

The audit covers procurement activities between May 13, 2021, and February 1, 2024, in order to include procurement activities that occurred after the Treasury Board update of relevant policies.

The following is out of scope:

Procurement of goods and services using acquisition cards. These purchases are limited to $5000 and are regularly reviewed and controlled by Finance.
Targeted review of Indigenous procurement initiatives. CIHR is required to meet the GoC target of 5% of the total value of contracts to be held by Indigenous businesses; however, the Set-Aside Program for Indigenous Business is voluntary and not mandatory^{Footnote 5} given that the agency does not procure goods or services destined for areas, communities, or groups where Indigenous people make up at least 51% of the population and will be the recipient of the good or service^{Footnote 6}. As such, CIHR's Procurement Unit's obligations are limited to verifying that Indigenous suppliers are registered in the Indigenous Business Directory. Indigenous Services Canada is responsible for audits of processes in this area.

2.4 Audit Criteria and Methodology

Audit criteria are based on a risk assessment. The sources of criteria include:

Treasury Board Secretariat (TBS)'s Management Accountability Framework – A Tool for Internal Auditors;
TBS Policy on the Planning and Management of Investments; and,
TBS Directive on the Management of Procurement as well as related guidance.

The development of the criteria was informed by the results of recent audits related to procurement undertaken by the OAG and the OCG's audit program for its horizontal audit of procurement. Please refer to Appendix D for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusions.

Four methods were used to collect and assess the evidence against the audit criteria:

Review of documentation (i.e., policies, guidelines, frameworks, reports);
Process walkthroughs;
Consultation with 25 key stakeholders involved in the process: Associate Vice-Presidents (AVPs), Directors General (DGs), Deputy Directors (DDs), Other Government Departments (OGDs) and members of the Procurement Unit; and
File testing through review and testing of a sample of procurement files.

Sampling methodology

A population of contracts and amendments for both goods and services was identified for the period in scope (May 2021 to February 2024) – Refer to Chart 2.

Random and judgemental sampling techniques were used to select files for review. For the judgemental sampling, analysis of the population based on selected criteria (e.g., multiple contracts to the same vendor, use of exceptions) was used to identify and select files for review.

Chart 2 – Number of Contracts and Amendments for goods and services procured during the in-scope period

	Services	Goods	Totals
Number of Contracts	348	197	545
Number of Amendments	102	18	120
Totals	450	215	665

2.5 Findings and Recommendations

The findings and recommendations in the following section are intended to:

build upon the good work of the staff supporting the procurement function and activities and to facilitate continuous improvement; and
assist senior management in modernizing internal operations, a key commitment under the Organizational Excellence commitment in the CIHR Strategic Plan 2021-2031.

Governance

Expectations:

Governance is established, and oversight of departmental procurement plans/activities is informed by sufficient information to measure performance against objectives; and,
A policy suite for procurement (e.g., policies, directives, guidelines, service standards) is established in alignment with the GoC policy suite.

Finding 1) CIHR does not have adequate governance in place to ensure that procurement operates in a manner that is compliant, efficient, and supports business objectives. Urgency: Urgent

The TBS Directive on the Management of Procurement ("the Directive") took effect May 13, 2021, replacing the Contracting Policy and the Policy on Decision Making in Limiting Contractor Liability in Crown Contracts. The Directive sets out the responsibilities of the senior designated official^{Footnote 7} (SDO), contracting authorities, and business owners, aiming to ensure that procurement activities are fair and transparent; business objectives are supported; best value is obtained; and good stewardship of public funds is achieved. CIHR was given one year to transition to the new directive by aligning its internal policies and practices with the new requirements.

Governance

A key requirement of the Directive is the establishment of a Procurement Management Framework (PMF) which is used to define the governance and administration of procurement within the Agency. It sets out the requirements for the oversight, planning, reporting, and management of procurement activities. The audit found that CIHR has not finalized a PMF to support the application of the Directive to procurement activities, nor has it identified an oversight mechanism or body for the function to help ensure procurement strategies are aligned with business objectives. Furthermore, roles and responsibilities of the SDO role, which is currently fulfilled by the Chief Financial Officer (CFO), are not adequately defined and communicated within the organization. A key role of the SDO is to facilitate collaboration between contracting authorities and business owners.

CIHR's Policy Suite

The audit found that the procurement policies, procedures, and supporting materials available to staff on the Intranet are outdated and do not reflect the most recent TBS requirements. As of spring 2024, the procurement team had begun revising policies and related documentation to align with the Directive. However, out-of-date documentation persists. For example, the CIHR Procurement Policy as well as the procurement procedures on the Agency's intranet have the incorrect dollar threshold listed for when a service contract must go through a competition ($25K) and do not reflect that this amount was increased to $40K in December 2022. Outdated information such as this can lead to inefficiencies. Some business owners report having to redo work after referencing procurement documentation that did not contain current information.

Performance Measurement

The Directive requires that organizations incorporate performance results into their PMF to inform procurement decision-making. The audit found that in the absence of a PMF, the Procurement Unit does not have a formal approach to set objectives, establish key performance indicators (KPIs) and regularly report on performance results. Establishing clear objectives for procurement that align with business priorities and tracking progress against key indicators is intended to enable the function to identify gaps and adjust its approach to better meet organizational needs.

Impact

In the absence of clearly defined governance and up-to-date policies and procedures, procurement activities may not be aligned with the Agency's objectives or government requirements. Furthermore, without a defined performance measurement approach, management may not have the information needed to improve the function, and actively identify and remediate instances of non-compliance.

Recommendation

The CFO should establish a procurement management framework that includes the required elements as defined in the Directive (e.g., oversight, planning, and reporting mechanisms) and is commensurate with the value, risk and complexity of the procurement activities undertaken by CIHR.

Training and Roles and Responsibilities

Expectation:

Procurement related authorities, responsibilities, and accountabilities, including those related to decision-making and oversight, are clearly defined, communicated, and understood by all stakeholders.
The Agency's procurement function periodically assesses its capacity and provides the necessary training, tools, resources, and information to support the discharge of CIHR employees' responsibilities.

Finding 2) Business owners do not receive sufficient communication and training on their roles and responsibilities. Urgency: Fairly Urgent

Procurement is a shared responsibility between the contracting authorities (the Procurement Unit) and business owners, whose respective responsibilities are defined in the Directive. Business owners identify the need for procurement and are responsible for procurement deliverables and activities that require subject matter expertise, and for managing the contract to ensure value-for-money. Contracting authorities provide advice and recommend options to business owners based on risk and complexity to ensure contracts and contractual arrangements are established based on sound procurement principles including fairness, transparency, and best value.

Capacity of the Procurement Unit

In 2021, Finance and Administration Branch management undertook an ad hoc review of the procurement function, including its human resource capacity. To better address the Agency's needs, the function was reorganized as a separate unit within the branch with a dedicated Deputy Director and an expanded team. Key positions within the Unit were reclassified to better align with equivalent positions in the core public service, enhancing the Agency's ability to compete with other GoC organizations. The audit found that roles and responsibilities for procurement staff are defined, and that members of the team receive comprehensive training through completion of mandatory courses. Procurement staff also have access to resources and guidance through membership in an industry group for public sector procurement.

Roles and Responsibilities of Business Owners

The audit found that authorities, roles and responsibilities for business owners are defined but are not well communicated through available documentation. Rather, this information is provided on an ad hoc basis when business owners contact the Procurement Unit. Furthermore, business owners with delegated spending and financial authorities (DFSA) receive limited procurement-related training as part of the mandatory DFSA training; however, their responsibilities for procurement extend beyond financial obligations. The ad hoc approach to communication combined with limited training creates challenges for business owners in clearly understanding their responsibilities. For example, business owners are responsible for contract management and documentation which includes monitoring, documenting, and certifying the delivery of the goods and services procured to ensure they meet the criteria established in the contract. Testing was conducted over this responsibility and the audit found that in 4/12 (33%) of the files reviewed, the business owner^{Footnote 8} either did not retain sufficient evidence of the services received or received something different than what was specified in the contract. These findings suggest that business owners may not fully understand the full breadth of requirements for end-to-end contract management.

Impact

Lack of clear communication and training for business owners could result in procurement actions that are not compliant with mandatory requirements set out by TBS. Furthermore, TBS continues to add appendices to the Directive, increasing the risk of non-compliance if communications and training are not kept up to date.

Recommendation

The CFO should clearly articulate the roles and responsibilities of business owners through the appropriate communications channels and up-to-date training.

Compliance with Policy

Expectation: Contract files are complete, compliant, and contain sufficient and reliable information to demonstrate that:

Procurement activities comply with the Directive and other applicable requirements;
Exceptions comply with regulations and are adequately justified and documented; and,
Procurement activities adhere to the principles of best-value, fairness and transparency.

Finding 3) Non-competitive procurement processes are not always conducted in compliance with requirements. Urgency: Urgent

Government departments are required to solicit bids through a competitive process before entering a contract; however, there are a set of allowable exceptions^{Footnote 9} under which a contract may be established through a non-competitive process. As a result, CIHR's Procurement Unit uses a mix of competitive and non-competitive procurements to address business requirements. During the audit period (May 2021 to February 2024) CIHR issued 191 competitive contracts totalling $11.5M and 354 non-competitive contracts totalling $7.7M^{Footnote 10}. This means that non-competitive contracts represent 65% of the total number of contracts issued. The audit reviewed contract files for both types of procurements, using a combination of random and judgemental sampling to select files for review.

Competitive contracts

The audit examined a random sample of 14 competitive procurement processes and found that all resulted in complete and compliant contract files. The procurement vehicles selected are appropriate, bids are solicited and evaluated in accordance with documented requirements, and contracts are awarded in a fair and transparent manner. The review of a sample of 13 amendments to competitive contracts found that amendments are established in accordance with the terms and the scope of the work identified in the original contract and are not used to avoid additional procurement actions.

Non-competitive contracts

Contract regulations allow organizations to contract directly with a vendor for services without soliciting multiple bids if the total value, including amendments, is expected to be under $40,000. Through a combination of random and judgemental sampling, the audit identified four cases where this exception (<$40k) was cited as the reason for using a directed, non-competitive contract, but the contract values exceeded the limit.

In two of these cases, the original contract amounts exceeded the threshold by $6K and $60K, respectively.
In the other two cases, the contracts were amended above the threshold by $40K and $58K respectively.

The rationale for making these exceptions was either missing from the files or assessed as inadequate by the audit team. For example, in one case where a non-competitive contract was amended above the threshold, a brief rationale was provided that only reiterated the original reason for the contract, rather than why it was necessary to be extended without competing the requirement.

Proactive disclosure

As per the Access to Information Act, departments and agencies of the federal government must, on a quarterly basis, publish specific information related to contracts over $10,000. The audit identified some discrepancies in how non-competitive contracts were categorized for public disclosure^{Footnote 11}. As per guidance from TBS, directed contracts under ProServices^{Footnote 12} are to be categorized as having used a 'competitive' solicitation procedure. However, during file testing, it was noted that some contracts of this type were incorrectly disclosed as 'non-competitive'. In another case, a contract's published information indicated that the reason it used a non-competitive process was that it did not exceed the prescribed dollar limits when in fact, the contract value exceeded the limit of $40,000. The TBS Guide to the Proactive Publication of Contracts defines valid values for each field to be disclosed. However, guidance on choosing the appropriate values is limited, which could lead to these types of discrepancies.

Impact

Exceptions- Inappropriate use of exceptions in contracting can lead to non-compliance with policies that exist to ensure procurement is conducted in a manner that is fair and uses government resources in a prudent manner.

Disclosure- Disclosure data is publicly available and provides transparency into government contracting. Inaccuracies in the data not only misrepresent what has occurred, but if identified, could reduce public trust in the information and process.

Recommendations

The CFO should,
1. Prevent misuse of exceptions used to justify non-competitive procurement. However, when exceptions are warranted, ensure the justification is adequately documented; and,
2. enhance internal guidance on mandatory disclosure requirements to support accurate reporting.

Special Examination of Compensation Payments

Context: During the conduct phase of the audit, the audit team identified a class of procurement transactions for which a separate procurement process had been created. The class of procurement contracts identified are payments used to compensate members of External Advisory Committees (EAC)^{Footnote 13} and Virtual Engagement Sessions (VES)^{Footnote 14}.

Expectation: Contract files are complete, compliant, and contain sufficient and reliable information to demonstrate that:

Procurement activities comply with the Directive and other applicable requirements;
Exceptions comply with regulations and are adequately justified; and,
Procurements activities achieve best-value and are fair and transparent.

Finding 4) Compensation payment practices frequently and regularly diverge from policy and are not designed to obtain best value. Urgency: Very Urgent

To support activities related to the pursuit of health equity through research (Priority D of the Agency's Strategic Plan 2021-2031), business owners engage people with lived experience in the design and implementation of various initiatives. For instance, in 2021 CIHR established an External Advisory Committee on Accessibility and Systemic Ableism, consisting of researchers with disabilities, disability community leaders, and accessibility advocates, to advise on CIHR's Accessibility Plan. Recognizing the need to compensate these external participants for their expertise, time and lost wages—and to reduce systemic barriers—the Agency provides compensation. Across the federal government, honoraria are commonly used as benevolent payments for these types of voluntary services where no legal payment obligation exists. CIHR currently lacks the authority from Treasury Board to issue honoraria. Given this limitation, CIHR compensates participants for their "time or lost wages" through service contracts, a procurement mechanism intended for consulting services, which requires compliance with the Procurement Unit's regulations and policies. According to the Finance Branch, the Agency incurred $193,157 in related compensation contract expenses between FY 21-22 and 23-24.^{Footnote 15} The expenditures related to these contracts have increased by 247% between FY 2021-2022 to FY 2023-2024. Compensation contract payments received by members vary greatly depending on their level of involvement. For instance, some members may participate in a single meeting and earn $350, while others who serve on multiple committees and attend several meetings can earn over $5,000 annually.

During the in-scope period from May 13, 2021, to February 1, 2024, the audit identified 50 compensation payment contracts or amendments through judgemental sampling that diverged from either the CIHR Directive on Retroactive Contracting, the TBS Contracting Policy, or the TBS Directive on the Management of Procurement.

Retroactive contracting

Many of the instances of non-compliant compensation contracts were due to the occurrence of retroactive contracting or "after the fact" contracting. This involved business owners entering arrangements with vendors, agreeing to terms, and receiving services without the completion of a contract. Then, after services were received, retroactive contracts were established with inadequate information or an inadequate justification and, in some cases, these contracts were backdated.

In one instance, members of a committee had been meeting voluntarily for nearly a full year, when CIHR offered compensation, but only to the members of the group who did not already have "paid employment". The compensation was not only offered going forward from the date the contracts were established, but was also offered for meetings that had already occurred in the past year for which no contract had been established and for which the members had already agreed to participate as volunteers. The audit found that management approved many of these retroactive payments without following established procedures to document the justification and establish why a retroactive payment was necessary (e.g. due to error, emergency, safety of human life, etc.)

The audit found that the contracts related to compensation payments were also regularly amended to retroactively increase the payment terms after terms and conditions had been agreed upon. This included instances in which increased per diem rates were offered to vendors, vendors accepted the increased rates, then approval for the increased rates was sought and received from management. Contracts were also amended to add deliverables and extend the contract after it had expired which contravenes accepted GoC procurement practice.

Justification for compensation payments

The documented justifications for compensation payments are inconsistent across the files examined as part of this audit. In some instances, payments are described as remuneration for services rendered to the Agency, while in others, they are noted as a way to offset lost wages to promote barrier-free participation. In the case noted above, only unemployed committee members were offered compensation. These inconsistencies create challenges for the Agency in managing and justifying payment processes. For instance, compensating only unemployed members for lost wages, which in their case would be nil, undermines the rationale for payment. Furthermore, this inconsistency raises equity concerns, as other committee members performing the same services without compensation may expect equal remuneration.

Incorrect use of the Joint Tri-Agency Policy to justify payments- In 2016 the Privy Council approved the Joint Policy on Peer/Merit Review Financial Recompense for remuneration of committee members through honoraria for non-public sector individuals who suffered loss due to participation on a committee. However, CIHR has not been provided the authority by Treasury Board to issue honoraria. Despite this, the audit found that this policy is frequently and incorrectly used to justify payments to members of EACs and VESs.

Value for money

A review of documentation and contract files found that the amount paid for compensation payments is based on the amount offered in the past by CIHR for honoraria and as noted above, CIHR does not have the authority to issue honoraria. Given that the amount that the Agency has decided to pay for these services is not based on a quote from the suppliers or information on market rates, the Agency may not be obtaining best-value when compensating stakeholders for their participation in CIHR-led initiatives. Furthermore, the audit did not find evidence that the Agency considered the organizational cost to create and administer these contracts when deciding to compensate members using this mechanism.

Impact

Retroactive contracting- Retroactive contracting for compensation payments (without adequate justification) is non-compliant with Treasury Board policy and CIHR directives. Potential consequences of non-compliance include funding restrictions, loss of procurement authority, changes to delegated powers, or even termination of individuals within the Agency.

Value for Money- CIHR risks overspending to obtain services from individuals participating in CIHR-led initiatives and committees. The Agency may also be inefficiently using its resources by placing a high level of organizational effort on administering low-dollar value contracts. This could lead to less capacity for higher-impact activities within the Agency.

Recommendations

The CFO, in collaboration with business owners, should develop a policy to ensure that compensation payments and the associated justifications are compliant with TB Policy, best value is obtained, and retroactive contracting is prevented.

Continuous Improvement of the Procurement Function

Expectation:

Planning and prioritization of procurement files are aligned with the needs of the organization and the Agency's procurement strategy.
Procurement processes are implemented in a timely manner to enable clients to deliver on their objectives.
A process has been implemented to drive continuous improvement (i.e., identification, root cause analysis, prioritization, implementation).

Finding 5) The Procurement Unit does not monitor and report against service standards to continuously improve the function. Urgency: Fairly Urgent

Business owners generally find that the procurement process is effective and that they have been able to procure what they need on time. However, many report that the process could be more efficient and transparent. One mechanism that can support this is service standards, which are used to establish expectations for the duration of key steps in the procurement process undertaken by both procurement staff and business owners. To be effective, service standards should be communicated to stakeholders, and performance against these standards should be tracked and reported. Data tracked for service standards can be used along with other data and information (such as that from business planning, historical trends, and other performance measures) to support continuous improvement.

Service standards and performance monitoring

Service standards for procurement exist; however, they were last updated in 2008. The audit noted that performance data are not being collected, analysed and reported against service standards. Consultation with business owners indicated that defining procurement service standards (aligned with improved process documentation) would enhance the efficiency of procurement.

Data quality

Procurement team members enter data manually into a log to track the status of new and ongoing procurement requests. While the purpose of this is to assist the team with day-to-day workload management, stakeholders reported having little confidence in the integrity of the data for longer-term planning and prioritization of work and reporting purposes (e.g., too much information, data entry inconsistencies, and missing data). As noted in Finding 3, errors also exist in contract disclosure data, which is based on reports from the financial system, indicating there may be broader issues with data inaccuracy within the Procurement Unit which warrants further attention.

Impact

Without well-communicated service standards and reliable data, management may lack the insights needed for effective planning and decision-making, limiting opportunities to enhance efficiency and timeliness in processes.

Recommendation

The CFO should,
1. establish and communicate updated service standards to all relevant stakeholders,
2. ensure accurate and reliable performance data are tracked and reported to management to support performance monitoring and continuous improvement.

2.6 Conclusion

In recent years, CIHR has made significant progress in enhancing its procurement practices; however, opportunities for further improvement remain. This audit identifies key recommendations to bolster governance, clarify business owners' roles and responsibilities, ensure compliance with non-competitive contracting guidelines, and establish service standards to support continuous improvement. Implementing these actions will position CIHR to strengthen the efficiency and compliance of its procurement processes, which is particularly vital as public scrutiny and policy complexity surrounding government procurement intensify. Although CIHR is not included in the current Office of the Comptroller General's horizontal audit, this internal audit provides management with valuable assurance at a time when government procurement practices are under significant external review.

2.7 Management Response to Recommendations

Finding	Recommendation	Management Response	Completion date
1	The CFO should establish a procurement management framework that includes the required elements as defined in the Directive (e.g., oversight, planning, and reporting mechanisms) and is commensurate with the value, risk and complexity of the procurement activities undertaken by CIHR.	Agrees/Disagrees: Agrees Responsibility: Contracting and Procurement Unit Management Response: The CFO agrees with the recommendation and will establish a comprehensive procurement management framework. This framework will align with the requirements outlined in the TBS Directive on the Management of Procurement and be approved by the CFO and presented to the Senior Leadership Committee (SLC). Anticipated completion: December 2025	7– 12 months Urgency: Urgent
2	The CFO should clearly articulate the roles and responsibilities of business owners through the appropriate communications channels and up-to-date training.	Agrees/Disagrees: Agrees Responsibility: Contracting and Procurement Unit Management Response: The CFO agrees with the recommendation. A mandatory Canada School of Public Service Training for Business Owners on procurement (Overview of Procurement COR 403) will be recommended to SLC to maintain their financial delegation. This training will ensure managers are equipped with the necessary knowledge to effectively engage in the procurement process and adhere to established policies. Additionally, a strategy that includes communications to inform business owners of any updates or changes to procurement policies and procedures will be established. Anticipated completion: December 2025	13-18 months Urgency: Fairly Urgent
3	The CFO should, Prevent misuse of exceptions used to justify non-competitive procurement. However, when exceptions are warranted, ensure the justification is adequately documented; and, enhance internal guidance on mandatory disclosure requirements to support accurate reporting.	Agrees/Disagrees: Agrees Responsibility: Contracting and Procurement Unit Management Response: The CFO agrees with the recommendation. To prevent misuse of exceptions, we would like to refer to our management responses to recommendations 1 and 2. In addition, it will update the internal procurement checklist to include a step for documenting justifications for all non-competitive procurements. This will ensure that any exceptions are clearly explained, and the justification is thoroughly documented. The CFO agrees with the recommendation. It will include a component in the Procurement Management Framework on reporting that will establish controls to ensure the accuracy, completeness, and timely publishing of information on contracts. This component of the framework will articulate roles and responsibilities, review frequency, and procedures for validating SAP data. Anticipated completion: December 2025	13-18 months Urgency: Fairly Urgent
4	The CFO, in collaboration with business owners, should develop a policy to ensure that compensation payments and the associated justifications are compliant with TB Policy, best value is obtained, and retroactive contracting is prevented.	Agrees/Disagrees: Agrees Responsibility: Finance and Administration Branch Management Response: The CFO agrees with the recommendation and, working with the current Compensation Framework group, business owners, and relevant branches, will issue a comprehensive compensation policy framework. This will ensure compliance, maximize value, and monitor retroactive contracting or payments. The CFO will provide quarterly updates to the SLC on the monitoring of any retroactive (after the fact) transactions to ensure transparency and accountability. In the interim of finalising the compensation policy framework, the contracting and procurement unit will ensure that any compensation to individuals is managed through service contracts to prevent retroactive contracting or payments. Additionally, the existing retroactive contracting and confirming orders directive that stipulates consequences for business owners who do not follow the procurement procedures will be enforced. These consequences may include requirements for retraining, suspension of delegation of authority, or other appropriate actions deemed necessary by the CFO. Anticipated completion: May 2025	<= 6 months Urgency: Very Urgent
5	The CFO should, establish and communicate updated service standards to all relevant stakeholders, ensure accurate and reliable performance data are tracked and reported to management to support performance monitoring and continuous improvement.	Agrees/Disagrees: Agrees Responsibility: Contracting and Procurement Unit Management Response: The CFO agrees with the recommendation. Contracting and Procurement Unit is currently in the process of establishing updated service standards for procurement. These standards will be communicated to all stakeholders (through CIHR .COMM Bulletins) and posted on the intranet site. The CFO agrees with the recommendation. To support performance monitoring and continuous improvement, it will track and report on service standards and include metrics into the quarterly FSR report presented to SLC. Anticipated completion: December 2025	13-18 months Urgency: Fairly Urgent

It is good practice that all recommendations be actioned within an 18-month window of the approval of an audit report. To that end, the OIA risk rates the recommendations to assist management with the prioritization of remedial actions.

The urgency rating chart outlined below, takes into consideration the complexity of the recommendation and/or the underlying issues or causes for concern, and the level of risk to which the Agency is exposed as a result of the issue identified.

Urgency	Suggested timeline for completion
Very Urgent	<= 6 months
Urgent	7 – 12 months
Fairly Urgent	13 – 18 months

Appendix A – Comparative view of procurement volumes

Procurement volumes vary across GoC organizations as they are influenced by both the nature of the programs at each department or agency, government priorities, and other factors (e.g., external events, business transformations, etc.). The following table demonstrates this variation comparing CIHR with its two sister agencies, key members of the health portfolio and other key departments or agencies. For example, in the table below, the large variations in procurement between 2022 and 2023 for Health Canada and the Public Health Agency of Canada likely can be attributed to the pandemic response. In interpreting these numbers, it is also important to note:

Amounts reflect the contracted value and not expenditures.
Amounts for a particular year include the total value of multi-year contracts that were awarded in that year.

Organization	2022 Total Goods and Services Contracted^{Footnote 16}	2023 Total Goods and Services Contracted^{Footnote 16}	Operating Budget FY 2022-23^{Footnote 17} (Vote 1)
CIHR	$6.51M	$8.5M	$74.44M
Health Canada	$376.19M	$1,043.15M	$1,602.4M
Public Health Agency of Canada	$748.74M	$136.69M	$10,989.36M
Canada Food Inspection Agency	$98.45M	$80.48M	$719.6M
Natural Sciences and Engineering Research Council	$19.05M	$16.86M	$62.06M
Social Sciences and Humanities Research Council	$6.03M	$6.98M	$45.10M
Canada Border Services Agency	$549.84M	$586.59M	$2,350.99M
Innovation, Science and Economic Development Canada	$238.01M	$216.82M	$659.72M

Appendix B – Types of Services Most Frequently Procured by CIHR

This table displays the six largest categories of contracted services (non-competitive and competitive contracts) during the audit period (May 13, 2021, to February 1, 2024), which together account for $11.2 million, or 93%, of the total $12 million in contracted services for that period. Dollar amounts reflect total contract values including amendments.

Services Category	Amount	Examples
Professional Services	$3.56M	Change Management, Executive Search, Compensation Payments, Other Consulting
Information Processing and Related Telecommunication Services	$3.35M	IT Consulting
Administrative and Management Support Services	$1.58M	Translation
Educational and Training Services	$1.57M	Language Training, Course Fees
Custodial Services	$0.58M	Commissionaire services
Communication, Photographic, Mapping, Printing and Publication Services	$0.56M	Audio Visual, Website & Media

Appendix C – Top Vendors for Services

This table displays the top vendors for contracted services during the audit period (May 13, 2021, to February 1, 2024), which together account for $6 million, or 50%, of the total $12 million in contracted services for that period. Dollar amounts reflect total contract values including amendments.

Vendor	Total Vendor Amount	% of Total Services Contracts	# of Contracts	Types of Services
MINDWIRE SYSTEMS LTD	$1,406,061	12%	2	Information Processing and Related Telecommunication Services
BDO CANADA LLP	$580,329	5%	4	Professional Services
Canadian Corps of Commissionaires	$565,235	5%	6	Custodial Services
SAMSON & ASSOCIÉS CPA/CONSULTATION INC.	$439,676	4%	5	Professional Services
MAPLESOFT CONSULTING INC.	$436,748	4%	2	Information Processing and Related Telecommunication Services
GARTNER CANADA CO.	$350,628	3%	4	Information Processing and Related Telecommunication Services
PUBLIVATE INC.	$339,106	3%	1	Professional Services
COOP EDGAR	$307,715	3%	4	Administrative and Management Support Services
BOYDEN ONTARIO INC.	$291,540	2%	2	Professional Services, Studies and Analysis – Admin Support
MDOS CONSULTING INC.	$274,148	2%	2	Information Processing and Related Telecommunication Services
LEARN2LANG	$273,964	2%	28	Educational and Training Services
ALTIS RECRUITMENT & TECHNOLOGY INC.	$214,866	2%	6	Professional Services, Information Processing and Related Telecommunication Services
DIGITAL SCIENCE & RESEARCH SOLUTIONS INC.	$180,802	2%	1	Educational and Training Services
RAYMOND CHABOT GRANT THORNTON	$176,889	1%	2	Professional Services
EXCEL HR	$170,824	1%	2	Information Processing and Related Telecommunication Services, Personnel Recruitment

Appendix D – Relevant Audit Criteria

The key risks identified in the risk assessment were used to develop the audit's four lines of inquiry, as seen in the table below. Each line of inquiry is associated with audit criteria. These criteria formed the basis by which CIHR's procurement activities were assessed. The criteria were developed based on Treasury Board guidance found in the "Management Accountability Framework – A Tool for Internal Auditors", in conjunction with the TBS Directive on Procurement, and relevant associated policies, procedures, and directives.

The following criteria were used to conduct the audit:

Lines of Inquiry	Reference to Findings
Line of Enquiry 1: CIHR's procurement activities are governed by a suite of management processes that provide guidance and oversight.
1.1 CIHR's procurement function has established a policy suite (e.g., Policies, Directives, guidelines, service standards) that aligns with the GoC Policy suite.	Finding 1
1.2 Governance is established, and oversight of departmental procurement plans/activities is informed by sufficient information to measure performance against objectives.	Finding 1
Line of Enquiry 2: Stakeholders' procurement related roles and responsibilities are understood and supported by adequate capacity and training.
2.1 The Agency's procurement function has assessed its capacity and provides the necessary training, tools, resources, and information to support the discharge of CIHR employees' responsibilities.	Finding 2
2.2 Procurement related authorities, responsibilities, and accountabilities, including those related to decision-making and oversight, are clearly defined, communicated, and understood by all stakeholders.	Finding 2
Line of Enquiry 3: CIHR's procurement process is compliant with Treasury Board Policy.
3.1 Contract files are complete, compliant, and contain sufficient and reliable information.	Finding 3 and 4
Line of Enquiry 4: Key procurement processes are in place and are continuously improved to best achieve the Agency's objectives.
4.1 Planning and prioritization of procurement files is aligned with the needs of the organization and the Agency's procurement strategy.	Finding 5
4.2 Processes are implemented in a timely manner to enable clients to deliver on their objectives.	Finding 5
4.3 A process has been implemented to drive continuous improvement (i.e., identification, root cause analysis, prioritization, implementation).	Finding 5

Footnotes

Footnote 1

Dollar amounts reflect total contract values including amendments, exclude construction contracts, and are based on data retrieved October 21, 2024. Source: Proactive Publication - Contracts - Data Visualization - Open Government Portal

Return to footnote 1 referrer

Footnote 2

Return to footnote 2 referrer

Footnote 3

Public Services and Procurement Canada (PSPC) supports federal departments and agencies, as a central purchasing agent, and by improving federal procurement processes and sharing best practices.

Return to footnote 3 referrer

Footnote 4

OAG Report 1 – ArriveCAN, OAG Report 5 – Professional Services Contracts

Return to footnote 4 referrer

Footnote 5

Refer to the Office of the Procurement Ombud for a complete description of when set-asides are Mandatory vs Voluntary.

Return to footnote 5 referrer

Footnote 6

See Indigenous business and federal procurement for more information.

Return to footnote 6 referrer

Footnote 7

As defined by the Policy on the Planning and Management of Investments, organizations are required to identify a senior designated official for procurement who is responsible for supporting the deputy head in fulfilling their policy requirements.

Return to footnote 7 referrer

Footnote 8

The Project or Technical Authority as specified in the contract.

Return to footnote 8 referrer

Footnote 9

See section 6 of the Government Contracts Regulations.

Return to footnote 9 referrer

Footnote 10

Dollar amounts reflect total contract values including amendments.

Return to footnote 10 referrer

Footnote 11

Proactive disclosure is the practice of releasing information before it is requested by the public. As such, departments are required to publicly disclose contracts over $10,000, standing offer agreements, and supply arrangements. Contracts under $10,000 are disclosed internally to Treasury Board on an annual basis. The goal of proactive disclosure is to improve transparency and accountability, and to promote more informed public debate.

Return to footnote 11 referrer

Footnote 12

ProServices is the mandatory procurement vehicle for acquiring professional services when the total contract value is less than $100K. ProServices requires a minimum of two suppliers to be invited to bid; however, it does allow a contract to be directed to one qualified supplier if the anticipated total contract value is below $40K.

Return to footnote 12 referrer

Footnote 13

Members of these EACs are not CIHR employees but are typically experts from a particular field or members from stakeholder organizations from whom CIHR would like to engage in order to develop guidance on various topics (e.g., the EAC on Accessibility and Systemic Ableism was used to engage health researchers living with disabilities, accessibility advocates, and experienced allies to advise on the formation of the accessibility and systemic ableism action plan).

Return to footnote 13 referrer

Footnote 14

Virtual Engagement Sessions are essentially focus groups created in order to bring experts from a particular field or members from stakeholder organizations from whom CIHR would like to consult on a particular topic. For example, the VES to Discuss the Approach for CIHR's Anti-Racism Action Plan brought together members of communities marginalized by racism, specifically visible minorities to provide feedback on the proposed approach for a CIHR anti-racism plan.

Return to footnote 14 referrer

Footnote 15

The totals provided were obtained from the Finance and Administration Branch and are the actual amounts spent by CIHR. The Audit Team was unable to obtain a complete list of contracts related to compensation payments from the Finance Branch as information was decentralized across the organization.

Return to footnote 15 referrer

Footnote 16

Dollar amounts reflect total contract values including amendments, exclude construction contracts, and are based on data retrieved October 23 & 24, 2024. Source: Proactive Publication - Contracts - Data Visualization - Open Government Portal

Return to first footnote 16 referrer

Footnote 17

Source: Volume II: Details of Expenses and Revenues—Public Accounts of Canada 2023—Receiver General for Canada—PSPC

Return to footnote 17 referrer

Date modified:: 2025-03-07

Internal Audit of Procurement Audit Report, December 2024

Contents

1. Executive Summary

1.1 Background

1.2 Why this is important

1.3 Objective and Scope

1.4 Overall Audit Opinion

1.5 Key Audit Findings

1.6 Statement of Conformance

2. Detailed Report

2.1 Background

2.2 Significance of the audit

2.3 Audit Objective and Scope

2.4 Audit Criteria and Methodology

Sampling methodology

Chart 2 – Number of Contracts and Amendments for goods and services procured during the in-scope period

2.5 Findings and Recommendations

Governance

Finding 1) CIHR does not have adequate governance in place to ensure that procurement operates in a manner that is compliant, efficient, and supports business objectives. Urgency: Urgent

Governance

CIHR's Policy Suite

Performance Measurement

Impact

Recommendation

Training and Roles and Responsibilities

Finding 2) Business owners do not receive sufficient communication and training on their roles and responsibilities. Urgency: Fairly Urgent

Capacity of the Procurement Unit

Roles and Responsibilities of Business Owners

Impact

Recommendation

Compliance with Policy

Finding 3) Non-competitive procurement processes are not always conducted in compliance with requirements. Urgency: Urgent

Competitive contracts

Non-competitive contracts

Proactive disclosure

Impact

Recommendations

Special Examination of Compensation Payments

Finding 4) Compensation payment practices frequently and regularly diverge from policy and are not designed to obtain best value. Urgency: Very Urgent

Retroactive contracting

Justification for compensation payments

Value for money

Impact

Recommendations

Continuous Improvement of the Procurement Function

Finding 5) The Procurement Unit does not monitor and report against service standards to continuously improve the function. Urgency: Fairly Urgent

Service standards and performance monitoring

Data quality

Impact

Recommendation

2.6 Conclusion

2.7 Management Response to Recommendations

Appendix A – Comparative view of procurement volumes

Appendix B – Types of Services Most Frequently Procured by CIHR

Appendix C – Top Vendors for Services

Appendix D – Relevant Audit Criteria

Internal Audit of Procurement
Audit Report, December 2024