INTRODUCTION

According to the Office of the Auditor General of Canada (OAG), the “mandate of Defence Construction (1951) Limited (the Corporation) is to provide procurement, construction, professional, operational, and maintenance services in support of the defence of Canada,” principally to National Defence, but also to the Canadian Forces Housing Agency, the Communications Security Establishment Canada, Shared Services Canada, and Public Services and Procurement Canada.[1]

The Corporation (also known as Defence Construction Canada or DCC) reports to Parliament through the Minister of Public Services and Procurement and “is a procurement and contract-management agency that serves as an intermediary between its government clients and the consultants and contractors hired to perform the actual project work. This arrangement allows the Corporation to work at arm’s length from the government while managing the procurement process, from awarding tenders to managing contracts at job sites.”[2] Since 2001, DCC “has drawn its revenues from fees it charges to its government clients” for services related to “project and contract management, life-cycle management of real property, and helping projects meet environmental targets.”[3]

In December 2016, the OAG presented a special examination report to DCC’s Board of Directors whose objective was to determine whether selected systems and practices were “providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively.”[4]

On 2 November 2017, the House of Commons Standing Committee on Public Accounts (the Committee) held a hearing on this report.[5] From the OAG were Michael Ferguson, Auditor General of Canada, and Marise Bédard, Principal. From DCC were Robert Presser, Chair, Board of Directors; James Paul, President and Chief Executive Officer; and, Mélinda Nycholat, Vice-president, Operations-Procurement.[6]

FINDINGS AND RECOMMENDATIONS

A. Corporate Management Practices

The OAG found that DCC had elements of good governance in place.[7] It also found evidence of “sound systems and practices in strategic planning, risk management, and performance measurement and reporting,” but noted that “the corporate risk register did not take into consideration all aspects of fraud risks, such as the risk that the systems and practices would not prevent or detect fraud.”[8] For example, the “register did not include a risk related to detecting or preventing fraud, collusion, or corruption. This in turn limited the information that senior management and the Board had about fraud, to inform their risk management and decision making.”[9]

With regard to procurement services, the OAG found that although DCC “had systems and practices for the management of contracts and services,” it had “rudimentary fraud-detection systems, which were manual and implemented regionally. Management was therefore unable to use the systems to detect and analyze broader trends that might reveal fraud (such as bid-rigging) that could be spread out over time, across regions, or among many suppliers. This kind of fraud, collusion, or corruption could take place even among contracts that, individually, appeared to have been awarded properly.”[10]

Lastly, although the Corporation provided fraud training to employees, it did not do so systematically; moreover, as DCC was not able to track the training that its employees received consistently, “it could not be sure whether that training had been delivered to the right employees.”[11]

Therefore, the OAG recommended that Defence Construction Canada “should better define fraud risks in its corporate risk register, ensuring that it covers all relevant aspects of these risks, and should put in place the systems and processes needed to assess, monitor, and address them.”[12]

The Corporation agreed with this recommendation and in its Detailed Action Plan stated that it had already “implemented its new fraud prevention and detection practices related to procurement,” and that it “will develop a data analysis process to better capture potential fraud trends.”[13] Moreover, the “Corporation plans to adopt the use of best practices in global fraud detection and prevention that can better detect patterns of suspicious procurement activity.”[14]

When questioned about this issue, Robert Presser, Chair of the Board of Directors, further stated that the Corporation was in the process of improving oversight mechanisms.[15] More specifically, Mélinda Nycholat, Vice-president, Operations-Procurement, explained in some detail the Corporation’s recently developed multi-step data analysis system, including the use of statistical methods such as co-efficient of variance analysis, in addition to other investigative techniques.[16]

Notwithstanding these new developments, the Committee recommends

RECOMMENDATION 1 – Regarding analysis of risk

That, by 31 May 2018, Defence Construction Canada provide the House of Commons Standing Committee on Public Accounts with a report detailing what progress has been made with regard to a) better defining fraud risks in its corporate risk register; b) ensuring that it covers all relevant aspects of these risks; and, c) implementing systems and processes needed to assess, monitor, and address them.

B. Management of Contracts and Services

The OAG found that despite having systems and practices in place for the sound management of contracts and services, DCC had weaknesses in its “contract and service management process, internal service-line verification, and tracking of employee training.”[17]

Additionally, the OAG observed that the Corporation did not store information consistently—“paper documents and scanned files were often kept within individual regions, making them difficult or slow to obtain elsewhere. Some electronic documents were not stored in Laserfiche, the enterprise content-management system used by the Corporation, but were stored on individual hard drives or email accounts.”[18]

Document formats were also not consistent—from the OAG’s sample, “some key documents had not been digitized; some individual documents had been scanned as several files, while several key paper documents had been scanned as a single file. In one case, the paper file was not found.”[19]

The OAG also reported that per government contracting policy, “documents for a given contract must be stored such that they hold all the information required for someone to understand the history of the contract, and must be accessible to more than one person.”[20]

Finally, the OAG noted that these deficiencies matter “because without consistent information management and readily accessible documentation, the Corporation could not know whether it had all the documentation it needed. Even if the Corporation had stored all the documentation it required, searching for it would still be inefficient. Furthermore, proper access to key contracting documents by more than one person can reduce fraud risks.”[21]

Hence, the OAG recommended that Defence Construction Canada should “ensure that the supporting documentation for each contract is classified efficiently and systematically in its filing software, to ensure that all required documents can be obtained, monitored, and verified as complete.”[22]

The Corporation agreed with this recommendation and stated in its Detailed Action Plan that “DCC is in the process of refining its file naming convention to reduce complexity and improve its ease of use. DCC will continue to monitor the naming convention usage by all personnel, and will take appropriate follow-up action, as required, including further training.”[23]

When questioned about this matter, Mélinda Nycholat spoke about the modernization of DCC’s document management practices:

The biggest challenge when it comes to the adoption of an electronic document management system is the change in culture that is needed. That's something we've had to deal with over the past few years. We have to work really hard to motivate employees to store information properly. They still have a tendency to print out documents and keep them on their desk.

First of all, we've endeavoured to improve the speed of the electronic system. If the system is too slow and employees find it quicker and easier just to keep the documents in their desk, they won't want to use the system. We've made the system much faster to use to eliminate that barrier.

Second of all, we set up a new committee to examine all aspects of the situation and identify potential weaknesses affecting the system's effectiveness and efficiency. We've made changes to the way documents are filed to make the process easier. The committee looks at the issue as it relates to all our regions and local offices. In addition, instead of waiting for the annual verification process to review our documents, we are going to implement ongoing verification in the next year, to stress to staff the importance of being disciplined in ensuring that documents are filed properly.[24]

Therefore, the Committee recommends

RECOMMENDATION 2 – Regarding document management practices

That, by 31 May 2018, Defence Construction Canada provide the House of Commons Standing Committee on Public Accounts with a report detailing what progress has been made with regard to ensuring that the supporting documentation for each contract is classified efficiently and systematically in its filing software, to ensure that all required documents can be obtained, monitored, and verified as complete.

C. Internal Service-Line Verification Process

The OAG found that DCC “established a practice of performing an internal review of two of its service lines—Contract Services and Contract Management Services—to provide management with assurance that activities are being carried out with due diligence and in accordance with the Corporation’s policies and procedures. The Corporation aims to perform these reviews each fiscal year, for the previous fiscal year.”[25] However, DCC “performed no internal verification for 2014–15 on Contract Services in the 2015–16 fiscal year. Corporation officials said that these internal verifications were postponed mainly because of the increase in program activities. Moreover, the Corporation had documented recommendations from previous years’ regional verifications, but follow-up actions on those recommendations were not clearly documented.”[26]

Thus, the OAG recommended that DCC should “regularly perform its internal service-line verifications, and clearly document follow-up on the resulting recommendations, to ensure that procurement activities are being carried out in accordance with established practices.”[27]

The Corporation agreed with this recommendation, and its Detailed Action Plan reported that it “has completed the internal verification of the Contract Services Service Line, which included data from 2014–15 and 2015-16. DCC has amended its verification reporting format to more clearly document conclusions, recommendations, and actions taken;”[28] additionally, reports “on the status of these actions have been provided to the Audit Committee of DCC’s Board of Directors at each meeting.”[29]

When questioned about the reasons for which the Corporation did not perform the verifications, James Paul, President and Chief Executive Officer, offered the following explanation:

That was a calculated decision we made at the time in light of a very large volume of contracts that we were dealing with under the FIIP. We approached those verifications on almost a normal audit sampling type basis.

We absolutely accept the finding and recommendation of the Auditor General that there is risk in doing that, and we did go back and perform those verifications. So you're right. Within that fiscal period, in light of the load and priority of getting the FIIP contracts out, it was something we decided to come to but not in the normal scheduled time. Normally, all those verifications are performed. We did take that risk and we accept the recommendation.[30]

When further pressed about how DCC would address this issue if it potentially faced another unusually high workload in the future, Mr. Paul responded as follows:

We will absolutely perform all those verifications every year going forward, and the risk might be a few procurements are delayed. We measure our performance on procurements out the door, projects completed according to spec, schedule, and giving value for money for taxpayers. If you look at our metrics, we delivered over 94% of the FIIP program for National Defence. We take a lot of pride in that, but if necessary, the priority is the verifications and we would perform them in the future.[31]

Consequently, the Committee recommends

RECOMMENDATION 3 – Regarding service-line verifications

That, by 31 May 2018, Defence Construction Canada provide the House of Commons Standing Committee on Public Accounts with a report detailing what progress has been made with regard to ensuring that the Corporation regularly performs its internal service-line verifications, and clearly documents follow-up on the resulting recommendations, to ensure that procurement activities are being carried out in accordance with established practices.

D. Training and Development

According to the OAG, DCC’s employees require a diverse set of skills to ensure they perform their duties adequately; some training is specific to position types.[32] Furthermore, the Corporation “had identified the specific training that employees had to take; this was reviewed by each employee’s supervisor during the annual performance review process, establishing that employees were taking the required training.”[33]

The OAG found that although DCC launched a new tracking and planning tool for training in the 2016–17 fiscal year, it “did not consistently track the courses taken. For example, training that one individual took five years before was listed as having been taken in 2015–16, while data on more recent training was not available.”[34]

According to the OAG, this finding matters “because the Corporation relies on the expertise of its employees to monitor contracts and deliver services in keeping with industry standards. The industry is in constant evolution, and specific issues that warrant close attention, such as fraud detection, require a proactive approach to preparing employees.”[35]

Consequently, the OAG recommended that DCC “should ensure that its tracking and planning tool for training records employees’ training consistently and accurately.”[36]

The Corporation agreed with this recommendation and stated in its action plan that it “has finalized and implemented a new electronic training tracker, an online tool which is an employee-specific registry of all required and completed training. Both employees and managers are able to use this tool to manage individual training records consistently and accurately.”[37]

Therefore, the Committee recommends

RECOMMENDATION 4 – Regarding training and development

That, by 31 May 2018, Defence Construction Canada provide the House of Commons Standing Committee on Public Accounts with a report detailing what progress has been made with regard to ensuring that its tracking and planning tool for training records employees’ training consistently and accurately.

CONCLUSION

The Committed finds that notwithstanding the matters raised in this audit, in general, DCC “did a good job of managing its corporate governance, strategic planning, risk management, and performance measurement and reporting.”[38] Furthermore, it should be noted that “there were no significant deficiencies in [DCC’s] systems and practices that [the OAG] examined for corporate management and management of contracts and services” and that “the Corporation maintained these systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.”

To help ensure the Corporation continues its good performance, the Committee has made four recommendations that aim to address the matters raised by the OAG.

SUMMARY OF RECOMMENDED ACTIONS AND ASSOCIATED DEADLINES

Table 1 – Summary of Recommended Actions and Associated Deadlines

Recommendation	Recommended Action	Deadline
Recommendation 1	Defence Construction Canada needs to provide the Committee with a report detailing what progress has been made with regard to a) better defining fraud risks in its corporate risk register; b) ensuring that it covers all relevant aspects of these risks; and, c) implementing systems and processes needed to assess, monitor, and address them.	31 May 2018
Recommendation 2	Defence Construction Canada needs to provide the Committee with a report detailing what progress has been made with regard to ensuring that the supporting documentation for each contract is classified efficiently and systematically in its filing software, to ensure that all required documents can be obtained, monitored, and verified as complete.	31 May 2018
Recommendation 3	Defence Construction Canada needs to provide the Committee with a report detailing what progress has been made with regard to ensuring that the Corporation regularly performs its internal service-line verifications, and clearly documents follow-up on the resulting recommendations, to ensure that procurement activities are being carried out in accordance with established practices.	31 May 2018
Recommendation 4	Defence Construction Canada needs to provide the Committee with a report detailing what progress has been made with regard to ensuring that its tracking and planning tool for training records employees’ training consistently and accurately.	31 May 2018