Audit of Information Technology (IT) Procurement

Vetted Report

February 2017

Table of contents

  1. Acronyms and abbreviations
  2. Executive summary
  3. Management's response to the audit
  4. 1. Background
  5. 2. Objective, scope and methodology
  6. 3. Audit findings
  7. 4. Recommendations
  8. 5. Conclusion
  9. Appendix A – Audit Objective and Criteria
  10. Appendix B – Process Maps of Procurement Processes

Acronyms and abbreviations

AMM
Asset Management Manual
CIO
Chief Information Officer
CQA
Contract Quality Assurance
DIO
Divisional Information Management/Information Technology Officer
ECS
Enterprise Computing Services
FMM
Financial Management Manual
IM
Information Management
IT
Information Technology
OiC
Order in Council
PWGSC
Public Works and Government Services Canada
RBAP
Risk-Based Audit Plan
SO
Standing Offer
SSC
Shared Services Canada

Executive summary

Information management (IM) and information technology (IT) play an important role in enabling the RCMP to meet its operational priorities. Providing RCMP personnel with updated IT equipment allows them to keep abreast with evolving technological crime. As Canada's national police force, it is also important that the RCMP's IT systems be compatible and consistent with its law enforcement and criminal justice partners. Accordingly, effective IT procurement practices help to ensure that IT equipment acquired meets the RCMP's operational needs and demonstrates sound stewardship of resources.

In 2012, Shared Services Canada (SSC) was mandated to provide services related to email, data centres and networks to 43 partner organizations including the RCMP. On September 1, 2015, an Order in Council (OiC) came into effect extending SSC's mandate for the provision of services related to end-user information technology. This removed contracting authority for IT goods from SSC's 43 partner organizations and delegated full contracting authority for IT goods to SSC. This audit focused on the RCMP's accountabilities with respect to IT procurement.

The objective of this audit was to assess whether the RCMP's IT procurement practices meet operational needs, and comply with government procurement regulations and policy. The audit scope included the procurement of IT goods completed during the period of April 1, 2014 to June 30, 2016.

The audit concludes that RCMP units have been working well with Divisional IM/IT Officer (DIO) personnel to clearly define IT requirements for procurement decisions to meet ongoing operational needs. Additionally, controls put in place to ensure that procurement officers confirm that requests for IT goods are approved by DIO personnel prior to initiating procurement are working as intended.

Opportunities for improvement exist in a few areas. The Force would benefit from assessing existing procurement authorities and responsibilities in the post OiC context, and updating RCMP policies and guidelines related to the procurement of IT goods, including the * and retroactive contracting. Additionally, * would serve to strengthen adherence to policy and OiC requirements across the Force.

The management responses included in this report demonstrate the commitment from senior management to address the audit findings and recommendations. A detailed management action plan is currently being developed. Once approved, RCMP Internal Audit will monitor its implementation and undertake a follow-up audit if warranted.

Management's response to the audit

Corporate Management and Comptrollership:

The Audit of Information Technology (IT) Procurement has highlighted opportunities to further strengthen the planning and acquisition of IT within the RCMP, particularly in light of the Order in Council extending Shared Services Canada's (SSC) mandate for the provision of workplace technology devices.

SSC is working to establish options to enable the authority to delegate and will seek approvals as required. Once the extent of the delegation is known, Corporate Management will review and revise internal policies and procedures as necessary. Corporate Management will do this in close collaboration with the Chief Information Officer.

Corporate Management welcomes the audit findings as a mechanism to further strengthen the delivery of procurement and contracting services and to further enhance its policy suite, and risk-based quality assurance programs.

Corporate Management commits to developing a detailed action plan which will include specific timelines and milestones to which the RCMP will adhere.

Dennis Watters
Acting Chief Financial and Administrative Officer

Specialized Policing Services (SPS):

SPS accepts the RCMP's Internal Audit findings and recommendations. We appreciate the consideration and support provided to the IM/IT Program personnel during the course of this process.

*

There is a requirement to work with SSC and Public Services and Procurement Canada to streamline the procurement process to ensure timeliness of IT procurement in support of Policing Operations. *

The IM/IT Program, in collaboration with the RCMP Chief Financial and Administrative Officer, will address the recommendation to ensure quality assurance monitoring activities are being used, *

Assistant Commissioner Joe Oliver
Acting Deputy Commissioner, Specialized Policing Services

1. Background

Information management (IM) and information technology (IT) play an important role in enabling the RCMP to meet its operational priorities. Providing RCMP personnel with updated IT equipment allows them to keep abreast with evolving technological crime. As Canada's national police force, it is also important that the RCMP's IT systems be compatible and consistent with its law enforcement and criminal justice partners. Accordingly, effective IT procurement practices help to ensure that IT equipment acquired meets the RCMP's operational needs and demonstrates sound stewardship of resources.

Procurement of IT equipment has traditionally been decentralized across the Force, whereby in addition to Procurement personnel, Divisional IM/IT Officers (DIOs), Unit Commanders and other individuals with delegated contracting authority could acquire IT goods and services. Prior to 2015, DIOs, Unit Commanders, and other individuals had delegated contracting authority for goods under $10K and the DIOs had authority for call ups against Standing Offers (SOs) up to $20K such that only procurement requests for goods over $10K were processed by Divisional and Corporate Procurement. *

In 2011, Shared Services Canada (SSC) was created in an effort to improve the efficiency, reliability and security of the Government's IT infrastructure. The intent in establishing SSC was to streamline IT, reduce expenditures in the area of IT, limit waste and reduce duplication.Footnote 1In 2012, SSC was mandated to provide services related to email, data centres and networks to 43 partner organizations including the RCMP.

On September 1, 2015, an Order in Council (the OiC) came into effect extending SSC's mandate for the provision of services related to end-user information technology.Footnote 2 This removed contracting authority for IT goods from SSC's 43 partner organizations, including the RCMP, and delegated full contracting authority for IT goods to SSC. Although in 2012, partial procurement responsibilities had been transferred from Public Works and Government Services Canada (PWGSC) to SSC, some departments continued to depend on PWGSC for the procurement of IT-related goods and services, and PWGSC continued to manage and maintain procurement instruments (i.e. contracts, SOs and supply arrangements) related to the purchase of IT goods and services. This situation resulted in duplication of effort between PWGSC and SSC. The intent of the OiC was to increase efficiencies in the procurement process, ensure a consistent approach to supply chain integrity and potentially increase savings opportunities by having cohesive government buying power.

Post OiC, the RCMP is still accountable for procurement planning and defining IT needs, but the RCMP is no longer fully engaged in the contract award processes of IT procurement. Most of the IT procurement for the Force is channeled through Corporate and Divisional Procurement, who liaise with SSC on procurement requests. *

Current RCMP responsibilities related to IT procurement continue to involve the following stakeholders.

  • Reporting to the Deputy Commissioner, Specialized Policing Services and led by the Chief Information Officer (CIO), the IM/IT Program, acting as a policy center, is responsible for providing strategic direction and policy on IM and IT as well as managing the execution of major IM/IT projects. *
  • Reporting to the Chief Financial and Administrative Officer and led by the Director General Procurement and Contracting, Corporate Procurement at national headquarters is responsible for developing national procurement policies and providing advice to Divisional Procurement personnel as well as planning, managing and delivering centralized procurement and contracting services for units in the national headquarters area.
  • Divisional Procurement personnel are responsible for assisting units and detachments with the acquisition of equipment including IT goods and services.

The Commissioner-approved 2015-2018 Risk-Based Audit Plan (RBAP) includes an Audit of IT Procurement. The inclusion of this audit in the RBAP follows prior audit work performed by the Office of the Auditor General on the of Aging IT Systems (2010), which highlighted the increasing demands for IM/IT services, the aging of current systems that require significant investment to maintain, and requirements to enhance existing infrastructure.

2. Objective, scope, methodology and statement of conformance

2.1 Objective

The objective of the engagement is to assess whether the RCMP's IT procurement practices meet operational needs, and comply with government procurement regulations and policy.

2.2 Scope

The audit focused on the RCMP's accountabilities with respect to IT procurement. As part of this, the audit considered the procurement of IT goods including routine equipment (desktop computers, laptops, scanners, etc.), IT systems procured as part of larger IT projects and purchases of specialized IT equipment for operational purposes.

The audit did not assess the procurement of IT services such as the contracting of professional services and the procurement of sensitive equipment since these topics are addressed by other audit engagements included in the 2015-2018 RBAP. The audit also excluded the procurement of radio equipment and systems.

The time period examined for audit testing purposes was April 1, 2014 to June 30, 2016 to reflect the pre and post OiC periods.

2.3 Methodology

Planning for the audit was completed in July 2016. In this phase, the audit team conducted interviews, process walkthroughs and examined relevant policies, directives, procedures and results of previous audit work performed.

Sources used to develop audit criteria and audit tests included Government of Canada procurement policies and RCMP procurement policies and guides. The audit objective and criteria are available in Appendix A. Process maps of the procurement process pre and post OiC are included in Appendix B for information purposes.

The examination phase, which concluded in November 2016, employed various auditing techniques including interviews, documentation reviews and testing of procurement filesFootnote 3,direct purchasesFootnote 4 and acquisition card purchasesFootnote 5. Site visits took place at four divisional headquarters to review files and assess practices. Upon completion of the examination phase, the audit team held meetings to validate findings with personnel and debriefed senior management of the relevant findings.

The table below provides a summary of the number, type and dollar value of transactions tested during the audit. Sampling methodology involved a combination of random and judgmental sampling based on data extracts obtained from the TEAM system and Corporate Finance. The sample selection excluded transactions under $500 since in the post OiC context, this was a threshold below which IT purchases were generally considered office supplies.

Table 1: Testing of procurement files, direct purchases and acquisition card transactions
Number of Transactions Tested Pre OiC Dollar Value ($) Number of Transactions Tested Post OiC Dollar Value ($)
Procurement files 50 $1,056,354 115 $1,916,354
Direct purchases 123 $571,393 131 $418,223
Acquisition card transactions No testing performed on transactions pre OiC 95 $459,310
Total per period 173 $1,627,747 341 $2,793,887
Overall total pre and post OiC 514 tested transactions $4,421,634 in tested transactions

2.4 Statement of conformance

The audit engagement conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

3. Audit findings

The context in which IT procurement is carried out at the RCMP has evolved as a result of the changes brought about by the OiC. Prior to this OiC, most of the RCMP's IT procurement requirements were fulfilled directly by the RCMP. In the post OiC context, most IT goods are procured on the RCMP's behalf. Consequently, demonstrating sound stewardship of resources while meeting operational requirements, and complying with policy requirements can become more complex. *

Paths to success in this area rest upon collaboration amongst stakeholders involved in the procurement of IT goods, an awareness of and willingness to adhere to policy requirements related to procurement of IT goods, monitoring of IT procurement transactions, and mechanisms to address deviations from policy requirements.

Accordingly, we expected the audit would find that:

  • RCMP roles and responsibilities for IT procurement are defined, communicated, and understood to support effective IT procurement;
  • planning for IT procurement supports effective and efficient results and uses an enterprise approach where applicable;
  • IT procurement is conducted in accordance with policy, and contracts are monitored to ensure that the RCMP obtains required IT goods and deficiencies are adequately addressed;
  • procurement needs are well defined and appropriately communicated to ensure operational requirements are met in a timely manner.

3.1 IT Procurement Processes

Opportunity exists for the RCMP to improve how it communicates and adapts to new processes introduced by the OiC as IT goods are procured on its behalf.

General procurement responsibilities are clearly defined and communicated in the Treasury Board (TB) Contracting Policy, the RCMP Asset Management Manual, the RCMP Financial Management Manual, and the RCMP guide An Introduction to Procurement and Contracting in the RCMP.

Prior to the OiC, DIOs, Unit Commanders, and other individuals had delegated contracting authority for goods under $10K and the DIOs had authority for call ups against SOs up to $20K such that only procurement requests for goods over $10K were processed by Divisional and Corporate Procurement.Footnote 6 Procurement under $10K could be completed using a Purchase Order (contract), by ordering directly from the vendor without a contract, or using an acquisition card. Contract Quality Assurance (CQA) was done by Corporate Procurement on procurement officer files, but CQA did not apply to purchases under $10K of any type. *

The DIO role * and providing technical advice and assistance to units did not change post OiC. The DIO remained the point of contact as technical authority for IT procurement but could no longer award contracts. The resulting impact was a loss of control over the type of equipment procured as well as an increase in the timelines for completing procurement.

In response to the OiC, Corporate Procurement in its role as policy centre, reviewed the ordering process established by SSC and determined that submitting a purchase requirement through the SSC portals was substantially similar to submitting a requisition to PWGSC. In accordance with column 39 of the RCMP's Delegation of Authorities Matrix, this action is limited to RCMP procurement authorities.Footnote 7 As a result, all IT procurement requests regardless of value were forwarded to Divisional and Corporate Procurement. We were informed through interviews with procurement managers that the procurement officers' workload increased due to the additional transaction volume. Review of transaction volume for IT goods with a purchase order between April 2014 and June 2016 indicated that 1709 of 2452 (70%) transactions during this period were under $10K.Footnote 8

The role of RCMP procurement officers was further complicated by having to determine when the responsibility to award IT contracts for particular requirements fell to SSC and when procurement officers could proceed with the acquisition of equipment. For contracts within SSC's scope, RCMP procurement officers had access to SSC's Request for Acquisition Services portal to order software and licenses and the IT Portal to order workplace devices. Procurement officers had to determine the correct portal through which to submit the request, and whether to request exemptions for the RCMP to procure the IT goods directly if the goods needed were not in inventory on the procurement portals. For purchases within SSC's scope, procurement officers still prepared all pre-contractual documentation and drafted contracts but SSC awarded the contracts. Procurement officers reported spending additional time liaising between the units, the DIO and SSC, and tracking the status of procurement requests.

Communication of Process Changes Post OiC

New processes related to the post OiC context were introduced on an ongoing basis during the first six months of the transition. A significant amount of information was provided by SSC to the RCMP via different channels such as Corporate Procurement, Divisional Procurement, the IM/IT Program and the RCMP-SSC Liaison Team.Footnote 9 Information from SSC Procurement was received in Corporate Procurement and disseminated to Divisional Procurement sections through the monthly Procurement manager teleconferences and through regular communication from the CQA Section, with the intent that it be further communicated to all Divisional Procurement officers. Although efforts were made to communicate evolving process changes to Divisional Procurement, such information would have also benefitted other key stakeholders in the IT goods procurement process, including DIOs. Similarly, while information was received by the IM/IT Program and disseminated to DIOs, such information would have also benefitted key stakeholders in Procurement. Procurement officers and DIOs lacked clarity in regard to what items were not within SSC's mandate to procure. Procurement officers questioned whether determining what was in and out of scope should be their role versus a DIO responsibility. Recognizing that post OiC processes were in flux, enhanced coordination across functional lines and interim procedures could have provided steps for Divisional Procurement staff and DIOs to follow to request IT goods from SSC.

Process Changes for Major IT Projects

Major IT projectsFootnote 10 which often have an IT procurement component are included in the RCMP's corporate plans such as the Investment Plan and the IM/IT Plan. The Investment Plan provides an overview of the planned RCMP investments in assets and acquired services over a five year planning period, and the IM/IT Plan provides a high level view of the IM/IT Program planned investment over a three year period. Procurement activities had a limited impact on major project timelines prior to September 2015 because the RCMP had delegated contracting authority up to $400K for IT goodsFootnote 11 which resulted in the RCMP having greater control over the procurement process and the flexibility to reassign priorities depending on emerging needs and changing schedules. In the post OiC context, the RCMP's capacity to plan is crucial to the delivery of IT projects on time and on budget, given that requests for services to be delivered by SSC must respect SSC's service intake process, which includes submitting requests prior to specific cut-off dates.

Further, given that the RCMP's ability to execute its major projects and fulfill associated IT procurement needs is impacted by virtue of SSC's role in providing email, network and data services to all 43 partner organizations, the ability of the Force to prioritize its needs is also of importance. Although enterprise prioritization criteria for the selection of major projects were developed by the IM/IT Program, they were not readily adopted by all committees and consistently applied to major projects. Several committees were in place to oversee project implementation such as the Architecture and Initiative Review Board, the CIO Core Management Team, the Strategic Investment and Priority Council – which applies the RCMP prioritization framework to IM/IT investments, the Project Review Board and the Change Advisory Board. While the governance structure for IM/IT project implementation was functional, there was some potential for overlap of mandates and attendance (e.g. the committees identified above all provide a form of strategic oversight and review of project implementation, and require the attendance of IM/IT Program senior management).

During our interviews, IM/IT Program managers emphasized the importance of proper planning and adherence to projects timelines in the post OiC environment. Audit testing was performed to determine whether only those major IT projects identified on a corporate plan were initiated, and whether projects were appropriately tracked and actively monitored. Results indicated that not all projects in the initiation phase could be tracked to the Investment Plan, and also indicated that there are challenges in how the RCMP measures project progress given that schedules and budgets can be re-baselined, establishing new completion dates and budget projections for a given project. Enhancing RCMP project management activities including project prioritization could help focus resources on the Force's priorities while respecting the shared services model of IT service delivery in which the RCMP is a partner.

3.2 Adherence to Policies

Further effort is required to ensure that effective control measures are put in place to ensure adherence to policy requirements for the procurement of IT goods, including ensuring the IM/IT Program's awareness of IT purchases.

The audit examined whether RCMP IT procurement practices complied with TB and RCMP policy requirements. Specifically, audit testing and file reviews assessed whether pre-approval for IT procurement requests was obtained as per the Asset Management Manual Chapter 3.4, whether the RCMP had the required delegated contracting authority to procure IT goods post OiC, and whether commitment of funding as per section 32 of the Financial Administration Act was sufficient for contract costs (Financial Management Manual Chapter 9.2Footnote 12). The audit also assessed whether there were processes in place to identify and correct instances when requirements were not met.

IT Goods Pre-Approval Process

* to reduce instances of security vulnerabilities created by new equipment purchases that may be incompatible with the RCMP network requirements, or may not be centrally and divisionally supported by the IM/IT Program from a maintenance perspective. * Prior to the OiC, upon receiving approval for the acquisition, units were authorized to proceed with their IT equipment.

*

*

Evidence of Appropriate Approval

* We were informed by officials in the IM/IT Program that there were no quality assurance monitoring activities being undertaken to ensure adherence to the requirements of AMM Chapter 3.4. *

*

*

*

*

*

*

*

The audit team also obtained data extracts from Corporate Finance on acquisition card purchases for the period of September 2015 to June 2016 and identified possible IT purchases for this period. The subsequent analysis focused on transactions over $1K. *

*

*

*

We also identified that the current information management tool (Excel spreadsheet) being used by the IM/IT Program to manage IT procurement information made it challenging to aggregate the data for planning, monitoring, and decision-making. There is an opportunity to enhance information management tools and the utilization of information received from divisions to identify trends in the types of equipment purchased as well as opportunities for additional efficiencies (e.g. bulk purchases).

*

*

Adherence to the OiC

In accordance with the OiC, the audit team expected to find that all IT procurement contracts and IT purchases were done by SSC during the period of September 2015 to June 2016. However, interviews and file testing indicated that departments could still procure IT goods using SOs that remained with PWGSC, as well as certain software deemed out of scope by SSC. In addition, SSC provided exemptions on a case by case basis for the RCMP to award contracts.

Determining what IT goods were in and out of scope for the RCMP at the onset of the OiC was challenging for RCMP Procurement and DIO personnel. Through our interviews, many of the DIOs and divisional Procurement OfficersFootnote 13 highlighted the difficulty in determining what was in and out of scope for the RCMP to procure, advising that following the OiC, and with the intent of adhering to the OiC's requirements, SSC was contacted for every request to confirm whether it was in or out of scope. Determining who had the authority to purchase investigative tools and software as well as policing equipment such as mobile work stations and certain forensic software was particularly challenging.

At the time of the audit, while efforts were being made to provide guidance within functional lines on equipment in and out of scope for the RCMP, greater coordination across functional lines would have helped ensure divisional stakeholders were aware of changes and interpreted information received by SSC in a consistent manner. In addition, we were informed by officials in the IM/IT Program and Corporate Procurement that there were no quality assurance monitoring activities being undertaken to assess compliance with the OiC. The results of our file testing identified 4 out of 115 (3%) out of scope procurement transactions being done by the RCMP without an exemption from SSC. That said, 3 out of the 4 contracts were awarded in early September 2015, following the OiC coming into effect. More noteworthy, 112 out of 131 (85%) direct purchases and 65 out of 95 (68%) of acquisition cards transactions reviewed were identified to be IT goods valued at amounts greater than $500. Since these goods were purchased post OiC, were greater than the $500 authority threshold, and were not identified as exceptions to the OiC, these purchases did not meet the requirements of the OiC (see table 4).

Table 4: Adherence to the OiC
Type of transaction Total # of transactions reviewed completed post OiC Out of scope transactions completed by the RCMP
Procurement files 115 (total value $1.9M) 4 (3%) (total value $62K)
Direct purchases 131 (total value $418K) 112 (85%) (total value $386K)
Acquisition cards 95 (total value $459K) 65 (68%) (total value $322K)
Total 341 (total value $2.8M) 181 (53%) (total value $770K)

Retroactive Contracting

The Guidelines for the Handling of Retroactive Contracting in the RCMP state that retroactive contracting is a circumstance where a formal procurement vehicle has not been put in place by an appropriately delegated individual, but an agreement has been made and work has been undertaken or goods/services delivered. When this occurs, special procurement documentation must be used to formalise the purchase and satisfy contracting policies.Footnote 14 Different types of solutions can be used if retroactive contracting occurred. For example, a Confirming Order can be "issued when purchases are made without a contract to confirm that work has been completed and delivered, and that the Crown has fulfilled all of its obligations under the terms of the contractual agreement."Footnote 15 It must be completed before payment can be made and contain the information needed to document the transaction. Pre-contractual work clauses can also be used in contracts for instance where the requirement has not been fully completed but the work has begun without a written agreement. The Guidelines for the Handling of Retroactive Contracting in the RCMP identify that it is Government policy that Retroactive Contracting be avoided given the sensitive nature of these types of transactions and the risks they can pose to an organization.Footnote 16

Interviews with procurement personnel and review of additional documentation identified instances in the post OiC context where there was uncertainty over whether the RCMP had the authority to complete Confirming Orders.

Current RCMP guidelines on retroactive contracting were not updated to reflect the OiC related to IT procurement, and no direction was provided by Corporate Procurement to the Divisions on the process that should be followed when the need for a Confirming Order arises post OiC. Since the RCMP no longer has delegated authority to award contracts related to IT goods, it would benefit the Force to obtain clarification on whether the RCMP has the authority to complete Confirming Orders.

Monitoring and Reporting on Non-Adherence

Addressing instances of non-adherence, when detected, currently involves redress measures such as reminders and remedial training but these are not enforced consistently across divisions. TB Contracting Policy also stipulates that an individual can lose their contracting authority in cases of non-adherence to procurement policiesFootnote 17, providing Corporate Procurement with another mechanism to address serious instances of non-adherence.

The Guidelines for the Handling of Retroactive Contracting in the RCMP specifies that Corporate Procurement should follow up with Divisional Procurement Managers on a quarterly basis to review the cases of retroactive contracting and track the frequency of offences. Corporate Procurement is also expected to report cases of Confirming Orders to senior management via monthly reports outlining Retroactive Contracting occurrences and quarterly reports on the status of recommendations and redress carried out by the regions. Corporate Procurement has indicated that this reporting has not been undertaken over the past two years due to competing priorities and resource constraints.

*

Audit testing indicated that there is significant non-adherence to procurement of IT goods under $10K done by non-procurement personnel post OiC. Retroactive contracting processes should be clarified to promote consistent application of policy, ensure that Confirming Orders are done by the proper contract authority, and also to ensure that redress is taken if necessary. Although some statistics are gathered to meet reporting requirements to TB, senior management is not consistently made aware of issues relating to adherence, therefore not allowing opportunities to mediate or sanction as appropriate.

3.3 Effectiveness of Service Delivery

Opportunities exist to streamline the process and gain efficiency in requesting IT goods to be procured on the RCMP's behalf.

The inability to acquire IT equipment in a timely fashion can pose a risk to the RCMP operationally in terms of progressing on investigations and court disclosure. To measure the effectiveness of service delivery in obtaining IT goods, the audit examined whether procurement needs were well defined and operational requirements were met in a timely manner.

Needs Definition

During audit interviews with procurement officers, we were informed that little time was required to clarify needs during the procurement phase given that DIOs and representatives from the IM/IT Program in the Divisions were effective in assisting units to define their IT needs prior to them submitting a purchase requisition to Procurement. The involvement of DIOs and IM/IT Program personnel in needs definition was reflected in file testing which showed that only 3 out of 50 (6%) of pre OiC procurement files and 8 out of 115 (7%) of post OiC procurement files reviewed had significant changes between the original statement of requirements and the statement of requirements used in the contract.

Through audit interviews, DIOs and their personnel demonstrated a sound understanding of suitable products for the organization in terms of functionality and compatibility * although their interpretation of those varied. * That said, there was a lack of visibility at the DIO level of available product offerings from SSC as DIOs do not have direct access to the procurement portals to obtain this information. This impacted their ability to advise units on the equipment they could procure through SSC and to effectively submit requests to Procurement.

Review of procurement files sampled indicated that units typically received the item that was identified on the purchase requisition. Based on reviewed invoices on file, 47 out of 50 (94%) units purchasing IT goods through Procurement pre OiC obtained the product they requested on the Purchase Requisition while 59 out of 72 (82%) units received the product requested post OiC when the contract was awarded by SSC.Footnote 18

There was little documented evidence in procurement files sampled regarding post contract issues such as units not receiving the product in accordance with the contract, pricing discrepancies or service delivery issues. However, DIOs maintained separate client files that contained evidence of post-contract issues indicating that units did not always obtain what they required post OiC. More generally, DIOs experienced frustration with the inability to order specific brands and models of equipment that were known to be compatible with the RCMP's IT infrastructure and highlighted instances when they had to modify equipment ordered through SSC after determining that it was not meeting RCMP requirements.Footnote 19For instances where a good received is not in accordance with contract terms, the good should not be accepted and Corporate Procurement should be advised so that remedies within the terms and conditions of the contract can be applied. In addition, documenting post-contract issues more consistently in Procurement or DIO files would allow the RCMP to quantify costs and issues associated with the shared services model of delivery for IT procurement.

Timeliness of Procurement

While RCMP units obtained the equipment they needed to perform their duties in a majority of cases, increased processing time post OiC was highlighted as an issue and supported by our file testing. Using the procurement files reviewed, the audit team measured the average timelines from the date a procurement request was received by Procurement to the date the goods were delivered to units pre and post OiC. A second analysis was done to measure the timeline between Initiation Date and Contract Award to isolate the procurement timeline from post-contract issues.

While the procurement timelines between the Initiation Date and Delivery Date increased slightly post OiC for the selected sample, the main difference post OiC was the increased processing time between Initiation Date and Contract Award. The average number of days from procurement initiation to contract award increased by 16 calendar days from pre OiC to post OiC when SSC was the contracting authority (see table 5).

Table 5: Timeline from Initiation to Contract Award
Pre OiC (RCMP Contracts) Post OiC (RCMP Contracts - SSC Exemptions) Post OiC (SSC Contracts**)
Initiation to contract (up to 14 days) 54% (27/50) 49% (21/43) 24% (17/72)
Initiation to contract (15 to 28 days) 20% (10/50) 16% (7/43) 21% (15/72)
Initiation to contract (over 29 days) 22% (11/50) 33% (14/43) 54% (39/72)
Unknown 4% (2/50) 2% (1/43) 1% (1/72)

** Contracts awarded by SSC for which the RCMP did preparatory work up to contract award.

Note: The average number of days from procurement initiation to contract award pre OiC was 21 calendar days compared to 37 calendar days post OiC, a difference of 16 calendar days.

Analysis performed highlighted two main reasons for the increased timelines. A significant increase in transaction volume was caused by the RCMP not having any authority to procure IT goods under $10K with the new OiC, and having to forward requests through the procurement portals via Corporate and Divisional Procurement.Footnote 20There were also additional steps required of the RCMP in order to submit procurement requests, such as deciding which procurement portal to use, providing justifications for exceptions to generic equipment available in shared inventory, and reviewing contracts drafted on behalf of the RCMP.

Assessing timeliness post OiC highlighted opportunities for potential efficiencies, especially as it pertains to the RCMP's decision to only allow procurement officers to submit requests to SSC. As previously identified, DIOs with the exception of national headquarters were responsible for the procurement of IT goods under $10K pre OiC. If appropriate from a risk and administrative perspective, this role could be reinstituted as a way to relieve current pressures reported by Corporate and Divisional Procurement staff and Divisional IM/IT units.

Although units continue to define their IT equipment needs with the assistance of IM/IT Program personnel, timeliness of equipment delivery has been a challenge post OiC. While the time spent on a file by Divisional Procurement and SSC respectively could not be allocated, awareness of overall timelines for procurement highlighted that streamlining the process to accelerate placing orders to SSC could add value and benefit the Force as a whole.

4. Recommendations

  1. The Chief Financial and Administrative Officer in consultation with the Chief Information Officer, should assess existing IT procurement authorities, roles, responsibilities, and processes in the post OiC context, and update RCMP procurement policies and guidelines as necessary.
  2. The Chief Financial and Administrative Officer should: * and take follow-up action, as appropriate.
  3. *
  4. *

5. Conclusion

The audit concludes that RCMP units have been working well with DIO personnel to clearly define IT requirements for procurement decisions to meet ongoing operational needs. Additionally, controls put in place to ensure that procurement officers confirm that requests for IT goods are approved by DIO personnel prior to initiating procurement are working as intended.

Opportunities for improvement exist in a few areas. The Force would benefit from assessing existing procurement authorities and responsibilities in the post OiC context, and updating RCMP policies and guidelines related to the procurement of IT goods, including the IT goods pre-approval process and retroactive contracting. Additionally, * would serve to strengthen adherence to policy and OiC requirements across the Force.

Appendix A – Audit objective and criteria

Objective: The objective of the engagement is to assess whether the RCMP's IT procurement practices meet operational needs, and comply with government procurement regulations and policy.

Criteria 1: Roles and responsibilities for IT procurement are defined, communicated, and understood to support effective IT procurement.

Criteria 2: Planning for IT procurement supports effective and efficient results and uses an enterprise approach where applicable.

Criteria 3: Procurement needs are well defined and appropriately communicated to ensure operational requirements are met in a timely manner.

Criteria 4: IT procurement is conducted in accordance with policy, and contracts are monitored to ensure that the RCMP obtains required IT goods and deficiencies are adequately addressed.

Appendix B – Process Maps of Procurement Processes

Pre OiC Process: Requirements under $10K processed by individuals with delegated authority

Pre OiC Process: Requirements under $10K processed by individuals with delegated authority
  1. Unit defines requirement often with DIO assistance
  2. *
  3. *
  4. DIOs or other individuals with delegated authority purchase IT goods under $10K via:
    • Purchase order (obtains quotes, does contract)
    • direct purchase from vendor (obtains invoice), or
    • acquisition card
  5. Unit obtains goods, performs certification of receipt (as per section 34 of the Financial Administration Act), and sends invoices to Accounting Operations for payment
  6. Invoice or acquisitions card payments made by Accounting Operations - only section 34 certification required under $10K *

Pre OiC Process: Requirements over $10K processed by Divisional Procurement Offices

Pre OiC Process: Requirements over $10K processed by Divisional Procurement Offices
  1. Unit defines requirement often with DIO assistance
  2. *
  3. *
  4. Purchase requisition/ request to Divisional or Corporate Procurement via Form 4041 (Requisition for Goods, Services and Construction) to generic GroupWise Mailbox
  5. Requirement is assigned to a Procurement Officer - Procurement Officer notifies requesting Unit
  6. IT goods requirements up to $400K: Divisional or Corporate Procurement clarifies requirement, determines appropriate procurement method, obtains quotes, prepares contract, provides copy to Unit, and tracks receipt of goods
  7. IT goods requirements over $400K: Divisional / Corporate Procurement actions purchase requisition /request to PWGSC if over their authority, prepares paperwork, e.g. quotes, and provides copy of contract to Unit once received by PWGSC
  8. Unit performs section 34 certification upon receipt of goods and (usually) provides a copy to Procurement Officer
  9. If issues with goods received, Procurement Officer contacts vendor to resolve

Post OiC: All requirements to SSC via Divisional / Corporate Procurement regardless of value

Post OiC: All requirements to SSC via Divisional / Corporate Procurement regardless of value
  1. Unit defines requirement-often with DIO assistance
  2. *
  3. *
  4. Purchase requisition/ request to Divisional or Corporate Procurement via Form 4041 to generic GroupWise Mailbox
  5. Requirement is assigned to a Procurement Officer - Procurement Officer notifies requesting Unit
  6. Divisional or Corporate Procurement clarifies requirement, determines if in or out of scope for SSC
    • If in scope, go to step 7.
    • If out of scope, go to step 9.
  7. In scope SSC: Procurement Officer determines appropriate portal to enter procurement request, (can result in delays if entered in wrong portal and order needs to be resubmitted); prepares documentation, drafts contract, and submits order
  8. Procurement Officer liaises with SSC and tracks requirement until contract is awarded by SSC (requests copy of the contract if not received from SSC) Go to step 10.
  9. Out of scope for SSC or if SSC grants an exemption: Procurement Officer determines appropriate procurement method, obtains quotes, prepares contract, provides copy to Unit, and tracks receipt of goods
  10. Procurement Officer liaises with RCMP Unit on status of order and tracks requirement until goods received
  11. Unit performs section 34 certification upon receipt of goods and (usually) provides a copy to Procurement Officer
  12. If issues with goods received Procurement Officer must go through SSC to have resolved with vendor
Top of page
Date modified: