THE STANDING SENATE COMMITTEE ON NATIONAL FINANCE
EVIDENCE
OTTAWA, Wednesday, October 23, 2024
The Senate Standing Committee on National Finance met this day at 6:47 p.m. [ET] to study matters relating to federal estimates generally and other financial matters.
Senator Claude Carignan (Chair) in the chair.
[Translation]
The Chair: Good evening, honourable senators.
Before we begin, I would like to ask all senators and other in‑person participants to consult the cards on the table for guidelines to prevent audio feedback incidents. Please make sure to keep your earpiece away from all microphones at all times. When you are not using your earpiece, place it face down, on the sticker placed on the table for this purpose.
Thank you all for your cooperation.
I wish to welcome all of the senators as well as the viewers who are watching us on sencanada.ca.
My name is Claude Carignan, senator from Quebec, and chair of the Senate Standing Committee on National Finance. Now, I would like to ask my colleagues to introduce themselves starting from my left please.
Senator Forest: Éric Forest from the Gulf division, Quebec.
[English]
Senator MacAdam: Welcome. Jane MacAdam, Prince Edward Island.
Senator Loffreda: Welcome. Tony Loffreda, Montreal, Quebec.
[Translation]
Senator Boudreau: Victor Boudreau from New Brunswick.
Senator Dalphond: Pierre J. Dalphond, De Lorimier division, Quebec.
[English]
Senator Pate: Kim Pate, and I live here in the unceded, unsurrendered territory of the Algonquin Anishinaabeg. Welcome.
Senator Osler: Welcome. Flordeliz Gigi Osler, Manitoba.
Senator Smith: Larry Smith, Quebec.
[Translation]
The Chair: The committee is meeting today to hear from the Auditor General of Canada, Karen Hogan. She is joined by several members of her team: Andrew Hayes, Deputy Auditor General; Mathieu Lequain, Principal; Nicholas Swales, Principal; and Sami Hannoush, Principal. I am going to give you the floor, and after that, the senators will certainly have some questions.
[English]
Karen Hogan, Auditor General of Canada, Office of the Auditor General of Canada: I am pleased to be here today to discuss three reports that were tabled in Parliament in June of this year.
I first want to acknowledge that we’re gathered in Ottawa on the traditional unceded territory of the Algonquin Anishinaabe people.
I will begin with our audit of professional services contracts. It looked at whether federal contracts awarded to McKinsey & Company between 2011 and 2023 complied with applicable policies and provided Canadians with value for the money spent. These contracts spanned 20 federal organizations, including 10 Crown corporations. The total value of contracts awarded to McKinsey & Company during the period we reviewed totalled $209 million, of which about $200 million was spent.
We found that the organizations awarding the contracts showed a frequent disregard for federal contracting and procurement policies and guidance. We also found that each organization’s own practices often did not demonstrate value for money.
The extent of non-compliance and the risks to value for money varied across the organizations; for example, in 10 of the 28 contracts that were awarded through a competitive process, we found that bid evaluations did not include enough information to support the selection of McKinsey & Company as the winning bidder.
[Translation]
When it came to non-competitive contracts, organizations often issued these without documenting the required justification for doing so. About 70% of the 97 contracts we looked at were awarded to McKinsey & Company as non-competitive contracts, and their value was approximately $118 million.
When we sampled and reviewed 33 contracts to assess results, we found in more than half that one or more issues prevented organizations from demonstrating that the contracts had delivered value for the money. This included a failure to show why a contract was necessary, no clear statement of what the contract would deliver, or no confirmation that the government had received all expected deliverables.
We found that as the central purchasing and contracting agent and subject matter expert for the Government of Canada, Public Services and Procurement Canada did not challenge organizations when awarding some contracts on their behalf. The department did not challenge the organization requesting the contracts about whether the procurement strategy used was appropriate when multiple contracts were awarded to McKinsey & Company for a similar purpose and within a short period of time.
[English]
While this audit focused on contracts awarded to McKinsey & Company, it also highlights basic requirements and good practices that all federal organizations should follow when procuring professional services on behalf of the Government of Canada. Federal contracting and procurement policies exist to ensure fairness, transparency and value for Canadians. But they only work if they are followed.
Turning now to our audit of Sustainable Development Technology Canada, or SDTC, this looked at whether the foundation managed public funds in accordance with the terms and conditions of contribution agreements and its legislative mandate. We also looked at Innovation, Science and Economic Development Canada’s oversight and administration of public funds.
Between March 2017 and December 2023, the foundation approved $856 million of funding to 420 projects. The audit found that there were significant lapses in Sustainable Development Technology Canada’s governance and stewardship of public funds — specifically, the foundation awarded $59 million to 10 projects that did not meet the key requirements set out in the contribution agreements between the government and the foundation. These projects were ineligible for funding because, for example, they did not support the development or demonstration of a new technology, or the projected environmental benefits were overstated.
I am also very concerned by breakdowns in the foundation’s governance.
[Translation]
The foundation was not always following conflict of interest policies, and it failed to comply with the Canada Foundation for Sustainable Development Technology Act.
The act requires the foundation to have a group of 15 members, separate from its board of directors, to represent Canadians and appoint most of the foundation’s board. The audit determined that the foundation did not comply with the legislation because it had only two such members, instead of the required 15.
With respect to conflicts of interest, the foundation did not have an effective system to maintain its conflict-of-interest disclosures and related actions. Its own records show that in 90 cases, conflict-of-interest policies were not followed. These 90 cases were connected to approval decisions that awarded projects nearly $76 million in funding.
Like all organizations funded by Canadian taxpayers, Sustainable Development Technology Canada has a responsibility to conduct its business in a manner that is transparent, accountable, and compliant with legislation. Our findings show that when this doesn’t happen, it’s not always clear that funding decisions made on behalf of Canadian taxpayers were appropriate and justified.
Our final audit focused on combatting cybercrime. It looked at whether the Royal Canadian Mounted Police, Communications Security Establishment Canada, the Canadian Radio-television and Telecommunications Commission, and Public Safety Canada had the capacity and capability to effectively enforce laws against cybercrime activities and protect Canadians online.
[English]
We found that these organizations have neither the capacity nor the tools to effectively fight cybercrime as cyberattacks grow in number and sophistication. Part of the issue is the federal government’s siloed and disconnected approach. We found breakdowns in response, coordination, tracking and information sharing between and across responsible organizations.
In addition, given the links between spam and cybercrime, the Canadian Radio-television and Telecommunications Commission’s narrow view of its role has limited the extent to which it helps protect Canadians. Effectively addressing cybercrime relies on incident reports going to the organizations best equipped to receive them and relies on those organizations acting on the reports. The current system for reporting cybercrime incidents is confusing, and it does not meet the needs of the individuals reporting these crimes.
[Translation]
We found that many reports were made to the wrong organizations and that those organizations did not respond to individuals or redirect the reports they received. For example, Communications Security Establishment Canada told us that almost half of the 10,850 reports it received between 2021 and 2023 were out of its mandate because they related to individual Canadians and not to organizations. However, it did not follow up with many individuals to inform them to report their situation to another authority.
[English]
While the RCMP, Communications Security Establishment Canada and Public Safety Canada have discussed implementing a much-needed single point for Canadians to report cybercrime, this has yet to happen. We also found that the RCMP struggled to staff its cybercrime investigative teams. We estimated that as of January 2024, close to one third of positions across all teams were vacant.
In our view, having a plan to reduce human resource gaps across all organizations involved in fighting cybercrime, including the RCMP, is an important component of a national cybersecurity strategy. The takeaway from these reports is that when good governance is lacking, the remedy isn’t necessarily new processes or more people or money; it’s about applying the rules that exist and having the right people with the right expertise for the job.
[Translation]
Mr. Chair, this concludes my opening statement. We would be pleased to answer any questions the committee may have. Thank you.
The Chair: Thank you, Ms. Hogan. We will begin the question period with Senator Forest.
Senator Forest: Thank you; it is always a pleasure to receive your reports.
Ms. Hogan, it is somewhat unbelievable that over 12 years, 70 of the 97 contracts that were reviewed were awarded to McKinsey, for a total value of $110 million.
How can it be that no one was able to do a due diligence review? Were these people not accountable to any superior, were they absolutely not accountable for their management of these public funds?
Ms. Hogan: I admit that when we reviewed the contracts awarded to McKinsey, it puzzled me that there had been so much non-compliance. The extent of the non-compliance varied from one organization to another, but it existed in several of them. We are talking about nine out of ten for the departments we examined and eight out of ten for the Crown corporations.
I often wondered about the reason for all of this, and that is why we recommended that the government take a step back and look at why there had been so many policies and practices that were not properly followed.
Are there too many, so people are not familiar with all of them? Are there too many, so people go around them to speed up the contracting process? We were unable to find a root cause and this is something the government should do. Is the answer to this problem to make more rules? I don’t think so. What is needed is to make sure the existing rules are followed properly.
Senator Forest: It would be completely unbelievable if you had told us that one department out of ten failed to follow the rules, but it is the reverse: it is nine departments out of ten. It is bizarre and unimaginable.
Ms. Hogan: That is why I have no reason to believe that the results are limited solely to the contracts awarded to McKinsey. I expected that the rules would be followed, but to see a result like that for other organizations. I hope the government will not review only those contracts that relate to the contracting process.
Senator Forest: Did you find, in your investigation, that there are rules for issuing contracts negotiated by mutual agreement? For example, where I come from—the municipal government sector—to issue that kind of contract, there are very clear rules that have to be recorded in the file to make sure there has actually been effective management of public funds.
Did you see rules like that in the departments or organizations involved in negotiating contracts by mutual agreement?
Ms. Hogan: Are you speaking in general or in relation to conflicts of interest and management?
Senator Forest: I am talking mainly about an untendered contract. To do that, I have to meet certain conditions; for example, it has to be a captive market or there has to be a deadline or really stringent conditions to be met, to be able to issue such a high volume of mutually agreed contracts.
Ms. Hogan: It is somewhat difficult to answer that question. When we look at Crown corporations, they all have very different rules. However, if we look at government departments, it is very easy to know whether a contract will be issued in a non-competitive process that should be well documented with a reason to justify it. There are rare exceptions, but we often found that this explanation was missing. Without that justification, it is difficult to know why McKinsey was chosen or whether they were the best suppliers for the needs. I expected that it would be better and I admit that I have seen the public service do better in the past.
Senator Forest: In your report, you note that 30% of the cybercrime positions in the RCMP are vacant. I can’t help but notice that during this time, with Bill C-63, there was a plan to hire 330 new employees to combat online hate and sexual exploitation, both being important forms of cybercrime. How do you think this is going to be achieved when we already see that 30% of the positions in the RCMP’s national cybercrime coordination centre have not been filled?
Ms. Hogan: I believe the RCMP is aware of this issue. We recommended that they do a labour market analysis. These are positions with unique, specialized skills. A proper analysis really needs to be done in order to be able to recruit the individuals they need.
In my opinion, it starts with a good plan. The RCMP has a general labour shortage, and the right plan for properly determining what skills they need, and filling specialized positions like these, may be missing. They have a challenge in front of them, for sure; a lot of federal organizations do, but it starts with a good plan.
Senator Forest: Thank you.
[English]
Senator Smith: Welcome, Ms. Hogan and all of your excellent support staff.
Your audit of professional services contracts reveals that many federal organizations, especially those issuing non-competitive contracts, do not have proactive processes in place to identify or manage conflicts of interest. This is concerning because it potentially undermines fairness and integrity in the procurement process.
Could you explain why the lack of conflict of interest monitoring across the government is a significant issue, and in which departments or agencies is this problem more prevalent?
Ms. Hogan: I’m going to look to Mr. Swales in case I misspeak. Hopefully, he’ll correct me if I do.
What we found here was there was a mixed practice when it came to conflicts of interest. At the foundation, departments and agencies said they relied on the annual declaration that a public servant makes every year. What we were looking for was something more focused and specific to a procurement process.
We saw varied practices, even when it came to the Crown corporations. We actually highlighted that Export Development Canada had a good practice here, where they asked individuals involved in issuing contracts, whether it be competitive or non-competitive, to proactively fill out whether they believed they had any conflicts of interest linked to the procurement process.
We made a recommendation to the government to require that — over and above the annual declaration — to cause anyone involved in the procurement process to take a step back and think, “Do I have to declare that, potentially, I have a perceived or real conflict of interest here?” Therefore, it can be well managed. When they’re not declared, they’re not well managed.
Sometimes perception is worse than reality. It’s important to have these conversations.
Mr. Swales, do you want to add anything?
Nicholas Swales, Principal, Office of the Auditor General of Canada: The only thing I would add is what we saw was very inconsistent behaviour. You had these specific declarations for some competitions run by departments and agencies, but not others. Then you had them for competitive scenarios, but not non-competitive ones.
The logic underlying that approach was not consistent for us and needed to be made more so.
Senator Smith: I’m not sure if this is repetitive, but you note in your report that departments and agencies relied on the annual proactive disclosure, which you talked about, and conflict of interest declarations. A lot can happen in a year. I’m wondering why many departments would rely on yearly disclosure for conflicts of interest. Why wouldn’t they report it as soon as they see it?
Ms. Hogan: It’s a great question to ask some of them.
As Mr. Swales pointed out, we saw varied processes. Some would do it, and some wouldn’t. We made a recommendation so that it is more consistently done.
Senator Smith: Did you receive any justification or feedback about justification for this type of practice?
Ms. Hogan: I’ll turn to you, Mr. Swales.
Mr. Swales: No. We simply saw that there were different practices and policies in the case of Crown corporations.
Senator Smith: Do you inspect practices either at the provincial level or in other jurisdictions that the federal government could look to in terms of proactive disclosure so that you could improve the process?
Ms. Hogan: As I mentioned, I don’t think we need to go to other levels of government. We’re seeing it in the federal government. There were some departments and agencies that were proactive. There were some Crown corporations that were proactive. The tools exist here. It is just about consistency and, I think, requiring them.
One of the changes that happened following our audit was — or I think it was just before our audit was released — Public Services and Procurement Canada brought out a few extra requirements. One of them is certification by individuals at the end of a procurement process to verify that they have done everything they were supposed to do. That reminder about what you are accountable for and your roles and responsibilities will hopefully help improve this.
Senator Smith: Is this just an attitude problem, or is this an actual process that some of these departments use to avoid any form of additional scrutiny or just operating? It just seems unbelievable that you would have these types of situations where given the size of these departments and the money that is being granted to these people to do work, this could happen.
Ms. Hogan: I’m sure that Mr. Hayes is going to want to jump in to talk about values and ethics in the public service, and I think it is a bigger, broader conversation that has been ongoing.
For many of the public servants whom I cross during our audits, they are incredibly well intentioned and want to do right by Canadians, and that’s why when it comes to contracting, we have to figure out why we saw what is happening in the public service and really get to the root cause of it: Are people just trying to deliver quickly, so they’re circumventing the rules, or do they just not know about all of the rules, or are they intentionally trying to avoid them?
Senator Smith: Does this fall under the responsibility of senior management within the various departments?
Andrew Hayes, Deputy Auditor General, Office of the Auditor General of Canada: That is certainly part of it. Managers should be ensuring that the people who are working on these procurements are declaring their conflicts of interest, real or perceived, in a timely way. It shouldn’t be just a tick-box exercise. It should be done up front before decisions are made on contracts. One of the recommendations that we made is geared toward that.
I think what is probably happening is that there are a lot of things to do in procurement, and conflict of interest hasn’t been a central feature of it. Some of the reports that we have brought forward, whether it is the ArriveCAN report, the McKinsey report or the SDTC report, have really shone a light on this. We’re hoping with the increased attention that the Clerk of the Privy Council has put on values and ethics, plus our recommendations, there will be a marked improvement.
[Translation]
Senator Boudreau: I have a general question. I have a little experience at the provincial level, but not so much the federal, so the system may operate a bit differently. There does seem to be a somewhat systemic situation, with 20 organizations and 97 contracts over a 12-year period under two different governments. I understand the role of the Office of the Auditor General, which does occasional research into various cases, but what is the role of the Office of the Comptroller General of Canada in this regard? As I understand it, at least in New Brunswick, they are supposed to oversee what goes on. Is something missing there, or has the role of the Office of the Comptroller General been taken into consideration in this situation?
Ms. Hogan: The Office of the Comptroller General has an internal audit group that does government-wide horizontal audits. Each department and organization, be it a Crown corporation or a department, does its own internal audits of the contracting process. In this case, there really are regulations that were not followed. That might have been found by internal audits. There has to be a proper balance. Often, the internal audit groups look at issues from the perspective more of supporting the deputy minister, but they also have to look at the essentials and mechanisms from time to time. I think that is sometimes forgotten in internal audits.
Senator Boudreau: In this case, I would say the essentials and mechanisms were missing.
[English]
The nuts and bolts were missed.
[Translation]
That is the crux of the problem, isn’t it? If your office had waited 20 years to do this study, would the same problems have kept recurring for 20 years? Someone should have realized what was happening over the years, whether at the Treasury Board Secretariat of Canada, at the Department of Finance, or at the Office of the Comptroller General.
Ms. Hogan: Treasury Board makes the policies and the Office of the Comptroller General is part of the Treasury Board Secretariat. So they make policies too. Yes, they give advice for making sure policies are followed correctly, but it is really the deputy minister who is responsible for making sure that the department follows all the rules and policies. Our office often reviews the contracting process. We often find issues. That is why I say that, in my opinion, the problem is not limited to the contracts issued to McKinsey & Company and we would see the same thing in other contracts. This is when to make sure that everyone working in groups that handle contracting are familiar with the rules. Sometimes, a brief general reminder is important.
Senator Boudreau: Okay, thank you.
The Chair: A brief reminder. I am going to wait my turn.
Senator Dalphond: It was a long time for the McKinsey contracts. There are 97 contracts and we are talking about $200 million. That makes an average of $2 million per contract. I see in the detailed contract list that there are some for $25,000 and others that were for $24 million. We are not talking about the same kind of contract. When the amounts are small, like $25,000 or $50,000 or $100,000 or $1 million, for a department that administers $1 billion, then $1 million is below the audit threshold. Is there a culture of slacking when the amounts are small, or are our approval requirements too high? If it says $20,000 needs two authorizations, should it be $100,000 instead of $25,000? That would mean having fewer situations of non‑compliance with the rules for small contracts, as compared to big ones.
Ms. Hogan: The rules for contracting have a threshold. It used to be that if it was under $25,000, a non-competitive process was acceptable. The threshold was raised to $40,000 because you can’t buy a lot with $25,000 these days. I would still have expected there to be some accountability, even if a department is spending $25,000. When it goes over the threshold, it is recommended that it be a competitive process, but we found that most of the contracts issued to McKinsey were issued non-competitively.
In that case, I expect to get an explanation about the need for the contract and the reason why that supplier was chosen. That is often what is missing; that is why we concluded that proof of value for money was often missing in the contracting process.
Senator Dalphond: Is the threshold too low?
Ms. Hogan: It is not up to me to decide the threshold that will be set in the policy.
Senator Dalphond: I understand it with $25 million, but for $100,000 it takes 56 authorizations and 56 accountability processes. I get the feeling that the government will be devoting more money to processes and accountability than the amount being spent.
Ms. Hogan: That is why I think the government should take a step back and review the rules. We often do audits of contracting processes and also of departments. I get the feeling that one requirement keeps getting piled on top of another. It is time to take a step back and ask whether there are some that are no longer necessary because of a change in the process, or other rules are more effective. That step back has not been taken. That is why I always say that I would like the government to take a step back and evaluate the existing policies before adding more because it is clear, with the requirements that exist right now, that they are not always followed. If a rule is not followed, maybe it is because there are too many rules, or maybe because they are too complicated.
Senator Dalphond: What I’m afraid of is that the machine will add more layers of rules and oversight, but for the same tender.
I think I have read in the papers, and I know you did not review this, that McKinsey was a small services supplier as compared to a lot of other suppliers, in particular certain big accounting firms that have consultancies. Am I to understand that we would find the same kind of problems if we looked at those contracts?
Ms. Hogan: I would expect to make similar findings. We included two graphs in our report to answer the question you are asking us, to show that the funds spent on professional services during the audit period came to about $68 billion; McKinsey accounted for 0.3% of those contracts. So it is a small supplier. If we see things missing for a small supplier, I would expect to see then in other contracts as well.
Senator Dalphond: Thank you.
[English]
Senator Loffreda: Thank you for being here, Ms. Hogan and team. My question is about Report 5—Professional Services Contracts, and with respect to that, I want to further explore your assessment that organizations’ contracting policies often did not promote value for money. Ensuring public funds are spent with due regard to value for money is one of the main objectives of our National Finance Committee, particularly when we review the government’s spending priorities through the estimates cycle.
I was struck by the fact that 45% of the procurement files you sampled for value for money lacked sufficient documentation to justify the need for a contract and that some contracts failed to include a clear statement about what the contract would deliver.
Can you speak to us about those findings? What remedial measures would you recommend and need to be implemented in such cases to guarantee value for money and to ensure departments receive all expected deliverables?
I say that what you allow, you empower. How are we not allowing this to happen in the future, and how did they justify this decision?
Ms. Hogan: You did a great job of summarizing the aspects we looked at when we were trying to determine if the government had received value for money on these contracts. In the sample we looked at, we had at least one or two issues out of the three where we couldn’t show proof that the best value for money had been received.
I think it starts with the first one: justifying why you need the contract. Is the contract needed to increase capacity or fill a skills gap that you might have? That would be a good reason for why you would go out and procure professional services. Then you need a clear statement of work so that it is very clear what you expect in return, and you can evaluate if you received those goods and services. For me, those are really basic elements when it comes to managing a contract and determining if value for money had been achieved.
We didn’t issue recommendations around this because there is a lot out there already in this area. These are practices that should be there. When they transition away from professional services, I would also like to see the government think about how to bring those skills and competencies into the public service so that you don’t continue to establish the need to rely on external vendors, and you can bring the skills into the public service for the future.
Senator Loffreda: As part of our committee’s review of the Main Estimates and supplementary estimates, I have often raised the question of cybercrime with senior public servants and our ability to deter, investigate and prosecute criminals. In your report, you note that the RCMP had not built the capacity needed to combat the growing issue of cybercrime, and it may not have enough people with the skills needed to conduct cybercrime investigations.
As part of your audit, what are some of the staff recruitment and retention challenges you observed at the RCMP that makes plain its difficulty in addressing cybercrime? Could this be corrected in the future? Cybercrime is a main concern in today’s world, and we all know why, without getting into it. Does the RCMP have sufficient funds to adequately compensate its staff and remain competitive in the job market? You make a good point; I have a note to go to number 19, but you read it in your opening statement, and you know what it is about: They struggle to staff their cybercrime investigative teams. I won’t read it completely, as you know which statement I’m referring to.
Ms. Hogan: It is important to note that we didn’t do a staffing or labour audit when we were looking at cybercrime here. We found that the RCMP is missing not only the talent that it needs — the capacity to handle cybercrime — but it is also missing some of the tools in order to be effective at responding to cybercrime.
This isn’t about prevention or education. It is about what to do once something has been reported. We asked them why around 30% of their cybercrime investigative team positions are vacant, and they noted to us that it was competitive pricing — having the competitive salary to attract the talent that they needed. That’s why I think it is important that they do a market analysis and that they also have a more comprehensive plan to staff. They do have recruiting challenges at the RCMP. We found this in other audits, whether it is on Indigenous policing or on this. There is a need for them to step back and figure out which skills they need where and then try to meet those.
Senator Loffreda: Did you ask why the recruiting challenges were there?
Ms. Hogan: We talk about it in generalities, but, as I say, that’s not what we were looking at here in this audit. It could be here that it’s the skills gap — it’s a very specialized set of skills. If the salaries are not competitive, that will make it difficult. It could be other instances of where the work is and the remote nature of it. I think there are many issues that the RCMP faces when it comes to staffing, and I’m sure if you invite them, they would be happy to elaborate. They would be the experts on the challenges that they face.
Senator Loffreda: Thank you.
Senator MacAdam: First, I want to thank you for being here, and I want to thank you for your service to Canadians. These are three excellent reports.
I have a question on professional services contracts first. You made a recommendation focused on conflict of interest, and we talked a bit about that earlier. I’m just going to read the recommendation:
To effectively monitor and ensure that officials involved in the procurement process do not have conflicts of interest, all federal organizations that have not already done so should implement a proactive process to identify actual or perceived conflicts of interest in the procurement process and should retain the result of such a process and completed conflict-of-interest declarations in the procurement file.
I looked at the “Recommendation and Responses” section of your report, and I noted the recommendation was accepted by the relevant departments — I think it was mostly Crown corporations in this case. Regarding the responses that are in the report, are those all the entities that did not comply?
Ms. Hogan: In this audit, the 20 organizations were all the ones that had reported that they had contracts with McKinsey & Company. There was one organization, the Canada Pension Plan Investment Board, that did not participate. We are not their auditors, so I couldn’t tell you if they had contracts or how they may have handled those contracts. These are the 20 that have McKinsey contracts, so we would have expected all of those who didn’t have this process to respond and agree to the recommendation.
Mr. Hayes: All the Crown corporations responded, but there was a global response on behalf of the government by the Treasury Board of Canada Secretariat.
Senator MacAdam: And they agreed with the recommendation as well?
Ms. Hogan: They agreed that an annual declaration should be different from when you’re sitting down and looking at a procurement process that involves individual corporations and vendors. You need to know whether or not you have relationships there that might impede your impartiality and fairness.
Senator MacAdam: It is noted in your report that you didn’t repeat recommendations that had been made earlier or work that was done, any kind of reviews —
Ms. Hogan: The Procurement Ombud was also looking at contracts, so we didn’t feel it necessary to repeat a recommendation that already existed. We expect they would all be implemented.
Senator MacAdam: This is the only recommendation in the report. Will you be following up with all organizations that didn’t comply, and when would you expect to do that in terms of your following up on past audits? You have a cyclical process.
Mr. Hayes: Conflicts of interest are going to be a feature of the work we do. It has obviously become front and centre for the government and, by extension, for us.
With the Crown corporations, our annual audit work in the Crowns will cover some of this. We’re not always in the Crown corporations for performance audits, but when we do future procurement performance audits in the government, we’ll definitely be looking at conflict of interest as part of that.
Senator MacAdam: So you will build it into your future audits.
When you were looking at these contracts, you looked at contracts that were awarded by Crown corporations as well as departments. Did you find a difference between the value for money regarding Crown corporations versus departments in terms of the problems that you identified?
Ms. Hogan: I think you would start off with the fact that many Crown corporations set their own procurement rules, so they don’t follow the Treasury Board policies for procurement, and there you have to hold them to their expectations. They aren’t always as clear, and many don’t require justification if it’s going to go non-competitive. Whereas in the departmental space, that’s an absolute requirement.
But I would still expect that everyone would be making sure that a contract is needed, and they would be following up on deliverables and have clear statements of work. Our findings around value for money included some Crowns as well as departments, so what we found was across the whole group of them. More than half of them could not meet the expectation of demonstrating that value for money existed in their contracts.
Senator MacAdam: You mentioned that with non‑competitive contracts, there was not enough justification for them not to be competitively bid. You couldn’t see the documentation to support the justification, but were there any that were not competitively bid and you could see it met the eligibility criteria for not having to be competitively bid?
Ms. Hogan: I could split it up for you between the Crown corporations and the departments. In the Crown corporations, about 50% of the time, we didn’t see a justification for non‑competitive contracts. But as I say, sometimes their own rules didn’t require it.
In the departments, it would have been about 95% of the time, but most of those were linked to a national master standing offer, or NMSO. I think there was confusion. It’s a vehicle that exists within Public Services and Procurement Canada that departments can tap into, and it’s meant to reduce the time to contract. Many of those departments didn’t understand that when they called upon the NMSO, that was the issuance of the contract — the NMSO was not a contract in and of itself — so they didn’t do that justification.
But during our audit, Public Services and Procurement Canada made it very clear that they should justify that. Since then, most of these standing offers have been cancelled, and new ones are in the process of being put into place. I think everyone agrees they have to be clearer now when they use it, and they explain why it’s this vendor and why it’s these services.
Senator MacAdam: Thank you.
[Translation]
The Chair: I would like to confirm something: you do not audit the Public Sector Pension Investment Board, PSP Investments?
Ms. Hogan: We audit PSP Investments, but not CPP Investments. I’m sorry, I don’t know the acronyms in French.
The Chair: You do the public sector employees pension fund, but not the Canada Pension Plan pension fund.
Ms. Hogan: We are not the auditors for that fund.
The Chair: Okay. I wanted to be sure I had understood correctly.
[English]
Senator Osler: Thank you all for being here today. I have a two-part question. First, are you noticing consistent governance lapses throughout the audits that you did? Can you comment any further on internal controls? In Report 6—Sustainable Development Technology Canada, and also in Report 5 where you looked at the 20 federal organizations, including the 10 Crown corporations, is there consistency in internal controls amongst the different departments, organizations and foundations? And are those controls adequate in terms of scope, design, implementation and efficacy?
Ms. Hogan: That’s an enormous question to answer. When we looked at the McKinsey contracts, we were not looking at the controls in a corporation, so we would have been zeroing in on controls around contracting. I wouldn’t want to speak to the controls in general in the 20 departments and agencies. That’s what I mean; it’s pretty big to make that statement just by looking at procurement.
For sure I would tell you that I would have expected to see better follow-up and better quality processes within all of these organizations when it came to procurement. You should be pulling a sample of procurements every year to see whether this is happening. It should be a routine process to issue contracts. It shouldn’t be any different between contracts for goods and services or professional services. They should be the absolute same.
Do you want to add to that, Mr. Hayes, and then I can turn to governance?
Mr. Hayes: On controls, I would highlight two in particular that should be strengthened or followed up.
First, as we stated in the McKinsey report, it was 91% of contracts where we found the federal organizations did not perform sufficiently detailed cost estimate calculations before receiving proposals. It’s important to know how much you’re going to spend.
This was something else we found in the ArriveCAN audit, where there wasn’t a budget at the beginning of that project. When you don’t have a budget, it’s difficult to know whether you’re spending too much.
The other piece that I’ll signal is it’s important to ensure you are getting the goods or services in the contract. There’s a part of the Financial Administration Act that requires public servants to certify that the goods and services were delivered according to the contract. In both the McKinsey case and the ArriveCAN case, we found that there were weaknesses around ensuring that goods and services were delivered.
Those are two fundamental controls that we always look at.
Ms. Hogan: On your governance question, I’m not sure that I can speak to governance around the professional services contracts. That’s a routine process.
But definitely on Sustainable Development Technology Canada, we saw a significant lapse in governance and in stewardship of public funds. The board of directors, in my view, failed to comply with the legal requirements and their own enabling legislation. For me, that was a real failure of governance, even in the management of conflict of interest.
There was a similar failure in governance in our ArriveCAN work, so I think it does depend on the scope of the audit. On ArriveCAN, it would have been around disregarding good financial management control, good budgeting and what you do when you have a new IT system. There were just so many governance failures in that audit as well.
I wouldn’t tell you it’s in all of them, but at times when we have seen it lately, it’s been pretty glaring.
Senator Osler: I think it was that major governance lapse that made me then look up Report 6, and I noticed that Report 6 contained 15 recommendations, 13 of which SDTC agreed with, and there were 2 recommendations where they only partially agreed. Can you comment on their partial recommendations and their response to your recommendations, and is that satisfactory in your opinion?
Ms. Hogan: I want to refresh my memory on the partial recommendations. I have a good memory, but every so often —
Senator Osler: It is Recommendation 6.26 and Recommendation 6.29. They agreed with all your other recommendations.
Ms. Hogan: Yes. One of them is we think they should go back and look at all the projects to determine whether they met the eligibility requirement.
While they have said that they partially agreed, I have been watching the testimony from the three new interim board members who have been named. The foundation has decided, based on the guidance of those three board members, to go ahead and look at all of them. No, I was not satisfied with a partial agreement. Right now, they are doing that assessment. I’m happy to hear that.
Do you want to look at the next one for me? Thank you.
Mr. Hayes: For the recommendation about reassessing projects approved, one of the reasons why SDTC didn’t agree fully was they believed the written records did not fully capture the robust deliberations that were taking place at the project approval stages. From our perspective, that’s unsatisfactory. Those discussions should be documented. The reasons for awarding public funds should be clear. Everybody should be accountable for it. While there is a partial disagreement there, the principle is they should be documenting everything.
Senator Osler: Thank you.
Senator Pate: Thank you to all of you for your work.
My colleagues have covered well some of the issues around the McKinsey contracts and other areas. I’d like to talk to you about your audits of the Correctional Service of Canada. Thank you for those. You’ve done a tremendous job in the past. The past few weeks have made it clear that we’re witnessing a virtual erosion of external accountability for the Correctional Service of Canada.
Regarding the ministerial advisory body that was put in place to monitor the implementation of Bill C-83, its mandate ended. There’s been no follow-up to that. They issued a report showing the law was not being followed, and the intent of the legislation they were monitoring was being subverted.
This week, I received calls from independent external decision makers who were hired on contract to review the decisions of corrections to place people in structured intervention units — the replacement for segregation that was brought in. The perception is this: For those who had not rubber-stamped corrections’ decisions, their contracts weren’t renewed.
There’s a real question of what kind of oversight is likely to be in place as a result of some of these non-renewals of contracts, if I can put it that way, which is slightly different than the McKinsey case, obviously.
Given the history within corrections and with other kinds of external decision makers, like independent chairpeople who were supposed to be appointed at each prison to oversee serious charges, and given the fact that many of those have not been appointed — in fact, wardens have taken on that position — is there any move afoot to be looking at that kind of issue in terms of conflicts of interest and how contracts are being awarded, if they’re being awarded to former corrections employees? This has been somewhat the case in terms of the independent external decision makers whose contracts have been renewed. Also, what is the overall objective of those positions when they’re being provided? It strikes me we’re in a moment where that kind of oversight is needed.
To juxtapose it, there are numerous court cases being mounted about the lack of oversight and the breaches of the law that are happening as a result. It strikes me there’s an accountability mechanism there, and it might be useful to have the Auditor General weigh in on this.
Ms. Hogan: I thank the honourable senator for sharing your perspectives on that.
We did do some work on corrections a few years ago. It focused on the outcomes for individuals incarcerated. We definitely saw there were systemic issues and there were differential outcomes based on race and ethnicity.
It was a difficult audit and difficult findings. We issued many recommendations. We’re always wondering when is the right time to go back and relook at that.
You are helping us consider this: Do we move that up in the time frame and maybe what we scope in it? I thank you for sharing your perspectives. All I can say is we’ll take it under advisement as we look at our work plan in the coming years.
Senator Pate: Thank you. It’s precisely because of the thoroughness and the value that those audits provide to many who are trying to do some of this work, and I think a proactive approach by corrections would be more advantageous for Canadian taxpayers as well, frankly, rather than pay now or pay later — and more later. Thank you.
[Translation]
The Chair: I have two questions. The first comes from Senator Marshall. You will see the difference between a former auditor general and a lawyer. Senator Marshall’s question is this.
[English]
Have you signed off on the public account for the last fiscal year: 2023-24?
Ms. Hogan: You’ll probably see in our responses the difference between being an auditor general and being a lawyer when we provide answers.
No, we have not signed off on our independent auditor’s report on the Government of Canada’s 2024 financial statements. The government has not closed its books. The government needs to close its books and complete its financial statements before we can complete our audit work and issue an audit opinion on those financial statements.
[Translation]
The Chair: That’s a fairly long time, because the fiscal year ended seven months ago. Do you see this often?
Ms. Hogan: Ordinarily, we sign our independent auditors’ report in September, so it has been a bit longer. There are accounting issues that the government is trying to resolve and it is really their process. I kind of follow them in that process. They have to close their books and finish their financial statements for me to be able to complete my audit.
The Chair: And now the lawyer’s question. You noted in several places that justification was not included in the contracts. You say:
The need for a contract was often not documented: in 15 of the 33 contracts sampled by the office, the procurement files lacked sufficient documentation to justify the need for a contract.
That is a big finding; this is public money. Did you consider recommending that the case be referred to the RCMP?
Ms. Hogan: Three issues were taken into account when we considered whether there had been value received for the taxpayers’ money that was spent, and yes, in 45% of the cases, there was no explanation about the need for the contract.
I said earlier that it is important to know whether the purpose of the contract was to fill a gap in needs. If there is a need to increase capacity, it’s very temporary; you don’t want to hire someone full-time when the need is just to increase capacity or when there is no skills gap. What you might expect after that, when you know the justification for the contract, is to know that there are deliverables that would be a bit different. Was what was needed a skills transfer, or was it just a need to increase capacity?
Without asking that, it is hard to assess whether there was value. Our office has undergone the same process to determine whether we too considered the justification when we want to award a contract. Sometimes we did and sometimes we didn’t. I have asked that we improve in this regard, because it is important to take a step back, to see whether we have the capacity and skills within the public service before going outside for it. These rules exist, so I expect them to be followed.
The Chair: You produced another widely publicized report because of the Green Fund issue. When I read your report and I look at the Green Fund report, I see similarities, such as the issue of conflicts of interests or the risk of conflicts of interest, and the issue of justification. Am I mistaken, or are there points of similarity? The organization has been shut down, but we really should not be shutting down our government departments.
Ms. Hogan: In my opinion, the issues are somewhat similar. Both reports address conflicts of interest, but I would say that the findings were very different.
In professional services contracts, you want to increase transparency on the part of public servants to ensure that there is proactive disclosure. What we saw in Sustainable Development Technology Canada was that there were very elaborate processes for managing conflicts of interest, but they were not followed. In 90 cases, we saw that members of the board of directors who had disclosed conflicts of interest nevertheless voted to give money in those situations. Proactive disclosure is a very different situation from not managing a conflict of interest properly. No one should receive a benefit from public funds as a result of their vote. I would expect that really to be better managed in the foundation. I am encouraged by the fact that the projects will now be transferred to the public service in order to improve transparency and accountability.
The Chair: So we hope. In the documents that were provided about the Green Fund specifically, a number were redacted. That is one reason among others why there are issues on the other side. Have you seen the unredacted documents?
Ms. Hogan: Yes, absolutely. The documents we received from the foundation and the department were not redacted at all.
The Chair: Okay.
Ms. Hogan: We have seen all the documents. I have very broad access to protected documents and the act that my office administers contains a provision that requires that I make sure that their documents’ security classification is adhered to. We received unredacted documents.
The Chair: Perfect, thank you.
Senator Forest: In somewhat the same vein, one of the big questions I wonder about here relates to responsibility. That even goes back to the Phoenix payroll system; at some point, people have to be responsible within the organizations. The Green Fund has been shut down, but I think there was a lax attitude on the part of the board of directors, there was a lax attitude among the managers who saw it all going on and failed to react. In terms of the responsibility of organizations or departments, if, for example, I am responsible for supervising an organization and I fail to do it, it seems to me that there has to be responsibility somewhere. I am not sensing it, this responsibility, within our public administration.
Ms. Hogan: I think it depends on the situation. As I said earlier, most of the public servants we work with during our audits really do exhibit good will and accountability. When it comes to contracting, however, there are a lot of rules that have to be followed and there is really a failure to follow those rules. What we saw at Sustainable Development Technology Canada was really, in my opinion, extremely significant defects in management and responsibility on the part of the board. Conflicts of interest should have been managed better. There are funds that were given to companies that were not eligible, and I would expect that public funds would be managed better.
Senator Forest: I do not doubt that a very large majority of public servants are good managers, except that at some point…. Your instinct, to ask yourself, “In our own organization, are we following our rules?” — that is an instinctive reaction that senior public servants should have as a matter of course; we would expect that, given their responsibilities in relation to these public funds, they would take this kind of responsibility and have this instinctive reaction, and nobody would be telling themselves to close their eyes. We are talking about 11 years, in the case of McKinsey, or 12 years, and it just slipped through. Something is both fascinating and worrisome.
Ms. Hogan: That is not one of the reports we are discussing today, but if I look at our report on ArriveCAN, I think that is why it is a bit frustrating to ask who is responsible. That is the question everyone is asking themselves: Who made the decision? That is why we said in our report that when a public servant signs their name to documents, we have to recognize that this carries a responsibility and acknowledge the responsibilities that come with signing. If you are not comfortable signing, you should raise that concern. There is a whole mechanism for public servants to be able to raise concerns like these. That is why the discussion about values and ethics in the public service is so important.
Senator Forest: I have one last question on another subject. We are in the process of writing our report on the main estimates. In the testimony heard, several agents of the government told us they were not satisfied with how things are done and with budgets. You said this was not necessarily the case, but our report may be going to tackle that subject. Do you have any recommendations to make regarding the way agents of the government are funded?
Ms. Hogan: Agents of Parliament?
Senator Forest: Yes.
Ms. Hogan: Like our office?
Senator Forest: Exactly. Independent agencies like yours.
Ms. Hogan: I think I was very clear. I think I have been very clear for the last four years. I have the funding that I have, to manage my office at this time. There are a lot of subjects that could be audited. Like any agent of Parliament, I would tell you that if you want to give me more money, I will do more with it. I would expect that agents of Parliament have a funding mechanism that is independent of the departments they audit. In our case, we are accountable to the Department of Finance. I do not want our funding system to not include accountability, but I think we should not apply for funding to a department that we audit.
Senator Forest: Thank you. It was specific this year, since several agents that wanted to have a degree of independence for carrying out their mandate voiced some concern about that.
Ms. Hogan: Some agents of Parliament have an independent funding mechanism. However, those agents still have accountability, and there are some others, like our office, that do not.
Senator Forest: Thank you, and keep up the excellent work.
[English]
Senator Smith: One of the key findings of your report on combatting cybercrime is that the current system of reporting these crimes is confusing, as many are reported to the wrong organization. You noted that, in many instances, organizations that receive these reports do not follow up with the individuals to help them report their concerns to the right organization.
My gut feeling leads me to say that our policy and security agencies seem to be working in silos, possibly without the proper collaboration.
Can you speak to this concern that you share and why it poses a risk to the safety of Canadians?
Ms. Hogan: One of our main findings in this audit is that Canada’s response to cybercrime is hindered by the siloed and disconnected approach that we’re seeing across the organizations that are responsible in this space.
I’ll tell you that many of them don’t have the capacities and the tools, but what makes it confusing for a Canadian is not knowing where to report. Many of these organizations identified that having that one single point to report and then letting the federal government sort out the entity that is best equipped to respond is what should happen. However, it hasn’t happened, and that is why we issued a recommendation. We would really like to see that happen.
Canadians should report a crime. I would imagine that, right now, they’re frustrated, wondering what happened to their reports. We use some examples: The Communications Security Establishment Canada said that about half of the reports that they received were not within their mandate because an individual was reporting it when they’re responsible for critical infrastructure and businesses. Some of them wrote back to the individual, but for thousands, they did not.
I would have expected that they would at least have passed it along to the organization that perhaps would be best equipped, but that was not happening. They told us that, for privacy reasons, they weren’t going to be sharing that information. However, that leaves Canadians confused and frustrated. I hope they will implement this one single point to make it easier for Canadians.
The RCMP has found that, I think, 5% to 10% of cybercrimes are actually being reported. Wouldn’t it be better if law enforcement had all of this information, then they could act on it? I would encourage Canadians to report, but I would encourage the government to make it easier for them to do so.
Senator Smith: You have a mandate to do certain things in terms of your analysis, and maybe I’m talking out of turn, but is there any way that you could recommend that these organizations improve information sharing and coordination? Is that outside of your mandate? Or is that something where if you are able to pinpoint two or three areas that could be of major benefit to these organizations, why not?
Ms. Hogan: We absolutely did tell them to do better information sharing. What we actually saw was that there was good information sharing internationally, but within the federal family, that information sharing wasn’t happening at all or effectively.
As I mentioned, often privacy rules were cited for that, and that’s why in order to eliminate those issues, you should have everything come in at one point and then have someone decide who is the organization best equipped with the skills, the competencies and the mandate to respond to this reporting of crime.
Senator Smith: You noted in your report on combatting cybercrime that the RCMP was failing to adequately staff its investigative teams. You also noted in your opening remarks that hiring more people and setting aside more money is not necessarily going to fix the many issues you brought to light in your audits.
On one hand, there seems to be a lack of — I don’t want to say qualified public servants. But on the other hand, it seems there is a rapidly growing federal public service over the last few years without necessarily higher levels of productivity. Productivity seems to be an issue, and I would like your thoughts — or maybe some outside points of view — on the human resource plan, or lack thereof, from the federal government.
Is this something that you have looked at? Are you concerned, or is this outside of your mandate?
Ms. Hogan: Writ large, across the federal public service, I have not looked at a human resource plan. We did note in the cybercrime audit that the RCMP needs a comprehensive one that includes identifying the unique skills that they need in cybercrime but also in other areas as well.
I said it wasn’t about more money; they have the money. They just have vacant positions, right? So it is about attracting into the public service the skills that are needed.
Just speaking in generalities, if I step back, I would tell you that across the public service, we need to look at the skills and competencies that we need for the future. You can train existing public servants, and you can also bring in public servants with the skills that are missing. I would like to see that happen, writ large, but I haven’t looked at it.
One thing I could tell you is that we are looking at an RCMP recruitment audit in the spring of 2026, so hopefully we’ll be able to answer some of the questions that have been asked here, because we have seen it in a few of our audits, and we recognize that it is something that we can maybe do to help the RCMP.
Senator Smith: I always go back with my last point. In your remarks tonight, you emphasized that improving governance isn’t about adding more processes but about enforcing existing rules with the right expertise. I know some of these issues may be outside of the parameters of your mandate, but I just see that this is such a common-sense, obvious issue that needs to be reinforced at all levels through the leadership of not only you and your team, but also your ability to speak to other people within key positions of government. It just doesn’t seem to make sense that we get ourselves into this type of a position.
Ms. Hogan: All I can say is the honourable member makes wise statements.
I agree that we should, as a public service, be able to know the skills that we need and ensure that we have them in the right place to deliver services to Canadians, absolutely.
Senator Smith: Thank you.
[Translation]
The Chair: You say you are doing an audit of RCMP human resources or recruitment?
Ms. Hogan: RCMP recruitment.
The Chair: Are you also reviewing the Department of National Defence?
Ms. Hogan: We are currently doing an audit of Department of National Defence recruitment.
The Chair: Which is in progress, right.
Ms. Hogan: But there is another audit concerning RCMP recruitment a year later.
The Chair: Okay. We wear several hats here in the Senate, including national defence and security, and I know there are issues in both.
Ms. Hogan: We are reviewing both.
The Chair: Okay. Thank you.
[English]
Senator Loffreda: We covered a lot of areas this evening, but we didn’t talk much about Sustainable Development Technology Canada, or SDTC. Based on your report’s findings, it is clear that conflicts of interest at SDTC existed in some instances and that the foundation’s conflict-of-interest policies were not followed. We know, for example, the board of directors is required to declare potential conflicts of interest and must refrain from participating in any discussions regarding matters that could give rise to such a conflict.
Recognizing that SDTC reports to Parliament through the Minister of Innovation, Science and Industry, I would like you to explain to us the role of Innovation, Science and Economic Development Canada in monitoring conflicts of interest at the foundation, and what explains the department’s lack of properly assessing, challenging and monitoring conflicts of interest at SDTC? What failures did you uncover that should serve as a reminder of what not to do?
Ms. Hogan: There are a lot of questions in there.
Conflicts of interest at Sustainable Development Technology Canada, I think, were not well managed because they didn’t have an effective system to manage it. Their system was using the minutes of their board meetings to have a declaration and then, maybe many meetings later, to remember that someone had declared a conflict of interest.
We saw cases that were well managed where members of the board had declared a conflict of interest, and then they recused themselves, which is what we would expect to see when a discussion and a vote would happen, but in 90 cases, we did not see that happen.
When it comes to Innovation, Science and Economic Development Canada, or ISED, they were the department that was charged with monitoring compliance with the contribution agreement between the Government of Canada and the foundation. Specifically linked to conflict of interest, they were supposed to receive reports from the foundation. They didn’t get them, but they also didn’t ask for them when it came to conflicts of interest. They relied on the annual reporting around how much funds were going out the door and which organizations were receiving those funds, and, in our view, that was really lacking in good oversight of the spending.
During our audit, we saw the department take prompt action to try to fix some of these situations. In fact, they even had an assistant deputy minister, or ADM, who was present at the board meetings. What we saw was that there was a lack of understanding for what that role was. Board members thought that an individual’s presence was an implicit agreement with anything that happened at the board meeting, but that’s not how the ADM saw their responsibility.
Even throughout our audit, we saw clarity being brought to that, as this situation exists in other foundations where ISED has oversight. We did see the government react quickly to what we found, but in my view, it really boils down to the board of directors failing when it comes to good governance and then ISED needing to do better at monitoring these agreements on their side.
Senator Loffreda: They need to do better. Do you feel that they will do better? Once again, what you allow, you empower.
Going back to my audit days — this is way, way back — does it change the nature and extent of your audit once you do find irregularities or non-confirmation, especially in compliance issues as important as these?
I could talk about the McKinsey & Company contracts and what you recovered. Although the Deputy Minister of Public Services and Procurement does state that the Procurement Ombud has reviewed everything, and he found no instances of political interference, no wrongdoing and no fraud, yet here we are.
[Translation]
It leaps out at you, as they say.
[English]
You discovered all this. Everybody tells their own story. Does it change the nature and extent of your audit when you do find this? How do we ensure that we don’t allow this and we don’t empower it going forward?
Ms. Hogan: I think your first question was this: Do I have confidence that ISED is going to change things? We saw them reacting while we were auditing. They agreed with our recommendations. My expectation would be that they will carry through and follow through on their commitments.
Moving all of the projects to a department, I think, will improve some of the issues that we saw. There is a different governance structure, and there will be different monitoring. Hopefully, that will bring more transparency to some of the processes that we saw once everything moves over to a department.
You talked about political interference in McKinsey. We did not see any political interference when we looked at the McKinsey contracts. We did see one contract where a minister had approved it, but it was because the contract exceeded the thresholds that the department was allowed to contract for. It was absolutely appropriate what took place there.
Senator Loffreda: Thank you.
Ms. Hogan: I probably didn’t answer your extent question, actually. I know you had a third one, the nature and the extent. Thank you.
Senator Loffreda: That’s an important question.
Ms. Hogan: We set out to do work, and we don’t expect to find high levels of non-compliance. But when you do, you adjust. In some instances, you look at more of the population or all of the population. I mean, it really depends.
Senator Loffreda: Like we used to do in the corporate world.
Ms. Hogan: It absolutely impacts. And that’s why sometimes it even impacts the timing of when we release reports, because we need to do more work in order to get —
Senator Loffreda: Timing is adjusted according to what you find in the compliance testing, right? It is the same in your compliance audits.
Ms. Hogan: Yes, and when it comes to conflicts of interest, we would have expected to see that they would have followed their own policies, right? Their corporate records should have adequately reflected what transpired in the board meetings, but they did not.
Senator Loffreda: I’m glad to hear that it is extended and the samples are larger because you found irregularities, and hopefully we can follow up on it. Thank you.
[Translation]
The Chair: The stock exchange would be in free fall.
[English]
Senator Loffreda: There were consequences when things went wrong, so I think there have to be consequences also in order to correct — it’s consequences, accountability and transparency.
Senator MacAdam: I have a couple of questions on Report 7—Combatting Cybercrime. Your audit found that, in general, Canada’s cybersecurity workforce needs to be strengthened across organizations, and we have already talked about the 30% issue with the RCMP, as a lot of the cybercrime investigative team positions are vacant. Did you identify staffing shortages in any of the other organizations that have cybercrime-related responsibilities?
Ms. Hogan: When we looked at Communications Security Establishment Canada, there were some files that weren’t theirs which they didn’t act on. Also, at the Canadian Radio-television and Telecommunications Commission, or CRTC, there were many reports to them that they didn’t act on or didn’t funnel to another organization — they often told us that it was because of the capacity. So there were privacy rules and there was the capacity to deal with things.
If I give you an example, at the CRTC, they received a few hundreds of thousands of reports on violations of the anti-spam legislation. About 75,000 of those were potential cybercrime, and we saw that they only investigated six cases. They often said that it was because of capacity or wasn’t within their mandate to do that work, but then they didn’t send those reports to the right organization and didn’t tell the individual, “We can’t deal with this. You should report it somewhere else.” That, to me, is a concern for Canadians. They haven’t done an assessment if it is about capacity, but they explained that to us as one of their reasons why.
Senator MacAdam: Continuing on with the CRTC, you identified the CRTC as an organization involved with combatting cybercrime. At the House Standing Committee on Public Accounts, you noted that they are not yet part of the national cybersecurity strategy, and it would be important for them to be a part of it. In your opening remarks, you also mentioned that the CRTC has a narrow view of their role, I guess. Can you just elaborate on how that has impacted some of the findings, and what is the narrow view they have that has that impact on the service to Canadians?
Ms. Hogan: Hopefully, I get this right. If not, I’ll turn to Sami Hannoush to add something here. If you take a step back, when it comes to the CRTC’s role in the anti-spam legislation, the legislative scheme that is in place here — the role they play in managing the anti-spam legislation — was developed when cybercrime wasn’t as sophisticated as it is now. As many of us know, we receive spam emails, and many of those are really the gateway to a cybercrime. They are looking to get you to click on a link or to respond or send something. Those reports end up at the CRTC. Their narrow view is that they are just managing if someone violates the anti-spam legislation. They don’t have a criminal aspect to theirs. But they aren’t forwarding anything that might be of a criminal nature to law enforcement, citing either capacity or privacy reasons.
That is where their narrow interpretation really isn’t serving Canadians well. A Canadian believes they have reported a potential crime somewhere and then just doesn’t know what is happening to it. I got a head nod from Mr. Hannoush, so I don’t think I need to add anything.
Senator MacAdam: I’m assuming there is a recommendation on this, and do they agree with the recommendation?
Ms. Hogan: They don’t always agree with some of our findings for sure, but that’s why our recommendation was about making sure that their role in fighting cybercrime is clear. The fact that they don’t appear in the current draft of the national cybersecurity strategy is concerning when spam is really like a foot in on cybercrime. I would have expected that their role would have been more prominent and to make it clear to them the role that they play.
Senator MacAdam: Absolutely.
When you appeared before this committee last February, you spoke about four major areas where you would like to see the Auditor General Act modernized, including clarity around the office’s access to confidential information, your mandate involving Crown corporations and administrative elements including, for example, more inclusive language. These are just some of the ones that you mentioned. Have you had any further conversations, or is any of this moving forward? Are there any developments in this area?
Ms. Hogan: I might ask Mr. Hayes to jump in. He has been having some conversations. We always happily talk to everyone about things we’d like to see changed in our act — the main one being clarifying our access issues. That still remains in order to make sure that while we have broad access, it is very clear when and what type of access we should have. It is almost 50 years old and the act hasn’t been updated from that standpoint in a long time.
The view of giving us some flexibility with Crown corporations still exists, making special examinations a little more flexible for us, and making sure that it is clear that Crown corporations could be subject to performance audits is essential.
And then for that other bucket, I would tell you that there are many in there. There are two that are really important for me. One is making it clear that our reports should be and are required to be tabled in the Senate, bringing the Senate to an equal footing with the House. Right now, they are just required in the House, but we send them to both chambers all the time. I would like to clarify that in our act.
Dealing with the gender-neutral language in our act, for me, would be really key to do before my mandate is done. I don’t know, Mr. Hayes, if you want to talk about some of the conversations you have had.
Mr. Hayes: Yes. For the access point, that is a major irritant for us historically, and I would pinpoint it on our access to solicitor-client privilege information. That information becomes very important when we’re studying contingent liabilities in the context of the public accounts. It is important also when we’re doing performance audits, but if I were to say that there is one place where it really matters, it is in the context of the public accounts.
Over the course of the last 20 years, there have been a number of court decisions, including appellate court decisions, that talk about the importance of clear language when solicitor-client privilege information should be accessed. There are other examples in Canadian law — for example, the Auditor General of Nova Scotia has a very clear provision. The Auditor General of Ontario is now working through that as well. We have raised it with the Deputy Minister of Finance and the Deputy Minister of Justice that we need our act to be updated to stay with the times.
Senator MacAdam: Thank you.
Senator Osler: Ms. Hogan, I’m going to follow up on a comment you made after my previous question, and it follows up on some of the answers you gave to Senator Loffreda on the governance issues. You sound confident like they are being addressed, and I think you had mentioned that you watched or read testimony from the three new board members.
When I look at their website, it only lists 3 board directors instead of the required 15 voting directors, and there are 3 members instead of 15 members representing people, business and not-for-profits. When I look at the bios of the three members, all three served in the public service; I think all three were ADMs, and two of them were with Industry Canada.
I’m wondering if you can comment a little bit more on how they are addressing their governance lapses and what you have seen or read so far to give you confidence that they are addressing it in an appropriate manner.
Ms. Hogan: I haven’t done any work subsequent to the audit. I have been watching, obviously, the committee appearances when these individuals are there.
It is my understanding that this is a very interim state. It is a one-year mandate for these three board members to address the recommendations that were in our audit and to transition the employees and all of the files over to the public service. I think it stands to reason that it is not following its sort of enabling legislation because it is this interim period in order to move things forward.
Senator Osler: There was an external law review going on at the same time as your audit, was there not? An external firm was also reviewing this?
Ms. Hogan: There was a lot going on here. I could back it up to tell you that in February of 2023, we received allegations of financial mismanagement from prior employees. We shared those with the Privy Council Office because there were many Governor-in-Council appointees on the board of directors. They immediately asked the Department of Innovation, Science and Economic Development to do something.
In March of 2023, they hired a consultant to do a fact-finding mission. Then that consultant issued a report in September of that year. Then they hired a law firm in order to look at labour and employment practices. When we saw the response to all of these fact findings, we decided that we wanted to come in and do an audit, which is why we launched an audit, because we weren’t satisfied with the response of the foundation to some of the findings.
While we were there, the HR labour practice issued their report saying they didn’t find any concerns, so we focused in on the financial mismanagement. There was a lot going on around the foundation over the course of the last couple of years.
Mr. Hayes: I might just add that regarding one of the recommendations that we talked about before, which is the one that relates to reassessing all the projects, a representative of the board has spoken to me and Mr. Lequain about their plans. They wanted to check with us on how they were going to proceed, and we agreed that the way they were going to proceed made sense to us — not that we audited it, but that it made sense.
The board is interested in having the funding reinstated to eligible companies. They wanted to turn the tap back on, so to speak, for the eligible ones, and they wanted to ensure that we were on side with the principles that they were moving forward with.
Again, we can’t comment on the substantive approach that they are taking and the work that they have done, but, in principle, we felt comfortable with the way they’re going to approach things.
Senator Pate: Thank you. I want to come back to the cybercrime reports that you were looking at. It was a bit disturbing to see some of your findings and what was reported. You have mentioned that as well.
On Saturday, I am speaking at a conference of international psychiatrists, and right before my session is one on the links between cybercrime and people with autism. I’m reminded of this: We were just dealing with auto theft in the budget recently. Many of these measures focus on the easiest to catch, and I’m wondering whether any of your audits look at the effectiveness of interventions to actually address the long-standing issue, because going after kids with autism or even adults with autism who inadvertently, in some cases, get involved doesn’t capture where the real threats are, I would suggest.
You talked about infrastructure, but I want to focus particularly on the antiquated cyberinfrastructure, if I can say that, as most of our systems are 50 or 60 years old. Has there been an audit of how to most effectively update those, in part not just to look at cybercrime? It seems to me — I’m a techno twit, so you may say I have no idea what I’m talking about, and that would be true — if we have an updated system, we may have better intervention approaches and ones that rely less on people being able to make arbitrary decisions about who is reporting to whom and if there were streamlined approaches. I think of that, whether it is the police reporting systems or these kinds of systems. If I am totally wrong, just tell me. I’m clearly not in my lane right now.
Ms. Hogan: I feel like everyone at this table wants to help me answer this question, so I will let them jump in.
First, when it comes to sort of vulnerable populations, we have done work on outreach to vulnerable populations, and we do have an audit report coming up on services to seniors. We try to always think about those who are often forgotten, and we try to work that into as many reports as we can. At times, we do reports really just focused on them.
When it comes to cybercrime and the conversation about antiquated infrastructure, there are two things here. The cybercrime report was this: Once a crime has occurred or a potential crime has occurred, how is the federal government responding to that? The antiquated infrastructure, to me, would be more on the prevention and cybersecurity side versus the cybercrime side.
We have done two reports recently on the health of IT in the federal public service. I’m not sure if my findings will make you feel good, but there are something like 7,500 systems that are deemed critical which are considered to be in poor health by the public service. We focused on looking at the replacement for the Benefits Delivery Modernization, which is really looking at Old Age Security and so on.
There is a lot of effort spent repairing and maintaining these old systems. It is like having an old car. You can invest a lot of money in repairing and maintaining them, but eventually they might fail. So you really do need to think about when it is time to buy a new car. The government is seized with working on that now, but it is going to take a long time. We do not want to see a failure of the Old Age Security system because of how many individuals it supports.
I’m just going to let everyone else jump in and say something.
Mr. Hayes: I would highlight two other reports. A few years ago, we did a report on procurement of complex IT systems, and the Benefits Delivery Modernization programme was one of them. The process to replace the Phoenix pay system was also part of that report, and we’re keeping an eye on how the government is moving through that.
We also did an audit report on the protection of personal information in the cloud. While we couldn’t report all of our findings publicly to Parliament, we did write a management letter to some of those departments to highlight areas of vulnerability that we saw. We signalled to the House Standing Committee on Public Accounts as well that we had made a recommendation outside of the report, which we will follow up on and which we expect the Standing Committee on Public Accounts will ask us about. The purpose of that report was to dig into the guardrails that the public service should be implementing to ensure that personal information is protected.
All of these audits are being conducted early or midway in the process of government activity, and we’re going to continue to do that. Instead of looking back and saying, “They should have done this, that and the other thing,” we want to ensure we’re contributing while improvements need to be made.
[Translation]
The Chair: It reminds me of my former life, when I sat on the board of an institution where the saying was that, in any event, we didn’t need to worry about the systems being so old, because the pirates were too young to know about them. So they were protected because they were old.
Senator Boudreau: I also have a question about cybercrime and coming back to the RCMP’s national solution.
When we hear that $531 million was lost in 2022 and only 5% to 10% of the crimes were reported, the situation seems to me to be pretty serious.
You said in your report that deploying the national solution had been pushed back more than two years, to March 2025, which is only five and a half months away. That is not very far off. Typically, what we hear is that there is not enough money to do what is needed, but in your report, you say that on December 31, 2023, the RCMP still had almost $40 million to put into that project. There was also mention of human and technology resources gaps. How confident are you that the March 2025 date will be met by the RCMP? Does the fact that you did an audit on the subject mean that you can request an update in order to be sure? As I said earlier, there is still $40 million on the table, but March 2025 is not far off. What sort of answer or result are you expecting to get from the RCMP?
Ms. Hogan: It is very interesting software. The system is supposed to provide a comprehensive picture of cybercrime and facilitate information sharing with partners in the fight against cybercrime and also reporting by individuals. That should improve the RCMP’s response to cybercrime.
I don’t know whether an update is available, but we could always ask them. We completed our work in 2023, we submitted the report in June, and the update was done at that time. I would expect that they may have moved the project forward, but at the moment we do not have anything else. However, whenever a department appears before the Standing Committee on Public Accounts, it is required to provide a detailed action plan for implementing our recommendations. That might be a way for you to get more information about this. At the moment, we do not intend to do any follow-up on the software alone, but when we review the process of implementing all our recommendations, we will consider it as a question that really needs to be looked at.
Senator Boudreau: Okay.
The Chair: We have a few minutes left. Does anyone else have any questions or have we covered everything? I think we have.
Senator Forest: It’s not a question, it’s more of a clarification.
The board of directors, on the subject of the management of the Green Fund, is currently a transition board.
Ms. Hogan: I describe it that way because there are only three individuals —
Senator Forest: Exactly.
Ms. Hogan: — and their mandate is to address the recommendations and handle the transition of the employees and contracts to the public service.
Senator Forest: None of those three individuals was on the former board of directors?
Ms. Hogan: No, definitely not; they are three new members.
Senator Forest: Okay, thank you.
The Chair: Thank you for your work and your information; it is always invaluable. As an agent of Parliament, you are kind of our eyes and ears. Thank you for your excellent work.
Ms. Hogan: Thank you very much.
The Chair: Colleagues, our next meeting will be on Wednesday, October 30, at 6:45 p.m. We are off on Tuesday. Thanks to everyone for all the support, and I will see you on Wednesday.
(The meeting is adjourned.)