Spring 2024 Reports 5 to 7 of the Auditor General of Canada

Opening Statement before the Standing Senate Committee on National Finance

Spring 2024 Reports 5 to 7 of the Auditor General of Canada

23 October 2024

Karen Hogan, Fellow Chartered Professional AccountantFCPA
Auditor General of Canada

Mr. Chair, I am pleased to be here today to discuss the 3 reports that were tabled in Parliament in June. I first want to acknowledge that we are gathered in Ottawa on the traditional unceded territory of the Algonquin Anishinaabe people. I am accompanied today by Andrew Hayes, Deputy Auditor General, as well as Sami Hannoush, Mathieu Lequain, and Nicholas Swales, who were responsible for the audits.

I will begin with our audit of professional services contracts. It looked at whether federal contracts awarded to McKinsey & Company, between 2011 and 2023, complied with applicable policies and provided Canadians with value for the money spent. These contracts spanned 20 federal organizations, including 10 Crown corporations. The total value of contracts awarded to McKinsey & Company during the period we reviewed totalled $209 million, of which about $200 million was spent.

We found that the organizations awarding the contracts showed a frequent disregard for federal contracting and procurement policies and guidance. We also found that each organization’s own practices often did not demonstrate value for money.

The extent of non-compliance and risks to value for money varied across organizations. For example, in 10 of the 28 contracts that were awarded through a competitive process, we found that bid evaluations did not include enough information to support the selection of McKinsey & Company as the winning bidder.

When it came to non-competitive contracts, organizations often issued these without documenting the required justification for doing so. About 70% of the 97 contracts we looked at were awarded to McKinsey & Company as non‑competitive contracts, and their value was approximately $118 million.

When we sampled and reviewed 33 contracts to assess results, we found in more than half that one or more issues prevented organizations from demonstrating that the contracts had delivered value for the money. This included a failure to show why a contract was necessary, no clear statement of what the contract would deliver, or no confirmation that the government had received all expected deliverables.

We found that as the central purchasing and contracting agent and subject matter expert for the Government of Canada, Public Services and Procurement Canada did not challenge organizations when awarding some contracts on their behalf. The department did not challenge the organization requesting the contracts about whether the procurement strategy used was appropriate when multiple contracts were awarded to McKinsey & Company for a similar purpose and within a short period of time.

While this audit focused on contracts awarded to McKinsey & Company, it highlights basic requirements and good practices that all federal organizations should follow when procuring professional services on behalf of the Government of Canada. Federal contracting and procurement policies exist to ensure fairness, transparency, and value for Canadians—but they only work if they are followed.

Turning now to our audit of Sustainable Development Technology Canada, which looked at whether the foundation managed public funds in accordance with the terms and conditions of contribution agreements and its legislative mandate. We also looked at Innovation, Science and Economic Development Canada’s oversight and administration of public funds. Between March 2017 and December 2023, the foundation approved $856 million of funding to 420 projects.

The audit found that there were significant lapses in Sustainable Development Technology Canada’s governance and stewardship of public funds. Specifically, the foundation awarded $59 million to 10 projects that did not meet key requirements set out in the contribution agreements between the government and the foundation. These projects were ineligible for funding because, for example, they did not support the development or demonstration of a new technology, or the projected environmental benefits were overstated.

I am also very concerned by breakdowns in the foundation’s governance. The foundation was not always following conflict of interest policies, and it failed to comply with the Canada Foundation for Sustainable Development Technology Act.

The act requires the foundation to have a group of 15 members, separate from its board of directors, to represent Canadians and appoint most of the foundation's board. The audit determined that the foundation did not comply with the legislation because it had only 2 such members, instead of the required 15.

With respect to conflicts of interest, the foundation did not have an effective system to maintain its conflict-of-interest disclosures and related actions. Its own records show that in 90 cases, conflict-of-interest policies were not followed. These 90 cases were connected to approval decisions that awarded projects nearly $76 million in funding.

Like all organizations funded by Canadian taxpayers, Sustainable Development Technology Canada has a responsibility to conduct its business in a manner that is transparent, accountable, and compliant with legislation. Our findings show that when this doesn't happen, it's not always clear that funding decisions made on behalf of Canadian taxpayers were appropriate and justified.

Our final audit focused on combatting cybercrime. It looked at whether the Royal Canadian Mounted Police, Communications Security Establishment Canada, the Canadian Radio-television and Telecommunications Commission, and Public Safety Canada had the capacity and capability to effectively enforce laws against cybercrime activities and protect Canadians online.

We found that these organizations have neither the capacity nor the tools to effectively fight cybercrime, as cyberattacks grow in number and sophistication. Part of the issue is the federal government’s siloed and disconnected approach. We found breakdowns in response, coordination, tracking, and information sharing between and across the responsible organizations. In addition, given the links between spam and cybercrime, the Canadian Radio‑television and Telecommunications Commission's narrow view of its role has limited the extent to which it helps protect Canadians.

Effectively addressing cybercrime relies on incident reports going to the organizations best equipped to receive them and on those organizations acting on the reports. The current system for reporting cybercrime incidents is confusing, and it does not meet the needs of individuals reporting these crimes.

We found that many reports were made to the wrong organizations and that those organizations did not respond to individuals or redirect the reports they received. For example, Communications Security Establishment Canada told us that almost half of the 10,850 reports it received between 2021 and 2023 were out of its mandate because they related to individual Canadians and not to organizations. However, it did not follow up with many individuals to inform them to report their situation to another authority. While the Royal Canadian Mounted PoliceRCMP, Communications Security Establishment Canada, and Public Safety Canada have discussed implementing a much needed single point for Canadians to report cybercrime, this has yet to happen.

We also found that the RCMP struggled to staff its cybercrime investigative teams. We estimated that as of January 2024, close to one third of positions across all teams were vacant. In our view, having a plan to reduce human resource gaps across all organizations involved in fighting cybercrime, including the RCMP, is an important component of a National Cyber Security Strategy.

The takeaway from these reports is that when good governance is lacking, the remedy isn’t necessarily new processes or more people or money; it’s about applying the rules that exist and having the right people with the right expertise for the job.

Mr. Chair, this concludes my opening statement. We would be pleased to answer any questions the committee may have. Thank you.