2017 Spring Reports of the Auditor General of Canada to the Parliament of Canada Independent Audit ReportReport of the Auditor General of Canada to the Board of Directors of Defence Construction (1951) Limited—Special Examination—2016

2017 Spring Reports of the Auditor General of Canada to the Parliament of CanadaReport of the Auditor General of Canada to the Board of Directors of Defence Construction (1951) Limited—Special Examination—2016

Independent Audit Report

This report reproduces the special examination report that the Office of the Auditor General of Canada issued to Defence Construction (1951) Limited on 2 December 2016. The Office has not performed follow-up audit work on the matters raised in this reproduced report.

Introduction

Background

1. The defence of Canada involves military and non-military efforts that require extensive construction and engineering. For example, armouries, shipyards, hangars, and barracks must be built and upgraded to reflect changing requirements. Such projects often have unique requirements, especially for security, which in turn require a specific set of highly trained and qualified people.

2. The mandate of Defence Construction (1951) Limited (the Corporation) is to provide procurement, construction, professional, operational, and maintenance services in support of the defence of Canada. The main beneficiary of these services is the Department of National Defence, but the Corporation also provides services to the Canadian Forces Housing Agency, the Communications Security Establishment Canada, Shared Services Canada, and Public Services and Procurement Canada. The services are generally defined in yearly memorandums of understanding.

3. Essentially, the Corporation is a procurement and contract-management agency that serves as an intermediary between its government clients and the consultants and contractors hired to perform the actual project work. This arrangement allows the Corporation to work at arm’s length from the government while managing the procurement process, from awarding tenders to managing contracts at job sites.

4. Also commonly known as Defence Construction Canada, the Corporation was created in 1951. As a federal Crown corporation, it is accountable to Parliament through the Minister of Public Services and Procurement.

5. To conduct its operations, the Corporation does not receive funding directly from the government. Instead, since 2001, the Corporation has drawn its revenues from fees it charges to its government clients. These fees are for services such as project and contract management, life-cycle management of real property, and helping projects meet environmental targets.

6. Demand for the Corporation’s services varies considerably over time, because defence requirements are subject to external factors, such as government decisions and changing service-level requirements from government clients. Moreover, the types of services needed can change throughout the life cycle of a project, which can be accelerated or delayed—for example, by the need for additional consultations or because of conditions required by an environmental assessment.

7. The Corporation continually adjusts the size of its workforce in response to the demand for infrastructure services (Exhibit 1). Demand is expected to increase in the coming fiscal years, to support the increase in work volume forecast as a result of the Federal Infrastructure Investments Program and the additional funding announced by the government in Budget 2016.

Exhibit 1—Defence Construction (1951) Limited revenue and staffing levels

2014–15
(actual)note 1
2015–16
(actual)note 1
2016–17
(planned)note 2
2017–18
(planned)note 2
2018–19
(planned)note 2
Total revenue ($1000s) 80,531 84,905 92,123 97,835 102,238
Full-time equivalent employees at year-end 751 830 859 886 895

Focus of the audit

8. Our objective for this audit was to determine whether the systems and practices we selected for examination at Defence Construction (1951) Limited were providing it with reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively, as required by section 138 of the Financial Administration Act.

9. On the basis of our assessment of risks, we selected systems and practices in the following areas:

The selected systems and practices and the criteria used to assess them are found in the exhibits throughout the report.

10. This audit is important because the Corporation’s activities are integral to the ability of National Defence to deliver its own mandate. The total value of the services that the Corporation provided in the 2015–16 fiscal year was $84.9 million. Furthermore, according to the Corporation, these services also involved awarding 2,440 contracts to contractors, consultants, and suppliers.

11. More details about the audit objective, scope, approach, and sources of criteria are in About the Audit at the end of this report.

Findings, Recommendations, and Responses

Corporate management practices

The Corporation had good corporate management practices in place, but some improvements were needed

Overall message

Fraud—An intentional act by one or more individuals among employees, management, those charged with governance, or third parties involving the use of deception to obtain an unjust or illegal advantage.

12. Overall, we found that Defence Construction (1951) Limited (the Corporation) did a good job of managing its corporate governance, strategic planning, risk management, and performance measurement and reporting. However, as a subset of risk management, we found that the Corporation did not consider all aspects related to fraud risks, such as the inability to deal with potential allegations of fraud, corruption, and collusion. The Corporation’s fraud-related systems and practices were limited—which in turn limited the ability of management and the Board to manage the fraud risks strategically. The Corporation needs to address fraud-related risks more proactively.

13. This finding matters because well-designed corporate management practices provide a sound basis for decisions on allocating human and financial resources, especially when the demand for services changes (Exhibit 1). They also promote transparency and accountability, instilling confidence in the Corporation’s ability to manage federal resources responsibly. Analyzing fraud risks at the operational and strategic levels is a prerequisite to addressing fraud risks across the Corporation.

14. Our analysis supporting this finding discusses the following topics:

15. The Corporation has a Board of Directors composed of seven members. The Board has formed an Audit Committee and a Governance and Human Resources Committee.

16. Strategic planning and risk management are essential for the Corporation in setting its short- and long-term objectives, and for allocating resources to achieve them. The Corporation is facing strategic challenges, with the planned increase in service revenues, and is planning to build its capacity, in order to meet demand. According to the Corporation’s corporate plan, the Department of National Defence (DND) expects an increase in capital program expenditures of approximately 28 percent from the 2014–15 to 2018–19 fiscal years.

17. Corporate strategic planning also includes assessing and adjusting the Corporation’s direction in response to the risks and challenges in its changing environment. Because the Corporation operates in an industry known for incidents of fraud, risk management that explicitly addresses fraud is critical to its service delivery. It is also vital that the Corporation mitigate high-priority risks in its allocation of resources. Performance reporting enables the Corporation to demonstrate the extent to which it delivers its services.

18. Our recommendation in this area of examination appears at paragraph 27.

19. Corporate governance. We found that the Corporation had in place the elements of good governance (Exhibit 2).

Exhibit 2—Corporate governance—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Board structure

The Board and its committees have clearly defined and implemented their roles, responsibilities, authorities, and accountabilities.

Roles and responsibilities of the Board and its committees were clearly defined.

The Board structure, including the two committees, reflected the nature and complexity of the Corporation’s business and responsibilities.

Check  mark in a green circle, meaning met the criteria

Board performance evaluation

The Board assesses its performance as well as the performance of its committees and its members.

The Board assessed its performance and that of its committees and members at least once every two years.

The Board used a transparent mechanism to report the assessment results among Board members.

Check  mark in a green circle, meaning met the criteria

Board independence

The Board functions independently from management; individual Board members are independent from the Corporation and follow defined code of conduct and conflict of interest guidelines for Board members.

The Board functioned independently of management in its decision making.

The Corporation had a conflict of interest code that applied to Board members, who were also informed of their obligations under the Conflict of Interest Act.

Check  mark in a green circle, meaning met the criteria

Strategic direction

The Board has the necessary information to interpret the Corporation’s legislative and public policy mandate, to allow it to provide management with strategic direction.

The Board’s interpretation of the mandate was consistent with the mandate set down in the enabling legislation and letters patent, which are the written orders used for the creation of the Corporation, defining its purpose and objectives.

The Corporation’s strategic objectives were clearly linked to the legislative mandate and were included in the corporate plan.

The Board was active in setting up annual objectives for its Chief Executive Officer (CEO) that aligned with the strategic direction and the corporate objectives.

The Board was active in conducting the annual assessment of the CEO’s performance.

Check  mark in a green circle, meaning met the criteria

Board oversight and decision making

The Board receives timely information necessary to oversee and monitor the Corporation’s activities, results, and management of risk, and for decision making to achieve corporate objectives.

The Board

  • had embedded risk management into its governance processes;
  • monitored risk management through regularly scheduled briefings; and
  • had appropriate and timely information that demonstrated that it was achieving its duty of care in key areas, such as financial performance and risk management.

Board members made decisions, questioned the information, offered direction, and followed up on actions taken.

Check  mark in a green circle, meaning met the criteria

Communications

The Board maintains effective communication with stakeholders, the responsible Minister, and the public in the delivery of its mandate.

There was a protocol for communication between the Corporation and its stakeholders and shareholder.

The Corporation communicated relevant information with its shareholder, stakeholders, and the public in a timely manner.

Check  mark in a green circle, meaning met the criteria

Board competencies

The Board has a sufficient number of members with the ability, skills, knowledge, and experience, as well as access to external expertise and training, to discharge its responsibilities.

The Board had profiled the skills and expertise needed to be a director of the Corporation.

There had been periodic assessments to determine whether the Board was made up of people who had the appropriate skills and knowledge.

The Corporation provided new Board members with a comprehensive orientation program.

The Board had access to outside expertise, but had not deemed such access necessary for the past two years.

Check  mark in a green circle, meaning met the criteria

Succession planning (management and critical positions)

Succession planning for key positions in the organization is performed to ensure the achievement of corporate objectives.

The Corporation undertook succession planning for senior management and other critical positions, and developed strategies to address impending retirements and departures.

Check  mark in a green circle, meaning met the criteria

20. Strategic planning, risk management, and performance measurement and reporting. We found that the Corporation had sound systems and practices in strategic planning, risk management, and performance measurement and reporting. However, we noted that the corporate risk register did not take into consideration all aspects of fraud risks, such as the risk that the systems and practices would not prevent or detect fraud. The only fraud-related consideration in the Corporation’s risk register was the inability to deal with potential allegations of fraud, corruption, and collusion (Exhibit 3).

Exhibit 3—Strategic planning, risk management, and performance measurement and reporting—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Assigning roles and responsibilities for strategic planning, risk management, and performance measurement and reporting

Roles, responsibilities, authority, and accountability for strategic planning, risk management, and performance measurement and reporting have been defined and implemented.

The Corporation had in place a systematic process for strategic planning, risk management, and performance measurement and reporting.

Appropriate roles, responsibilities, and resources for this process were established and approved.

Risk management was applied entity-wide and integrated with the culture of the Corporation.

Check  mark in a green circle, meaning met the criteria

Environment and risk analysis for strategic planning

Strategic planning process takes into consideration the internal and external environment, organizational strengths and weaknesses, and identified risks.

The Corporation had taken into consideration the internal and external environment, and had identified its competitive strengths and weaknesses, except for a weakness related to consideration of all aspects of fraud risks (see next system and practice).

The Corporation had identified the key risks to the achievement of expected results.

Check  mark in a green circle, meaning met the criteria

Risk identification and assessment

The Corporation identifies and assesses the potential risks (including fraud) that need to be managed to achieve its strategic and operational objectives.

The Corporation identified its key corporate and operational business risks and assessed them according to their potential impact, likelihood of occurrence, and level of tolerance within which they had to be managed.

Weakness

The Corporation was not taking into account all aspects of fraud risks, such as the risk that its systems and practices would fail to prevent or detect fraud. Consequently, senior management and the Board had limited information about fraud to inform their risk management and decision making.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Strategic direction setting

Strategic direction is clearly defined and communicated and is congruent with government priorities and the Corporation’s mandate.

The Corporation had established measurable strategic objectives.

The strategic plan was communicated to employees and stakeholders.

An accountability process was in place to monitor implementation of the strategic plan.

Check  mark in a green circle, meaning met the criteria

Human resource strategy

The Corporation carries out a human resource strategic planning process to assess workforce needs in support of corporate objectives.

The Corporation had a human resource planning process in place.

The Corporation knew its human resource needs for the upcoming year, and had a projection for the next four years.

The human resource annual business plan was properly approved.

The human resource planning process included a scan of the environment and identified the current and estimated overall level of staffing required.

Check  mark in a green circle, meaning met the criteria

Implementation of strategic direction through operational planning

Operational plans are aligned with the strategic direction, contain sufficient and appropriate information to guide management action, and are well communicated throughout the organization.

The Corporation’s operational business plans were consistent with the strategic direction and provided enough detail to guide management actions.

The Corporation aligned these plans with its strategic direction and communicated the plans throughout the organization.

The Corporation had an accountability process to monitor the implementation of the plans.

Check  mark in a green circle, meaning met the criteria

Information for decision making and monitoring of risks

There is appropriate information on risks provided to senior management and to the Board for decision making and to allow them to manage / monitor risks and update risk mitigation strategies.

The Corporation had defined the information needed to manage risks within its levels of tolerance. The Board received timely information, and the risk reports were clear and concise, and highlighted the significant changes.

The management of risks was taken into account when the Corporation established its strategic direction, priorities, and operations.

Check  mark in a green circle, meaning met the criteria

Setting performance expectations for the reporting period that support strategic objectives

The Corporation has established measurable annual performance expectations (set performance targets) that support its strategic objectives.

The strategic business plans had challenging and measurable performance objectives.

Check  mark in a green circle, meaning met the criteria

Designing measurable performance indicators

The Corporation has designed measurable performance indicators to generate information that is important to users (entity management, the Board, and the public) and supports achievement of its strategic objectives.

The Corporation had established qualitative and quantitative indicators to assess its performance against its measurable objectives.

Check  mark in a green circle, meaning met the criteria

Collecting data to assess performance against operational targets

The Corporation collects performance indicator data that measures its success in achieving its operational targets as set out in annual corporate plans.

The Corporation collected the data needed for its performance indicators and included the results in its annual report.

Check  mark in a green circle, meaning met the criteria

21. Weakness—Risk identification and assessment. The Corporation’s risk register identified and assessed its key corporate and operational business risks. However, the only risk related to fraud, corruption, and collusion (as it applied to employees and contracts) identified in the register was that the Corporation would not appropriately deal with such allegations if they were to arise. The register did not include a risk related to detecting or preventing fraud, collusion, or corruption. This in turn limited the information that senior management and the Board had about fraud, to inform their risk management and decision making.

22. The Corporation had systems and practices for the management of contracts and services (paragraphs 28 to 52). However, the Corporation had rudimentary fraud-detection systems, which were manual and implemented regionally. Management was therefore unable to use the systems to detect and analyze broader trends that might reveal fraud (such as bid-rigging) that could be spread out over time, across regions, or among many suppliers. This kind of fraud, collusion, or corruption could take place even among contracts that, individually, appeared to have been awarded properly. Being able to perform such analysis would allow the Corporation to bring the management of fraud risks to a more strategic level.

23. Moreover, the Corporation did not consistently store contract information in its content-management system (paragraphs 38 to 42). This limited the information that senior management provided to the Board. It also hindered the Corporation’s ability to analyze trends.

24. The Corporation delivered training on fraud to employees, but not systematically. Furthermore, because the Corporation was unable to consistently track the training that its employees received (as discussed in paragraphs 48 to 51), it could not be sure whether that training had been delivered to the right employees. Fraud prevention and detection therefore depended on employees’ individual skills and diligence.

25. Officials told us that the Corporation was putting in place an electronic bidding system that would provide the information management needed to detect trends that could show evidence of possible fraud, collusion, or corruption. Even without such a system, however, it is our view that the Corporation could take some interim measures to improve its fraud detection, such as systematic training of project officers or improving manual tracking of the information. Addressing weaknesses in the Corporation’s storage of contracting documents would also help staff identify contracting irregularities.

26. This weakness matters because no organization that safeguards public resources is immune to fraud risks. If undetected, fraud can divert public funds to unrelated private interests or allow competitions to favour suppliers who provide less value for money. Moreover, a lack of measures to monitor and mitigate fraud systematically can undermine public trust. This is especially true for an organization whose core business is the awarding of contracts, where there is a corresponding risk of contract irregularities.

27. Recommendation. The Corporation should better define fraud risks in its corporate risk register, ensuring that it covers all relevant aspects of these risks, and should put in place the systems and processes needed to assess, monitor, and address them.

The Corporation’s response. Agreed. Defence Construction (1951) Limited takes the risk of fraud very seriously and is further developing its systems and processes, including analysis and training, to allow it to better detect and prevent fraud activities. The Corporation has updated its corporate risk register, reviewed with the Board of Directors on a quarterly basis, to ensure that it covers all relevant aspects of the risk of fraud. Commencing with the 2017–18 fiscal year, the Corporation will improve responses to this risk through enhanced data analysis, allowing the management of fraud to be elevated to a more strategic level, up to the Board.

Management of contracts and services

The Corporation had good management practices in place for its operations, but some improvements were needed

Overall message

28. Overall, we found that the Corporation did a good job of managing contracts and delivering its services. For example, the contracts were carried out according to industry standards and clients’ requirements, and client deadlines and budgets were met. However, we found that they did not manage or store required information in an organized manner, which resulted in incomplete files. Also, despite having an internal verification process, the Corporation did not perform the verification for 2014–15. Furthermore, the Corporation could not know if all of its processes were being applied as intended, and the tracking of employee training was not consistent.

29. These findings matter because good information management is vital to the Corporation’s monitoring to ensure that all processes and procedures have been applied as required. This in turn supports the Corporation’s continuous effort to provide value for its clients, the government, and ultimately the public. The Corporation relies on the expertise of its employees to deliver its services.

30. Our analysis supporting this finding discusses the following topic:

31. The Corporation provides contracting, construction contract management, infrastructure and environmental services, and life-cycle support for Canada’s defence requirements.

32. When a client decides to initiate a project, it contacts the Corporation to procure and manage the associated project contracts on its behalf. Corporation employees manage the procurement process, from awarding tenders to managing the contracts at the job site. Private-sector contractors and consultants perform the actual work in the execution of the contracts that the Corporation puts in place.

Real property—Any right, interest, or benefit in land or immovable improvements, such as buildings or other permanent structures, on or below the surface of the land.

33. The Corporation channels its resources into five service lines:

34. The Corporation provides advice through only three of its service lines: Environmental Services, Project and Program Management Services, and Real Property Management Services. The Corporation helps the clients meet their own environmental performance targets, comply with regulatory requirements, and manage their due diligence and risks. As the Corporation operates through service-level agreements in these service lines, all responsibilities remain with that client, rather than the Corporation.

35. For services provided in Contract Services and Contract Management Services, the Corporation takes on these elements on behalf of the clients.

36. Our recommendations in this area of examination appear at paragraphs 43, 47, and 52.

37. Management of contracts and services. We found that the Corporation had in place systems and practices for sound management of contracts and services. However, we found weaknesses in its contract and service management process, internal service-line verification, and tracking of employee training (Exhibit 4).

Exhibit 4—Management of contracts and services—key findings and assessment

Systems and practices Criteria used Key findings Assessment against the criteria

Legend—Assessment against the criteria

Check  mark in a green circle, meaning met the criteria

Met the criteria

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Met the criteria, with improvement needed

Minus sign in a red circle, meaning did not meet the criteria

Did not meet the criteria

Procurement process

Contract award process

Service process

The Corporation manages the procurement and contract award process to ensure that contracts and services are carried out according to the deadline, budgets, clients’ requirements, and industry standards.

The Corporation’s procurement, contract award, and service processes functioned well—for example, by

  • delegating authority that decentralized responsibilities;
  • aligning policies, procedures, and guidelines with federal and industry requirements; and
  • ensuring that procurement policies were applied consistently, updated, and communicated.
Check  mark in a green circle, meaning met the criteria

Contract management process, including reporting

Service management process, including reporting

The Corporation manages contracts and service-level agreements to ensure that the management of contracts and services is carried out according to the deadline, budgets, clients’ requirements, and industry standards.

Contract and service management, including reporting, had some processes that functioned well—for example, by ensuring

  • client compliance with requirements for industrial security,
  • that relevant policies were applied consistently,
  • that the services met client deadlines and budgets, and
  • compliance with federal regulations and policies.

Weakness

Throughout the organization, the Corporation did not store information in a manner that ensured that files held all the required information.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Communication

The Corporation communicates regularly with clients and contractors throughout the procurement and contract management process.

The Corporation had practices and templates in place to ensure timely communication with its clients and contractors.

Check  mark in a green circle, meaning met the criteria

Health and safety

The Corporation ensures its compliance with health and safety policy when managing contracts.

The Corporation had systems and practices in place to ensure compliance with health and safety policies as they applied to contractors.

Health and safety incidents were reported to the management and the Board.

Check  mark in a green circle, meaning met the criteria

Internal service-line verification process

The Corporation has an internal service-line verification process to ensure that contracts and services are in compliance with the systems and practices in place.

The Corporation had an internal service-line verification process for Contract Services and Contract Management Services. When the verifications were performed, they were well done, and the results were communicated to the regions and the Vice-President of Operations.

Weakness

The Corporation did not perform internal verification for 2014–15 on its Contract Services line, nor did it clearly document follow-up actions on previous years’ recommendations.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

Identification, assessment, and management of the environmental risk process

The Corporation ensures that environmental risks of contracts are regularly identified, assessed, and managed to reduce or eliminate potential environmental impacts and/or liabilities, and to achieve compliance with environmental requirements.

The Corporation had a process in place to identify, assess, manage, and appropriately mitigate environmental risks, to reduce or eliminate environmental impacts and liabilities, and to achieve compliance with environmental requirements.

Management and the Board were kept informed of instances of non-compliance and significant environmental incidents.

Check  mark in a green circle, meaning met the criteria

Security clearance process and integrity verification processNote 1 for contractors

Guiding principles in the conduct of business (Code of Business Conduct, Procurement Code of Conduct, etc.)

The Corporation ensures that contractors who obtain contracts have been cleared to the appropriate security levels, and that their integrity is continuously verified and managed throughout the duration of the contracts.

The Corporation had systems and practices in place to ensure that contractors had been cleared to security levels appropriate to the requirements of their work, that their integrity had been checked before they began work (ensuring that they had no charges or convictions linked to unethical business conduct), and that the clearances were managed regularly over the contract terms.

The Corporation had processes in place to keep management and the Board of Directors informed of issues related to security clearances and integrity verification. No specific cases of integrity or security clearance issues had been reported in the Board minutes.

Check  mark in a green circle, meaning met the criteria

Systems to protect sensitive information

The Corporation handles sensitive and protected information according to the established policies.

The Corporation

  • provided training on how to manage sensitive and protected information;
  • monitored compliance with its policy on information management; and
  • had a security policy and a comprehensive suite of security standards published on its intranet.
Check  mark in a green circle, meaning met the criteria

Training and development

A training and development program is in place and enables the acquisition, maintenance, and development of skills and competencies needed to carry out required work and meet objectives.

The Corporation had a learning and development policy and process in place.

The policy stated the process to identify current and future training needs for employees and supervisors and to monitor their progress.

Weakness

The Corporation’s tracking and planning tool for training did not consistently track training information.

Exclamation point in a yellow circle, meaning met the criteria, with improvement needed

38. Weakness—Contract and service management processes, including reporting. Throughout the organization, the Corporation did not store information consistently. We found that paper documents and scanned files were often kept within individual regions, making them difficult or slow to obtain elsewhere. Some electronic documents were not stored in Laserfiche, the enterprise content-management system used by the Corporation, but were stored on individual hard drives or email accounts. The availability of such a document might depend on the presence and memory of an individual.

39. Document formats were also inconsistent. While performing our sampling, we found that some key documents had not been digitized; some individual documents had been scanned as several files, while several key paper documents had been scanned as a single file. In one case, the paper file was not found.

40. These inconsistencies limited the Corporation’s ability to ensure completeness of information. The complexity of contracting documents exacerbated this situation. Different types of contracts require different sets of documents, such as environmental assessments, signed service-level agreements, or risk assessments. Because there was no tracking sheet to ensure that every required document had been completed, the Corporation relied on the knowledge of individuals. However, as the Corporation could not know what training the employees had received (as discussed in paragraphs 48 to 51), their knowledge might not reflect the most recent requirements. It should be noted that, through the annual performance assessment process, each supervisor reviewed with each employee their training requirements and resulting plans.

41. According to the government’s Contracting Policy, documents for a given contract must be stored such that they hold all the information required for someone to understand the history of the contract, and must be accessible to more than one person.

42. This weakness matters because without consistent information management and readily accessible documentation, the Corporation could not know whether it had all the documentation it needed. Even if the Corporation had stored all the documentation it required, searching for it would still be inefficient. Furthermore, proper access to key contracting documents by more than one person can reduce fraud risks.

43. Recommendation. The Corporation should ensure that the supporting documentation for each contract is classified efficiently and systematically in its filing software, to ensure that all required documents can be obtained, monitored, and verified as complete.

The Corporation’s response. Agreed. In the 2017–18 fiscal year, Defence Construction (1951) Limited will take the necessary steps to complete its transition to a new electronic document management system. As part of this, the Corporation plans to provide refresher training to all its personnel to ensure that they properly utilize this new system, in order to ensure that documents are classified efficiently and systematically. Thereafter, the Corporation will continue to monitor the use of the new system and take appropriate follow-up action, as required.

44. Weakness—Internal service-line verification process. The Corporation has established a practice of performing an internal review of two of its service lines—Contract Services and Contract Management Services—to provide management with assurance that activities are being carried out with due diligence and in accordance with the Corporation’s policies and procedures. The Corporation aims to perform these reviews each fiscal year, for the previous fiscal year.

45. The Corporation performed no internal verification for 2014–15 on Contract Services in the 2015–16 fiscal year. Corporation officials said that these internal verifications were postponed mainly because of the increase in program activities. Moreover, the Corporation had documented recommendations from previous years’ regional verifications, but follow-up actions on those recommendations were not clearly documented.

46. This weakness matters because the verifications provide the Corporation with the assurance that procurement activities are being carried out with due diligence and in accordance with its contracting policies and procedures and its Integrity Management Framework.

47. Recommendation. The Corporation should regularly perform its internal service-line verifications, and clearly document follow-up on the resulting recommendations, to ensure that procurement activities are being carried out in accordance with established practices.

The Corporation’s response. Agreed. Defence Construction (1951) Limited will perform an internal verification of the Contract Services service line in the 2016–17 fiscal year, including verification of data from the 2014–15 fiscal year. The Corporation will also review how it tracks and maintains records of completed verifications to better capture follow-up activities.

48. Weakness—Training and development. Corporation employees require a diverse set of skills to ensure that they are capable of carrying out their duties and are meeting regulatory requirements. Some of these requirements are general, as is the case for training on values and ethics. Some are specific to job types: Procurement officers have a particular set of training requirements that focus on contracting practices, while those who work on construction sites require regular training on health and safety.

49. The Corporation had identified the specific training that employees had to take; this was reviewed by each employee’s supervisor during the annual performance review process, establishing that employees were taking the required training.

50. The Corporation launched a new tracking and planning tool for training in the 2016–17 fiscal year. We planned to examine a sample of 22 employee files in the tool. We found that the tool did not consistently track the courses taken. For example, training that one individual took five years before was listed as having been taken in 2015–16, while data on more recent training was not available.

51. This weakness matters because the Corporation relies on the expertise of its employees to monitor contracts and deliver services in keeping with industry standards. The industry is in constant evolution, and specific issues that warrant close attention, such as fraud detection, require a proactive approach to preparing employees. It is therefore essential that the competencies of employees be kept current. It is also essential for the Corporation to know what training has been delivered, and where gaps in competencies exist, so that it can address them and demonstrate to its stakeholders and clients that it is meeting its training requirements.

52. Recommendation. The Corporation should ensure that its tracking and planning tool for training records employees’ training consistently and accurately.

The Corporation’s response. Agreed. Defence Construction (1951) Limited is in the process of transitioning to a new electronic training tracker, and this system is planned to be fully implemented by the end of the 2016–17 fiscal year.

Conclusion

53. In our opinion, based on the criteria established, there were no significant deficiencies in Defence Construction (1951) Limited’s systems and practices that we examined for corporate management and management of contracts and services. We concluded that the Corporation maintained these systems and practices during the period covered by the audit in a manner that provided the reasonable assurance required under section 138 of the Financial Administration Act.

About the Audit

This independent assurance report was prepared by the Office of the Auditor General of Canada on Defence Construction (1951) Limited. Our responsibility was to express

Under section 131 of the Financial Administration Act (FAA), Defence Construction (1951) Limited is required to maintain financial and management control and information systems and management practices that provide reasonable assurance that

In addition, section 138 of the FAA requires the Corporation to have a special examination of these systems and practices carried out at least once every 10 years.

All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard for Assurance Engagements (CSAE) 3001—Direct Engagements set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.

The Office applies Canadian Standard on Quality Control 1 and, accordingly, maintains a comprehensive system of quality control, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.

In conducting the audit work, we have complied with the independence and other ethical requirements of the Rules of Professional Conduct of Chartered Professional Accountants of Ontario and the Code of Values, Ethics and Professional Conduct of the Office of the Auditor General of Canada. Both the Rules of Professional Conduct and the Code are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.

In accordance with our regular audit process, we obtained the following from management:

Audit objective

The objective of this audit was to determine whether the systems and practices we selected for examination at Defence Construction (1951) Limited provided reasonable assurance that its assets were safeguarded and controlled, its resources were managed economically and efficiently, and its operations were carried out effectively, as required by section 138 of the Financial Administration Act.

Scope and approach

This special examination covered the following areas, for which we selected systems and practices of Defence Construction (1951) Limited, a federal Crown corporation:

The systems and practices selected for examination for each area of the audit are found in the exhibits throughout the report.

The scope of our audit was Defence Construction (1951) Limited. In performing our work, we reviewed documents and interviewed members of the Board of Directors, senior management, and employees of the Corporation. We also travelled to the Corporation’s offices in Petawawa, Ontario, and Halifax, Nova Scotia, reviewed documentation, and visited project sites. Our planned examination also included an inspection of 22 training files; however, after we examined 4 items, we determined that the tool that was designed to track and plan training did not consistently track the courses taken. We therefore reviewed no more files. We also examined 36 contracting files. We selected items to ensure coverage over regions and types of file.

In carrying out the special examination, we relied on internal audits of business planning and resource management, succession planning, and values and ethics.

Sources of criteria

The criteria used to assess the systems and practices selected for examination are found in the exhibits throughout the report.

Corporate governance

OECD Guidelines on Corporate Governance of State-Owned Enterprises, Organisation for Economic Co-operation and Development, 2015

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

Practice Guide: Assessing Organizational Governance in the Private Sector, The Institute of Internal Auditors, 2012

20 Questions Directors Should Ask about Crown Corporation Governance, Canadian Institute of Chartered Accountants, 2007

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Corporate Governance in Crown Corporations and Other Public Enterprises—Guidelines, Treasury Board Secretariat, 1996

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Practice Guide: Assessing Organizational Governance in the Public Sector, The Institute of Internal Auditors, 2014

Managing the Business Risk of Fraud: A Practical Guide, The Institute of Internal Auditors, The American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners

Ultimate HR Manual, Human Resources Professionals Association and CCH

Strategic planning, risk management, and performance measurement and reporting

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

20 Questions Directors Should Ask about Strategy, third edition, Chartered Professional Accountants of Canada, 2012

20 Questions Directors Should Ask about Risk, Canadian Institute of Chartered Accountants, 2006

Guidelines for the Preparation of Corporate Plans, Treasury Board Secretariat, 1996

OECD Guidelines on Corporate Governance of State-Owned Enterprises, Organisation for Economic Co-operation and Development, 2015

20 Questions Directors Should Ask about Crown Corporation Governance, Canadian Institute of Chartered Accountants, 2007

Meeting the Expectations of Canadians: Review of the Governance Framework for Canada’s Crown Corporations, Treasury Board Secretariat, 2005

Internal Control—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2013

Managing the Business Risk of Fraud: A Practical Guide, The Institute of Internal Auditors, The American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners

Framework for the Management of Risk, Treasury Board Secretariat, 2010

Enterprise Risk Management—Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, 2004

Recommended Practice Guideline 3, Reporting Service Performance Information, International Public Sector Accounting Standards Board, 2015

Ultimate HR Manual, Human Resources Professionals Association and CCH

Management of contracts and services

Defence Production Act, Part 1, Procurement of Defence Supplies

Letters Patent of Defence Construction (1951) Limited

Contracting Policy, Treasury Board

Corporate Plan Summary 2015–2016 to 2019–2020, Defence Construction (1951) Limited

Guideline on Service Standards, Treasury Board Secretariat, 2012

COBIT 4.1 Framework—PO5 (Manage the IT Investment), PO10 (Manage Projects), AI7 (Install and Accredit Solutions and Changes), and ME2 (Monitor and Evaluate Internal Control), IT Governance Institute and ISACA

Managing the Business Risk of Fraud: A Practical Guide, The Institute of Internal Auditors, The American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners

Policy on Occupational Safety and Health, Treasury Board

ISO 14001—Environmental Management Systems, International Organization for Standardization

Improving Environmental Performance and Compliance: 10 Elements of Effective Environmental Management Systems, Commission for Environmental Cooperation, 2000

The Identification and Communication of Security Requirements for Realty Projects, Department of National Defence, 2009

Policy Framework for People Management, Treasury Board Secretariat, 2010

Policy on Government Security, Treasury Board, 2012

Policy on Information Management, Treasury Board, 2012

Policy on Management of Information Technology, Treasury Board, 2007

Policy Framework for Information and Technology, Treasury Board Secretariat, 2007

Security Organization and Administration Standard, Treasury Board Secretariat, 2015

Best Practices for Managing Information Security, IT Policy Compliance Group, 2010

Policy on Learning, Training and Development, Treasury Board, 2006

Ultimate HR Manual, Human Resources Professionals Association and CCH

Period covered by the audit

The special examination covered the period between 19 November 2015 and 30 June 2016. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the significant systems and practices, we also examined certain matters that preceded the starting date of the special examination.

Date of the report

We obtained sufficient and appropriate audit evidence on which to base our conclusion on 15 November 2016, in Ottawa, Ontario.

Audit team

Principal: Marise Bédard
Lead Director: Josée Maltais
Director: Julie Tremblay

Benoît Gosselin
Ying Wah Hong
Catherine Lapalme
Josée Surprenant
Chee Yan Yu

List of Recommendations

The following table lists the recommendations and responses found in this report. The paragraph number preceding the recommendation indicates the location of the recommendation in the report, and the numbers in parentheses indicate the location of the related discussion.

Corporate management practices

Recommendation Response

27. The Corporation should better define fraud risks in its corporate risk register, ensuring that it covers all relevant aspects of these risks, and should put in place the systems and processes needed to assess, monitor, and address them. (21–26)

The Corporation’s response. Agreed. Defence Construction (1951) Limited takes the risk of fraud very seriously and is further developing its systems and processes, including analysis and training, to allow it to better detect and prevent fraud activities. The Corporation has updated its corporate risk register, reviewed with the Board of Directors on a quarterly basis, to ensure that it covers all relevant aspects of the risk of fraud. Commencing with the 2017–18 fiscal year, the Corporation will improve responses to this risk through enhanced data analysis, allowing the management of fraud to be elevated to a more strategic level, up to the Board.

Management of contracts and services

Recommendation Response

43. The Corporation should ensure that the supporting documentation for each contract is classified efficiently and systematically in its filing software, to ensure that all required documents can be obtained, monitored, and verified as complete. (38–42)

The Corporation’s response. Agreed. In the 2017–18 fiscal year, Defence Construction (1951) Limited will take the necessary steps to complete its transition to a new electronic document management system. As part of this, the Corporation plans to provide refresher training to all its personnel to ensure that they properly utilize this new system, in order to ensure that documents are classified efficiently and systematically. Thereafter, the Corporation will continue to monitor the use of the new system and take appropriate follow-up action, as required.

47. The Corporation should regularly perform its internal service-line verifications, and clearly document follow-up on the resulting recommendations, to ensure that procurement activities are being carried out in accordance with established practices. (44–46)

The Corporation’s response. Agreed. Defence Construction (1951) Limited will perform an internal verification of the Contract Services service line in the 2016–17 fiscal year, including verification of data from the 2014–15 fiscal year. The Corporation will also review how it tracks and maintains records of completed verifications to better capture follow-up activities.

52. The Corporation should ensure that its tracking and planning tool for training records employees’ training consistently and accurately. (48–51)

The Corporation’s response. Agreed. Defence Construction (1951) Limited is in the process of transitioning to a new electronic training tracker, and this system is planned to be fully implemented by the end of the 2016–17 fiscal year.