Public Accounts Committee on April 4th, 2024

Evidence of meeting #112 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was kpmg.

A video is available from Parliament.

On the agenda

Report 1, ArriveCAN, of the 2024 Report 1 of the Auditor General of Canada

MPs speaking

John Williamson
Michael Barrett
Valerie Bradford
Nathalie Sinclair-Desgagné
Blake Desjarlais
Larry Brock
Iqra Khalid
John Nater
Brenda Shanahan
Arnold Viersen
Chris Bittle
John Aldag

Also speaking

Lydia Lee  Partner and National Leader, Digital Health Transformation Practice, KPMG
Hartaj Nijjar  Partner and National Leader, Cybersecurity, KPMG
Clerk of the Committee  Ms. Hilary Smyth

10:50 a.m.

Bloc

Nathalie Sinclair-Desgagné Bloc Terrebonne, QC

Thank you.

In her report, the auditor mentions that, when invoices were sent under contracts between KPMG and the government, the invoices were less and less specific about the tasks performed. This led to longer and longer lead times, which in turn increased the price and value of the contracts. That also meant more hours spent on contracts. Invoices were higher and higher, and less and less specific about the tasks performed.

When you fill out an invoice and send it to the customer, normally you have to be specific about the tasks performed. I know, having done it several times myself. This is true even of our own accounting departments.

At KPMG, was it Mr. Bashir again who authorized sending the government imprecise invoices?

10:50 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

Thank you very much for the question. I'll take that for the Public Health Agency-related work.

Very specifically, when we were working under the initial TA—the COVID emergency professional services vendor of record—the very first time, we prepared an invoice. We worked extensively with the Public Health Agency and its internal team to make sure that the documentation on the invoice was satisfactory with its requirements to process the payment, and that it provided the level of detail required.

We had it all pre-approved, and that never changed throughout the entire, as I said, two and a half years that we worked with PHAC.

Furthermore, our understanding with respect to the OAG report...we were not led to believe by the Auditor General that any of those concerns were actually directed specifically toward KPMG. However, as I said, the Public Health Agency pre-approved the level of detail in all our invoices from the very beginning.

10:50 a.m.

Conservative

The Chair Conservative John Williamson

Thank you very much.

Next up is Mr. Desjarlais. You have the floor for two and a half minutes.

10:55 a.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

Thank you very much, Mr. Chair.

I now want to return to this significant problem that I believe could have been addressed largely through Public Services and Procurement Canada's policies, but was largely avoided.

Are either of you aware of the Public Services and Procurement Canada supply manual?

10:55 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

As I said, KPMG always follows the specific procurement approach that is laid out by the government. Our federal government practice is familiar with all of those policies and procedures for all of the procurement activity that we do with the federal government.

10:55 a.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

You're aware that there is the ability for a contractor, and particularly a prime contractor like GC Strategies—or a general contractor, as it's called itself at times—to absorb several task authorizations and then dispose of those task authorizations through multiple subcontractors.

Are you aware of that practice?

10:55 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

I am not aware of all of the details, specifically, of the steps you're talking about. However, as Mr. Nijjar and I have said, all of the contracting work we did was at the government's direction throughout the entire time we worked on the ArriveCAN service.

10:55 a.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

When the CBSA directed KPMG, was that at the beginning of that work? Was it supposed to be directly related to the work of GC Strategies or the overall work of supporting the government in the Public Health Agency of Canada's overall mandate? Was it narrowly, at the time of direction, by the CBSA?

Who directed that you work with GC Strategies?

10:55 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

I think there might be some confusion about the contracting relationship. The Public Health Agency contracted directly with KPMG, and I was the lead partner for that work during the two and a half years we supported the Public Health Agency. None of that work had anything to do with the ArriveCAN app or the relationship with GC Strategies.

The only work that was done through GC Strategies was the cybersecurity audit that Hartaj spoke about. I hope that clarifies things.

10:55 a.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

It does clarify things. The CBSA only directed in the very particular instance the work related to ArriveCAN—that's what you're saying—not the work at the Public Health Agency.

10:55 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

That is correct. Yes.

10:55 a.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

In regard to who from CBSA directed KPMG, has there been any further communication between that individual from CBSA and KPMG past the time of the original contract?

10:55 a.m.

Partner and National Leader, Cybersecurity, KPMG

Hartaj Nijjar

There has not been to my knowledge.

10:55 a.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

Thank you.

10:55 a.m.

Conservative

The Chair Conservative John Williamson

Next up is Mr. Nater.

You have the floor for five minutes.

10:55 a.m.

Conservative

John Nater Conservative Perth—Wellington, ON

Thank you, Mr. Chair, and, through you, thank you to our witnesses for joining us today.

I want to clarify a few points, because I'm rather troubled by what I've heard here this morning. Just so I understand this, a senior Government of Canada official came to KPMG and said, “We know you have the qualifications to perform $400,000 worth of cybersecurity assessments, but we're not going to contract with you directly. Instead we want you to go through this two-person basement firm, which will also take a $90,000 cut, rather than dealing directly with the CBSA.” Am I understanding correctly that a senior government official came to you and said, “Go through GC Strategies”?

10:55 a.m.

Partner and National Leader, Cybersecurity, KPMG

Hartaj Nijjar

The government official asked us to submit a proposal for the cybersecurity work to GC Strategies.

10:55 a.m.

Conservative

John Nater Conservative Perth—Wellington, ON

Is this something you've experienced personally in the past, that a government official has directed you outside the direct contracting relationship to a third party, to, for lack of a better word, a middleman or middle company?

10:55 a.m.

Partner and National Leader, Cybersecurity, KPMG

Hartaj Nijjar

KPMG is often asked to subcontract by small-, medium- and large-scale organizations when they do not have the capabilities to deliver on the specific piece of work or the requirements and when they feel as though KPMG can deliver very high-quality work, so subcontracting is not unusual for us.

April 4th, 2024 / 11 a.m.

Conservative

John Nater Conservative Perth—Wellington, ON

I want to follow up on that. Here's the concern. I'm not going to quibble about KPMG's ability to deliver on contracts. Obviously you're a large, successful firm. There's no question about that. Where I have a concern is that GC Strategies is not an IT firm. They don't have capabilities, period. So it's not a matter of subcontracting for another like-minded business or a similar business. This is a subcontract from someone who had no capabilities. Did it not raise any flags whatsoever that this was being subcontracted, that the Government of Canada was asking you, instead of contracting directly, to go through a third party, GC Strategies, which had no capabilities to do this contract which you were qualified to do?

11 a.m.

Partner and National Leader, Cybersecurity, KPMG

Hartaj Nijjar

As was mentioned earlier, at the time, we did follow our strict client engagement processes and practices. At the time of the engagement, there was nothing that stood out as peculiar from those processes and practices in terms of following the instructions from the government with respect to contracting GC Strategies on this specific piece of work in a time that was unprecedented and in a way that gave us an opportunity to help Canadians, and we complied with the ask.

11 a.m.

Conservative

John Nater Conservative Perth—Wellington, ON

I just think Canadians might be concerned by what seems to be a very cozy relationship that GC Strategies seemed to enjoy with senior government officials, in which contracts were awarded through third parties to make this work. We know that hundreds of middleman-type companies are being used.

I want to address one final point before I run out of time, and that's about developing the details and the specifics of contracts. Has KPMG ever helped the government draft calls for proposals that you have then bid on?

11 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

The answer is no. KPMG has not participated in that process.

11 a.m.

Conservative

John Nater Conservative Perth—Wellington, ON

Would that be something that would be outside of the normal practice for a firm like yours or any other firm or should it be?

11 a.m.

Partner and National Leader, Digital Health Transformation Practice, KPMG

Lydia Lee

The vast majority of the work we do for the government, whether federal, provincial or municipal, goes through a competitive bidding process following a request for proposals. As I said before, we would not be involved in developing those kinds of qualifications or criteria in advance of an RFP.