Evidence of meeting #102 for Government Operations and Estimates in the 44th Parliament, 1st Session.

Also speaking

Karen Hogan  Auditor General, Office of the Auditor General of Canada
Andrew Hayes  Deputy Auditor General, Office of the Auditor General of Canada
Sami Hannoush  Principal, Office of the Auditor General of Canada
Clerk of the Committee  Mr. David Chandonnet

6:15 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Thank you very much, Mr. Chair.

Madam Auditor General, in paragraph 1.67, you state that “the [CBSA] approved time sheets that included no details on the work”, which means it's highly likely that contractors were being paid for completing no work.

Who were the contractors who submitted these blank time sheets?

6:15 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

That paragraph doesn't speak about blank time sheets. What was missing from the time sheets were the projects that they might relate to or the work that was accomplished. There would have been an individual's name and the hours worked, but what was often missing were the details that would allow you to know which IT project it went toward and which contract or task authorization it related to. That's just not good financial record-keeping. It's not good controls or practices to validate that the government is paying for what it actually received.

6:15 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Thank you.

My colleagues across the aisle talk continuously about the security of the application and the use of the application, but in paragraph 1.74 you state that GC Strategies used two resources to check the cybersecurity of ArriveCAN and did not ensure that these resources had the adequate security clearances. Is that correct?

6:15 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

Yes, we did find that individuals who did some of the security testing did not have the security clearances that were required by the contract. However, that security testing was done in a test environment. It still raises a concern, because a person could potentially be identifying the vulnerabilities of the application, but they did not have access to individuals' data, since it was in a test environment.

6:15 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Are there many levels of the CBSA and PSPC that handle security checks to ensure the integrity and security of Canada's private information?

6:15 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

We didn't look at who issues security clearances here. What we were looking at was that a task authorization required that an individual doing work needed to have a certain level of security clearance. We would have expected that the Canada Border Services Agency would have ensured that those carrying out the work had the requirements that were outlined in the task authorization, and that's not what happened here.

6:15 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Do you know how many points of failure occurred to allow this to happen? In a process, would there be certain security checkpoints that you would audit in terms of following through a process? Would you be able to determine the number of points where this failed?

6:15 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

I think that's a difficult question. I guess it would start off with whether the security requirement checklist was done before a task authorization or a contract was put forth. Once you set out the requirements in that task authorization, someone should have ensured that the resources that were proposed by the vendor met those requirements. Then you would have had to check a second time when the invoice came in that it was the actual individual.

There could be many points where this could have been flagged. In this instance, I don't know the details as to where that failure might have occurred. However, the fact remains that individuals who didn't have clearance carried out the work, and they shouldn't have.

6:15 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Since GC Strategies had two examples of not properly vetting their resources and following the proper security protocols, do you think that perhaps this should require further review? Should, perhaps, their work across other departments—the quarter-of-a-billion dollars, as we learned today—those security clearances and those who worked on these GC Strategies' projects be under further review after correlating the revelations that were found within your report and then the quantity of work completed by GC Strategies across government that we learned about today?

6:15 p.m.

Deputy Auditor General, Office of the Auditor General of Canada

Andrew Hayes

In our report, we made it a recommendation that all resources, including contractors and subcontractors, should have valid security clearances on the file prior to starting any work. It's important that it's before they start work. Regardless of who the contractor is—in this case, GC Strategies—that should be happening. Wherever this contractor is working, we would expect that departments or agencies are looking to make sure valid security clearances are in place before work is started.

6:15 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

I agree entirely with this recommendation.

Further to the investigation by the RCMP, Botler AI also made allegations that were reported in October 2023, which stated that they were not given the proper security clearances before they began their work back in 2020. Do all of these examples bring concern of a systemic problem for you across government, or certainly across the agency, regarding security clearances?

6:20 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

It's hard to speak across the government, since we really focused here on ArriveCAN, but it is a concern. If there's a requirement that an individual have a security clearance and the person managing that contract didn't make sure that happened, that is a concern. There are valid reasons for having security clearances in place, and that's why we issued the recommendation. It does concern us.

6:20 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

I had mine done at Foreign Affairs. It was quite a process: top secret.

Thank you, Chair.

6:20 p.m.

Conservative

The Chair Conservative Kelly McCauley

Thanks very much.

Mr. Jowhari, please.

6:20 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you, Mr. Chair.

Mr. Chair, if you'll allow me, I'm going to make a comment, and then I'll resume my line of questioning. The comment builds on what my colleague, MP Kusmierczyk, was talking about.

I'd like to put the following to Canadians and all of our colleagues. If there was an e-commerce application that had 18 million users, processed 60 million transactions and facilitated over billions of dollars of monetary transactions, what would its valuation be today in the market? There's a big difference between the cost of developing an application, including making code, and what it's valued at. I'll leave it at that. If you're interested, go do a bit of research to understand what the valuation of such an application is.

Thank you for indulging me.

Madam Hogan, you talked about the deputy head being accountable and the executive director being responsible. In consulting, we have a concept that's called RACI: responsible, accountable, consulted, informed. That's what RACI stands for. You said that by virtue of the fact that the executive director has signed that authorization requisition, that individual is both responsible and accountable.

I'm finding a conflict, and I'm hoping that you will be able to clarify. On one hand, on the accountability, it goes to the highest level, and you identify the deputy head. On the other hand, the responsibility is.... Can you help me clarify that? Who is ultimately accountable, and who was responsible?

6:20 p.m.

Deputy Auditor General, Office of the Auditor General of Canada

Andrew Hayes

The origin of that statement about deputy head accountability is rooted in the Financial Administration Act, which makes it clear that deputy ministers, in this case the president of the agency, are the accounting officers for the departments or agencies for which they're responsible. They're answerable to Parliament for all of the activities of their organization.

6:20 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Ultimately, it is the deputy head. Is that fair?

Okay, thank you.

You indicated there was a lack of documents to determine how many of the department officials attended these events. You were saying there were emails that requested that the officials attend these social events. Is there any indication as to how many of those there were and how many of them indicated...? Was it 100, 50, two or one? Is there any indication as to how many employees attended those?

6:20 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

We were talking about invitations that we saw that vendors sent to individuals linked to ArriveCAN. I think I have to start with that. It is linked to ArriveCAN. We didn't do a bigger, broader search across the Canada Border Services Agency. In this instance, we saw three or four vendors who sent invitations to individuals in the IT branch—

6:20 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

How many invitations were there? Were there 10, 20, 100?

6:20 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

As I said, I don't have a comprehensive list, but I can tell you that there were three or four vendors who invited at least five Canada Border Services employees. There were another half a dozen individuals on those emails as well. Because we couldn't see the extensions, we're not exactly sure if they were Canada Border Services employees or other public servants.

6:20 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Could you talk about the level of these five individuals from CBSA who were invited?

6:20 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

It would go from the assistant deputy minister down to the working level.

6:20 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Do you know how many times the invite was made? Was it five times?

6:20 p.m.

Auditor General, Office of the Auditor General of Canada

Karen Hogan

I do not know who attended, and I do not know if any of them, in accordance with the code of conduct of the agency, reported this to their supervisor.

6:25 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you very much.

Mr. Chair, you gave me 27 seconds. I'm going to give you back 27 seconds.