Thank you for the question.
As I was explaining, risk-based audit plans have been done. There would have been ones done on procurement before. I will say that, while I don't have a copy of all of them here, a lack of documentation generally is not a surprising finding. There would be audits in the past showing that information management practices could have been improved. I do not believe the internal audits missed this. There's also a requirement, based on internal auditing standards, that if we, on any audit, see improvements, gaps or possible fraud, we have an obligation to report those. Those would have been, over the past, improved.
As to how we didn't find this particular issue with one company, as we've heard at committee, the Government of Canada is a large organization across the board. Audit is spread out. We have small teams at departments, but we won't find every single thing. It is based on risk, but there have been audits done in the past in this area and they will continue. We're doing a new one, a horizontal, that will hopefully also strengthen our areas of focus in this area until the risks are diminished.