Evidence of meeting #112 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was kpmg.
A video is available from Parliament.
10:10 a.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
The contracts were amended multiple times: yes or no?
10:10 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
Yes. Our contracts were amended a few times.
10:10 a.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Those amendments saw the fee for service increase, the length of time for the contract increase and the deliverables reduced. Is that correct?
10:10 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
The initial TA and the initial contract through the Public Health Agency were incredibly detailed in terms of deliverables and key activities that we were asked to provide. The subsequent and final contract that was awarded by the Public Health Agency was less so, by the Public Health Agency specifically, because you have to remember that this was during the third and fourth waves of the pandemic, and they required more flexibility because of wanting to be able to respond to unforeseen events and policy changes at the time.
10:15 a.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Just for clarity, the Auditor General said in her report that KPMG had contracts amended to do exactly what I detailed: add additional costs and make the deliverables over a longer period of time, with less specific deliverables. Do you agree with the Auditor General's assessment? Yes or no, please.
10:15 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
We agree with the Auditor General report findings.
Thank you.
10:15 a.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Thank you very much.
Who in the government was KPMG's contact for the non-competitive contracts that KPMG received? I want the name of the individual at the department, please.
10:15 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
I'd be happy to start the description of that through the Public Health Agency work, and then I might ask Hartaj to speak to the other contract.
10:15 a.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
You have about 10 seconds to get us a name before the end of my time, please.
10:15 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
We were contacted through the CEPS vehicle to work with the Public Health Agency under Sheriff Abdou.
10:15 a.m.
Conservative
Michael Barrett Conservative Leeds—Grenville—Thousand Islands and Rideau Lakes, ON
Thanks very much.
10:15 a.m.
Conservative
The Chair Conservative John Williamson
Thank you very much.
We'll turn now to Ms. Bradford, who's joining us virtually.
You have the floor for six minutes, please, Ms. Bradford.
10:15 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Thank you very much.
Thank you to the witnesses for coming today.
Some of this might be a bit repetitive from your opening comments, but I just want to get it on the record. Could you please help the committee members and the Canadians watching from home understand what specific services were provided for the $5 million received in government contracts by KPMG for the ArriveCAN app? What work did KPMG specifically provide for this?
10:15 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
I can definitely take that for the Public Health Agency work. I'll ask my colleague Hartaj to speak to the cybersecurity work in a moment.
The work we did to support the Public Health Agency was focused primarily on helping them to analyze and plan for the operational impacts of all the evolving policies that were happening under the Quarantine Act during the pandemic. This included both detailed and extensive stakeholder engagement within government and helping them to facilitate discussions outside of government—for example, with the travel sector, air operators and so on.
We also were asked to provide global leading expertise and access to information through KPMG's global network of colleagues to help inform policies that were forming here in Canada. For example, we reached out through our global network to the Five Eyes countries and to other jurisdictions to learn how they were handling the COVID-19 pandemic, quarantine, and quarantine restrictions, and then eventually how they were handling things like lab testing, vaccine administration, documentation and so on for international travel.
The other thing I'll mention is that at that time, KPMG was providing very specialized expertise to the Public Health Agency to address what we understood were some capability gaps in terms of being able to quickly support their detailed planning in things like human-centred design. We were trying to understand what the traveller's experience would be through all of these policy changes and operational changes at the borders. We were developing journey maps and process designs, all at a very, very rapid pace, to support their constantly evolving policy environment.
That essentially was the nature of the work we did under the Public Health Agency.
Maybe I'll let Hartaj speak to the other work.
10:15 a.m.
Partner and National Leader, Cybersecurity, KPMG
Sure. With respect to the cybersecurity work, there were five primary bodies of work. The first was to assess vulnerability management practices around the ArriveCAN environment. How do you identify vulnerabilities and mitigate them in a timely manner? The second was to assess compliance with certain privacy regulations, particularly those surrounding the cloud hosting platform. The third was to assess the cloud hosting platform itself to understand if appropriate security controls were embedded. The fourth was to understand whether appropriate incident response processes were in place. If there was an incident or a breach of some sort, would it be possible to respond and recover in a timely fashion? The last was to do with understanding whether appropriate security practices were integrated within the development processes.
10:20 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Thank you for those detailed responses.
Can you confirm the total amount that KPMG received for this work on the ArriveCAN application?
10:20 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
I want to reconfirm that KPMG did not do any work on the development of the app itself. However, for the Public Health Agency work that was contracted to KPMG, we invoiced about $4.5 million before taxes.
10:20 a.m.
Partner and National Leader, Cybersecurity, KPMG
For the cybersecurity work, we invoiced $400,000.
10:20 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Thank you so much. It is approximately $5 million.
Can you please explain why KPMG was not able to receive a contract directly from the government, or the CBSA in this case, to work on the ArriveCAN app, or for the work it provided in this process? Why did it need to be subcontracted by GC Strategies?
10:20 a.m.
Partner and National Leader, Cybersecurity, KPMG
I can take that question, as I believe it relates to the cybersecurity work.
KPMG would have been proud to contract under any vehicle, or even to bid in a competitive RFP process. We were asked to subcontract through GC Strategies, and we complied with the government's request.
10:20 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
How was the decision made on KPMG's end to become a subcontractor for GC Strategies?
You said it reached out. What was the process whereby you made the decision that you would subcontract through GC Strategies?
10:20 a.m.
Partner and National Leader, Cybersecurity, KPMG
When KPMG is contracting with a party, be it a client, a partner or an entity, we have rigorous client acceptance and engagement acceptance processes that we must follow in every case, and we followed those processes to understand whether there would be any adverse considerations in engaging with GC Strategies. At the time, our results showed that there would be no adverse considerations in contracting with GC Strategies, given that it was, at the time, a well-known entity in the government sector and we were being asked to contract with it by the government.
10:20 a.m.
Liberal
Valerie Bradford Liberal Kitchener South—Hespeler, ON
Have either of you met with Kristian Firth or Darren Anthony?
10:20 a.m.
Partner and National Leader, Cybersecurity, KPMG
I have not met with either of those individuals, and I believe Ms. Lee has also not met with those individuals.
10:20 a.m.
Partner and National Leader, Digital Health Transformation Practice, KPMG
I have not.