Public Accounts Committee on May 30th, 2024

Thank you, Mr. Chair.

Thank you to the members of the committee for inviting KPMG to contribute to this important conversation.

My name is Imraan Bashir. I'm a cybersecurity partner at KPMG in Canada. I am here following the appearance of my colleagues Lydia Lee and Hartaj Nijjar on April 4, when they spoke about the services KPMG provided to support the ArriveCAN program.

I've been in the information technology and cybersecurity field for close to 24 years, with my career split across the public and private sectors. I started my career at a leading IT services company before joining the public service. I was a proud public servant for almost 11 years, spending time at Indigenous Services Canada and the Treasury Board of Canada Secretariat under both Conservative and Liberal governments. I joined KPMG four years ago, in May 2020. Since joining KPMG, I have worked with a variety of public and private sector clients to provide cybersecurity services in an ever-evolving threat landscape.

Lydia and I are here today to represent KPMG Canada, which employs approximately 11,000 people across our country. Our role is to serve and assist our clients, including governments at the federal, provincial and municipal levels, in identifying and closing strategic and operational gaps, providing specialized knowledge and services in areas where support is required. We consider our services to be an important part of our contribution to Canadian society.

While we are very proud of the services we provide to assist governments, KPMG is not a leading recipient of government contracts. As you are likely aware, an analysis by Carleton University noted that KPMG ranked 112 on the list of contracts awarded across all public service departments and agencies in 2021-22.

KPMG is very supportive of the important work being done by this committee. In addition to joining committee meetings, we have provided written responses, as requested, to questions that arose from our previous appearance. For today's session, to the extent the committee thinks I can be helpful or of further assistance, I am happy to answer your questions.

As my colleagues Lydia and Hartaj discussed at their previous appearance, KPMG's work related to the ArriveCAN program fell into two streams. The first stream, led by Lydia, was for the Public Health Agency of Canada. In this stream, KPMG provided in-depth subject matter expertise and global knowledge to assist in developing policies and procedures for the implementation of the ArriveCAN program. The second stream of work was the cybersecurity assessment that was performed for the CBSA's ArriveCAN application and supporting infrastructure. I was the local delivery partner on this work, supported by Hartaj, who leads our national cybersecurity practice. As you know, KPMG is well known in the field for its cybersecurity expertise. We offer a range of services to help organizations identify, assess and mitigate cyber-risks.

Between October 2021 and March 2022, KPMG provided an independent cybersecurity assessment of the ArriveCAN application. This work was subcontracted to KPMG through GC Strategies in October 2021 at the request of the CBSA. Our scope consisted of five streams of work performed under two separate task authorizations, which involved reviewing the CBSA's cloud security architecture, including a comprehensive security control review; the department's alignment with privacy regulations; its vulnerability management practices; its secure product development practices; and its security incident response protocols and procedures. Our work was completed on time and on budget, in alignment with Government of Canada policies, and was reviewed and ultimately approved by the CBSA.

We are very proud of the services that KPMG provided during the pandemic to assist not only governments but also health care organizations, academic institutions, not-for-profits and the private sector. We delivered highly specialized expertise at a time of unprecedented uncertainty for Canadians and the world.

Thank you. We'd be happy to take your questions.

Good afternoon to the committee. Thank you for the opportunity to provide information on Donna Cona's involvement with ArriveCAN.

My name is John Bernard, and I am the CEO of Donna Cona. I am here with my business partner and the president of Donna Cona, Barry Dowdall. I am a status first nation person from the Madawaska Maliseet First Nation in New Brunswick. Although I grew up on reserve, I moved off reserve shortly after I graduated from university. After moving around to a number of cities, I landed in Ottawa in the late 1980s, working for a few federal government departments: Fisheries and Oceans, Health and Welfare Canada, and finally, as it was called back then, Indian Affairs.

In 1990, I resigned from the federal government and became an IT consultant working with Systems Interface. Right from the start, I began encouraging Systems Interface to hire aboriginal employees and pursue contracts within the Department of Indian Affairs. Unfortunately, it wasn't until 1996, with the introduction of the PSAB program, that any recognition was given to hiring aboriginals. Part of the PSAB requirement was that a company had to be owned and/or majority controlled by an aboriginal. It was at this time in 1996 that we spun off Donna Cona as 51% owned by me and 49% owned by Systems Interface. Today I own 100% of Donna Cona and continue to hire and promote aboriginals as much as possible.

Donna Cona provides information technology and information management professional services to several clients, one of them being the federal government. We also provide a crisis counselling service for all indigenous, first nations, Métis and Inuit people of Canada. This service runs 24-7 and handles about 50,000 contacts per year through phone and online chat. We are international standards—ISO—certified, and for the past six years we've been named one of Canada's best-managed companies.

Donna Cona has hired many indigenous employees over the last two and a half decades. Just as importantly, we've sponsored and supported indigenous associations, communities and students over the last 28 years. Today, Donna Cona has 84 employees. There are 18 indigenous staff and 58 women. We also use many incorporated subcontractors to supply our client delivery services. Thirty per cent of our overall revenue comes from PSIB set-asides. It was once PSAB, but today it's called PSIB.

The success of Donna Cona and technology afforded me the ability to experience my dream of moving back into my community and investing in businesses in my first nation. In 2007, I built an entertainment centre on the Madawaska Maliseet First Nation that eventually included a 10,000-square-foot events venue, as well as multiple restaurants and electronic gaming. Since 2008, these businesses have returned over $20 million to my community and close to $10 million to the New Brunswick government. With this business, along with a number of other businesses that I own on the reserve, I employ close to 150 employees from the local town and my first nation.

As today's agenda is to talk about the CBSA ArriveCAN project, the following has been our involvement with the CBSA, and in particular ArriveCAN. We have three supply arrangements with the CBSA that were competitively procured in July 2019 and September 2020. One is for enterprise data warehouse IT services, and the other is for travellers' projects. Neither of the supply arrangements, nor any of the TAs, mentions ArriveCAN.

With regard to the Auditor General's report, we disagree that we provided $3 million for ArriveCAN. We found, through the time sheets, activities for only the two contracts and determined that approximately $500,000 of the cloud infrastructure development was provided in support of ArriveCAN. We worked with CBSA staff to design cloud data pipelines on AWS cloud services to implement the Public Health Agency COVID-19 analytics architecture in AWS and to provide business intelligence and tech support for reporting purposes.

Once again, thank you for the opportunity to assist the committee in its efforts.

Thank you, Mr. Chair, the clerk and committee members, for inviting us to appear today regarding your study on the Auditor General's report on ArriveCAN.

My name is Chris Loschmann. I'm the director of Canadian government services at TEKsystems.

TEKsystems is a global provider of technology, business and talent solutions. We have over 100 locations worldwide and we partner with over 6,000 customers, including many Fortune 500 companies and public sector clients. We help our customers achieve their business goals through advisory, outcome-based and staff augmentation services. We pride ourselves on our core values and our fundamental commitment to excellence and integrity. We have worked hard to earn the trust and respect of our clients and to follow the rules when it comes to working with the government.

In March 2020, CBSA publicly posted an RFP for cloud engineering professional services. In June 2020, after submitting our bid and competing with three other bidders, TEKsystems was successful in securing this contract. The scope was to provide highly skilled IT professionals at the request of CBSA on an as-and-when-required basis to assist in deploying and maintaining its applications in cloud environments.

In May 2021, CBSA publicly posted another RFP competition for cloud cybersecurity services. In October 2021, after submitting our bid and competing against four other bidders, TEKsystems was awarded this second contract. The scope of the work was to provide IT professionals on an as-and-when-required basis to assist CBSA in performing cloud security assessments, vulnerability assessments and cloud security operations.

It's important to note that these contracts went through an open, fair and competitive process according to procurement rules and regulations. Neither contract was created specifically for ArriveCAN. Within the scope of these contracts with CBSA, TEKsystems was directed by CBSA to provide IT professionals for ArriveCAN. All the work we did on the app came at the direct request of CBSA, as it fell within the scope of these contracts.

Both of these contracts were ordered after the original rollout of ArriveCAN in April 2020. TEKsystems did not take part in the original development or set-up of the app. We also did not participate in the planning or management of any element of the delivery of ArriveCAN.

We provided highly sought-after professionals who were specialists in cloud networking and infrastructure services to help build and secure the platform that the application sits on, and we performed cloud-based, back-end development to strengthen and secure the application after its initial rollout. All our professionals go through a rigorous vetting process, including in-person meetings, reference checks and capability testing to make sure they have the skills to meet our clients' needs. We also make sure they have valid security clearance at the appropriate level.

At the request and direction of the CBSA, TEKsystems delivered $3.2-million worth of staff augmentation services for ArriveCAN. That was confirmed by the Auditor General and her report. We agree with her report and we co-operated with her investigation. Based on her findings, the findings of the procurement ombud and the previous testimonies already received at this committee, we would like to make the following points.

At no point did TEKsystems contact GC Strategies, Dalian or Coradix regarding any of the services provided to CBSA or the competition of CBSA contracts. We did not partner with any of these organizations for any IT professionals allocated for ArriveCAN or for any work done for CBSA. TEKsystems did not win any non-competitive contracts with CBSA, Health Canada, the Public Health Agency of Canada or any other government department for any IT professionals we provided to CBSA for ArriveCAN. All of our contracts went through an open, fair and competitive bidding process that had multiple bidders. All of the professionals that TEKsystems provided to CBSA went through a rigorous vetting process, reference checks, technical ability screening and security clearance validation.

Our work with the federal government has always been in accordance with procurement rules, guidelines, policies and procedures respecting the integrity of public institutions. We have a defined public sector practice that invests in making sure we operate ethically and deliver value to our customers and Canadians. We invest significantly in training and compliance for our teams, including annual mandatory legal and ethical training, and third party international standard organization audits.

We're happy to work with the committee today to answer any questions you may have. Thank you.

Just to clarify, are you referring to my current job at KPMG or previously in the federal government, or both?

Okay, thanks for clarifying.

I'll separate the answer into two different answers. In the federal government, I did meet with Mr. Firth two to three times at most—like I met with several vendors—generally to discuss some offerings that he had in the security space. I met with him once virtually while at KPMG.

The one KPMG meeting I mentioned was virtual. The two to three at most, when I was at the Treasury Board of Canada Secretariat, all occurred in the lobby of 90 Elgin, which is the Treasury Board government building.

That's correct.

Yes, that is correct.

Absolutely.

I should say that all my answers subsequently will be directed through the chair. I'm sorry about that.

While in the federal public service, many vendors reached out from time to time to explain what types of security products or services they were offering, given my role at the time was director general of cybersecurity.

In the specific meetings with Mr. Firth, I remember discussing two products related to—I apologize for the lack of detail—something around secure communications and digital identity, but there were no subsequent meetings. He left with a brochure, a pamphlet so to speak, and that was the end of that.

The KPMG meeting specifically was more of a reintroduction, I suppose. He had apparently been talking to one of my colleagues prior. I was looped into an email thread, and it was apparent that the subject of cybersecurity came up. I subsequently discussed with Mr. Firth the types of cybersecurity services that KPMG—

It's a retired partner who's no longer with the firm.

After we submitted a proposal to Mr. Utano, he and I did have a meeting, and it was at that meeting that he asked, ”Can you also submit this proposal through to GC Strategies?”

My understanding was that Mr. Utano was exploring his procurement options. I believe his procurement team had likely given him some advice on what the quickest way to procure was. I understand there was some urgency due to the cybersecurity nature of the work in question.

It's hard to speculate. It's probably a question better directed to the CBSA, to be honest.

I'd never worked with Mr. Utano prior to the engagement. I likely crossed paths with him in my time in government at a government event, but I don't recall ever working with him on anything.

To answer the first part of your question, the way it came up was that we discussed the proposal, and he seemed happy with what he saw and suggested that I pass that along to Mr. Firth afterwards.

The way that I characterize procurement is that there are essentially three steps to it. Step one is to identify what you want to procure. The second step is to identify the vehicle by which you would procure it. The third one is to procure it.

Having completed the first step of establishing what it was that he wanted to procure, my understanding was that Mr. Utano was simply exploring the options he had. One of the other options he had was the CEPS vehicle, which my colleague Lydia discussed last time. As my other colleague, Hartaj, mentioned, we would have happily competed for it had he wanted to put it out to a full tender as well.

Obviously, we'd prefer direct procurement where possible, for sure. I can't begin to speculate on the reasons CBSA may have wanted to go that particular route.

To my knowledge, no, but I know KPMG as a firm, as I believe we submitted in writing as well, has subcontracted for—don't quote me on this; I don't have it in front of me—I believe 13 different companies of varying sizes, from very large organizations to small. The key there is that where we can help provide expertise specifically to the government in areas that we are good at and can provide value for taxpayers, we will entertain that, yes.

Given the position that I held in the federal public service, I was subject to the Treasury Board directive on conflict of interest, as most are. I believe they term them positions designated to be high risk for conflict of interest.

What that directive states—and this is the process that I followed upon my departure—is that upon receipt of an offer of employment.... I should say that I did this way earlier than having the offer of employment. When I began thinking about getting an opportunity, I engaged with my values and ethics team immediately, who coached me through the entire process. That involves a discussion with the senior management team and finally culminates in a formal letter from the deputy head outlining post-employment restrictions—some term it a “cool-off period”—upon a departure from the public service.

In my particular case, I was given a one-year post-deployment restriction that forbade me from soliciting work or even being named on a request for proposal response for the core federal public service. I have that letter. I took that letter to KPMG upon my start date there, and we established the appropriate protocols and ethical walls to ensure that I was completely removed from the federal practice for the entirety of the first year, at which time I worked on other things like provincial government, municipal and other contracts.

It's challenging, for sure. I think the directive does a very good job of outlining the requirements from all parties about the person in question and the organizations that need to subsequently follow that. I can't really comment on the oversight of that, as I've never been involved on the other side. I can say it's incumbent upon all parties involved—the departing organization, the new organization and the person involved—to ensure continuous compliance with these requirements.

I'm sorry. Are you asking me how TEKsystems—

I can take that, if you want.

Yes, I'll defer to you.

We won three competitively produced RFPs for CBSA. We were providing resources. Nothing in our contract or in the task authorizations mentioned ArriveCAN, so we had a number of IT professionals, typically cloud people, who were working on it.

They were essentially building containers, for lack of a better term, on the AWS cloud to bring in data. They brought in some data, as John mentioned, from public health and other applications. They were building this infrastructure on the cloud to accept data from different sources.

We went through our time sheets when the AG report came out because we didn't have anything that said “ArriveCAN”. We looked through the activities, and that's how we found—

No. We competitively won the RFPs, and CBSA contacted us for an “as and when”.

I will add that I was quite surprised to see my company's name listed in the AG report.

I joined as a direct-admit partner.

If I understood that correctly, I joined as a direct-admit partner in May 2020, when I joined the firm.

Sorry, that was direct-admit partner. That was my mistake. I will slow down.

It cut out a bit at the end, but if I understood you, you are asking about the training I took for risk....

Thank you for the clarification.

That is correct. Upon joining the firm, and subsequently on a regular basis, we continually take risk, independence, security and privacy training—all of the training.

I have one point of clarification before I answer the question.

We did not have a direct procurement vehicle with the CBSA at the time. I believe what I referred to earlier was the CEPS vehicle, which was more of a government-wide vehicle. There was nothing direct with the CBSA at that particular time.

With respect to the training, we fully followed every single process that the training indicates. This included rigorous risk management processes that check each party that we're engaged with. In this particular case, we had to list GC Strategies and CBSA and subsequently go through a three-partner approval process to ensure that we were able to proceed with the engagement. At that point in time, no flags were raised and, as such, we proceeded accordingly.

The procurement method is chosen by the government department at the end of the day. We can't question the government's direction on how to procure a service for them.

I didn't get a question there, but I guess I would simply say that we follow the process we had in place. I'd also like to add that the Government of Canada had vetted GC Strategies, I believe, 100-plus times, as they were awarded a number of contracts in the last number of years, as this committee has discussed.

When you couple our processes with the fact that the Government of Canada itself had validated and revalidated the legitimacy of GC Strategies, that information led us to believe that this was a reasonable path forward to procure.

I'll refer you to the previous response. We went through our processes and trusted that the government went through its processes as well.

I'm sorry. To clarify again, do you mean when I started work while at KPMG or as a public servant? Can you clarify that, please?

My start date was October 2009 as a full-time employee.

Immediately prior to my departure to KPMG, I was the director general of cybersecurity and digital identity at the Treasury Board of Canada Secretariat.

I think I had a decent understanding, for sure. I'd led a handful of procurement processes, but not a large number, if that's what the question is.

Thank you for the clarification. Yes, I am familiar with the procurement process, for sure.

You're taking me back a bit. I'm going to guesstimate somewhere in the 2018 range.

I departed the public service in May 2020.

At the time, I was discussing post-government employment with a number of different organizations. I don't actually recall who emailed whom. I think it was kind of mutual. We had some mutual.... People know people in the city, and you sit down and say, would you be interested? It was one of those types of conversations to get it started.

Absolutely not. No. I'm very well aware of the directive on conflict of interest and the restrictions around hospitality and gifts.

There were phone calls, to be honest, to start everything off. I started off with phone calls and emails, and ultimately—

The answer is no to that question.

As I mentioned earlier, when meeting with Mr. Utano after submitting the proposal, what he directed was for me to submit a copy of that proposal to Mr. Firth at GC Strategies, which I did.

At that meeting we discussed the number of procurement options Mr. Utano had at his disposal, which I think I mentioned could have included the CEPS vehicle and opening an RFP from scratch, or using one of his existing vehicles. All options were discussed, so nothing stood out from that conversation.

No. Neither the number of employees of GC Strategies nor the work they were doing at the time with the CBSA was discussed. What was discussed was only that they had existing procurement vehicles that were set already with the CBSA.

That's where I lean on our risk management processes that I discussed earlier, to find out if red flags occurred. What we do is we take the information back and we submit that information through that process to validate, and no red flags came up.

As I mentioned earlier, the Government of Canada itself—and not just the CBSA, but many other departments—had awarded this same company numerous contracts, which further validates our decision.

I can't speak to the processes that Mr. Utano went through, but certainly I can speak to our processes. Yes, that is the result of our process.

Keep in mind that the processes are at a point in time. At that point in time, that's the information that arose. I suspect, if run today, the result would be different.

I do, but I'll defer that to my partner, because we spoke about this prior to coming in.

You said about $500,000, and I think in the AG report they talked about how there was some internal financial coding that was unsure. We would submit time sheets with deliverables, and then what happened after that, we don't really know. They would have put whatever coding they had against it, so other than that we're at a loss as to what happens after we submit time sheets.

We didn't see the internal coding.

Well, it's actually on record. In 2006 I sat in front of a Senate committee on aboriginal procurement. Back in 2006 I warned of the potential abuse of joint ventures, and to this day, 18 years later, we are seeing the results of that. Basically, I was using terms like, “Aboriginal companies need to learn how to walk before they run,” yet, amazingly, Donna Cona has been in business 28 years, and we find ourselves up against aboriginal firms that just got into business and are running multi-million dollar contracts.

I guess what I'm trying to say is that being an aboriginal is not a skill, yet in aboriginal procurement with joint ventures, it's almost like if you're aboriginal, all of a sudden that's the quality you're bringing to the joint ventures, and we just don't agree with that. Obviously, you have to start somewhere, so they should be small, but we believe the aboriginal side of a joint venture should progress. They shouldn't be going after a $100-million contract when they were riding an ice cream truck the week before.

If you go back to the 2006 testimony—which is on record with the Senate committee—in there I actually give three ways that I think it should be addressed. The first one, most importantly, is the joint venture. That's where there's really a lot of room for abuse. Unfortunately, there's no motivation for aboriginal companies to grow, because if you can become a joint venture, you don't have to do anything. You don't even need staff or admin staff, because your joint venture partner has all of that.

No, and let's face it, there aren't enough indigenous people to meet some of these contracts. Calling myself an aboriginal company or an indigenous company, just because I own 100% and I'm a status Indian from.... I don't believe that's what it should be. It should be aboriginal benefits. It's not what we....

People ask me, “Well, you're an aboriginal company, so what does that mean? Do you stand on one leg?” No. We do business just like everybody else. In calling myself an aboriginal company, it's what we do, and not just in hiring indigenous people but in the sponsoring, the supporting and then spinning off other aboriginal business. As I explained about my community, that, to me, is the solution. I'm sorry, but if you're just going to hire aboriginal people and you think you're going to get 50 aboriginal people on a 150-person project, that's just not going to happen in this field.

I held a variety of roles, but my stint with the Treasury Board started in July 2011. I could walk you through the path, if you'd like.

Oh, I probably didn't start procuring anything—like in a role in which I was procuring anything myself—until, probably, 2017, in the role of director general, cybersecurity.

Yes. I mentioned earlier that Mr. Firth was probably like every other vendor in town, who would send an email and try to get a meeting to discuss a product or a service they offered. There were two in particular that I think I was discussing earlier: One was around secure communications and one was around digital identity. Both were files that fell under my portfolio, so it piqued my interest to hear a bit more.

The nature of the meeting was a bit of a debrief on the service or the product he was offering at the time. As I mentioned, both meetings occurred in the lobby of the building I worked in, which is 90 Elgin, and nothing really followed after that, to be clear.

My role was a little different at the Treasury Board. For context for the committee, where I worked in the Treasury Board was more of a policy organization—setting policies, standards and directives for the rest of the public service to follow—so we didn't typically procure any goods per se. However, in order to do my job properly and set forth a forward-looking cybersecurity strategy for all of government, it was incumbent upon me to understand where the industry was heading, how technology was evolving and so forth, so that was the general gist of the interactions with Mr. Firth. We didn't really discuss subcontracting or any of those things you asked about.

Absolutely, and my answer will apply to every contract we take on—or any engagement, as we call them.

To start any process, we run checks on the entity itself—we call it an “engaging party”. In this case the engaging end party was the CBSA. We also have to run KYC—know your customer or know your client—types of checks on any other intermediary that would be involved. In this case it was GC Strategies, so both are listed in what's called a “client acceptance process”. In that process they vet both the entities individually and then the engagement as a whole in consideration of the results of the entity process, if you follow me so far. That is a process that involves a series of questions that have to be answered, including the nature of the work, whether or not we audit the individual or the companies—obviously, that would be a red flag for our firm—and other factors. I don't know all the questions off the top of my head, but there are a number of questions, and as I mentioned, it goes through.... Every public sector engagement has a mandatory three partners on it: first, a lead delivery partner; second, a quality control partner; and third, a client acceptance partner—all vetting that the information has been filled out appropriately.

At that particular time, no red flags were raised throughout that process.

Not to my knowledge, no.

No, not to my knowledge.

Not to our knowledge, no.

Are you asking where I was as an employee of the federal public service?

No. In 2009, that would have been Indigenous Services Canada. I believe it was called something different at the time—INAC.

I believe you're speaking about the bid rigging. Is that correct?

Yes, we were accused, and all the accusations were dropped. We never had our day in court to defend ourselves or even to ask for an apology. It changed my life, being accused of something like this.

I have no other information on anybody else who was involved. I was asked, “If you have information, we will waive you,” or whatever. I said, “Well, I have no information because I know nothing about what you're talking about,” but we were accused at the very last minute.

Do you mean today?

We have 84 employees right now and probably about 200 or 300 other resources, like subcontractors, who work for us.

If you're asking if 84 employees and maybe 200 or 300 others is enough, yes, that's enough.

Thank you for the member's question.

As I mentioned the last time I was here, there are a couple of things. One is on the invoicing. The very first time that we issued an invoice was against the original CEPS, the COVID emergency professional services. It was the first TA, or task authorization, and we asked for the Public Health Agency to approve the level of information, the details that were described in the invoice, to validate that they were getting enough information in order to process the invoice on their side correctly. They verified that, yes, this was sufficient, and we never changed that whole level of detail in all of our invoices for every contract that we had throughout the COVID-19 pandemic.

When we got to the end of the CEPS agreement term, the Public Health Agency sponsor at that time said that they wanted to go back to CEPS and ask for the ability to use that vehicle to renew. Our understanding was that PSPC said, “No, you can't use that vehicle any longer.” I don't know why. They said, “Okay, fine. Then we will have to renew our agreement with KPMG through a Public Health Agency direct contract.”

That's why we were not given the information.

Yes, sir, I did.

Thank you for the question.

I'm aware of what was in the Auditor General's report, so yes, I'm aware that's there.

Given that it's a PHAC question, I'll pass that over to my colleague Lydia, who worked on that engagement.

Thank you for the member's question.

If I can also bring you back to the testimony that I shared the last time I was here, after the original CEPS TAs expired and the Public Health Agency wanted to try to extend KPMG under that contract and were told by PSPC that they could no longer use that vehicle—and KPMG does not know why—KPMG was informed by the Public Health Agency that they were working through, with their own internal procurement team, a justification and rationale for keeping KPMG on.

As you'll remember, this was at the height of the lockdown of the COVID-19 pandemic, and the subsequent contracts that were awarded to KPMG by the Public Health Agency were of the same type of work that we had been doing along the first original CEPS agreement, and they—

We absolutely were not. We were acting under the direction of the Public Health Agency at that time.

We understood that the Public Health Agency wished to keep KPMG extended, but in terms of the inner workings of their local procurement team inside the Public Health Agency, we were not involved in any of that.

Regarding the ArriveCAN work that I supported and that Imraan did, we are not aware of any RCMP conversations or communications.

I have not been, personally.

No, thank you. Neither of us have been.

Thank you very much for the member's question on that.

Our understanding was that you wanted to understand the way in which we became...well, that Imraan and our team became introduced to GC Strategies at the time, and we did provide all of that information in our written response.

Thank you for the question.

Mr. Chair, as I mentioned in my opening statement, TEKsystems did not have an ArriveCAN contract. We bid on and won two contracts through an open, fair and competitive process to provide staff augmentation services to CBSA. We were providing professionals to them, and those professionals worked at the direction of CBSA. CBSA asked us for resources, and they placed them on the ArriveCAN project.

Mr. Chair, TEKsystems was a prime contractor directly to CBSA.

The vote is on whether the chair's ruling shall be sustained, which is to say, shall the chair's ruling be upheld? If the chair's ruling were upheld, the motion would be admissible and be allowed to be moved.

Shall the—

If the ruling is overturned—

The chair's ruling is that the motion is inadmissible. Shall the chair's ruling be sustained? That is to say, shall the chair's ruling be upheld?

It's a tie, so the chair votes.

(Ruling of the chair sustained: yeas 6; nays 5)

I'll make just a small clarification: It was the same proposal. Initially we were asked to submit it to Mr. Utano, which we did. Subsequently we met with Mr. Utano to discuss the details of it, and it was at that subsequent meeting that he asked us to send a copy of it to Mr. Firth at GC Strategies.

That's correct. It was a PowerPoint presentation, to be specific, but it was exactly the same presentation, yes.

This is going to be a little long-winded, so I apologize. There were originally going to be two separate task authorizations, the first being more of a technical control review. That was in the amount of $255,000. The second task authorization was more procedural in nature, reviewing policies and procedures of the sort, and that was for $145,000, for a grand total of $400,000.

I did, from GC Strategies, yes. That is correct.

That is correct.

That is my understanding of what happened, yes.

I did not know the nature of GC Strategies' business in great depth. What I did know about them.... To give Mr. Firth credit, he thoroughly read a recent IT strategy we had posted in 2017-18 and sent an email, since obviously I had a public email address at the time, saying he had some suggestions on how I might be able to achieve some of those strategic objectives.

I didn't do any research into the company. I took the meeting as I would have with any other vendor who had come up with a good idea to investigate further.

I'm sorry....

I don't know the term that you used there, but what I would suggest is that he brought two valid products to the table. One was to secure communications, as I mentioned. One was digital identity. When I looked up those products, they're legitimate products that he had aligned himself with, so, you know, kudos to him for finding the right products out there.

We have records of all of these processes, and I'll take that back to the team to see what can be shared.

I don't recall that being one of the fields I talked about earlier that had to be filled out regarding personal meetings with the organization. The process is more about testing the legitimacy of the organization. I think we looked for any public knowledge of lawsuits or things of that nature, and nothing came up at that time.

No, not to my knowledge.

No.

Thanks for clarifying.

In my particular case, security clearances were certainly a requirement given the security nature of the work we were performing, and I can assure you that every member of my team had the requisite security clearance based on the role they had.

To clarify that statement, on those that were issued, a couple of the members of my team were required to have in-depth access, as you can imagine, to CBSA systems, and they required secret clearances. Other members of my team required reliability clearances, but all folks involved had the requisite clearance, yes.

Yes, we had the appropriate corporate security clearances, as did our consultants. We have a team that is responsible for making sure that's all in place on any contract.

Yes, we had all the security clearances.

We review all our fees and contracts to validate that we meet the security requirements, and we met the security requirements for our CBSA contracts.

We hold a security clearance as a company, and we validate the security clearance of the individuals that we place with the Government of Canada.

No. I've never met Mr. Anthony.

No.

No, not at all.

Me, personally? No, I have not.

I don't know, Lydia, if—

If I can clarify, the Auditor General did contact KPMG to confirm the information that was about to go out in the report ahead of time, just before the report was released, to confirm the details, and we complied with her request.

If I understand the question correctly, I believe you might have been referring to my statement about closing strategic and operational gaps.

Was that the reference?

Absolutely. Thank you.

Through the chair, I'll answer that, specifically in my field of cybersecurity, a lot of our work ends up being gap analysis type of work. This means assessing the security posture of systems today, assessing where they need to be and providing road maps on how to get to a state that best protects the information being held by the organization. Closing operational gaps.... That's the reference, certainly, with respect to the engagement I worked on.

I'll pass it to Ms. Lee to see if there's anything she wants to add.

As I said before, the last time we were here, the work we did on the Public Health Agency's ArriveCAN program was to help the Public Health Agency understand policy directions they might need to take, change or evolve with the COVID-19 pandemic. We reached out to our global colleagues to find out about global leading practices the Five Eyes or other jurisdictions were doing to help inform those policy directions. That was the nature of the type of support we were providing.

The first thing to state is that we had CBSA asking us to help them augment the security of a system that stored personal information for Canadians. That is squarely in our wheelhouse. I'm proud to have done that work and would do that particular work again for any government agency.

With respect to the question about GC Strategies, as I stated earlier today, if we were to go through that risk management process again, I strongly suspect flags would be raised and we would not proceed with the engagement through GC Strategies.

However, I don't want to take away from the fact that the work itself, we still believe and I'm proud to say, was useful.

When it comes to procurement, we have to follow the direction of the agency conducting the procurement. That is what we did at the time and what we would do going forward, relying on our processes afterwards to dictate whether or not it is acceptable for our firm to go forward with the work.

Going forward, I think we'll continue to work together as a partner group and make sure we assess the risks of all engagements to the best degree we can with the information we have at the time.

Again, I would point out that, having conducted this risk assessment in October 2021 with the information available at the time, I stand by the decision we made to proceed at that given time. Given the new information that has come to light since then, I suspect our decision would be different.

I don't have an exact date for you. I can give you a rough guess: some time in 2017 or 2018.

I think the level of documentation varies depending on the nature of the meeting. You know, a half-hour meeting with a vendor—

That's correct. At the time, my management knew I was meeting with Kristian Firth, yes.

I generally debriefed my leadership team on all vendor meetings.

I don't recall. It could have been an email.

I don't have access to my email.

Yes, I did, to the best of my knowledge. I don't have access to my old emails, but if I could speak generally—

At that particular time, it probably would have been.... I'm sorry. I've worked for a number of different.... In 2017 or 2018, if memory serves, it would have been Marc Brouillard.

To the best of my recollection, it was 2017 or 2018.

The reason I say that—

Well, the reason I say that—

If you'll allow me to answer, I know it was in relation to when we released our digital operations strategic plan. In my head, I remember writing that in 2017. I just don't recall when it was published. Mr. Firth would have contacted me after the publication of that digital operations strategic plan.

Respectfully, you're asking me about a meeting from seven years ago. I'm doing my best to recall. The Treasury Board Secretariat likely has access to my calendar, so I suggest that might be the fastest way to get the exact meeting invite.

Generally, what would happen after those types of meetings is that I debriefed my management team.

Debriefs could have occurred in writing or in person for this particular meeting.

I don't know the number of employees of every company, for sure, but I would say it wasn't uncommon to see subcontracting relationships between companies of all sizes.

I'm not aware of any times we wrote our own contracts. It's strictly forbidden.

That's correct.

I don't recall the details of that meeting. I couldn't give you an exact answer.

No, we were not permitted to meet with lobbyists.

I'm saying me personally. I don't know. My staff may have checked on my behalf as well.

On my specific contract, they were not involved in my delivery.

I cannot speak to what Mr. Utano and Mr. Firth did afterwards, but specific to the delivery of—

As I stated earlier, the two task authorizations totalled an amount of $400,000.

I do not have visibility into that.

That happened in May of 2020.

I think the Government of Canada can decide the way in which—

We would do business with any company that—

Could I complete the answer?

I'd like to complete the sentence. Thank you, Mr. Chair.

We would do business with any company that passes our risk management processes, as GC Strategies did at that time.

First, we had no ArriveCAN contracts. We had a call-up with the CBSA as a vehicle, and that vehicle was used.

I know that the Auditor General says $3 million. We immediately went and looked through all of our time sheets, and we were only able to identify $500,000.

In the federal government, procurement vehicles are brought up. We have a number of vehicles. We all do.

I can talk to you from my side, because I was also in the government and I had vehicles. Oftentimes, we needed to do some IT work, and it had to be done right away. We didn't have the resources, so we'd go through these vehicles.

We have such vehicles. We all do. We had three of those vehicles. One of them was never used at all. For two of them that were used, we identified at least half a million dollars through the time sheets.

Thank you for the member's question.

Just to clarify, our work at KPMG was a cybersecurity assessment post-development of the application itself, so I can't really comment on how it sped up the development of the app.

I can comment on the fact that we did help identify areas for improvement to enhance the security of the application for the benefit of Canadian citizens who used it.

As was previously mentioned, we think, from the time sheets of the work that was done, our team was building infrastructure on the AWS cloud to accept data and provide business intelligence reports back, but it was not only from Public Health. There were many other applications that were providing data into this infrastructure, so we were building this infrastructure on the AWS cloud.

I don't know if it helped speed up the app—I have no idea—but we were creating infrastructure for a number of different applications.

Well, you had to build something in the cloud, to sit in the cloud, so yes, it would help.

As I mentioned in our opening statement, we bid on and won two contracts with CBSA that went through a competitive process in which we were selected because of our value to the Crown. Yes, I think we delivered value to CBSA.

If I might, I would just say what I've already said, which is that all of our contracts were competitively procured through the RFP process. There was no sole source or anything. They were all in the RFP process, and we were successful in winning them through a very competitive process. These processes are very competitive.

Thank you for the member's question.

I just want to add, on behalf of KPMG, that we're really proud of the work we did to support both the Public Health Agency of Canada and CBSA during the COVID-19 pandemic. At the time, circumstances for both agencies were incredibly stressful. At all times we followed the government's preferred procurement process, and we did not influence that procurement process. We abided by it at their request. I just want to clarify that.

I have no additional clarifications at this time.

No, sir, they did not.

All in the lobby of 90 Elgin, from what I recall...yes.

I did not have any line of sight into that.

I did not have any line of sight into that either.

That's correct.

It's possible. I don't recall, but I don't recall the basement conversation coming up.

That is correct.

I don't know the details. I'll ask Ms. Lee after this to provide whatever details she can about our acceptance processes, which are executed by another team. My understanding is that they look into a variety of factors, including the board of directors or C-suite, any kind of—

My understanding is that they look for any public lawsuits, adverse media attention or things of that nature.

However, Ms. Lee, please, if I'm missing anything in our....

That's right. That's correct.

At that given time, given that these are point-in-time assessments, nothing of concern was raised.

That's correct.

At that time, my understanding was that he was exploring a variety of procurement options—