Audit Report
Conducted By:
Internal Audit Directorate
Audit Report Approved August 18, 2009
Like many other government departments and agencies; the Canadian Food Inspection Agency (CFIA) relies on third party arrangements to deliver certain aspects of its mandate. At present there are approximately 300 third party arrangements listed in the CFIA information management database (Central Registry) that help to deliver on CFIA’s mandate. These arrangements include Accreditation Arrangements, Collaborative Research Agreements, Confidentiality Agreements, Federal-Provincial-Territorial MOUs, Funding Agreements, General Memorandum of Understanding (MOUs), Information Sharing, International (Foreign Governments), Material Transfer Agreements, Sanitary and Phyto-sanitary Arrangements, Service Agreements, and Umbrella Agreements.
The objective of this audit was to provide assurance to senior management that the Agency has effective controls in place to design, review, approve and monitor the management of third party arrangements. The audit was undertaken in keeping with the CFIA Risk-Based Audit Plan for 2006-09.
The scope of the audit focused on the management of third party arrangements across CFIA and was conducted over the period October, 2008 to April, 2009. Five (5) third party arrangements (three service agreements, one Memorandum of Understanding and one accreditation agreement) were selected for examination.
Finding 1: Guidance and Communications
Formal guidance is in place for the development and approval of third party arrangements; but only for arrangements that are submitted for approval by the Program Delivery and Emergency Management Committee (PDEMC). Requirements and guidance for arrangements not considered by PDEMC are not well-communicated.
Recommendation 1:
Policy and Programs Branch should develop and communicate formal guidance and requirements for the development and approval of all third party arrangements, including those not submitted to Program Delivery and Emergency Management Committee.
Finding 2: Oversight of Third Party Arrangements
There is limited guidance available, and the ongoing monitoring and risk assessment of third party arrangements is undertaken in an inconsistent manner.
Recommendation 2:
Policy and Programs Branch should develop and ensure the implementation of a consistent oversight approach (including accountability, monitoring and risk management) for all third party arrangements.
Finding 3: Information Management
The information management database (Central Registry) used to track third party arrangements is out of date and incomplete.
Recommendation 3:
Policy and Programs Branch should ensure that an information system providing up-to-date and accurate information on all third party arrangements is established and utilized.
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.
In my opinion, CFIA has weaknesses, with low risk exposures, related to the governance and control processes for the management of third party arrangements that require management attention.
Peter Everson
Chief Audit Executive,
Canadian Food Inspection Agency
Like many other government departments and agencies; the Canadian Food Inspection Agency (CFIA) relies on third party arrangements to deliver certain aspects of its mandate. At present there are approximately 300 third party arrangements listed in the CFIA information management database (Central Registry) that help to deliver on CFIA’s mandate. These arrangements include Accreditation Arrangements, Collaborative Research Agreements, Confidentiality Agreements, Federal-Provincial-Territorial MOUs, Funding Agreements, General Memorandum of Understanding (MOUs), Information Sharing, International (Foreign Governments), Material Transfer Agreements, Sanitary and Phyto-sanitary Arrangements, Service Agreements, and Umbrella Agreements.
The Program Delivery and Emergency Management Committee (PDEMC) is responsible for reviewing and approving third party arrangements for CFIA. The main purposes of PDEMC are to ensure that senior management has an opportunity to provide early input in the development of arrangements; to confirm the level of consultation with internal and external partners and stakeholders; and to increase the level of consistency into the development and approval of arrangements.
The objective of this audit was to provide assurance to senior management that the Agency has effective controls in place to design, review, approve and monitor the management of third party arrangements. The audit was undertaken in keeping with the CFIA Risk-Based Audit Plan for 2006-09.
The scope of the audit focused on the management of third party arrangements across CFIA and was conducted over the period of October, 2008 to April, 2009.
Audit criteria were discussed with staff and management of Policy and Programs Branch, Legal Services and Finance, Administration and Information Technology (FAIT).
The approach included interviews, documentation review and analysis. Interviews were conducted with CFIA staff and management located across Canada from Policy and Programs Branch, Operations Branch, Science Branch, FAIT, Legal Services and Corporate Secretariat. Areas of assessment included:
Five (5) third party arrangements (three service agreements, one Memorandum of Understanding and one accreditation agreement) were selected for examination.
The audit was conducted in compliance with the Government of Canada’s Policy on Internal Audit.
This section presents detailed findings from the audit of the Management of Third Party Arrangements at the CFIA. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct. No findings are reported with regard to risk management.
Formal guidance is in place for the development and approval of third party arrangements; but only for arrangements that are submitted for approval by the Program Delivery and Emergency Management Committee (PDEMC). Requirements and guidance for arrangements not considered by PDEMC are not well-communicated.
We expect that guidance for the third party arrangements should be readily available and that all third party arrangements that expose the Agency to significant business risks would be approved by the PDEMC and be properly documented for approval.
PDEMC is a senior management oversight body that reviews and approves new third party arrangements. This committee acts as a forum to discuss, and provide direction on major issues and initiatives which impact the delivery of CFIA programming, including emergency management, service delivery modernization, enforcement, performance information and audit or review findings. PDEMC is responsible for reviewing and approving CFIA agreements and MOUs related to program delivery and emergency management and ensures that they are consistent with the goals and policies of CFIA and are developed in accordance with Government of Canada and Treasury Board policies.
There is an approved terms of reference for PDEMC and membership includes senior executives from across the Agency. There is a mandate for the Committee that states it is to meet biweekly or at the call of the Chair. To date, meetings have taken place monthly.
Submissions to PDEMC are expected to cover strategic direction, legislative and regulatory requirements, central agency guidelines and standards, as well as business risks. Legal Services are expected to review and sign off on the arrangement before PDEMC considers it for approval. The objective of the review and approval process is to ensure that senior management has an opportunity to provide early input into the development of the third party arrangements and to increase the consistency into the development and approval of such arrangements across CFIA.
There has been no formal communication to Agency staff of the existence of the Program Delivery and Emergency Management Committee to date and many Agency staff are unaware that the new committee was in place.
Time and cost restraints limit the feasibility of having all new arrangements go to the PDEMC for approval; and there is limited guidance how to determine which arrangements may not require PDEMC review and approval (e.g.: determining level of business risk). There is also limited guidance available to proceed on arrangements that do not receive PDEMC review and approval (such as model/template MOU’s that have already been reviewed and approved by the Committee).
A number of guidance documents were produced for PDEMC’s predecessor (the Sub-Committee on Regulations and Agreements or SCRA). While it is not clear that the SCRA guidance was communicated to staff; it did outline the approval process and what type of arrangements required review by the Committee in that all third party arrangements other than Collaborative Research Agreements (CRA’s) and Material Transfer Agreements (MTA’s) were to go before the Committee for review and approval. SCRA guidance also exempted template MOU’s that had been reviewed and approved by the Committee. No similar documents were found for PDEMC.
In terms of other guidance, we found the following:
The Agency is at increased risk if arrangements are entered into without PDEMC review and approval (including review by Legal Services) or appropriate guidance. Such arrangements may be entered into without considering; how the arrangement supports the CFIA’s mandate and strategic direction, what regulatory and legislative requirements are involved, central agency guidelines, risk management, and potential financial losses, litigation and damage to the Agency’s reputation.
Policy and Programs Branch should develop and communicate formal guidance and requirements for the development and approval of all third party arrangements, including those not submitted to Program Delivery and Emergency Management Committee.
There is limited guidance available, and the ongoing monitoring and risk assessment of third party arrangements is undertaken in an inconsistent manner.
We expected that CFIA would maintain adequate oversight over all third party arrangements to minimize potential exposure to significant financial loss, damage to the Agency’s reputation and failure to meet required regulatory and legislative authorities. We expected that third party arrangements would be reviewed on a continuous basis to ensure that performance is consistent with the terms of the written arrangement and that the risks are being assessed and mitigated appropriately.
Each of the five arrangements we examined took advantage of their right to monitor third party performance; little consistency exists as to how this is undertaken however. Some completed audit work, while others used concurrent auditing, and another a ‘Quality Management System’. Concurrent auditing takes place when the Agency pairs one of their own inspectors with one of the third party inspectors in order to oversee the inspection. This technique allows the Agency to determine whether prescribed techniques are being used and rules and regulations followed.
There are no guidelines or best practices for managers and each manager has flexibility in determining their approach to audit or performance measurement. This is also true of ongoing monitoring; with some attending client Board meetings, some undertaking formal training sessions, and others engaging in informal discussions - either at regular intervals or on an as needed basis. No reassessment of risk during the life of these arrangements is undertaken; although risk is assessed at the PDEMC review and approval stage.
Without clear direction on accountability and a consistent approach to third party oversight; monitoring and risk management will remain inconsistent and may increase the risk that third party arrangements do not achieve the purposes intended and are inconsistent with CFIA priorities and objectives.
Policy and Programs Branch should develop and ensure the implementation of a consistent oversight approach (including accountability, monitoring and risk management) for all third party arrangements.
The information management database (Central Registry) used to track third party arrangements is out of date and incomplete.
We would expect that the Agency would maintain a complete and current information system to track and account for all third party arrangements.
There is a process in place to record, store and handle the information however, it has not been properly communicated. Individuals who used the PDEMC may be aware they are to store the original document with Central Registry; however, those who didn’t go through this process may not be aware it exists. The former SCRA maintained a central registry with all original, signed arrangements housed in one place. Once signed, all arrangements were to be submitted to the Agency Agreement/MOU Analyst, logged and forwarded to the Central Registry. Based on interviews with the Analyst this process has not changed for PDEMC.
Our examination of the registry revealed that arrangements listed in the Central Registry include those approved through SCRA or PDEMC and signed and returned to the Agency Agreement/MOU Analyst. Completed arrangements are sent for entry and filing. If however, the arrangement is approved through PDEMC and a final signed copy is not sent to the Analyst it is not entered into the Central Registry; although follow-ups are done to try and prevent this. Agreements not approved by the PDEMC are included only if those responsible are aware that the central file registry is intended to house the original and they provide it.
The Central Registry is out-of-date (listing both current and expired agreements) as no role has been assigned to task anyone with tracking expired agreements. The Central Registry is responsible for entering and housing the original arrangements received and the Agency Agreement/MOU Analyst is responsible for forwarding the arrangements to the Central Registry.
In an effort to keep the list current and accurate, the Analyst will periodically send out a call letter to Agency Branches asking for an update. This does not ensure that all of the agreements are listed. Legal Services attempted to obtain a complete list with the Agency Agreement/MOU Analyst’s help, but was unable to complete the task.
A sample of 11 arrangements from the most recent Analyst call letter sample was tested at the Central Registry to determine whether arrangements listed by the Branches as current had original documents recorded and housed with the Central Registry. Two arrangements had expired arrangements on file, one had a copy instead of the original on file, one arrangement had no documentation on file, and one arrangement was not recorded.
Without a complete, accurate and timely inventory of third-party arrangements; there is a risk that senior management and staff are unable to account for the Agency’s level of involvement with third parties (number and materiality) or to ensure that these arrangements provide services and results that are in keeping with CFIA priorities and objectives.
Policy and Programs Branch should ensure that an information system providing up-to-date and accurate information on all third party arrangements is established and utilized.
Design and Development
Review and Approval
Information Management
Monitor and Oversight