Audit of the Management of Third Party Arrangements

Management Response

Audit Report

Conducted By:
Internal Audit Directorate

Audit Report Approved August 18, 2009

---

• 1.0 Executive Summary
  • Introduction
  • Audit Objective and Scope
  • Findings and Recommendations
    • Governance
    • Controls
  • Statement of Assurance
    Audit Opinion
• 2.0 About the Audit
  • Background
  • Audit Objective and Scope
  • Methodology
• 3.0 Findings and Recommendations
  • Introduction
  • Governance
    • Finding 1: Guidance and Communications
    • Recommendation 1
  • Controls
    • Finding 2: Oversight of Third Party Arrangements
    • Recommendation 2:
    • Finding 3: Information Management
    • Recommendation 3:
• Appendix A - Audit Criteria

---

1.0 Executive Summary

Introduction

Like many other government departments and agencies; the Canadian Food Inspection Agency (CFIA) relies on third party arrangements to deliver certain aspects of its mandate. At present there are approximately 300 third party arrangements listed in the CFIA information management database (Central Registry) that help to deliver on CFIA’s mandate. These arrangements include Accreditation Arrangements, Collaborative Research Agreements, Confidentiality Agreements, Federal-Provincial-Territorial MOUs, Funding Agreements, General Memorandum of Understanding (MOUs), Information Sharing, International (Foreign Governments), Material Transfer Agreements, Sanitary and Phyto-sanitary Arrangements, Service Agreements, and Umbrella Agreements.

Audit Objective and Scope

The objective of this audit was to provide assurance to senior management that the Agency has effective controls in place to design, review, approve and monitor the management of third party arrangements. The audit was undertaken in keeping with the CFIA Risk-Based Audit Plan for 2006-09.

The scope of the audit focused on the management of third party arrangements across CFIA and was conducted over the period October, 2008 to April, 2009. Five (5) third party arrangements (three service agreements, one Memorandum of Understanding and one accreditation agreement) were selected for examination.

Findings and Recommendations

Governance

Finding 1:  Guidance and Communications

Formal guidance is in place for the development and approval of third party arrangements; but only for arrangements that are submitted for approval by the Program Delivery and Emergency Management Committee (PDEMC). Requirements and guidance for arrangements not considered by PDEMC are not well-communicated.

Recommendation 1:

Policy and Programs Branch should develop and communicate formal guidance and requirements for the development and approval of all third party arrangements, including those not submitted to Program Delivery and Emergency Management Committee.

Controls

Finding 2:  Oversight of Third Party Arrangements

There is limited guidance available, and the ongoing monitoring and risk assessment of third party arrangements is undertaken in an inconsistent manner.

Recommendation 2:

Policy and Programs Branch should develop and ensure the implementation of a consistent oversight approach (including accountability, monitoring and risk management) for all third party arrangements.

Finding 3:  Information Management

The information management database (Central Registry) used to track third party arrangements is out of date and incomplete.

Recommendation 3:

Policy and Programs Branch should ensure that an information system providing up-to-date and accurate information on all third party arrangements is established and utilized.

Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

Audit Opinion

In my opinion, CFIA has weaknesses, with low risk exposures, related to the governance and control processes for the management of third party arrangements that require management attention.

Peter Everson
Chief Audit Executive,
Canadian Food Inspection Agency

---

2.0 About the Audit

Background

Like many other government departments and agencies; the Canadian Food Inspection Agency (CFIA) relies on third party arrangements to deliver certain aspects of its mandate. At present there are approximately 300 third party arrangements listed in the CFIA information management database (Central Registry) that help to deliver on CFIA’s mandate. These arrangements include Accreditation Arrangements, Collaborative Research Agreements, Confidentiality Agreements, Federal-Provincial-Territorial MOUs, Funding Agreements, General Memorandum of Understanding (MOUs), Information Sharing, International (Foreign Governments), Material Transfer Agreements, Sanitary and Phyto-sanitary Arrangements, Service Agreements, and Umbrella Agreements.

The Program Delivery and Emergency Management Committee (PDEMC) is responsible for reviewing and approving third party arrangements for CFIA. The main purposes of PDEMC are to ensure that senior management has an opportunity to provide early input in the development of arrangements; to confirm the level of consultation with internal and external partners and stakeholders; and to increase the level of consistency into the development and approval of arrangements.

Objective and Scope

The objective of this audit was to provide assurance to senior management that the Agency has effective controls in place to design, review, approve and monitor the management of third party arrangements. The audit was undertaken in keeping with the CFIA Risk-Based Audit Plan for 2006-09.

The scope of the audit focused on the management of third party arrangements across CFIA and was conducted over the period of October, 2008 to April, 2009.

Methodology

Audit criteria were discussed with staff and management of Policy and Programs Branch, Legal Services and Finance, Administration and Information Technology (FAIT).

The approach included interviews, documentation review and analysis. Interviews were conducted with CFIA staff and management located across Canada from Policy and Programs Branch, Operations Branch, Science Branch, FAIT, Legal Services and Corporate Secretariat. Areas of assessment included:

• Completeness of third party arrangements (i.e. adequate coverage of legislative and regulatory requirements);
• Review and approval of third party arrangements; and
• Monitoring and oversight (e.g.: compliance, management and reporting).

Five (5) third party arrangements (three service agreements, one Memorandum of Understanding and one accreditation agreement) were selected for examination.

The audit was conducted in compliance with the Government of Canada’s Policy on Internal  Audit.

3.0 Findings and Recommendations

Introduction

This section presents detailed findings from the audit of the Management of Third Party Arrangements at the CFIA. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct. No findings are reported with regard to risk management.

Governance

Finding 1: Guidance and Communications

We expect that guidance for the third party arrangements should be readily available and that all third party arrangements that expose the Agency to significant business risks would be approved by the PDEMC and be properly documented for approval.

PDEMC is a senior management oversight body that reviews and approves new third party arrangements. This committee acts as a forum to discuss, and provide direction on major issues and initiatives which impact the delivery of CFIA programming, including emergency management, service delivery modernization, enforcement, performance information and audit or review findings. PDEMC is responsible for reviewing and approving CFIA agreements and MOUs related to program delivery and emergency management and ensures that they are consistent with the goals and policies of CFIA and are developed in accordance with Government of Canada and Treasury Board policies.

There is an approved terms of reference for PDEMC and membership includes senior executives from across the Agency. There is a mandate for the Committee that states it is to meet biweekly or at the call of the Chair. To date, meetings have taken place monthly.

Submissions to PDEMC are expected to cover strategic direction, legislative and regulatory requirements, central agency guidelines and standards, as well as business risks. Legal Services are expected to review and sign off on the arrangement before PDEMC considers it for approval. The objective of the review and approval process is to ensure that senior management has an opportunity to provide early input into the development of the third party arrangements and to increase the consistency into the development and approval of such arrangements across CFIA.

There has been no formal communication to Agency staff of the existence of the Program Delivery and Emergency Management Committee to date and many Agency staff are unaware that the new committee was in place.

Time and cost restraints limit the feasibility of having all new arrangements go to the PDEMC for approval; and there is limited guidance how to determine which arrangements may not require PDEMC review and approval (e.g.: determining level of business risk). There is also limited guidance available to proceed on arrangements that do not receive PDEMC review and approval (such as model/template MOU’s that have already been reviewed and approved by the Committee).

A number of guidance documents were produced for PDEMC’s predecessor (the Sub-Committee on Regulations and Agreements or SCRA). While it is not clear that the SCRA guidance was communicated to staff; it did outline the approval process and what type of arrangements required review by the Committee in that all third party arrangements other than Collaborative Research Agreements (CRA’s) and Material Transfer Agreements (MTA’s) were to go before the Committee for review and approval. SCRA guidance also exempted template MOU’s that had been reviewed and approved by the Committee. No similar documents were found for PDEMC.

In terms of other guidance, we found the following:

• Legal Services prepared a deck on ‘Presentation on Agreements by Legal Services to the CFIA Policy Committee’ in May, 2008. The deck includes a section that deals with circumstances where Legal Services should be contacted for legal advice.
• In May, 2005 the Science Branch prepared a deck on ‘Arrangement/MOU Review & Approval Process’. The deck outlined the objective of the review and approval process, what types of arrangements are subject to review and approval, what types are excluded, steps in the process and who to contact for more information.
• CFIA’s Program Policy Integration Division has been tasked with developing a CFIA Policy on development of alternative service delivery mechanisms that will provide guidance for and consistency across the Agency. While this policy is intended to address the many considerations for developing an alternative service delivery mechanism; it does not exist and no deadline for the policy has been set.

The Agency is at increased risk if arrangements are entered into without PDEMC review and approval (including review by Legal Services) or appropriate guidance. Such arrangements may be entered into without considering; how the arrangement supports the CFIA’s mandate and strategic direction, what regulatory and legislative requirements are involved, central agency guidelines, risk management, and potential financial losses, litigation and damage to the Agency’s reputation.

Recommendation 1:

Policy and Programs Branch should develop and communicate formal guidance and requirements for the development and approval of all third party arrangements, including those not submitted to Program Delivery and Emergency Management Committee.

Controls

Finding 2: Oversight of Third Party Arrangements

We expected that CFIA would maintain adequate oversight over all third party arrangements to minimize potential exposure to significant financial loss, damage to the Agency’s reputation and failure to meet required regulatory and legislative authorities. We expected that third party arrangements would be reviewed on a continuous basis to ensure that performance is consistent with the terms of the written arrangement and that the risks are being assessed and mitigated appropriately.

Each of the five arrangements we examined took advantage of their right to monitor third party performance; little consistency exists as to how this is undertaken however. Some completed audit work, while others used concurrent auditing, and another a ‘Quality Management System’. Concurrent auditing takes place when the Agency pairs one of their own inspectors with one of the third party inspectors in order to oversee the inspection. This technique allows the Agency to determine whether prescribed techniques are being used and rules and regulations followed.

There are no guidelines or best practices for managers and each manager has flexibility in determining their approach to audit or performance measurement. This is also true of ongoing monitoring; with some attending client Board meetings, some undertaking formal training sessions, and others engaging in informal discussions - either at regular intervals or on an as needed basis. No reassessment of risk during the life of these arrangements is undertaken; although risk is assessed at the PDEMC review and approval stage.

Without clear direction on accountability and a consistent approach to third party oversight; monitoring and risk management will remain inconsistent and may increase the risk that third party arrangements do not achieve the purposes intended and are inconsistent with CFIA priorities and objectives.

Recommendation 2:

Policy and Programs Branch should develop and ensure the implementation of a consistent oversight approach (including accountability, monitoring and risk management) for all third party arrangements.

Finding 3: Information Management

We would expect that the Agency would maintain a complete and current information system to track and account for all third party arrangements.

There is a process in place to record, store and handle the information however, it has not been properly communicated. Individuals who used the PDEMC may be aware they are to store the original document with Central Registry; however, those who didn’t go through this process may not be aware it exists. The former SCRA maintained a central registry with all original, signed arrangements housed in one place. Once signed, all arrangements were to be submitted to the Agency Agreement/MOU Analyst, logged and forwarded to the Central Registry. Based on interviews with the Analyst this process has not changed for PDEMC.

Our examination of the registry revealed that arrangements listed in the Central Registry include those approved through SCRA or PDEMC and signed and returned to the Agency Agreement/MOU Analyst. Completed arrangements are sent for entry and filing. If however, the arrangement is approved through PDEMC and a final signed copy is not sent to the Analyst it is not entered into the Central Registry; although follow-ups are done to try and prevent this. Agreements not approved by the PDEMC are included only if those responsible are aware that the central file registry is intended to house the original and they provide it.

The Central Registry is out-of-date (listing both current and expired agreements) as no role has been assigned to task anyone with tracking expired agreements. The Central Registry is responsible for entering and housing the original arrangements received and the Agency Agreement/MOU Analyst is responsible for forwarding the arrangements to the Central Registry.

In an effort to keep the list current and accurate, the Analyst will periodically send out a call letter to Agency Branches asking for an update. This does not ensure that all of the agreements are listed. Legal Services attempted to obtain a complete list with the Agency Agreement/MOU Analyst’s help, but was unable to complete the task.

A sample of 11 arrangements from the most recent Analyst call letter sample was tested at the Central Registry to determine whether arrangements listed by the Branches as current had original documents recorded and housed with the Central Registry. Two arrangements had expired arrangements on file, one had a copy instead of the original on file, one arrangement had no documentation on file, and one arrangement was not recorded.

Without a complete, accurate and timely inventory of third-party arrangements; there is a risk that senior management and staff are unable to account for the Agency’s level of involvement with third parties (number and materiality) or to ensure that these arrangements provide services and results that are in keeping with CFIA priorities and objectives.

Recommendation 3:

Policy and Programs Branch should ensure that an information system providing up-to-date and accurate information on all third party arrangements is established and utilized.

---

Appendix A:  Audit Criteria

Design and Development

• Third party arrangements are prepared according to central agencies guidelines and standards (e.g. TBS).
• Business risks and needs are adequately assessed at the development stage.
• Third party arrangements clearly identify all legislative and regulatory requirements that are to be carried out by third party on behalf of the CFIA.

Review and Approval

• A senior management committee is established to review and approve third party arrangements.
• The mandate, purpose, composition, and roles and responsibilities of the assigned senior management committee (e.g. SCRA, PDEMC) is properly documented and communicated.
• The mandate has been formally communicated to relevant internal and external stakeholders.
• All information including draft copy of arrangement and submission form must be submitted to senior management committee (e.g. SCRA, PDEMC) in advance of the scheduled meeting date to permit sufficient time to review.

Information Management

• Effective and efficient process in place to record, store and handle all information and documents related to third party arrangements.
• Central Registry database is complete, valid and up to date.

Monitor and Oversight

• CFIA has rights to monitor third party performance which is clearly disclosed in applicable arrangements.
• Responsibility for monitoring and updating performance measures is clear and communicated.
• The parties meet on a regular basis to inform and consult on: legislation, programs, policies, and procedures, new activities and initiatives.
• Active monitoring is clearly demonstrated and performance is reviewed on a periodic basis and updated as required.
• Results of performance measurement are documented, are reported to required authority.
• Audit work is completed as required by third party arrangements.