Introduction 3.1 Since 2005, the Department of Health (the Department) has undertaken significant work to advance the Electronic Health (EHealth) initiative and a One Patient One Record vision. Key components in that vision include: Electronic Health Records (EHR), a Client Registry, a Provider Registry, a Diagnostic Imaging Repository, and a Drug Information System. 3.2 EHealth is an integrated set of information and communication technologies, together with related health delivery process enhancements, intended to enable the efficient and sustainable delivery of healthcare services over the full continuum of care, through the provision of integrated health information systems, tools and processes. 3.3 A key partner is Canada Health Infoway (Infoway) which provides funding for various EHealth projects. Infoway is an independent not-for-profit corporation created by Canada’s First Ministers in 2001 to foster and accelerate the development and adoption of Electronic Health Record systems with compatible standards and communications technologies. 3.4 Prior to December 2011, EHealth projects were directly administered by the Innovation, E-Health and Office of Sustainability branch of the Department of Health. Operational and maintenance/support activities relating to all health technology systems were administered by the Information Technology Services branch. The Department merged these two branches into a new branch called Health Business and Technology Solutions in December 2011. The Branch was created to facilitate the design, implementation and operations of technology initiatives within the New Brunswick healthcare system. 3.5 EHealth in New Brunswick is delivered collaboratively by the Department of Health, Facilicorp NB, and the Regional Healthcare Authorities (RHAs). Why we audited the EHealth initiative 3.6 During 2009, concerns were brought to the attention of the Office of the Comptroller (OoC) relating to the EHealth development projects and operational activities administered by the Innovation, EHealth and the Office of Sustainability branch. Specifically noted were potential conflicts of interest, concerns around the procurement process for professional services and possible deficiencies in contract management practices. OoC reviewed 15 of the 40 IT professional services contracts that had been signed as of April 2009. Based on its review, OoC concluded the concerns brought forward were valid and made 10 recommendations to the Department. 3.7 In May 2011, the Department released, through a Right to Information request, a redacted version of the OoC internal audit report. The report focused on the contract procurement process for a sample of EHealth related contracts and found a series of problems regarding how contracts were awarded and managed within the Department. The Minister of Health subsequently announced that the Department would have a review conducted of all EHealth related development and operational contracts from 2005 forward. 3.8 In August 2011, our Office was approached by the Department of Health regarding an audit of the EHealth projects and operational activities. We considered two primary factors when deciding to take on this engagement. First, the impact of the EHealth program on New Brunswickers is significant. The implementation EHealth systems will fundamentally affect how health care transactions are recorded, collected, stored, and accessed. It, in turn, will significantly impact the quality of the whole health care system. Secondly, the Auditor General of Canada and the auditors general of six provinces (Alberta, British Columbia, Nova Scotia, Ontario, Prince Edward Island, and Saskatchewan) conducted concurrent performance audits of the development and implementation of Electronic Health Records (EHRs)in their respective jurisdictions during 2009 and 2010. Significant findings were reported. It was agreed with the Department that our office would test 100% of the EHealth development project and operational support contracts. Audit Objectives and Scope 3.9 The objectives of our audit were: * to determine if the Department of Health complied with the Government procurement policy for purchases of services related to the E-Health initiative * to determine if conflict of interest exists in the use of consultants/contractors. 3.10 Our audit was performed in accordance with standards for assurance engagements, encompassing value for money and compliance, established by the Canadian Institute of Chartered Accountants, and accordingly included such tests and other procedures as we considered necessary in the circumstances. 3.11 Our audit work included but was not limited to the following: * interviews with staff of Department of Health and Department of Supply and Services; * interviews with staff of the internal audit team of OoC; * interview with the Chief Information Officer of Management Board; * review of the Province’s guidelines and legislation with respect to purchase of services and conflict of interest; * review of related internal policies and procedures of the Department; and * examination and testing of contract related documents held by the Department of Health and the Department of Supply and Services. Results in Brief Compliance with government procurement policy 3.12 We examined all 289 EHealth development project and operational support contracts (valued at $108.5 million) signed from 2005 to 2011. During our testing, we found 57 instances of noncompliance in the procurement of IT services, particularly: * requirements for exemption from the competitive bidding process not met; * proper contract approval process not followed; and * proper contract amendment process not followed. 3.13 We also noted that the Department made frequent amendments to original contracts. In fact, 59% (67 of 114) of the originally signed contracts were amended on average 2.6 times. 3.14 We realize that it was the Department’s normal practice to divide complex or large IT development projects into several phases and the next phase was always treated as an amendment to the previous one. We also understand amendments were not totally avoidable, given the magnitude and complexity of some projects. However, during our testing we found 24 amendments valued at $7.6 million for system maintenance and operation contracts. We believe for regular system maintenance and operation, as well as routine IT development projects, the Department should have been able to define the scope, deliverables, timelines and the costs to complete the work before entering into contracts. Changes to original contracts creates a risk of project delays and cost overruns, and should be avoided wherever possible. 3.15 It should be noted the Department had put procedures in place to address the OoC recommendations by the time of our audit. Conflict of interest 3.16 During the period under audit with respect to conflict of interest we found the Department relied on consultants extensively for the EHealth initiative. The following three situations appear to have placed external service providers in a conflict of interest position: * The Department contracted consultants as project managers who managed their own firms contracts and/or could access competitor information. * Consultants were part of project evaluation committees tasked with recommending which consultants should be engaged for individual projects. * A consultant was a key member of the EHealth Steering Committee, a position of influence over governance and oversight of EHealth projects and operations. 3.17 Our findings were consistent with those of the OoC. The OoC report included recommendations to address all of these concerns. 3.18 We further noted the Department has put procedures in place to address the OoC recommendations: * The Department is still relying on external resources in some cases to staff project manager positions, but with additional restrictions. For example, external project managers cannot see other firms’ rates when they approve the timesheets for other firms’ personnel and project spending. * A contractor’s firm is not allowed to respond to a Request for Proposal if a member of their staff is part of the project evaluation committee or acting as a project manager for the project. * The external consultant who was a key member of the EHealth Steering Committee is no longer with the Department due to contract expiry. Currently all members of the steering committee are internal permanent employees of the Department of Health. Compensation of Consultants 3.19 Project managers of the two largest multi-year projects under the EHealth initiative are consultants. The Department paid almost $1.5 million to an IT firm for one project manager from 2005 to 2011. It paid another IT firm more than $700,000 for a three year period from 2009 to 2012 for the other project manager. It also contracted a third consultant for ongoing system operation and maintenance support from 2006 to 2011 and paid more than $1.2 million. 3.20 In total, this is over $3.4 million paid to three consultants over six years, averaging more than $200,000 per individual per year. In addition, to the $3.4 million the Department provided office space and equipment to contracted consultants. 3.21 In these three cases, we believe the use of consultants was significantly more costly to the Province than had this work been completed by departmental staff. (i.e. in-sourced) 3.22 In our opinion there are savings that could be realized by in-sourcing the performance of ongoing IT systems operation and maintenance work. Where the expertise to handle this work does not currently exist internally, the Department could contract consultants in the shorter term. Such contracts could provide both for the completion of necessary operation and maintenance work, and the transfer of knowledge to Departmental staff. This would allow responsibility for completion of this work to be transferred to less costly internal resources in the longer term. Implications for the rest of government 3.23 We were informed numerous times during our work that practices with respect to the use of IT consultants are similar elsewhere in government to what we observed at the Department of Health. This would imply many of the procurement and conflict of interest issues our Office, and the OoC, identified in connection with the EHealth initiative may exist in other departments and Crown agencies. 3.24 We believe this is an area that should be addressed by government. From discussions with the recently appointed Chief Information Officer (CIO) of Management Board, we understand that the role of his office will include setting government-wide policies for the procurement of IT resources. It will also include monitoring departmental activity to ensure that CIO policies are being complied with. Recommendations 3.25 Recommendations from our findings and the OoC report are found in Exhibit 3.1. Exhibit 3.1 – Summary of Recommendations Source Recommendations Department’s Response Target Date for Implementation Objective One: Compliance with government procurement policy Office of the Comptroller 3.50 The findings in the OoC’s report are consistent with ours. Recommendations regarding the procurement process from the OoC’s report are applicable to our findings as well. The OoC’s recommendations included: * Contract managers should ensure that the requirements of the Public Purchasing Act are followed. Documentation should be maintained supporting Minister’s exemptions particularly when the exemption for Specific Skills or Sole Source of supply is used. * A purchase order should be obtained prior to the payment of any amounts and the value of the purchase order should not be exceeded. * A signed statement of work should always be obtained prior to the commencement of the project. * When contracts are negotiated and signed with vendors, only contracts drafted by PNB should be utilized. Vendor contracts should not be used. Health is preparing a refresher communication for managers with respect to the requirements of the Public Purchasing Act. Documentation related to any exemption request will be maintained by the Corporate Support Services Branch. The Department of Health currently establishes commitment amounts upon receipt of a purchase order and tracks payments against the commitment. The Financial Services Branch along with the Corporate Services Branch of the Department of Health will review this process to ensure purchase orders cannot be exceeded. The Department of Health will amend its current contract management process to include the statement of work documentation with the contract’s signing documentation. This documentation will be signed prior to commencement of the work. The Department of Health implemented a detailed contract management process in 2007. This process continues to be updated and now includes a series of contract templates to ensure the Department’s best interests are protected. The Department’s templates are now used with few exceptions (exceptions would only include examples such as Microsoft software licensing agreements). Exhibit 3.1 – Summary of Recommendations (continued) Source Recommendations Department’s Response Target Date for Implementation Objective One: Compliance with government procurement policy Office of the Auditor General 3.51 In addition to the recommendations made by the OoC, we recommend: * To avoid frequent contract amendments, the Department of Health adequately plan and define the scope, deliverables, timelines and costs for each IT contract and complete all required documentation before signing contracts or allowing work to commence; and DOH [Department of Health] has a formal Project Management Framework in place that specifies all required steps in the planning and implementation of a project. This includes a formal process for procurement and contracting of external resources when required. Statements of Work (SOW) are developed for all projects. The Contract Officer reviews all IT SOWs with the Director of Development and Delivery to ensure they are as detailed and complete as possible before issue of any SOW or RFP[Request for Proposal], and again prior to the completion of a contract. Implemented * In the event contract amendments are required, the Department of Health properly prepare and approve change requests and amendments to original contract agreements. Since the amalgamation of the E-health and ITS [Information Technology Services] branches to form HBTS [Health Business and Technology Solutions], Change Request policies, procedures and forms have been standardized to eliminate any problems with the approval of Change Requests and the amendment of contracts. This includes the review of all change requests by a committee to ensure due diligence is followed and to recommend an appropriate course of action. Implemented. Exhibit 3.1 – Summary of Recommendations (continued) Source Recommendations Department’s Response Target Date for Implementation Objective Two: Conflict of Interest Office of the Comptroller 3.69 In general, the findings in the OoC’s report were consistent with ours. The OoC’s recommendations related to conflict of interest are applicable to our findings in this area as well. The OoC’s recommendations included: * Employees and contractors should sign off as having read and understood AD-2915 (Conflict of Interest) on an annual basis. For employees, this could be incorporated as part of their annual performance review. As stated in AD-2915 employees must advise the Senior Executive Officer of any conflict of interest situation in which they find themselves. Documentation should be maintained. * Managers and directors should familiarize themselves with the meaning and definition of an "apparent conflict of interest ". A suggested reading could be the document on this topic published by the Treasury Board of Canada Secretariat. * Contractors should not occupy management positions within the department. Where the situation is unavoidable, the contractor should be strictly limited to the financial information which they can access particularly with respect to competitor’s information. All staff and contractors of Information Systems have read AD-2915. There have not been any conflicts of interest declared. This will be an annual process. The Executive Management Committee of Health will incorporate this practice into the annual performance appraisal process for the Department. This has been completed within Information Systems. It has generated considerable awareness and discussion amongst and has increased awareness of the issue. The two contracts where this applies expire before the summer of 2011. Both of these positions have been identified for transition to Health employees. In the event that the recruitment process does not identify a candidate for full-time employment then Health will consider its options. In the event that either of these positions, or any other management position, becomes occupied by a contractor, then all of the actions recommended in this report will be implemented. Any other actions relevant to the specifics of the situation will also be implemented. Exhibit 3.1 – Summary of Recommendations (continued) Source Recommendations Department’s Response Target Date for Implementation Objective Two: Conflict of Interest (continued) Office of the Comptroller * Where contractors are members of project steering committees, they should not take part in any discussions surrounding the contracting/outsourcing of any work for the project. * Contractors should be required to disclose business relationships with other contractors working in the department when a partnership or joint venture type relationship exists. * If a Project Manager or member of a Steering Committee is a contractor and also a partner or principal of a consulting firm, the department should refrain from hiring other contractors from the same company on the project. This has been implemented. Contractors will be asked to leave the meeting and the minutes of the meeting will reflect that. This will become a standard requirement in all contracts within the Department of Health. The requirement will not be restricted to information services. This will be a standard requirement in both the RFP and the resulting contract for this situation. Office of the Auditor General 3.70 We recommend the Department of Health develop and implement a plan to eliminate reliance on consultants serving as project managers and prohibit consultants from serving as members of RFP evaluation committees or project steering committees. HBTS has three staff Project Managers who are working to capacity with existing projects. If projects are required which exceed existing staff capacity consultants will be required to augment staff. However, the default is to use existing staff whenever feasible. Consultants have not served as members of RFP evaluation committees or project steering committees since the audit by OOC. Implemented Exhibit 3.1 – Summary of Recommendations (continued) Source Recommendations Department’s Response Target Date for Implementation Office of the Auditor General Other Findings – Compensation of Consultants 3.81 We recommend the Department of Health develop and implement a plan to in-source all IT operation and maintenance functions over the next two years. DOH has begun the insourcing of selected IT operation and maintenance functions by insourcing the team leads of the application teams. This began in December of 2011 and all team leads have been insourced since that date. DOH is also transitioning relevant infrastructure services to FacilicorpNB as feasible as well as selected maintenance contracts. DOH is developing a business case for submission to OHR [Office of Human Resources] for the insourcing of selected IT positions over the next two years. The capacity to implement the insourcing will be dependent on the ability of DOH to obtain positions, the classifications required to recruit specialized talent as well as efficient and effective recruitment processes. Began in December 2011. Exhibit 3.1 – Summary of Recommendations (continued) Source Recommendations Department’s Response Target Date for Implementation Office of the Auditor General Other Findings – Implications for the Rest of Government Office of the Chief of Information Officer 3.85 We recommend the Office of the Chief Information Officer develop and monitor compliance with a government-wide policy relating to the procurement, contracting and management of IT consultants. That policy should address and mitigate risks regarding procurement and conflict of interest of consultants, and clearly state when the use of internal IT resources is more appropriate. As a minimum, the policy should require that: As we continue to establish the new Office of the Chief Information Officer, we will develop an IM [Information Management] and ICT [Information and Communications Technology] service, procurement-related, policy and in doing so will consider the risk findings raised in this audit. Once the policy is implemented, OCIO utilize a policy compliance process to monitor compliance. Implement in 2013-2014 Q1 * the primary role of IT consultants be to provide specialized expertise to government, typically for development initiatives; * IT operations and maintenance work be in-sourced, with allowances made for knowledge transfer from private sector experts in the shorter term; * a competitive bidding process, in compliance with all pertinent government legislation, be followed for the selection of consultants; * any exemption from the competitive bidding process be properly authorized and made for sound business reasons defensible to the public; * there is sufficient in house government expertise to effectively oversee and manage the work of consultants before a project is started; * the opportunity for real or perceived conflict of interest on the part of contracted consultants is mitigated, in part by requiring that project managers, and members of key project committees be staffed exclusively with in-house resources; and * provincial remuneration levels for IT staff not act as a barrier to the ability of government to hire and retain needed internal IT resources on a permanent basis. Detailed Observations Background 3.26 During 2009, concerns were brought to the attention of the OoC relating to the EHealth contracts administered by the Department. Specifically noted were potential conflicts of interest, concerns around the procurement process for professional services and possible deficiencies in contract management practices. OoC reviewed 15 of the 40 IT professional services contracts signed as of April 2009. 3.27 Based on its review, OoC concluded the concerns brought forward were valid. OoC made ten recommendations to the Department. 3.28 After the results of the OoC report were made public, we were approached by the Department to examine all 289 IT services contracts from 2005 to 2011 to determine if additional problems existed. These contracts were valued at $108.5 million and are summarized in Exhibit 3.2. Exhibit 3.2 - Summary of contract information Contract type Number of contracts Amount (millions) Original contract 114 $78.4 Amendments to original contract 175 $30.1 Total 289 $108.5 3.29 Our work covered the six year period between 2005 and 2011. Departmental and government-wide policies, procedures and requirements changed over that time. Audit Objective 1 3.30 Our first objective was: to determine if the Department of Health complied with the Government procurement policy for purchases of services related to the E-Health initiative. 3.31 We used four criteria to assess this objective. They are listed in Appendix I. 3.32 The Public Purchasing Act and Regulation is the primary legislation covering all the procurement of IT services. The thresholds for purchase of services and associated processing procedures are documented in Appendix II. 3.33 There are also some internal policies and procedures at the Department which outline how IT service procurement should be processed. The details are provided in Appendix III. 3.34 During our testing, we found 57 instances of noncompliance in the procurement of IT services. They are summarized in Exhibit 3.3 below: Exhibit 3.3 - Summary of non-compliance related to IT service procurement policy Instances of non-compliance Number of cases Contract value ($ 000s) Requirement for exemption from competitive bidding process not met 15 $4,945 Sole source exemption requirements not met 12 2,840 Only one quote obtained for contract under $10,000 2 20 Insufficient documentation to support urgency exemption 1 2,085 Proper contract approval process not followed 12 11,133 Contracts started without valid purchase order 4 4,886 Evaluation process not documented properly 4 3,119 Contract approved after start of contract 2 371 Evaluation results not signed off by evaluation committee 2 2,757 Proper contract amendment process not followed 30 15,655 No properly prepared contract amendment 12 4,883 No change request form prepared 9 9,290 Reason for extension not on file 7 606 Purchase order not amended 2 876 Total issues identified 57 $31,733 3.35 In addition, tendering files could not be located in three cases by the Department of Supply and Services which retains these files. All three files were from 2005 and past the seven year provincial retention period. Requirement for exemption from competitive bidding process not met 3.36 The Department submitted 19 sole source exemption requests (total contract value: $3.8 million) for approval by the Department of Supply and Services. The Department of Supply and Services approved six of these requests as specific skills exemptions instead and only 13 as sole source exemptions. We concluded in 12 of the 13 cases (total contract value: $3.6 million) the sole source exemption requirements defined under the government policy were not met. Sole source exemption requests must be accompanied by a quote (cost estimate) from the supplier as well as a letter from the supplier indicating they are the only Canadian source of supply for the particular good or service being purchased. This letter was not present for 12 of the contracts deemed by the Department to be sole source exempt. The Department of Supply and Services (DSS) approved them as sole source exemption mainly because DSS had previous experience with the vendors and was confident that awarding the contracts to the vendors was a reasonable decision. 3.37 The typical rationale the Department documented for sole source requests included the following examples: * the particular firms or individuals have supported the department in past; * use of same tools implemented as standards in the department; * ability to shorten learning curve through prior experience; and * time restraints and contractor’s knowledge of history of projects. 3.38 We believe the above rationale would have justified a specific skills exemption (see the description in Appendix II) rather than the sole source exemption. In fact, the six specific skills exemption approved by the Department of Supply and Services were reasonable. However, the specific skills exemption is applicable only to contracts valued at less than $100,000. Given most contracts were for amounts greater than $100,000 sole source exemptions were requested. In the absence of a competitive procurement process, it is difficult to demonstrate the awarding of contracts to certain service providers was the most economical decision. Also, it introduces the opportunity for favoritism in the selection of vendors. 3.39 The other two issues noted in Exhibit 3.3 (i.e. “only one quote obtained for contract under $10,000” and “insufficient documentation to support urgency exemption”) appear to be isolated incidents. Proper contract approval process not followed 3.40 Another significant issue in our findings noted in Exhibit 3.3 was that the Department did not always follow the documented procurement process. For example, the Department allowed the consultants to commence providing the contracted services without the official purchase order issued by the Department of Supply and Services. The issuance of a purchase order represents the final approval from the Minister of Supply & Services. We understand that an official purchase order may be issued a few weeks later than the signing of the contracts, due to the fact that the Department of Supply and Services may need the information from the final contract in order to prepare the purchase order. In one case from 2005, the purchase order was not issued until ten months after the contractor started the project. 3.41 The other two issues noted in Exhibit 3.3 (i.e. “evaluation process not documented properly” and “evaluation results not signed off by evaluation committee”) appear to be isolated incidents. 3.42 Other examples where the Department did not follow documented policies and procedures included: changing the scope of work without preparing the required change order, amending a contract without preparing a contract amendment, and extending a contract without providing documented rationale to support the extension. 3.43 In all these examples, the Department indicated it was under pressure to move the projects forward as quickly as possible. Proper contract amendment process not followed 3.44 According to the Department’s internal policies, a change request must be prepared when an amendment to the scope of work, dollar value, term and/or addition of resources is required for a specific contract. The change request outlines the reasons for an extension. Therefore, it follows that contract amendments must be prepared where the purchase order has been amended through a change request. 3.45 We found 12 cases where the contracts were not properly amended following purchase order amendments. In such cases, the amended contract scope and terms were not clearly documented. All contract amendments are supposed to be signed by both the Department and the contractor. Therefore, in such instances the Department does not have a valid contract and is at risk in the event there is a dispute with the contracted IT firm regarding the work performed. 3.46 We also found nine cases where the change request form was not prepared and seven cases where the rationale to extend the contract was not documented although the change request form was on file. Without such documentation being available, we do not believe the decision makers in the Department could have made a reasonable assessment of whether to approve the requested changes. Frequent amendments to original contracts 3.47 Often, contracts we examined were amended or extended after they were originally signed. As shown in Exhibit 3.4, 175 of the 289 contracts examined were amendments to original contracts. 67 out of the 114 original contracts (or 59%) had amending contracts. Therefore, these 67 contracts were amended an average of 2.6 times each after they were originally signed. In particular, one contract was amended eight times. Exhibit 3.4 - Summary of contract information Contract type Number of contracts Amount (millions) Original contract 114 $78.4 Amendments to original contract 175 $30.1 Total 289 $108.5 3.48 We realize that it was the Department’s normal practice to divide complex or large IT development projects into several phases, and the next phase was always treated as an amendment to the previous one. We also understand amendments were not totally avoidable, given the magnitude and complexity of some projects. However, during our testing we found 24 amendments valued at $7.6 million for system maintenance and operation contracts. We believe for regular system maintenance and operation, as well as routine IT development projects, the Department should have been able to define the scope, deliverables, timelines and the costs to complete the work before entering into contracts. Changes to original contracts create a risk of project delays and cost overruns, and should be avoided wherever possible. We also noted that projected costs shown in original contracts are relatively lower than final costs actually incurred. It is our understanding that there is no competitive bidding process associated with contract amendments. Therefore a risk exists that contractors will understate their original bids with the expectation of recovering understated amounts in subsequent amendments where there is no competition. Once the Department has signed an original contract, it has essentially committed itself to a particular approach and is therefore unlikely to reject proposed amendments or extensions. Conclusion on Objective 1 3.49 We identified 57 instances among the 289 contracts we examined where the Department of Health did not comply with the Government procurement policy for purchases of services related to the EHealth initiative. In particular, 15 exemptions did not meet the requirements of the Public Purchasing Act and Regulation. The Department did not properly follow the procedures to amend contracts in 30 cases. It did not comply with the government procurement policy for new contracts in 12 cases. However, we noted, in general, the processing and approval of contracts did improve over the period from 2005 to 2011. Recommendations 3.50 The findings in the OoC’s report are consistent with ours. Recommendations regarding the procurement process from the OoC’s report are applicable to our findings as well. The OoC’s recommendations included: * Contract managers should ensure that the requirements of the Public Purchasing Act are followed. Documentation should be maintained supporting Minister’s exemptions particularly when the exemption for Specific Skills or Sole Source of supply is used. * A purchase order should be obtained prior to the payment of any amounts and the value of the purchase order should not be exceeded. * A signed statement of work should always be obtained prior to the commencement of the project. * When contracts are negotiated and signed with vendors, only contracts drafted by PNB [Province of New Brunswick] should be utilized. Vendor contracts should not be used. 3.51 In addition to the recommendations made by the OoC, we recommend: * To avoid frequent contract amendments, the Department of Health adequately plan and define the scope, deliverables, timelines and costs for each IT contract and complete all required documentation before signing contracts or allowing work to commence; and * In the event contract amendments are required, the Department of Health properly prepare and approve change requests and amendments to original contract agreements. Update on the implementation status of OoC recommendations 3.52 The Department has put procedures in place to address the recommendations in the OoC’s report. In 2011, the Department introduced new procedures to address sole source requests by creating a sole source checklist. The checklist is to be used with each sole source request to ensure all appropriate documentation is present in the file.  The checklist requires the Branch Director, Assistant Deputy Minister, Deputy Minister and Minister’s review and signature before it is forwarded to the Department of Supply and Services. These new procedures will help the Department standardize and streamline the sole source request process. 3.53 As previously discussed, we identified purchase order related issues in six cases during our testing. All six issues occurred from 2005 to 2009. We did not find similar issues after the OoC’s report was released in 2010. 3.54 We noted other actions where the Department is addressing the OoC’s recommendations: * the Department prepares an annual refresher communication for managers with respect to the requirements of the Public Purchasing Act; and * the Department now establishes commitment amounts upon receipt of a purchase order and tracks payments against the commitment. Audit Objective 2 3.55 Our second objective was: To determine if conflict of interest exists in the use of consultants/contractors. 3.56 We used four criteria to assess this objective. They are listed in Appendix I. 3.57 During the period under audit, the Department relied on consultants extensively for the EHealth initiative. The following three situations appear to have placed those external service providers in a conflict of interest position. Key findings are noted below with additional information presented in Exhibit 3.5: * the Department contracted consultants as project managers who were often managing their own firm’s contracts and/or could access competitor information; * consultants were part of project evaluation committees tasked with recommending which consultants should be engaged for individual projects; and * a consultant was, for an extended period of time, a key member of the EHealth Steering Committee, a position of influence over governance and oversight of the overall EHealth initiative. Exhibit 3.5 – Summary of conflict of interest Description of conflict of interest Time frame Could the conflict of interest still occur? Department contracted IT consultants as project managers: IT consultants acted as project manager for 126 contracts which represents 52% of the 241 contracts for development projects. There were 11 contracts (for $2.4 million) where project managers managed his/her own firm’s contracts. There were 115 contracts (for $35 million) where project managers could access information of competitors. Ongoing Yes, but additional restrictions have significantly reduced the risk of conflict of interest. Six consultants were part of an evaluation committee that recommended the preferred bidder when tenders were called for specific projects. The evaluation committee members had access to the proposed technical solutions and fees. This would appear to lend an unfair advantage in competing for future IT projects. 2005-2010 No, as the current policy prevents consultants from serving on the evaluation committee. One consultant acted in a senior management role for the Department, as the individual was, for an extended period of time, an important member of the EHealth Steering Committee (i.e. the body governing the EHealth initiative). In this role, the individual had the potential ability to benefit the individual’s firm and affiliated firms and have unfair advantage over other firms. March 2009 to July 2010 No, as this individual’s contract expired and was not renewed. All current steering committee members are now permanent employees of the Department. Department contracted IT consultants as project managers 3.58 A project manager plays a vital role in the completion of an IT project. Departmental guidelines indicate: The Project Manager is responsible for the overall management of the project on a daily basis to ensure that the project is completed on time, on budget and within scope. The Project Manager is also responsible for ensuring that the deliverables or product produced will meet the needs of the business community. 3.59 We found the Department contracted IT experts as project managers for 126 contracts which represents 52% of the 241 contracts for development type of IT projects. These 126 contracts were worth $35.4 million. This created two distinct conflict of interest scenarios: * an external project manager managed a multi-contract IT project where his/her own IT firm won contracts under the same project; or * an external project manager managed a multi-contract IT project where IT firms other than his/her own firm worked on the project. 3.60 In the first scenario, the project manager approved timesheets and the work of their own firm on behalf of the Department. In the second scenario, the project manager could see the entire work of their firm’s competitors which were contracted by the Department under the same project. 3.61 We also noted there were only three staff project managers who were involved in the EHealth initiative. Consultants were part of the evaluation committee 3.62 We found that six consultants were part of a project evaluation committee which evaluated all proposals from different IT firms and recommended the winning proposal for the project. The evaluation committee members had access to the proposed technical solutions and fees. The concern is that the consultants involved in the evaluation committee would, at least in appearance, have an unfair advantage in competing for future IT projects. A consultant was a key member of the EHealth Steering Committee 3.63 The primary function of the Steering Committee as per the Department “is to protect the investments being made in the initiative. This involves taking responsibility for the feasibility, business case and the achievement of outcomes of the project. The Steering Committee will monitor and review the project status, as well as provide oversight of the project deliverable rollout”. 3.64 The Steering Committee is the key body within the governance structure of the EHealth initiative. It is responsible for critical business decisions associated with the initiative. This includes approving budgetary strategy, defining and realizing benefits, monitoring risks, quality and timelines, making policy and assigning resources, and assessing requests for changes to the scope of the project. 3.65 One consultant, from March 2009 to July 2010, was a key member of the EHealth Steering Committee. The major concern is that the consultant, the consultant’s firm, and affiliated firms could benefit from this individual’s unique position and have an unfair competitive advantage over other firms. 3.66 In our view, to eliminate conflict of interest, consultants should not perform management functions. There should be clear delineation between the roles of management and that of consultants. In implementing the recommendations of the OoC, the Department has made progress in this area. However, the Department should remove any potential conflict opportunities and avoid consultants being in a position of management influence. Conclusion on Objective 2 3.67 We found there were many cases of conflict of interest in the use of consultants for the period 2005 to 2011 in the Department. 3.68 The Department relied extensively on consultants for senior and direct management roles including the EHealth Steering Committee, project management and in the evaluation process to engage further IT consultants. This was largely due to the fact the overall EHealth initiative was beyond the capacity of internal resources. Recommendations 3.69 In general, the findings in the OoC’s report were consistent with ours. The OoC’s recommendations related to conflict of interest are applicable to our findings in this area as well. The OoC’s recommendations included: * Employees and contractors should sign off as having read and understood AD-2915 (Conflict of Interest) on an annual basis. For employees, this could be incorporated as part of their annual performance review. As stated in AD-2915 employees must advise the Senior Executive Officer of any conflict of interest situation in which they find themselves. Documentation should be maintained. * Managers and directors should familiarize themselves with the meaning and definition of an "apparent conflict of interest ". A suggested reading could be the document on this topic published by the Treasury Board of Canada Secretariat. * Contractors should not occupy management positions within the department. Where the situation is unavoidable, the contractor should be strictly limited to the financial information which they can access particularly with respect to competitor’s information. * Where contractors are members of project steering committees, they should not take part in any discussions surrounding the contracting/outsourcing of any work for the project. * Contractors should be required to disclose business relationships with other contractors working in the department when a partnership or joint venture type relationship exists. * If a Project Manager or member of a Steering Committee is a contractor and also a partner or principal of a consulting firm, the department should refrain from hiring other contractors from the same company on the project. 3.70 In addition to the recommendations made by the OoC, we recommend the Department of Health develop and implement a plan to eliminate reliance on consultants serving as project managers and prohibit consultants from serving as members of RFP [Request for Proposal] evaluation committees or project steering committees. 3.71 We noted the Department has put procedures in place to address the recommendations in the OoC’s report. 3.72 However, the Department is still relying on external resources in some cases as project managers but with additional restrictions. For example, external project managers cannot see other firms’ rates when they approve the timesheets for other firms’ personnel and project spending. 3.73 The contractor’s firm is not allowed to respond to a Request for Proposal, if he/she is part of the project evaluation committee or acting as a project manager for the project. 3.74 Additionally, the individual who was a key member of the EHealth Steering Committee is no longer with the Department. Their contract expired on 28 February 2011. Currently all members of the committee are internal permanent employees of the Department. Other Findings Compensation of consultants 3.75 Project managers of the two largest multi-year projects under the EHealth initiative are consultants. The Department paid almost $1.5 million to an IT firm for one project manager from 2005 to 2011. It paid another IT firm more than $700,000 for a three year period from 2009 to 2012 for the other project manager. It also contracted a third consultant for ongoing system operation and maintenance support from 2006 to 2011 and paid more than $1.2 million. 3.76 In total, this is over $3.4 million paid to three consultants over six years, averaging more than $200,000 per individual per year. In addition to the $3.4 million the Department provided office space and equipment to contracted consultants. 3.77 In these three cases, we believe the use of consultants was significantly more costly to the Province than had this work been completed by Departmental staff (i.e. in-sourced). Typical salary and benefits for a senior project manager employed within government would be approximately $120,000 per year.1 Therefore, there would be $80,000 potential savings per year per full-time-equivalent employee from insourcing. 3.78 We were informed by Department officials there have been attempts to in-source some positions. However, those attempts were unsuccessful primarily due to the relatively lower compensation the Province offers in comparison with the private sector. 3.79 For systems development work, we believe outsourcing is appropriate where specific IT expertise is needed that does not exist within the civil service. However, as previously mentioned, we do not feel it is appropriate for consultants to serve as project managers, or members of project evaluation or steering committees. 3.80 In our opinion though, there are savings that could be realized by in-sourcing the performance of ongoing systems operation and maintenance work. Where the expertise to handle this work does not currently exist internally, the Department could contract consultants in the shorter term. Such contracts could provide both for the completion of necessary operation and maintenance work, and the transfer of knowledge to Departmental staff. This would allow responsibility for completion of this work to be transferred to less costly internal resources in the longer term. Recommendation 3.81 We recommend the Department of Health develop and implement a plan to in-source all IT operation and maintenance functions over the next two years. Implications for the Rest of Government 3.82 This chapter primarily involved the Department of Health, with limited additional work completed at the Department of Supply and Services. However, we were informed numerous times during our work that practices with respect to the use of IT consultants are similar elsewhere in government. This would imply many of the procurement and conflict of interest issues our Office, and the OoC, identified in connection with the EHealth initiative may exist elsewhere in government. 3.83 Our Office may select other government departments, Crowns and agencies for similar audits in the future. 3.84 However, this is an area that should be addressed on an ongoing basis by government. From discussions with the Chief Information Officer (CIO) of Management Board, we understand that the role of his office will include setting government-wide policies for the procurement of IT resources. It will also include monitoring departmental activity to ensure that those policies are being complied with. Therefore, we have addressed the following recommendation to the Office of the CIO. Recommendation 3.85 We recommend the Office of the Chief Information Officer develop and monitor compliance with a government-wide policy relating to the procurement, contracting and management of IT consultants. That policy should address and mitigate risks regarding procurement and conflict of interest of consultants, and clearly state when the use of internal IT resources is more appropriate. As a minimum, the policy should require that: * the primary role of IT consultants be to provide specialized expertise to government, typically for development initiatives; * IT operations and maintenance work be in-sourced, with allowances made for knowledge transfer from private sector experts in the shorter term; * a competitive bidding process, in compliance with all pertinent government legislation, be followed for the selection of consultants; * any exemption from the competitive bidding process be properly authorized and made for sound business reasons defensible to the public; * there is sufficient in house government expertise to effectively oversee and manage the work of consultants before a project is started; * the opportunity for real or perceived conflict of interest on the part of contracted consultants is mitigated, in part by requiring that project managers, and members of key project committees be staffed exclusively with in-house resources; and * provincial remuneration levels for IT staff not act as a barrier to the ability of government to hire and retain needed internal IT resources on a permanent basis. Appendix I: Audit Objectives and Criteria Objective 1 - to determine if the Department of Health complied with the Government procurement policy for purchases of services related to the E-Health initiative. Criteria * Services are acquired in accordance with government’s legislation, policies and procedures. * Competitive selection processes are used, or the reasons for not doing so are supportable and properly documented. * Contract extensions and amendments comply with government’s policies and are adequately supported. * Recommendations regarding procurement processes in the report of the Office of the Comptroller have been implemented. Objective 2 - to determine if conflict of interest exists in the use of consultants/contractors. Criteria * The roles of a consultant/contractor should be clearly separated from the roles of management. * The processes of awarding, extending or amending contracts comply with the Government Conflict of Interest Policy. * Department staff and consultants/contractors comply with the government’s Conflict of Interest Policy. * Recommendations regarding conflict of interest in the report of the Office of the Comptroller have been implemented. Appendix II: Summary of Relevant Legislation and General Government-Wide Processes Thresholds – Purchase of Services Up to $10,000* Departments buy directly from vendor. • Use good business practices (signed agreement/contract). • Obtain more than one quotation (should get 3 quotes whenever possible). Between $10,000* and $50,000* Public Tender – Departments submit requisitions to Central Purchasing who will issue a Public Tender. Advertised on NBON [New Brunswick Opportunities Network] for at least 12 calendar days. Over $50,000* Public Tender – Departments submit requisitions to Central Purchasing who will issue a Public Tender subject to the Atlantic Procurement Agreement. Must be advertised on NBON for at least 17 calendar days (typically 20 to 25 days). Complexity of the procurement determines length of tender call. Award of Tender When price is the only determining factor award will be made to the lowest bidder that meets the specification. The Purchasing Officer will recommend award to the Minister of Supply & Services. When evaluation criteria other than price has been established award will be made to the highest scoring proposal. An Evaluation Committee will review the proposals and prepare a detailed evaluation. The results of this evaluation will be forwarded to the Minister of Supply & Services for approval. Purchase Order Once approval is received from the Minister of Supply & Services an official Purchase Order (PO) is issued to the successful bidder. The PO is forwarded to the client department and the services can be delivered. A copy of the contract must be provided to Central Purchasing for inclusion in the official file. Service is not to commence until PO has been finalized. Payment It is the responsibility of the receiver of the services to process payments within 30 days of receipt of the service. *Taxes and incidental costs included 3.86 The Regulation 94-157 under the Public Purchasing Act sets out the criteria for the procurement of IT services which does not follow the normal competitive bidding process. 3.87 Section 27.1 of the Regulation requires that requests for Minister’s Exemptions must be made in writing to Central Purchasing. The Minister of Supply and Services may grant exemptions under the following circumstances: * Specific Skills - purchase of services with a total value of less than $100,000 where it can be shown that for reasons of specific skills, knowledge or experience, the choice of vendor is limited to one or a very limited number of individuals, provided that the exemption is not used to unduly restrict competition. * Emergency or Urgency - where the supplies or services are required in the event of an emergency or urgent situation. * Sole Source of Supply - where there is an absence of competition for technical reasons and the supplies or services can be supplied only by a particular vendor and no alternative or substitute exists. 3.88 According to the Procurement Coordinator’s Manual issued by the Department of Supply and Services, the procedure for Minister’s exemptions are as follows: * sufficient documentation to support the exemption; * a request that indicates the section and paragraph of Regulation 94-157 under the Public Purchasing Act that allows that exemption; * a properly completed Supply Requisition * written approval by the Department’s Procurement Coordinator; * for a sole source exemption as listed in section 27.1 paragraph (f) in Regulation 94-157, the request must be accompanied by a quote and a letter from the supplier indicating that they are the only Canadian source of supply for the particular good or service being purchased; and * a purchase order will be issued to the client department to confirm the approval of the exemption. Appendix III: The Relevant Department of Health Internal Policies and Procedures General process for contract approval 3.89 The Contract Coordinator prepares the contract checklist. The Executive Director of E-health and the Director of Information Technology Services (ITS) signs all the contract checklists before they leave the branch. Legal personnel signs off on the contract checklist, following their review of the file and forwards the contract folder to Financial Services for their review. The Assistant Deputy Minister of Corporate Services then reviews and approves the file, and moves the folder forward for approval and signature by the Deputy Minister. Process for a contract change request 3.90 When there is a need to amend the scope of work, dollar value, term and/or addition of resources is identified in a project contract, the project manager must prepare a change request. The change request outlines the reasons for the request, the implications to the project and the financial ramifications, including whether or not this is within the project budget. The change request requires the signature of the Business Owner of the project and the project manager or Director. Approval of a contract change request 3.91 Change requests require the approval of the EHealth Steering Committee or another approving body for ITS. All project related change requests need to be forwarded to the Director one week in advance of the EHealth Steering Committee meeting for distribution and review by the committee members. Once approved by the committee, the Executive Director signs the change request to indicate this approval. Purchase order and contract amendment 3.92 An approved change request is required before the branch can proceed with the purchase order and contract amendment. 3.93 The Director of Contract Management and Corporate Support Services reviews the request, approves or denies the request, and forwards it to the Department of Supply and Services to issue an amended purchase order. General process for amendments to contracts and purchase orders 3.94 The Contract Coordinator prepares the contract checklist. The Executive Director of E-health and the Director of ITS signs all the contract checklists before they leave the branch. Legal personnel signs off on the contract checklist, following their review of the file and forwards the contract folder to Financial Services for their review. The Assistant Deputy Minister of Corporate Services then reviews and approves the file, and moves the folder forward for approval and signature by the Deputy Minister. 1 Includes $88,000 annual salary, 30% benefits, training and professional certificates --------------- ------------------------------------------------------------ --------------- ------------------------------------------------------------ Department of Health – EHealth: Procurement and Conflict of Interest Chapter 3 Chapter 3 Department of Health – EHealth: Procurement and Conflict of Interest 104 Report of the Auditor General - 2012 Report of the Auditor General – 2012 103 Department of Health – EHealth: Procurement and Conflict of Interest Chapter 3 Chapter 3 Department of Health – EHealth: Procurement and Conflict of Interest 114 Report of the Auditor General - 2012 Report of the Auditor General – 2012 113 Department of Health – EHealth: Procurement and Conflict of Interest Chapter 3 Chapter 3 Department of Health – EHealth: Procurement and Conflict of Interest 120 Report of the Auditor General - 2012 Report of the Auditor General – 2012 119