Skip to main content
;

PACP Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication
Skip to Document Navigation Skip to Document Content






House of Commons Emblem

Standing Committee on Public Accounts


NUMBER 126 
l
1st SESSION 
l
44th PARLIAMENT 

EVIDENCE

Thursday, May 30, 2024

[Recorded by Electronic Apparatus]

(1535)

[Translation]

    Good afternoon, everyone.
    Welcome to meeting number 126 of the House of Commons Standing Committee on Public Accounts.

[English]

    Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Members are attending in person in the room and remotely using the Zoom application.
    Before we begin, I would like to ask all members and other in-person participants to consult the cards on the table for guidelines to prevent audio feedback incidents.

[Translation]

    Please note the following preventative measures in place to protect the health and safety of all participants, including our interpreters.

[English]

    Remember to only use the approved black earpieces. Keep your earpieces away from the microphones at all times. When you're not using your earpiece, place it face down on the sticker placed on the table for this purpose, generally to your right.

[Translation]

    Thank you all for your co‑operation.

[English]

    As a reminder, all comments today should be addressed through the chair.

[Translation]

    Pursuant to Standing Order 108(3)(g), the committee is resuming consideration of Report 1 of the 2024 report of the Auditor General of Canada, entitled “ArriveCAN”, referred to the committee on Monday, February 12, 2024.

[English]

    I'd now like to welcome all our witnesses.
    From Donna Cona, we have John Bernard, chief executive officer, along with Barry Dowdall, president. Thank you for being here today.
    From KPMG, we have Lydia Lee, partner and national leader of the digital health transformation practice, and Imraan Bashir, partner, cybersecurity. Thank you both for coming in. It's good to see you again, Ms. Lee.
     From TEKsystems, we have Christopher Loschmann, director of Canadian government services. Thank you as well for being here today.
    Each of the witnesses collectively, as in each of the individual companies, has five minutes for opening remarks. I believe KPMG will begin.
    You have the floor for five minutes, please.
    Thank you, Mr. Chair.
    Thank you to the members of the committee for inviting KPMG to contribute to this important conversation.
    My name is Imraan Bashir. I'm a cybersecurity partner at KPMG in Canada. I am here following the appearance of my colleagues Lydia Lee and Hartaj Nijjar on April 4, when they spoke about the services KPMG provided to support the ArriveCAN program.
     I've been in the information technology and cybersecurity field for close to 24 years, with my career split across the public and private sectors. I started my career at a leading IT services company before joining the public service. I was a proud public servant for almost 11 years, spending time at Indigenous Services Canada and the Treasury Board of Canada Secretariat under both Conservative and Liberal governments. I joined KPMG four years ago, in May 2020. Since joining KPMG, I have worked with a variety of public and private sector clients to provide cybersecurity services in an ever-evolving threat landscape.
    Lydia and I are here today to represent KPMG Canada, which employs approximately 11,000 people across our country. Our role is to serve and assist our clients, including governments at the federal, provincial and municipal levels, in identifying and closing strategic and operational gaps, providing specialized knowledge and services in areas where support is required. We consider our services to be an important part of our contribution to Canadian society.
    While we are very proud of the services we provide to assist governments, KPMG is not a leading recipient of government contracts. As you are likely aware, an analysis by Carleton University noted that KPMG ranked 112 on the list of contracts awarded across all public service departments and agencies in 2021-22.
    KPMG is very supportive of the important work being done by this committee. In addition to joining committee meetings, we have provided written responses, as requested, to questions that arose from our previous appearance. For today's session, to the extent the committee thinks I can be helpful or of further assistance, I am happy to answer your questions.
    As my colleagues Lydia and Hartaj discussed at their previous appearance, KPMG's work related to the ArriveCAN program fell into two streams. The first stream, led by Lydia, was for the Public Health Agency of Canada. In this stream, KPMG provided in-depth subject matter expertise and global knowledge to assist in developing policies and procedures for the implementation of the ArriveCAN program. The second stream of work was the cybersecurity assessment that was performed for the CBSA's ArriveCAN application and supporting infrastructure. I was the local delivery partner on this work, supported by Hartaj, who leads our national cybersecurity practice. As you know, KPMG is well known in the field for its cybersecurity expertise. We offer a range of services to help organizations identify, assess and mitigate cyber-risks.
    Between October 2021 and March 2022, KPMG provided an independent cybersecurity assessment of the ArriveCAN application. This work was subcontracted to KPMG through GC Strategies in October 2021 at the request of the CBSA. Our scope consisted of five streams of work performed under two separate task authorizations, which involved reviewing the CBSA's cloud security architecture, including a comprehensive security control review; the department's alignment with privacy regulations; its vulnerability management practices; its secure product development practices; and its security incident response protocols and procedures. Our work was completed on time and on budget, in alignment with Government of Canada policies, and was reviewed and ultimately approved by the CBSA.
    We are very proud of the services that KPMG provided during the pandemic to assist not only governments but also health care organizations, academic institutions, not-for-profits and the private sector. We delivered highly specialized expertise at a time of unprecedented uncertainty for Canadians and the world.
    Thank you. We'd be happy to take your questions.
    Thank you very much.
     We'll turn now to Donna Cona for five minutes, please.
    Good afternoon to the committee. Thank you for the opportunity to provide information on Donna Cona's involvement with ArriveCAN.
    My name is John Bernard, and I am the CEO of Donna Cona. I am here with my business partner and the president of Donna Cona, Barry Dowdall. I am a status first nation person from the Madawaska Maliseet First Nation in New Brunswick. Although I grew up on reserve, I moved off reserve shortly after I graduated from university. After moving around to a number of cities, I landed in Ottawa in the late 1980s, working for a few federal government departments: Fisheries and Oceans, Health and Welfare Canada, and finally, as it was called back then, Indian Affairs.
    In 1990, I resigned from the federal government and became an IT consultant working with Systems Interface. Right from the start, I began encouraging Systems Interface to hire aboriginal employees and pursue contracts within the Department of Indian Affairs. Unfortunately, it wasn't until 1996, with the introduction of the PSAB program, that any recognition was given to hiring aboriginals. Part of the PSAB requirement was that a company had to be owned and/or majority controlled by an aboriginal. It was at this time in 1996 that we spun off Donna Cona as 51% owned by me and 49% owned by Systems Interface. Today I own 100% of Donna Cona and continue to hire and promote aboriginals as much as possible.
    Donna Cona provides information technology and information management professional services to several clients, one of them being the federal government. We also provide a crisis counselling service for all indigenous, first nations, Métis and Inuit people of Canada. This service runs 24-7 and handles about 50,000 contacts per year through phone and online chat. We are international standards—ISO—certified, and for the past six years we've been named one of Canada's best-managed companies.
     Donna Cona has hired many indigenous employees over the last two and a half decades. Just as importantly, we've sponsored and supported indigenous associations, communities and students over the last 28 years. Today, Donna Cona has 84 employees. There are 18 indigenous staff and 58 women. We also use many incorporated subcontractors to supply our client delivery services. Thirty per cent of our overall revenue comes from PSIB set-asides. It was once PSAB, but today it's called PSIB.
    The success of Donna Cona and technology afforded me the ability to experience my dream of moving back into my community and investing in businesses in my first nation. In 2007, I built an entertainment centre on the Madawaska Maliseet First Nation that eventually included a 10,000-square-foot events venue, as well as multiple restaurants and electronic gaming. Since 2008, these businesses have returned over $20 million to my community and close to $10 million to the New Brunswick government. With this business, along with a number of other businesses that I own on the reserve, I employ close to 150 employees from the local town and my first nation.
    As today's agenda is to talk about the CBSA ArriveCAN project, the following has been our involvement with the CBSA, and in particular ArriveCAN. We have three supply arrangements with the CBSA that were competitively procured in July 2019 and September 2020. One is for enterprise data warehouse IT services, and the other is for travellers' projects. Neither of the supply arrangements, nor any of the TAs, mentions ArriveCAN.
     With regard to the Auditor General's report, we disagree that we provided $3 million for ArriveCAN. We found, through the time sheets, activities for only the two contracts and determined that approximately $500,000 of the cloud infrastructure development was provided in support of ArriveCAN. We worked with CBSA staff to design cloud data pipelines on AWS cloud services to implement the Public Health Agency COVID-19 analytics architecture in AWS and to provide business intelligence and tech support for reporting purposes.
(1540)
    Once again, thank you for the opportunity to assist the committee in its efforts.
    Thank you very much.
    Lastly, we have TEKsystems.
    Mr. Loschmann, you have the floor for up to five minutes, please.
(1545)
    Thank you, Mr. Chair, the clerk and committee members, for inviting us to appear today regarding your study on the Auditor General's report on ArriveCAN.
    My name is Chris Loschmann. I'm the director of Canadian government services at TEKsystems.
    TEKsystems is a global provider of technology, business and talent solutions. We have over 100 locations worldwide and we partner with over 6,000 customers, including many Fortune 500 companies and public sector clients. We help our customers achieve their business goals through advisory, outcome-based and staff augmentation services. We pride ourselves on our core values and our fundamental commitment to excellence and integrity. We have worked hard to earn the trust and respect of our clients and to follow the rules when it comes to working with the government.
    In March 2020, CBSA publicly posted an RFP for cloud engineering professional services. In June 2020, after submitting our bid and competing with three other bidders, TEKsystems was successful in securing this contract. The scope was to provide highly skilled IT professionals at the request of CBSA on an as-and-when-required basis to assist in deploying and maintaining its applications in cloud environments.
    In May 2021, CBSA publicly posted another RFP competition for cloud cybersecurity services. In October 2021, after submitting our bid and competing against four other bidders, TEKsystems was awarded this second contract. The scope of the work was to provide IT professionals on an as-and-when-required basis to assist CBSA in performing cloud security assessments, vulnerability assessments and cloud security operations.
    It's important to note that these contracts went through an open, fair and competitive process according to procurement rules and regulations. Neither contract was created specifically for ArriveCAN. Within the scope of these contracts with CBSA, TEKsystems was directed by CBSA to provide IT professionals for ArriveCAN. All the work we did on the app came at the direct request of CBSA, as it fell within the scope of these contracts.
    Both of these contracts were ordered after the original rollout of ArriveCAN in April 2020. TEKsystems did not take part in the original development or set-up of the app. We also did not participate in the planning or management of any element of the delivery of ArriveCAN.
    We provided highly sought-after professionals who were specialists in cloud networking and infrastructure services to help build and secure the platform that the application sits on, and we performed cloud-based, back-end development to strengthen and secure the application after its initial rollout. All our professionals go through a rigorous vetting process, including in-person meetings, reference checks and capability testing to make sure they have the skills to meet our clients' needs. We also make sure they have valid security clearance at the appropriate level.
    At the request and direction of the CBSA, TEKsystems delivered $3.2-million worth of staff augmentation services for ArriveCAN. That was confirmed by the Auditor General and her report. We agree with her report and we co-operated with her investigation. Based on her findings, the findings of the procurement ombud and the previous testimonies already received at this committee, we would like to make the following points.
    At no point did TEKsystems contact GC Strategies, Dalian or Coradix regarding any of the services provided to CBSA or the competition of CBSA contracts. We did not partner with any of these organizations for any IT professionals allocated for ArriveCAN or for any work done for CBSA. TEKsystems did not win any non-competitive contracts with CBSA, Health Canada, the Public Health Agency of Canada or any other government department for any IT professionals we provided to CBSA for ArriveCAN. All of our contracts went through an open, fair and competitive bidding process that had multiple bidders. All of the professionals that TEKsystems provided to CBSA went through a rigorous vetting process, reference checks, technical ability screening and security clearance validation.
    Our work with the federal government has always been in accordance with procurement rules, guidelines, policies and procedures respecting the integrity of public institutions. We have a defined public sector practice that invests in making sure we operate ethically and deliver value to our customers and Canadians. We invest significantly in training and compliance for our teams, including annual mandatory legal and ethical training, and third party international standard organization audits.
    We're happy to work with the committee today to answer any questions you may have. Thank you.
     Thank you all very much.
    We'll begin our first round.
    Mr. Barrett, you have the floor for six minutes.
    Just as a warning, I don't have my normal clock here. If it beeps, I'm not trying to be rude. I will endeavour to monitor that.
    As you know, if your question is finished before your time, I will allow the respondents a brief answer. If you do hear the beep, that's not the end-of-game alarm; it just means I'm not being as diligent as I would like to be.
    It's over to you for six minutes, sir.
(1550)
    Mr. Bashir, how many times did you meet with Kristian Firth of GC Strategies?
     Just to clarify, are you referring to my current job at KPMG or previously in the federal government, or both?
     I mean ever.
     Okay, thanks for clarifying.
    I'll separate the answer into two different answers. In the federal government, I did meet with Mr. Firth two to three times at most—like I met with several vendors—generally to discuss some offerings that he had in the security space. I met with him once virtually while at KPMG.
    Can you say where your meetings with him happened? Did they happen in your office, in an office tower here in the NCR, at a private residence or at a restaurant? Where were they?
     The one KPMG meeting I mentioned was virtual. The two to three at most, when I was at the Treasury Board of Canada Secretariat, all occurred in the lobby of 90 Elgin, which is the Treasury Board government building.
    These meetings were just one-on-ones.
     That's correct.
    This is including the virtual meeting when you worked at KPMG. It was just you and Mr. Firth.
    Yes, that is correct.
     Can you quickly give a breakdown of the topics discussed in your meetings while you were a public servant, and likewise when you worked at KPMG?
     Absolutely.
    I should say that all my answers subsequently will be directed through the chair. I'm sorry about that.
    While in the federal public service, many vendors reached out from time to time to explain what types of security products or services they were offering, given my role at the time was director general of cybersecurity.
    In the specific meetings with Mr. Firth, I remember discussing two products related to—I apologize for the lack of detail—something around secure communications and digital identity, but there were no subsequent meetings. He left with a brochure, a pamphlet so to speak, and that was the end of that.
    The KPMG meeting specifically was more of a reintroduction, I suppose. He had apparently been talking to one of my colleagues prior. I was looped into an email thread, and it was apparent that the subject of cybersecurity came up. I subsequently discussed with Mr. Firth the types of cybersecurity services that KPMG—
    Who was the colleague you referenced?
     It's a retired partner who's no longer with the firm.
    Did Antonio Utano, who's a senior official at the Canada Border Services Agency, direct KPMG to work with Kristian Firth and GC Strategies?
     After we submitted a proposal to Mr. Utano, he and I did have a meeting, and it was at that meeting that he asked, ”Can you also submit this proposal through to GC Strategies?”
    Why?
     My understanding was that Mr. Utano was exploring his procurement options. I believe his procurement team had likely given him some advice on what the quickest way to procure was. I understand there was some urgency due to the cybersecurity nature of the work in question.
    I'm sure it did make the procurement process easier, because it skips the procurement process.
    Did it have anything to do with ease of contracting and cash flow? Was that one of the reasons?
     It's hard to speculate. It's probably a question better directed to the CBSA, to be honest.
    What did Mr. Utano tell you about GC Strategies? Had you worked with Antonio Utano prior to this ArriveCAN engagement?
     I'd never worked with Mr. Utano prior to the engagement. I likely crossed paths with him in my time in government at a government event, but I don't recall ever working with him on anything.
    To answer the first part of your question, the way it came up was that we discussed the proposal, and he seemed happy with what he saw and suggested that I pass that along to Mr. Firth afterwards.
     Did it seem normal to you that you'd be directed to submit a proposal to a subcontractor when you were submitting a proposal directly to the federal government? Is that the normal way that you do business?
     The way that I characterize procurement is that there are essentially three steps to it. Step one is to identify what you want to procure. The second step is to identify the vehicle by which you would procure it. The third one is to procure it.
    Having completed the first step of establishing what it was that he wanted to procure, my understanding was that Mr. Utano was simply exploring the options he had. One of the other options he had was the CEPS vehicle, which my colleague Lydia discussed last time. As my other colleague, Hartaj, mentioned, we would have happily competed for it had he wanted to put it out to a full tender as well.
(1555)
     As someone who previously worked for the public service and as a taxpayer, do you find it strange that the Government of Canada asked a company the size of KPMG—11,000 employees I think you said in your opening—to subcontract through two guys who are obviously taking a percentage of the total contract amount? KPMG said how much it was going to cost them to do it, and we know they were adding up to 30% on top of that.
    Would you advise clients to follow that method, or would you advise them to procure the services directly from the vendor?
    Obviously, we'd prefer direct procurement where possible, for sure. I can't begin to speculate on the reasons CBSA may have wanted to go that particular route.
    Do you know of any other instances where this type of direction was given to KPMG or another company to work through GC Strategies or another third party instead of offering their services directly to the government, to CBSA?
    To my knowledge, no, but I know KPMG as a firm, as I believe we submitted in writing as well, has subcontracted for—don't quote me on this; I don't have it in front of me—I believe 13 different companies of varying sizes, from very large organizations to small. The key there is that where we can help provide expertise specifically to the government in areas that we are good at and can provide value for taxpayers, we will entertain that, yes.
     Thank you. I appreciate that answer.
    I think it's obvious, but I'll note that you are being quoted here. If you discover after the fact that the information is a little off, let us know, because this is a Parliament Hill House of Commons committee.
    I appreciate your turn of phrase “don't quote me on this”, but you are being quoted for the official record. I take that in the spirit it was given in your comment.
    Ms. Khalid, you have the floor for six minutes, please.
     Thank you very much, Chair.
    Thank you to the witnesses for being here today.
    I'll start by outlining the role of the public accounts committee. It is to hold to account how tax dollars are spent across the country—for what purposes and whether or not they are justifiable within the reports of the Auditor General and how departments function.
    I know that things become very politicized as they progress, and ArriveCAN is one of those things. I am not questioning the quality of the app, although in the Auditor General's report there were some challenges. What I am questioning today from all of you is how these dollars were spent, which we can't really get to the bottom of. I think we owe it to Canadians to ensure that we understand and ultimately improve the process for how contracting happens and how the Lobbying Act and the conflict of interest code ensure that there is accountability in how tax dollars are spent.
    Perhaps I'll start with Mr. Bashir, if that's okay.
    You have worked in various different departments within the federal government and now you are working for KPMG. Can you help us outline how the Lobbying Act applies to you and how the conflict of interest code has applied to you in your new role, having all of the experience you have within the bureaucracy of government and having built a network of relationships?
    Given the position that I held in the federal public service, I was subject to the Treasury Board directive on conflict of interest, as most are. I believe they term them positions designated to be high risk for conflict of interest.
    What that directive states—and this is the process that I followed upon my departure—is that upon receipt of an offer of employment.... I should say that I did this way earlier than having the offer of employment. When I began thinking about getting an opportunity, I engaged with my values and ethics team immediately, who coached me through the entire process. That involves a discussion with the senior management team and finally culminates in a formal letter from the deputy head outlining post-employment restrictions—some term it a “cool-off period”—upon a departure from the public service.
    In my particular case, I was given a one-year post-deployment restriction that forbade me from soliciting work or even being named on a request for proposal response for the core federal public service. I have that letter. I took that letter to KPMG upon my start date there, and we established the appropriate protocols and ethical walls to ensure that I was completely removed from the federal practice for the entirety of the first year, at which time I worked on other things like provincial government, municipal and other contracts.
(1600)
     I appreciate that. Thanks for sharing.
     Do you feel that those checks and balances were sufficient? In a place like this, you make friends; you make connections. How can the Lobbying Act or the conflict of interest code be more efficient in ensuring that no undue access is given or no undue profit is made on the taxpayers' dime based on relationships that have been going on for decades?
    It's challenging, for sure. I think the directive does a very good job of outlining the requirements from all parties about the person in question and the organizations that need to subsequently follow that. I can't really comment on the oversight of that, as I've never been involved on the other side. I can say it's incumbent upon all parties involved—the departing organization, the new organization and the person involved—to ensure continuous compliance with these requirements.
    Thank you. I appreciate that, Mr. Bashir.
     Mr. Bernard, I'm going to turn to you next.
    How did Donna Cona and TEKsystems become engaged with the government on the development of ArriveCAN?
     I'm sorry. Are you asking me how TEKsystems—
    How did Donna Cona become engaged with the government on the ArriveCAN app?
    I can take that, if you want.
    Yes, please. Thank you.
    Yes, I'll defer to you.
    We won three competitively produced RFPs for CBSA. We were providing resources. Nothing in our contract or in the task authorizations mentioned ArriveCAN, so we had a number of IT professionals, typically cloud people, who were working on it.
    They were essentially building containers, for lack of a better term, on the AWS cloud to bring in data. They brought in some data, as John mentioned, from public health and other applications. They were building this infrastructure on the cloud to accept data from different sources.
    We went through our time sheets when the AG report came out because we didn't have anything that said “ArriveCAN”. We looked through the activities, and that's how we found—
     I'm so sorry. I'm going to stop you there.
    My question, specifically, is this: When the proposal came out and the discussions were going on about developing this app, did you have conversations with any ministers, the Prime Minister, any political figures or any bureaucrats during the whole process?
    No. We competitively won the RFPs, and CBSA contacted us for an “as and when”.
    I will add that I was quite surprised to see my company's name listed in the AG report.
    Thank you very much. That is the time.

[Translation]

    It's now Ms. Sinclair‑Desgagné's turn.

[English]

     If you don't speak or understand French, this is a good time to put your earpiece in.

[Translation]

    Right now, we're in Quebec.
    Ms. Sinclair‑Desgagné, you have the floor.
    We're in the neighbouring country, but thank you, Mr. Chair, for that introduction.
    Mr. Bashir, my question is for you.
    Did you come to KPMG as a partner, or did you become a partner at KPMG?

[English]

    I joined as a direct-admit partner.

[Translation]

    When did you become a partner?

[English]

    If I understood that correctly, I joined as a direct-admit partner in May 2020, when I joined the firm.

[Translation]

    You just said that you came in as a director.

[English]

     Sorry, that was direct-admit partner. That was my mistake. I will slow down.

[Translation]

    Okay. Perfect.
    You joined KPMG as a partner. I imagine that when you arrived, one of the first things you were made to do, since it's the norm in the Big Four, is fairly specialized training on risks and compliance. Is that correct?

[English]

    It cut out a bit at the end, but if I understood you, you are asking about the training I took for risk....

[Translation]

    I'm talking about risk and compliance training, as well as all the training that new employees are normally required to take in firms. The training is highly specialized. I hope you took it.

[English]

     Thank you for the clarification.
    That is correct. Upon joining the firm, and subsequently on a regular basis, we continually take risk, independence, security and privacy training—all of the training.
(1605)

[Translation]

    If you've taken this training, I find it strange that you didn't raise the issue of Mr. Utano, who asked you to go through GC Strategies instead of doing your contract and work directly with the Canada Border Services Agency, knowing that KPMG is already a company pre‑approved by the Canada Border Services Agency.
    First, I find it strange that in your testimony today you said you don't know why CBSA wanted to go through GC Strategies. I think the answer is pretty obvious. If you don't know why, you may need to return for your risk and compliance training. If you knew that at the time, why didn't you sound the alarm? You knew that it was clear that you could have had a contract directly with the Canada Border Services Agency, but that the agency, for an increasingly clear reason, asked you to go through GC Strategies.
    Why didn't you sound the alarm?

[English]

     I have one point of clarification before I answer the question.
    We did not have a direct procurement vehicle with the CBSA at the time. I believe what I referred to earlier was the CEPS vehicle, which was more of a government-wide vehicle. There was nothing direct with the CBSA at that particular time.
     With respect to the training, we fully followed every single process that the training indicates. This included rigorous risk management processes that check each party that we're engaged with. In this particular case, we had to list GC Strategies and CBSA and subsequently go through a three-partner approval process to ensure that we were able to proceed with the engagement. At that point in time, no flags were raised and, as such, we proceeded accordingly.

[Translation]

    What you're saying is that, if you're able to do the work, you find it normal that… I have in front of me information that KPMG is already pre‑approved as a supplier to the government. We feel that the contract is easy to honour.
    Do you find it normal that there's a contract, but that a subcontractor goes through GC Strategies?

[English]

     The procurement method is chosen by the government department at the end of the day. We can't question the government's direction on how to procure a service for them.

[Translation]

    Forgive me for contradicting you, but that is false. That's what Botler AI did: Botler AI talked about widespread corruption at the Border Services Agency. Botler AI is the one sounding the alarm. Indeed, the company had noticed the behaviours, the ones you witnessed, that sparked the entire ArriveCAN affair.
    What you're telling me is that consultants at Botler AI in Montreal may be more aware of or more familiar with the risks and compliances associated with going through a subcontractor like GC Strategies, an empty company or cell that only obtains a commission. What's more, you're telling me that this is completely normal. Finally, you say that Botler AI is aware of this, but that you don't see anything. And yet you've been informed that there was certainly a conflict of interest.
    The reason Antonio Utano asked to go through GC Strategies was because it was in the interest of GC Strategies. You haven't seen anything. I find that really unfortunate, because you could have told us today that, in light of the Auditor General's report, you thought it was strange, and that you should have done things differently and sounded the alarm by saying that you thought this process was not normal.

[English]

     I didn't get a question there, but I guess I would simply say that we follow the process we had in place. I'd also like to add that the Government of Canada had vetted GC Strategies, I believe, 100-plus times, as they were awarded a number of contracts in the last number of years, as this committee has discussed.
     When you couple our processes with the fact that the Government of Canada itself had validated and revalidated the legitimacy of GC Strategies, that information led us to believe that this was a reasonable path forward to procure.

[Translation]

    Also, you were aware of GC Strategies. You knew it was a two‑person company that was just taking commissions; it was supposed to find resources. The only reason we went through GC Strategies was to find resources. In this case, the government had already found resources. You knew that, having met Kristian Firth before. In spite of all that—
(1610)
    I would ask you to ask your question, Ms. Sinclair‑Desgagné.
    I'll ask the same question. Why didn't you sound the alarm, given that the situation was clearly abnormal?

[English]

     I'll refer you to the previous response. We went through our processes and trusted that the government went through its processes as well.
    Thank you very much.
     Next is Mr. Desjarlais, who is joining us virtually.
     You have the floor for six minutes, please.
     Thank you very much, Mr. Chair.
     I'll begin with KPMG.
     Mr. Bashir, when did you start work with the Government of Canada?
    I'm sorry. To clarify again, do you mean when I started work while at KPMG or as a public servant? Can you clarify that, please?
    I mean as a public servant.
    Mr. Bashir, when did you, yourself, start working with the Government of Canada? What was the date?
     My start date was October 2009 as a full-time employee.
    What role did you play prior to your departure?
     Immediately prior to my departure to KPMG, I was the director general of cybersecurity and digital identity at the Treasury Board of Canada Secretariat.
    Throughout your time, from 2009 to that point, would you say you had a good understanding of Canada's procurement system?
     I think I had a decent understanding, for sure. I'd led a handful of procurement processes, but not a large number, if that's what the question is.
     Were you familiar with the process, though—not so much the number, but the process—through which a private firm, in particular, could apply to the government's procurement system?
     Thank you for the clarification. Yes, I am familiar with the procurement process, for sure.
    When was the last procurement process you undertook prior to your departure?
     You're taking me back a bit. I'm going to guesstimate somewhere in the 2018 range.
     Okay.
    Your departure from the government was on what date?
    I departed the public service in May 2020.
    In May 2020 a lot was going on, of course. We had a national and global pandemic.
     It seems to me that it could have been the perspective of KPMG at the time to scout this kind of talent. Did they find you?
    At the time, I was discussing post-government employment with a number of different organizations. I don't actually recall who emailed whom. I think it was kind of mutual. We had some mutual.... People know people in the city, and you sit down and say, would you be interested? It was one of those types of conversations to get it started.
     That's interesting. That is something the Auditor General warned us could be evident in this—these sit-downs, these gatherings, this community. From prior witnesses, we heard about these kinds of community meetings.
    Were any of these community meetings you had with large firms like KPMG, and perhaps others, ever at a restaurant or a club or in a private venue outside of government precincts?
    Absolutely not. No. I'm very well aware of the directive on conflict of interest and the restrictions around hospitality and gifts.
    Where did these meetings happen? Where did KPMG meet you?
    There were phone calls, to be honest, to start everything off. I started off with phone calls and emails, and ultimately—
     You submitted that there was a community, and I highly doubt that it was only a phone call. You do understand that this information is extremely pertinent to our investigation here to understand this claim of the Auditor General, which I believe is worth our investigation, as to where and why and who met with you or other persons.
    I'll give you one more opportunity. Was there ever an instance where you were invited to outside-work dinners or received gifts or favours of any kind?
    The answer is no to that question.
     Thank you very much.
    In relation to Mr. Antonio Utano, did he direct you to work with GC Strategies?
    As I mentioned earlier, when meeting with Mr. Utano after submitting the proposal, what he directed was for me to submit a copy of that proposal to Mr. Firth at GC Strategies, which I did.
    Did you bring up any questions to Mr. Utano as to why you would do such a thing?
    At that meeting we discussed the number of procurement options Mr. Utano had at his disposal, which I think I mentioned could have included the CEPS vehicle and opening an RFP from scratch, or using one of his existing vehicles. All options were discussed, so nothing stood out from that conversation.
     What stood out to me, and what I am starting to understand, is that in that conversation there is a legitimate claim that you were directed by Mr. Utano to work with GC Strategies. At the time of the procurement decision, did GC Strategies, and who they were and what they did, not get brought up in that meeting at all? The particular fact of them being a two-person company that did no work at all...did that ever come up?
(1615)
    No. Neither the number of employees of GC Strategies nor the work they were doing at the time with the CBSA was discussed. What was discussed was only that they had existing procurement vehicles that were set already with the CBSA.
    Do you believe that was a red flag to not question who GC Strategies was, their capacity or their ability to deliver work?
    That's where I lean on our risk management processes that I discussed earlier, to find out if red flags occurred. What we do is we take the information back and we submit that information through that process to validate, and no red flags came up.
    As I mentioned earlier, the Government of Canada itself—and not just the CBSA, but many other departments—had awarded this same company numerous contracts, which further validates our decision.
     You're saying that you went through all the processes. You and Mr. Utano and everyone in the room went through all of the regular procurement processes, including a red flag assessment, which is what you just described. Did no one flag that this two-person company that does no work was a problem?
     I can't speak to the processes that Mr. Utano went through, but certainly I can speak to our processes. Yes, that is the result of our process.
    Do you see that as a critical failure?
    Keep in mind that the processes are at a point in time. At that point in time, that's the information that arose. I suspect, if run today, the result would be different.
    Thank you very much. That is the end of the first round.
    Beginning the next round is Mr. Genuis. You have the floor for five minutes, please.
    Mr. Bernard, based on federal government records, the Auditor General believed that your company did 3 million dollars' worth of work on ArriveCAN. You said that the work was about $500,000. This points to something we know is a big problem: shoddy and impenetrable records. In some cases we've also dealt with the deletion of records, questions or records not kept. Do you have any reflections on how the government records that the Auditor General consulted could have been so off the mark compared to your own assessments?
     I do, but I'll defer that to my partner, because we spoke about this prior to coming in.
    You said about $500,000, and I think in the AG report they talked about how there was some internal financial coding that was unsure. We would submit time sheets with deliverables, and then what happened after that, we don't really know. They would have put whatever coding they had against it, so other than that we're at a loss as to what happens after we submit time sheets.
    You submit time sheets. There's internal financial coding that apparently is inconsistent with the time sheets you submitted or is unreadable to someone looking at it.
    We didn't see the internal coding.
    Right, exactly, but that suggests there's something very dramatic lost in translation, because that's an order of magnitude of six times.
    At the government operations committee we're looking at indigenous procurement and we're planning some further study on it. Mr. Bernard, you told us a story about growing up on reserve, starting a successful business that employs indigenous people and investing back into your community. Based on what we know from your testimony, that seems like precisely the kinds of outcomes that indigenous procurement policies are meant to support.
    However, we also know now clearly that there are instances of abuse as well: tiny companies that become qualified as indigenous but that subcontract the actual work to non-indigenous firms and do not provide benefits back to indigenous communities. You were quoted in The Globe and Mail saying that you “tried for years to advise the government on how it could refine its Indigenous set-aside contracting policies”.
    Sir, what is your advice? How can the current problems—the use of the Dalian model, for instance—be fixed to achieve the kinds of outcomes that the program is supposed to aim for?
    Well, it's actually on record. In 2006 I sat in front of a Senate committee on aboriginal procurement. Back in 2006 I warned of the potential abuse of joint ventures, and to this day, 18 years later, we are seeing the results of that. Basically, I was using terms like, “Aboriginal companies need to learn how to walk before they run,” yet, amazingly, Donna Cona has been in business 28 years, and we find ourselves up against aboriginal firms that just got into business and are running multi-million dollar contracts.
    I guess what I'm trying to say is that being an aboriginal is not a skill, yet in aboriginal procurement with joint ventures, it's almost like if you're aboriginal, all of a sudden that's the quality you're bringing to the joint ventures, and we just don't agree with that. Obviously, you have to start somewhere, so they should be small, but we believe the aboriginal side of a joint venture should progress. They shouldn't be going after a $100-million contract when they were riding an ice cream truck the week before.
    If you go back to the 2006 testimony—which is on record with the Senate committee—in there I actually give three ways that I think it should be addressed. The first one, most importantly, is the joint venture. That's where there's really a lot of room for abuse. Unfortunately, there's no motivation for aboriginal companies to grow, because if you can become a joint venture, you don't have to do anything. You don't even need staff or admin staff, because your joint venture partner has all of that.
(1620)
    I think we need to refer to that earlier testimony, because I suspect you can talk for a long time on this, and maybe we'll have to have you back, but that seems exactly what happened with Dalian and Coradix. Isn't that right? Coradix is a larger, non-indigenous company. Dalian is an indigenous company, with two people, that receives contracts and subcontracts. They're in joint venture, which fulfills a procurement requirement.
    Also on the issue of subcontractors, you mentioned that your company has subcontractors. There's supposed to be a requirement for indigenous subcontractors as part of indigenous procurement, but there seems to be no tracking or enforcement of that whatsoever. What is your experience with indigenous subcontractors, and is the government asking you questions about that? Are you providing data on that at all?
     No, and let's face it, there aren't enough indigenous people to meet some of these contracts. Calling myself an aboriginal company or an indigenous company, just because I own 100% and I'm a status Indian from.... I don't believe that's what it should be. It should be aboriginal benefits. It's not what we....
    People ask me, “Well, you're an aboriginal company, so what does that mean? Do you stand on one leg?” No. We do business just like everybody else. In calling myself an aboriginal company, it's what we do, and not just in hiring indigenous people but in the sponsoring, the supporting and then spinning off other aboriginal business. As I explained about my community, that, to me, is the solution. I'm sorry, but if you're just going to hire aboriginal people and you think you're going to get 50 aboriginal people on a 150-person project, that's just not going to happen in this field.
    Thank you very much. That is the time.
    We move now to Mr. Weiler. You have the floor for five minutes, please.
     It's a pleasure to be joining this committee for the first time and to be joining the study. I have not had the time other folks on this committee have had to look into this in detail, but like all Canadians, I've been following the drama as the different layers of this app got uncovered. It's a pleasure to join in on this process and to look into this in more detail today.
     Mr. Bashir, I start with you. First off, just going back to your experience with the Treasury Board Secretariat, what were the particular roles you had, again?
     I held a variety of roles, but my stint with the Treasury Board started in July 2011. I could walk you through the path, if you'd like.
     What I am most interested in is your relationship with the procurement process while you were at Treasury Board.
     Oh, I probably didn't start procuring anything—like in a role in which I was procuring anything myself—until, probably, 2017, in the role of director general, cybersecurity.
    You mentioned that you had encountered Mr. Firth several times while you were at the Treasury Board. Can you describe the nature of those meetings?
     Yes. I mentioned earlier that Mr. Firth was probably like every other vendor in town, who would send an email and try to get a meeting to discuss a product or a service they offered. There were two in particular that I think I was discussing earlier: One was around secure communications and one was around digital identity. Both were files that fell under my portfolio, so it piqued my interest to hear a bit more.
    The nature of the meeting was a bit of a debrief on the service or the product he was offering at the time. As I mentioned, both meetings occurred in the lobby of the building I worked in, which is 90 Elgin, and nothing really followed after that, to be clear.
    In these meetings with Mr. Firth, and more generally in procurement, was it a common practice that you'd see for the types of services GC Strategies would offer—getting the contract and subcontracting it from there? Was this a regular practice you would see?
(1625)
     My role was a little different at the Treasury Board. For context for the committee, where I worked in the Treasury Board was more of a policy organization—setting policies, standards and directives for the rest of the public service to follow—so we didn't typically procure any goods per se. However, in order to do my job properly and set forth a forward-looking cybersecurity strategy for all of government, it was incumbent upon me to understand where the industry was heading, how technology was evolving and so forth, so that was the general gist of the interactions with Mr. Firth. We didn't really discuss subcontracting or any of those things you asked about.
     I want to jump ahead to your current role with KPMG. Can you walk us through the risk management process when KPMG was considering being part of this contract?
     Absolutely, and my answer will apply to every contract we take on—or any engagement, as we call them.
    To start any process, we run checks on the entity itself—we call it an “engaging party”. In this case the engaging end party was the CBSA. We also have to run KYC—know your customer or know your client—types of checks on any other intermediary that would be involved. In this case it was GC Strategies, so both are listed in what's called a “client acceptance process”. In that process they vet both the entities individually and then the engagement as a whole in consideration of the results of the entity process, if you follow me so far. That is a process that involves a series of questions that have to be answered, including the nature of the work, whether or not we audit the individual or the companies—obviously, that would be a red flag for our firm—and other factors. I don't know all the questions off the top of my head, but there are a number of questions, and as I mentioned, it goes through.... Every public sector engagement has a mandatory three partners on it: first, a lead delivery partner; second, a quality control partner; and third, a client acceptance partner—all vetting that the information has been filled out appropriately.
     Through all of this process, there weren't any red flags that were raised. Is that correct?
     At that particular time, no red flags were raised throughout that process.
     Has KPMG worked with GC Strategies on any other projects?
     Not to my knowledge, no.
     How about with Coradix, Dalian or Coredal?
     No, not to my knowledge.
     Thank you.
    I guess my time is up.
    That's your time.
    Thank you, Mr. Weiler. I appreciate that.

[Translation]

    Ms. Sinclair‑Desgagné, you have the floor for two and a half minutes.
    Thank you, Mr. Chair.
    Mr. Bashir, I think the risk management and compliance process should perhaps be reviewed. By naming Kristian Firth, you should have seen that he worked at Veritaaq Technology House Inc. when it was accused of bid‑rigging in 2009. So his name should have appeared, and a red flag should have been raised.
    In fact, in 2009, if I'm not mistaken, you were employed by the….
    Where were you in 2009?

[English]

    Are you asking where I was as an employee of the federal public service?

[Translation]

    Yes. What department were you in?
    Were you at Treasury Board?

[English]

    No. In 2009, that would have been Indigenous Services Canada. I believe it was called something different at the time—INAC.

[Translation]

    I just want to point this out, in case you weren't aware. In 2009, Mr. Firth worked at Veritaaq Technology House Inc., a company that was charged with bid‑rigging by the Attorney General. This should normally have been raised in the context of the broad processes you have just explained. So it's really too bad that it wasn't done.
    Speaking of bid‑rigging, Donna Cona Inc. faced the same charge in 2009. Mr. Bernard, at the time, you indicated that, unfortunately, those accusations weren't true. I know the trial was stayed, but to my knowledge, Donna Cona Inc. was also not exonerated from these charges.
    What do you have to say about the bid‑rigging charges that you've been subjected to?
(1630)

[English]

     I believe you're speaking about the bid rigging. Is that correct?

[Translation]

    It's called trucage d'offres in French.

[English]

     Yes, we were accused, and all the accusations were dropped. We never had our day in court to defend ourselves or even to ask for an apology. It changed my life, being accused of something like this.
     I have no other information on anybody else who was involved. I was asked, “If you have information, we will waive you,” or whatever. I said, “Well, I have no information because I know nothing about what you're talking about,” but we were accused at the very last minute.

[Translation]

    Okay. How many employees do you have at Donna Cona Inc.?

[English]

    Do you mean today?

[Translation]

    How many employees do you have at Donna Cona Inc.?

[English]

     We have 84 employees right now and probably about 200 or 300 other resources, like subcontractors, who work for us.

[Translation]

    You have very little time left.
    Are 84 employees enough to fill 22 contracts? In fact, since 2004, we've reached 1,098 contracts with the federal government.
    Do you feel that you can do all that work, or do you have to subcontract a lot of it?

[English]

     If you're asking if 84 employees and maybe 200 or 300 others is enough, yes, that's enough.

[Translation]

    Thank you very much.

[English]

    Next up is Mr. Desjarlais for two and a half minutes, please.
    Thank you very much, Mr. Chair.
    What we've heard today several times is how far back these issues of procurement actually go, starting from as early as at least 2009. Our committee actually received documentation of the cost of these insiders against the better wishes for what I believe could have been work done by the public service.
     Between January 1, 2011, and February 16, 2024, when our committee requested the documents, we found that the Government of Canada, through two subsequent governments, was able to give three companies over a billion dollars.
    My concern is about how this can happen. How can consecutive governments explode in resourcing three contractors by continuously feeding into these contractors and subcontractors in a giant web?
     The Auditor General actually found, in finding 1.50 of her report, for those who know it, that:
Multiple amendments were made to those non-competitive professional services contracts. Approximately half of the contract amendments extended the contract beyond the original period, which prevented or delayed opportunities for other contractors to compete for work.
     Ms. Lee, you said that the invoicing was pre-approved by the government and that the process never changed, when it has been established by the AG that this was a non-competitive contract with a lack of proper financial documents to verify these details.
    Ms. Lee, did you have any awareness of how the invoices and task authorization amendments were increasing costs without deliverables to such an extent overall in this project?
     Thank you for the member's question.
    As I mentioned the last time I was here, there are a couple of things. One is on the invoicing. The very first time that we issued an invoice was against the original CEPS, the COVID emergency professional services. It was the first TA, or task authorization, and we asked for the Public Health Agency to approve the level of information, the details that were described in the invoice, to validate that they were getting enough information in order to process the invoice on their side correctly. They verified that, yes, this was sufficient, and we never changed that whole level of detail in all of our invoices for every contract that we had throughout the COVID-19 pandemic.
    Who added the amendments?
     When we got to the end of the CEPS agreement term, the Public Health Agency sponsor at that time said that they wanted to go back to CEPS and ask for the ability to use that vehicle to renew. Our understanding was that PSPC said, “No, you can't use that vehicle any longer.” I don't know why. They said, “Okay, fine. Then we will have to renew our agreement with KPMG through a Public Health Agency direct contract.”
    Thank you—
    That's why we were not given the information.
     Thank you.
     Next up, we have Mr. Brock for five minutes, please.
     Thank you, Chair.
    This is for Mr. Bashir.
    Mr. Bashir, did you read the Auditor General's report?
     Yes, sir, I did.
     There are three sections of significance that reference your company, KPMG. I'm going to read that into the record:
We also found that the Public Health Agency of Canada awarded a professional service task authorization using a non-competitive approach to KPMG. We found no documentation of the initial communications or the reasons why the agency did not consider or select other eligible contractors to carry out the work.
We found that 3 contractors (GC Strategies, 49 Solutions, and KPMG) were originally awarded professional services work with an original estimated total value of $4.5 million through non-competitive approaches. Multiple amendments were made to [these] non-competitive professional services contracts. Approximately half of the contract amendments extended the contract beyond the original period, which prevented or delayed opportunities for other contractors to compete for work. These amendments also resulted in additional costs. We also found that GC Strategies and KPMG were each awarded 2 additional contracts through non-competitive approaches. This further limited the opportunities for other contractors to compete for subsequent work.
We found similar issues in the 2 professional services contracts awarded by the [PHAC] to KPMG. While the first contract included milestones with clear deliverables and pricing, these were later amended and replaced with less-specific deliverables to allow for more flexibility. In addition, the agency did not set out specific tasks, levels of effort, and deliverables for these contracts and task authorizations.
    Mr. Bashir, what I just read out essentially captures the activities of GC Strategies. It highlights, in my opinion, both non-ethical and possibly criminal activities that caused the RCMP to launch an investigation, to ultimately raid the home of Christian Firth of GC Strategies and to possibly lay at least fraud—if not forgery—charges in addition to other criminal activities.
    Were you aware of that, sir?
(1635)
     Thank you for the question.
     I'm aware of what was in the Auditor General's report, so yes, I'm aware that's there.
     Were you aware of all of these amendments that were made? Was the company part of this? Were you engaged in making amendments to this contract, or was it done without the knowledge of KPMG?
     Given that it's a PHAC question, I'll pass that over to my colleague Lydia, who worked on that engagement.
     Thank you for the member's question.
    If I can also bring you back to the testimony that I shared the last time I was here, after the original CEPS TAs expired and the Public Health Agency wanted to try to extend KPMG under that contract and were told by PSPC that they could no longer use that vehicle—and KPMG does not know why—KPMG was informed by the Public Health Agency that they were working through, with their own internal procurement team, a justification and rationale for keeping KPMG on.
     As you'll remember, this was at the height of the lockdown of the COVID-19 pandemic, and the subsequent contracts that were awarded to KPMG by the Public Health Agency were of the same type of work that we had been doing along the first original CEPS agreement, and they—
     Can I be more specific?
     Were you actually involved in amending the terms of your own contract?
     We absolutely were not. We were acting under the direction of the Public Health Agency at that time.
    You're saying—your evidence is—that the activities that the Auditor General highlights were done without your knowledge and consent. Is that correct?
    We understood that the Public Health Agency wished to keep KPMG extended, but in terms of the inner workings of their local procurement team inside the Public Health Agency, we were not involved in any of that.
    Has the RCMP contacted KPMG to this date?
     Regarding the ArriveCAN work that I supported and that Imraan did, we are not aware of any RCMP conversations or communications.
     In relation to any contracts that involve GC Strategies and Kristian Firth, have you been contacted by the RCMP?
     I have not been, personally.
     No, thank you. Neither of us have been.
    Ms. Lee, I asked you specifically on the last occasion if you would forward to the committee any and all levels of communication by the CBSA to KPMG to engage with GC Strategies—
(1640)
    Please ask your question, Mr. Brock.
     I asked for text messages—
    Ask your question, Mr. Brock.
     Mr. Brock, you're out of time, so if you have a question—
     I do have a question.
     Why haven't you delivered that to the committee?
     Thank you very much for the member's question on that.
     Our understanding was that you wanted to understand the way in which we became...well, that Imraan and our team became introduced to GC Strategies at the time, and we did provide all of that information in our written response.
    Thank you very much.
     Up next is Ms. Shanahan. You have the floor for five minutes, please.
     Thank you very much, Chair.
     I want to thank the witnesses for being here today on this topic, but I'm afraid that I have to speak about something as a member here.
    This is the 19th or the 20th meeting, I believe, that the public accounts committee is holding on this topic, because of course we were very much seized with the Auditor General's report regarding the lack of documentation and so on around ArriveCAN, but now we're getting, you know.... It's the 19th or 20th meeting—I've lost track—and members here have become concerned with the scheduling of meetings, so forgive me; I will have questions for you, but it's very important to me that we have some clarification on our schedule going forward.
    We've experienced meetings being called randomly, witnesses being changed and changes in the types of meetings that have occurred, and we have other reports that we need to discuss in this committee, namely around an issue that's very important to the people of my riding, which is biodiversity.
    Chair, I want to put on notice the following motion:
That, given that nature is an integral part of Canadian culture and Canadian identity and provides unmeasurable value to our society; wildfires across Canada are impacting communities, the health of Canadians, and exacerbating the climate and biodiversity crises; every industry relies on a biodiverse supply of natural resources to function; the world is experiencing an unprecedented biodiversity crisis; there are more than one million species facing extinction globally, including 640 at-risk species in Canada; the rapid decline in biodiversity threatens the foundations of our economy, our food security, our health and our quality of life and poses serious and irreversible risks to our communities and livelihoods; there is a climate emergency, as declared by this House on June 17, 2019; nature and climate are intertwined and you cannot solve one crisis without solving the other; that the committee commit to studying 2022 Report 7, Protecting Aquatic Species at Risk, on June 13, 2023; Report 2, Follow-up on the Recovery of Species at Risk, on June 18, 2023; and report 2023, Report 3—Discretionary Powers to Protect Species at Risk, on June 20, 2024.
    I have a copy of the motion to give to the clerk.
    With that, I want to proceed to my questions.
    We haven't heard from TEKsystems yet.
     Mr. Loschmann, can you please tell us how TEKsystems became engaged with the government on the development of ArriveCAN?
     Thank you for the question.
    Mr. Chair, as I mentioned in my opening statement, TEKsystems did not have an ArriveCAN contract. We bid on and won two contracts through an open, fair and competitive process to provide staff augmentation services to CBSA. We were providing professionals to them, and those professionals worked at the direction of CBSA. CBSA asked us for resources, and they placed them on the ArriveCAN project.
    Thank you for that.
    Then are you indeed a subcontractor in the ArriveCAN contract?
     Mr. Chair, TEKsystems was a prime contractor directly to CBSA.
     Thank you very much.
    Chair, I now move,
That the committee immediately conduct a study into the flagrant disregard for public funds exercised by Pierre Poilievre's Conservative Party of Canada members of Parliament, who expensed their travel costs, hotels and per diems to travel to Quebec City for the Conservative Party of Canada partisan convention in September 2023, as a matter of the public interest, and report its findings to the House.
    Chair, I discussed this motion in a previous meeting. We didn't get to conclude that, to debate further on that, but I think it behooves this committee, being the public accounts committee, to investigate the abuse of taxpayer funds, as we have seen by the Conservative Party of Canada.
    It's a matter of utmost importance that members here all conduct themselves in the way they expect contractors and subcontractors to conduct themselves with respect to the use of public funds.
    Chair, you'll recall that I spoke about what some third parties had to say about this report, which was in the media a couple of weeks ago—
(1645)
    Mrs. Shanahan, you're moving to resume debate on this motion. Is that right?
    I am moving this motion, yes.
     I'm ruling this motion out of order for this committee. This is a matter for procedure and House affairs or the Board of Internal Economy.
    On that, you are out of time. I'm going to begin our next—
    Chair, I challenge your ruling.
    I have a point of order before the ruling.
    Well, the chair has been challenged, and I think I have to go directly to the vote on that.
    Can we just vote on the motion and dispose of it so we can get back to this business?
     Well, I already have a speakers list on this motion, so it won't be a snap vote, Mr. Desjarlais. We have a subcommittee meeting on Monday. We can bring it up then, but the chair has been challenged.
    Mr. Clerk, could you call the roll on that, please?
    On a point of order, what is the vote on exactly? Is the vote on the challenge?
    Yes. The clerk will explain.
    It's probably going to be restated, but Ms. Khalid has challenged my ruling. If you vote to affirm my decision, we continue with the witnesses. If you vote against my ruling, we will turn to the motion and, I'm sure, debate that for the remainder of the meeting.
     The option to just vote on it, dispose of it and get back to the meeting isn't possible. That would be my preference.
    Then you would want to vote to affirm my decision.
    I understand.
     That's not accurate, Chair.
     Pardon me—
    Are we having a roll call?
    I'll turn it over to the clerk.
     The vote is on whether the chair's ruling shall be sustained, which is to say, shall the chair's ruling be upheld? If the chair's ruling were upheld, the motion would be admissible and be allowed to be moved.
    Shall the—
    No, that's not right. If my ruling is upheld, we get back to the meeting, and the motion can be....
    If the ruling is overturned—
    For clarity, Chair, the motion would then no longer be able to come to this committee. Is that correct? That was your ruling, if my understanding is correct.
     The clerk said an identical motion could not be moved again.
    On a point of order, is it possible, by unanimous consent, to just deal with the motion that was presented by Ms. Shanahan, dispose of it, and then get back to the meeting that we're having right now? Can we not do that?
    Mr. Desjarlais, I can tell from my speaking list that will not happen.
    I see.
    I'll turn it over to you, Clerk, for the roll call, please.
(1650)
    The chair's ruling is that the motion is inadmissible. Shall the chair's ruling be sustained? That is to say, shall the chair's ruling be upheld?
    It's a tie, so the chair votes.
    (Ruling of the chair sustained: yeas 6; nays 5)
     Thank you.
    Beginning our third round, Mr. Nater, you have the floor for five minutes. Go ahead, please.
    I have a point of order.
    I apologize to my colleague.
    Just in terms of the time now, will our time be recovered, or will the last round of our questions be eliminated?
    It is my intention, Mr. Desjarlais, to recover your time.
    We are beginning the third round. I plan to do three and four, so you will have two more slots, subject to the willingness of the committee. Is that okay?
     That's very good. Thank you, Chair.
     Mr. Nater, you have the floor for five minutes.
    Thank you, Chair, and thank you for ensuring that some members get their time despite the obvious obstructionary tactics by the Liberal national caucus chair.
    Through you, Chair, thank you to our witnesses.
    Mr. Bashir, Mr. Utano indicated to you that you should submit two proposals, one through GC Strategies and one directly to CBSA. Is that correct? Am I interpreting that correctly?
    I'll make just a small clarification: It was the same proposal. Initially we were asked to submit it to Mr. Utano, which we did. Subsequently we met with Mr. Utano to discuss the details of it, and it was at that subsequent meeting that he asked us to send a copy of it to Mr. Firth at GC Strategies.
     It was exactly the same proposal for exactly the same amounts in both submissions.
    That's correct. It was a PowerPoint presentation, to be specific, but it was exactly the same presentation, yes.
     Could you remind the committee what dollar figure was attached to that submission?
    This is going to be a little long-winded, so I apologize. There were originally going to be two separate task authorizations, the first being more of a technical control review. That was in the amount of $255,000. The second task authorization was more procedural in nature, reviewing policies and procedures of the sort, and that was for $145,000, for a grand total of $400,000.
    Did you, in fact, receive $400,000 from GC Strategies for your work?
     I did, from GC Strategies, yes. That is correct.
    Would you have expected to receive exactly the same amount, had you dealt directly with CBSA?
     That is correct.
     By going through GC Strategies, you still got paid the same amount, but taxpayers, in the great scheme of things, paid more. Is that a good assumption?
    That is my understanding of what happened, yes.
     Okay.
    You talked about meeting with Mr. Firth two to three times while you were at the Treasury Board of Canada Secretariat as a senior government official, as a director general. You made the comment that they were like any other vendor. In response to another question, you said there was an element of understanding where the industry was heading.
    My question to you, though, is this: Were you aware that GC Strategies actually didn't do any IT work? Were you aware of that at the time?
    I did not know the nature of GC Strategies' business in great depth. What I did know about them.... To give Mr. Firth credit, he thoroughly read a recent IT strategy we had posted in 2017-18 and sent an email, since obviously I had a public email address at the time, saying he had some suggestions on how I might be able to achieve some of those strategic objectives.
    I didn't do any research into the company. I took the meeting as I would have with any other vendor who had come up with a good idea to investigate further.
     He flim-flammed you.
    Mr. Imraan Bashir: I'm sorry....
    Mr. John Nater: He flim-flammed you. He made you think that they were a reputable IT company when, really, they were two guys who were operating a business.
     He was able to write you a nice email, you know, and compliment you on some strategies and convince you that they were actually a reputable company like any other, when really they weren't. Is that a good assumption?
     I don't know the term that you used there, but what I would suggest is that he brought two valid products to the table. One was to secure communications, as I mentioned. One was digital identity. When I looked up those products, they're legitimate products that he had aligned himself with, so, you know, kudos to him for finding the right products out there.
    I guess kudos to him for pulling the wool over a lot of people's eyes over a number of years and making himself quite wealthy from it.
    I want to go briefly to the risk management process that you spoke of within KPMG. I have two questions.
     First of all, are there records of that process, and would you be willing to share that information with this committee? That's the first question.
(1655)
     We have records of all of these processes, and I'll take that back to the team to see what can be shared.
     Okay. I look forward to seeing that, hopefully.
     Second, what information did you provide to that process within KPMG on your past interactions with GC Strategies? Were they aware that you had personally met with them on at least two and maybe three occasions as a senior official with the Treasury Board of Canada Secretariat?
     I don't recall that being one of the fields I talked about earlier that had to be filled out regarding personal meetings with the organization. The process is more about testing the legitimacy of the organization. I think we looked for any public knowledge of lawsuits or things of that nature, and nothing came up at that time.
     Thank you very much, Mr. Nater.
    Up next is Ms. Yip.
     You have the floor for five minutes, please.
     Thank you very much.
    I'm going to be asking each one of the companies the next two questions.
     Was either of your companies involved in creating the terms of contracts you were awarded?
    Mr. Bashir.
     No, not to my knowledge.
    Okay. Ms. Lee? No.
     Mr. Loschmann.
     Were security clearances a prerequisite to receiving a contract to work on ArriveCAN? I mean, were they acquired before the work began?
     Mr. Bashir.
     Thanks for clarifying.
    In my particular case, security clearances were certainly a requirement given the security nature of the work we were performing, and I can assure you that every member of my team had the requisite security clearance based on the role they had.
     To clarify that statement, on those that were issued, a couple of the members of my team were required to have in-depth access, as you can imagine, to CBSA systems, and they required secret clearances. Other members of my team required reliability clearances, but all folks involved had the requisite clearance, yes.
    Mr. Dowdall.
    Yes, we had the appropriate corporate security clearances, as did our consultants. We have a team that is responsible for making sure that's all in place on any contract.
     Yes, we had all the security clearances.
     We review all our fees and contracts to validate that we meet the security requirements, and we met the security requirements for our CBSA contracts.
     That was acquired before the work began. Is that right?
     We hold a security clearance as a company, and we validate the security clearance of the individuals that we place with the Government of Canada.
     Mr. Bashir, have you ever met Darren Anthony?
     No. I've never met Mr. Anthony.
     Mr. Bernard and Mr. Dowdall, did you have any meetings related to ArriveCAN with officials outside of a normal office setting?
    No.
    Was KPMG involved in conversations around developing the non-competitive contract between GC Strategies and CBSA?
    No, not at all.
    Have you spoken to anyone else looking into this issue, like the Auditor General?
     Me, personally? No, I have not.
     I don't know, Lydia, if—
    If I can clarify, the Auditor General did contact KPMG to confirm the information that was about to go out in the report ahead of time, just before the report was released, to confirm the details, and we complied with her request.
     Mr. Bashir, in your opening statement you mentioned that KPMG serves and assists clients with respect to gaps.
    Do you feel that was done?
     If I understand the question correctly, I believe you might have been referring to my statement about closing strategic and operational gaps.
     Was that the reference?
(1700)
     Yes. I couldn't remember the exact wording. I wanted to hear more about that with respect to the work you were contracted to do.
    Absolutely. Thank you.
    Through the chair, I'll answer that, specifically in my field of cybersecurity, a lot of our work ends up being gap analysis type of work. This means assessing the security posture of systems today, assessing where they need to be and providing road maps on how to get to a state that best protects the information being held by the organization. Closing operational gaps.... That's the reference, certainly, with respect to the engagement I worked on.
    I'll pass it to Ms. Lee to see if there's anything she wants to add.
     As I said before, the last time we were here, the work we did on the Public Health Agency's ArriveCAN program was to help the Public Health Agency understand policy directions they might need to take, change or evolve with the COVID-19 pandemic. We reached out to our global colleagues to find out about global leading practices the Five Eyes or other jurisdictions were doing to help inform those policy directions. That was the nature of the type of support we were providing.
    That is your time, Ms. Yip.
     Thank you very much.

[Translation]

    Ms. Sinclair‑Desgagné, you have the floor for two and a half minutes.
    Thank you, Mr. Chair.
    Mr. Bashir, you've read the Auditor General's report, you've heard, I assume, the various testimonies, and you know that Mr. Firth is under investigation by the RCMP. Would you have done it differently had you known all that?

[English]

     The first thing to state is that we had CBSA asking us to help them augment the security of a system that stored personal information for Canadians. That is squarely in our wheelhouse. I'm proud to have done that work and would do that particular work again for any government agency.
     With respect to the question about GC Strategies, as I stated earlier today, if we were to go through that risk management process again, I strongly suspect flags would be raised and we would not proceed with the engagement through GC Strategies.
    However, I don't want to take away from the fact that the work itself, we still believe and I'm proud to say, was useful.

[Translation]

    Thank you, but that's not the point of the question.
    Mr. Bashir, what do you personally think is abnormal, apart from the red flags that have apparently been raised in the system, now that GC Strategies is under investigation? What do you think is unethical about what happened? Do you think KPMG could have done a better job ethically, knowing now what happened?

[English]

     When it comes to procurement, we have to follow the direction of the agency conducting the procurement. That is what we did at the time and what we would do going forward, relying on our processes afterwards to dictate whether or not it is acceptable for our firm to go forward with the work.

[Translation]

    Listening to you, it sounds as if the partners or those who fill in the various questionnaires—depending on the level within each of the Big Four—don't have the power to decide, and that everything is black or white, depending on what information is put into the system.
    I assume that, if you're a partner at KPMG, you have not only the duty, but also the ability to assert your own approach. If you had different sensitivities, if you had wanted to proceed differently or if you yourself had seen that there was a danger or, above all, a risk to KPMG's reputation, I think you would have preferred not to be here today.
    I understand what you're saying about the system, but would you, as an individual who is supposed to be intelligent and competent, have done it differently?

[English]

    Going forward, I think we'll continue to work together as a partner group and make sure we assess the risks of all engagements to the best degree we can with the information we have at the time.
    Again, I would point out that, having conducted this risk assessment in October 2021 with the information available at the time, I stand by the decision we made to proceed at that given time. Given the new information that has come to light since then, I suspect our decision would be different.
     Thank you very much.
    Mr. Desjarlais, you're up again for two and a half minutes.
     Thank you very much, Mr. Chair.
     Mr. Bashir, when did you first meet with Kristian Firth as a public servant?
(1705)
    I don't have an exact date for you. I can give you a rough guess: some time in 2017 or 2018.
     Are you not required to document when you meet with potential partners who are outside, in the private sector?
    I think the level of documentation varies depending on the nature of the meeting. You know, a half-hour meeting with a vendor—
     You said you met in the lobby of a government building. Did you report that?
    That's correct. At the time, my management knew I was meeting with Kristian Firth, yes.
     How did you report that to management?
     I generally debriefed my leadership team on all vendor meetings.
     Did you write it down?
     I don't recall. It could have been an email.
     You don't recall.
     I don't have access to my email.
    You don't recall. You don't know when, but you know you met with them.
     Yes, I did, to the best of my knowledge. I don't have access to my old emails, but if I could speak generally—
     Whom did you report it to? Who were the members of your leadership team? Who was your supervisor?
     At that particular time, it probably would have been.... I'm sorry. I've worked for a number of different.... In 2017 or 2018, if memory serves, it would have been Marc Brouillard.
     Is that when you met with Kristian Firth? Was it 2017 or 2018? When did you meet with Kristian Firth?
     To the best of my recollection, it was 2017 or 2018.
    The reason I say that—
     You don't know the year.
     Well, the reason I say that—
    You have to know the month, at least.
    If you'll allow me to answer, I know it was in relation to when we released our digital operations strategic plan. In my head, I remember writing that in 2017. I just don't recall when it was published. Mr. Firth would have contacted me after the publication of that digital operations strategic plan.
     We're supposed to believe, Mr. Bashir, that, some time over the course of 2017 or 2018, you met with Kristian Firth in a government precinct and failed to disclose that in writing. Your mind seems to have failed you, as well, even on the month when you met with Kristian Firth.
    Is that correct? Is that what you're telling us?
    Respectfully, you're asking me about a meeting from seven years ago. I'm doing my best to recall. The Treasury Board Secretariat likely has access to my calendar, so I suggest that might be the fastest way to get the exact meeting invite.
     I find it very difficult to believe that, some time in the two years of 2017 and 2018, it escaped your knowledge as to when you met with this person and whether or not you failed to disclose it.
    I'll ask you one more time. Did you disclose your meeting with Mr. Firth to anyone in writing?
    Generally, what would happen after those types of meetings is that I debriefed my management team.
     It's yes or no, Mr. Bashir. It's an easy question.
    Debriefs could have occurred in writing or in person for this particular meeting.
    That is your time, Mr. Desjarlais. You will have another slot.
    I'm going to turn now to Mr. Barrett for five minutes.
     Mr. Bashir, you worked at the Treasury Board, then went to this large Canadian company, an accounting firm. When you were with the Treasury Board, how many times did you hear stories of companies like KPMG being sent work through a subcontract, through two-person, no-value-add firms? It's extraordinary. I've talked to, at these tables, a lot of folks, and the two-person scenario is an outlier.
     How many times did you hear about that?
    I don't know the number of employees of every company, for sure, but I would say it wasn't uncommon to see subcontracting relationships between companies of all sizes.
    You met with 50% of the employees of this company in a government lobby. You mentioned that much. We know they were even able to write their own contract. There seem to be all kinds of exceptions around this two-person company, GC Strategies.
    How many times has KPMG, to your knowledge, been allowed to write a contract and then be the beneficiary of that contract, be the supplier?
     I'm not aware of any times we wrote our own contracts. It's strictly forbidden.
     It's forbidden, but it seems as if, again, there were these exceptions with GC Strategies.
    Were you a director general?
    That's correct.
     Did you do a quick search to see if the individual you were meeting with, Mr. Firth, was registered to lobby before you met with him?
    I don't recall the details of that meeting. I couldn't give you an exact answer.
     Were you in the habit of meeting with lobbyists?
    No, we were not permitted to meet with lobbyists.
     If you didn't check to see if he was a lobbyist, how would you know whether or not you were meeting with someone you were allowed to meet with?
(1710)
     I'm saying me personally. I don't know. My staff may have checked on my behalf as well.
    I have to tell you, absent more of the details, it just seems like you have a bit of a soft spot for Mr. Firth. I don't know how he was able to get this access to you. I don't understand how you would be directed, on behalf of KPMG, to subcontract for the same guy who got this access to you, who was lobbying as an unregistered lobbyist. Your paths seemed to cross. You say, “Well, you know, it kind of all worked out, and it seems like it was okay.”
    I think it's demonstrably not okay. This company has been engaged in all kinds of conduct that's not acceptable for any other vendor. It's obviously not of value to Canadians, the way this was carried out.
    How many hours of programming or cybersecurity work did Kristian Firth and GC Strategies do on the contract with KPMG for ArriveCAN? How many hours was it?
    On my specific contract, they were not involved in my delivery.
     They weren't involved.
    I cannot speak to what Mr. Utano and Mr. Firth did afterwards, but specific to the delivery of—
     I gather that they probably went out for a steak and a beer. That seems to be the pattern here. They went out for dinners, collected 30% commissions and then had someone else do the work and said, “Well, these guys are IT professionals,” but they didn't do any IT work.
    How much exactly was KPMG paid through their subcontract with GC Strategies for the work on ArriveCAN?
    As I stated earlier, the two task authorizations totalled an amount of $400,000.
    Do you know how much GC Strategies billed for that work?
    I do not have visibility into that.
     We know that GC Strategies billed the government $452,000 for your work, and that's on the low end. That is a pretty good payday, $52,000 for doing no value-added work. A senior government official facilitated it all. We know that you had that exploratory meeting with GC Strategies and Mr. Firth, and then were directed to work with GC Strategies.
    At what point did you leave the government to become a consultant for KPMG, or an employee of KPMG?
    That happened in May of 2020.
    Do you think it was appropriate and ethical for the government to have a senior CBSA official direct a business to work with a favoured contractor—I'm asserting that they're a favoured contractor—like GC Strategies? Do you think it was appropriate and ethical?
    I think the Government of Canada can decide the way in which—
    I'm asking you, sir. Make a value judgment. On behalf of KPMG, is this the kind of company that KPMG does business with?
    We would do business with any company that—
    You would do business with any company that's having their doors kicked in by the RCMP, that's obviously engaged in procurement processes that are illegal—
    [Inaudible—Editor] business with any company—
    Thank you very much.
     Could I complete the answer?
    I will allow an answer, Mr. Barrett.
    I'd like to complete the sentence. Thank you, Mr. Chair.
    We would do business with any company that passes our risk management processes, as GC Strategies did at that time.
     Thank you very much.
    Ms. Bradford, you have the floor for five minutes, please.
    Mr. Bernard, in response to an earlier question from MP Khalid, you indicated that you were surprised to see your company listed in the AG's report. Given that you made $3 million on contract work with ArriveCAN, why were you surprised that your company would be listed in the AG's report?
    First, we had no ArriveCAN contracts. We had a call-up with the CBSA as a vehicle, and that vehicle was used.
    I know that the Auditor General says $3 million. We immediately went and looked through all of our time sheets, and we were only able to identify $500,000.
     Clarify “vehicle” for me. Did you not do work on the ArriveCAN app? Can you clarify what your work was?
     In the federal government, procurement vehicles are brought up. We have a number of vehicles. We all do.
    I can talk to you from my side, because I was also in the government and I had vehicles. Oftentimes, we needed to do some IT work, and it had to be done right away. We didn't have the resources, so we'd go through these vehicles.
    We have such vehicles. We all do. We had three of those vehicles. One of them was never used at all. For two of them that were used, we identified at least half a million dollars through the time sheets.
     Now I would like to hear from each one of the companies represented here today.
    The CBSA indicated that contractors were selected because they helped to produce a faster result to build the app faster. Do you agree that Donna Cona, TEKsystems and KPMG helped to speed up the process and, from each of you, how? How did your involvement or participation do that?
    Who wants to start? It doesn't matter to me.
(1715)
     Thank you for the member's question.
    Just to clarify, our work at KPMG was a cybersecurity assessment post-development of the application itself, so I can't really comment on how it sped up the development of the app.
     I can comment on the fact that we did help identify areas for improvement to enhance the security of the application for the benefit of Canadian citizens who used it.
    Okay.
    As was previously mentioned, we think, from the time sheets of the work that was done, our team was building infrastructure on the AWS cloud to accept data and provide business intelligence reports back, but it was not only from Public Health. There were many other applications that were providing data into this infrastructure, so we were building this infrastructure on the AWS cloud.
     I don't know if it helped speed up the app—I have no idea—but we were creating infrastructure for a number of different applications.
    We're not talking about speeding up the app. We're talking about speeding up the process of developing the app, which was the question.
    Well, you had to build something in the cloud, to sit in the cloud, so yes, it would help.
    Okay.
    Mr. Loschmann, how about your company?
    As I mentioned in our opening statement, we bid on and won two contracts with CBSA that went through a competitive process in which we were selected because of our value to the Crown. Yes, I think we delivered value to CBSA.
    Now, for each one of the companies, is there any new information or anything else that you would like to add or clarify during your testimony today? We'll be wrapping up soon. Is there anything?
    If I might, I would just say what I've already said, which is that all of our contracts were competitively procured through the RFP process. There was no sole source or anything. They were all in the RFP process, and we were successful in winning them through a very competitive process. These processes are very competitive.
    Okay.
     Ms. Lee.
     Thank you for the member's question.
     I just want to add, on behalf of KPMG, that we're really proud of the work we did to support both the Public Health Agency of Canada and CBSA during the COVID-19 pandemic. At the time, circumstances for both agencies were incredibly stressful. At all times we followed the government's preferred procurement process, and we did not influence that procurement process. We abided by it at their request. I just want to clarify that.
     Okay.
    How much time do I have left?
    You have about 20 seconds.
    Do you have anything that you would like to add?
    I have no additional clarifications at this time.
    Okay.
    I'll cede my time.
     Thank you very much.
    Beginning our fourth and final round, Mr. Brock, you have the floor for five minutes, please.
     Thank you, Chair.
    Mr. Bashir, I'm still going to be circling back on your relationship with GC Strategies and Kristian Firth.
     Your evidence is somewhat clear: three to four possible meetings with Mr. Firth before you engaged with him pursuant to direction given by Mr. Utano. Did any of those meetings occur at his place of business?
     No, sir, they did not.
     Okay.
    Were they all at the government offices?
     All in the lobby of 90 Elgin, from what I recall...yes.
     Were you familiar with where he conducted his business?
    I did not have any line of sight into that.
    He probably didn't tell you that he operated out of his basement, did he?
    I did not have any line of sight into that either.
    No, he didn't offer that.
     That's correct.
    He didn't tell you where he worked out of? Did he give you a business card at least?
     It's possible. I don't recall, but I don't recall the basement conversation coming up.
     Okay.
    Help me with this, because I have a hard time reconciling the evidence your partner, Mr. Hartaj Nijjar, gave on the last occasion and your evidence today with respect to a very key issue.
    My colleague Mr. Nater used the phrase “flim-flammed”. You weren't familiar with that phrase. It could be “hoodwinked”. It could be “snowed”. It could be “lied to”. You certainly didn't know is what I understand. They offered no IT services whatsoever. They were strictly a middleman connecting the Government of Canada with professionals.
     You're saying that you didn't know that and Mr. Firth didn't volunteer that information. That's what you're telling us today. Is that correct?
(1720)
     That is correct.
     Here's the problem. Your partner, Mr. Nijjar, on the last occasion at committee, said the firm, KPMG, followed “rigorous...processes” and determined “no adverse considerations in contracting with GC Strategies, given that [they were] a well-known entity in the government sector”. Both versions cannot be true at the same time.
    What were those “rigorous...processes” that determined there were “no adverse considerations”? Did you at least do an address check?
    I don't know the details. I'll ask Ms. Lee after this to provide whatever details she can about our acceptance processes, which are executed by another team. My understanding is that they look into a variety of factors, including the board of directors or C-suite, any kind of—
    There was no board of directors. It was a partnership. It wasn't a corporation.
    Let's move on to the other checks.
    My understanding is that they look for any public lawsuits, adverse media attention or things of that nature.
    However, Ms. Lee, please, if I'm missing anything in our....
     That's right. That's correct.
    At that given time, given that these are point-in-time assessments, nothing of concern was raised.
    A leading multinational consulting firm exercises the bare minimum of due diligence to determine that you are legitimately dealing with an IT company that lied to you. Don't you recognize the problems inherent with what you just stated to me? Don't you think that you need to revamp your investigative measures to determine who you're actually dealing with?
    If I may, Mr. Chair, I want to comment on the testimony from Hartaj the last time we were here. He was referring to the client engagement and the engagement acceptance process that we go through for every single project that we do, which is the—
    Ms. Lee, that's fine. This is my time. I have some other questions to ask of you.
    Mr. Utano asked you to deal specifically with GC Strategies in the virtual meeting that you had with him. Is that correct?
    That's correct.
    Did he say why?
    At that time, my understanding was that he was exploring a variety of procurement options—
    He didn't give you any other companies to deal with. He didn't say that you could deal with GC Strategies or with Dalian or with Coradix, and that you could choose. He just said that he wanted you to work with GC Strategies. Is that correct?
    That's correct. At the time, we were exploring going out to full RFP, using the CEPS vehicle or using GC Strategies. Those were the three options.
    That's the first time that you had ever, working with the Government of Canada, worked with a contractor that wasn't directly the Government of Canada. Isn't that fair to say?
    For me, personally, that was my first time, but as our written response stated, our firm has subcontracted in the past with approximately 13 companies.
    Thank you. That is is your time.
    We'll turn now to Mrs. Shanahan for five minutes.
    Thank you very much, Mr. Chair.
    I'd like to thank the witnesses for appearing here today.
     I regret the accusatory nature of some of the questions that you have been subjected to here today. I also apologize for your having been subjected to some housekeeping that I did earlier, but I firmly believe that members of Parliament should be held to the same standard that they expect contractors, employees and the public who have dealings with taxpayer money to be held to. That was the nature of my interventions earlier. We can see that it was shut down for today, but it may be revisited at another time.
    In the meantime, I would like to ask you about the Auditor General's report.
    Were you—and I think someone did answer this—contacted by the Auditor General's office during the writing of the report, Ms. Lee?
(1725)
    KPMG was contacted, I think, a week in advance of the publication of the Auditor General's report to confirm some of the facts that were documented in the report. As I said before and will say again, we read the report, understood all the findings and co-operated fully.
     Very good. You were able to confirm the facts.
     When the report was issued, did you learn anything? Was there anything in that report concerning KPMG that you were not aware of?
    Thank you for the member's question.
    We learned only one thing, which was that she documented that there was no documentation. I can't remember the exact wording, but it was to the effect that there was no documentation or rationale provided by the Public Health Agency for the direct award to KPMG after the original CEPS contracting.
     Our understanding is that the Public Health Agency actually spoke with their internal procurement folks to provide that rationale. We were not given access to any of that documentation, nor were we part of any of those conversations.
     That was the only thing that stood out for us that was different from what we understood happened.
    You were not contacted after the report came out about any follow-up or providing any additional documents.
    We were not. That's correct.
     All right. The same question is goes to Donna Cona and Mr. Dowdall.
    Were you contacted about the Auditor General's report prior to the report coming out?
    Yes. Prior to the release of the report, we received a very brief email, stating that the report would show that we did three million dollars' worth of services work on ArriveCAN. We responded back, after we had gone through our time sheets, and said that, from our records, we believed that number was probably in the range of $500,000. We reported that back.
     We didn't hear anything after that. We had no other contact after that with the AG.
    Once the report was released, was that when you learned that the number of $3 million was still there?
     Yes.
     All right. Have you had any contact subsequently?
    No. We've had none.
     Thank you very much.
    Mr. Loschmann.
     Yes, we were contacted by the Auditor General prior to the release of the report. We co-operated with her investigation and have not heard back from the office since.
     Was there anything in the report that was new to you and you learned once the report was published?
     We've read the report and we agree with what's in it.
     Very good.
    If you are contacted by the RCMP, will you co-operate with ongoing investigations into the ArriveCAN application?
     Thank you for the member's question.
    Just to be clear, for the ArriveCAN work we've done, we have not been contacted by the RCMP. Of course, if we were, we would comply and we would co-operate fully. However, we have not been contacted.
    Excellent.
    I'll ask you the same question.
     We have not been contacted by the RCMP. Obviously if we were, we would co-operate.
    The same question is for you.
     We have not been contacted by the RCMP, but we would co-operate with the investigation.
    Thank you very much for the work you did in the public service.
     I have no further questions.
     Thank you very much.

[Translation]

    I now give the floor to Ms. Sinclair‑Desgagné for two and a half minutes.
    Mr. Loschmann, you just said that you would co‑operate with an RCMP investigation.
    What would you have to say about the current investigation? Have you seen anything that you would like to share with us?

[English]

    We haven't been contacted by the RCMP with regard to the CBSA or ArriveCAN, so I have no further comment.

[Translation]

    When you worked with them, you didn't see anything untoward.
    Some have talked about systemic corruption within the Canada Border Services Agency. Did you see anything suspicious?

[English]

    Thank you the question.
    No, we have not been contacted by the RCMP.

[Translation]

    Thank you.
    I'm going to move on to the questions I was going to ask Donna Cona.
    I'm going to come back to the fact that you were charged and that it changed your life, but we can still see that Dona Cona has continued to receive contracts in droves. In fact, in 2021 alone, I believe the Canada Border Services Agency awarded 21 contracts non‑competitively to Donna Cona. Actually, it was 22 contracts.
    How do you explain the fact that so many contracts were awarded non‑competitively to a single company in a single year?
(1730)

[English]

     I'm sorry. Who...? We didn't have any non-competitive contracts.

[Translation]

    According to the government's website, in 2021, you entered into 22 non‑competitive service contracts with the Canada Border Services Agency. That information is on the open government website.
    Are you challenging the government's numbers?

[English]

     I'm sorry. Could you repeat the question? My understanding is that you're saying we had 20-odd non-competitive contracts awarded.

[Translation]

    Those are government figures, Mr. Dowdall.

[English]

    We don't have any non-competitive.... We can't validate that information.

[Translation]

    So you are disputing the figures on the open government site, which is quite strange. In fact, this is a first.
    Have you never had any contracts awarded in a non‑competitive manner with the Government of Canada?

[English]

     The only ones we would have had would have been possible sole sources under $40,000. That's the only thing we've had. Everything else we've competed for in a typical RFP process.

[Translation]

    Ms. Sinclair‑Desgagné, you have time to ask one last question,
    No, I'm done.
    Okay.
    Thank you very much.

[English]

    Mr. Desjarlais, you have the floor for two and a half minutes, please.
    Thank you very much, Mr. Chair.
    Did KPMG employees who worked on ArriveCAN receive a valid security clearance?
     Thank you for the member's question. I'll comment on the Public Health Agency related work.
    All of the staff who worked on the ArriveCAN program did, yes. For the Public Health Agency, we had all the proper security clearance. We required reliability for those contracts.
    At which level did they receive clearance?
     For the Public Health Agency work, we were required to have reliability security clearance. All of our resources had that—reliability or higher. I myself have secret security clearance.
     If you don't mind me adding, for the cybersecurity assessment work, just to reiterate what I said earlier, I had a mix of some secret-cleared people who were doing more of the hands-on work, with the rest of the staff at the reliability level.
     Did KPMG at any time share the results of the security vulnerability assessment with GC Strategies?
     No.
    Did it share them in any capacity—sharing of reports, potential vulnerabilities found in the assessment, incident response plans or any information, even if it was meeting in a lobby, Mr. Bashir?
    Thank you for the member's question.
    All of our results were shared directly with the CBSA, but I can't speak to who they shared them with after that.
     Moving on to intellectual property, does KPMG consider any algorithm it produces for the government, in particular ArriveCAN, its intellectual property?
     Thank you for the member's question.
    I'll just clarify that for work related to the Public Health Agency, we did not develop any algorithms.
     Similarly, when you say “algorithm”, I just want to clarify that KPMG didn't create or edit any code for the ArriveCAN app. Our work was more of an assessment after the code was developed to confirm that the code complied with the Government of Canada's security standards and policies.
     I understand.
    I'll ask the same question regarding security clearances for TEK and Donna Cona. Did you receive security clearances for all those employees who worked on the ArriveCAN app?
    Yes, we validate the security clearance of all the professionals we place with the government.
    What about Donna Cona? Did they have security clearance?
     We would have security clearance for everybody.
     Thank you. That is your time.
    Thank you, Chair.
     Mr. Nater, you have the floor for five minutes, please.
     Thank you, Chair.
    It's too bad that the Liberal national caucus chair doesn't like our questions, but unfortunately, the government failed. We have to ask questions on behalf of Canadians so that taxpayer money is properly spent.
    Mr. Bashir, you mentioned that you would have briefed your leadership team on your meetings with GC Strategies. Who were the members that you would have briefed on those meetings?
(1735)
    As I mentioned earlier, given the time frame, it likely would have been Marc Brouillard.
     You said “leadership team”. Was it more than one person or just Mr. Brouillard?
     He was my assistant deputy minister at the time. There were a number of other directors general that may have been present, but generally the debrief would have been upwards to the assistant deputy minister.
     Would that have been an oral brief, or would there have been written documentation?
    As I mentioned earlier, the debriefs varied. Sometimes, if there was substance, they would be in writing. Sometimes there was a conversation during a bilateral meeting in person.
    Given that Mr. Brouillard was the chief technology officer of Canada, do you not think he might have had some line of sight into a company like GC Strategies, which was an IT company, supposedly?
    I can't speak to Mr. Brouillard's line of sight into the companies he knows.
    I'll ask you this, then. Did he offer any concerns about GC Strategies?
     At that time, no concerns were raised.
     Mr. Brouillard was the chief technology officer of Canada. Who currently holds that position?
    I think, last I heard, it was Minh Doan. I believe he's on leave of absence, so I'm not sure who is acting in the role at the moment.
     Minh Doan.... That name rings a bell with this committee.
    Have you ever met with Minh Doan?
    Certainly, in a government context, we were on the same committee. I believe it was the enterprise architecture review board. We sat across the table from one another in a format similar to this, but I didn't really work with him too closely.
     Did you ever have any conversations with Minh Doan after leaving government?
    The only time was likely during the presentation of our findings of the CBSA cybersecurity assessment that we conducted. I remember presenting those findings to a CBSA committee, and I believe Mr. Doan was present at that meeting.
     Do you have any records from that meeting?
    At best, I probably have a meeting invite, but I'd have to get back to you on that.
     Who else do you recall was at that meeting with Mr. Doan?
     Mr. Utano certainly would have been present and likely some of his team members. It was a CBSA steering committee, as I recall. I don't know all the names off the top of my head. I suggest it would likely have been a series of IT leaders, if I can characterize it that way.
     Could you get back to us if you have any documentation on who would have been at that meeting?
     Certainly. I'll take that back and get back to you with whatever I can.
    Does KPMG, or you specifically in your role, have any dealings with the Department of Fisheries and Oceans?
    First, personally, I have not had any dealings with the Department of Fisheries and Oceans.
    I can't speak on behalf of the entire firm. I could take that back and get back to you. I don't know of any.
    I don't know if Ms. Lee....
    I have the same answer. I'm not aware.
    What about the Treasury Board Secretariat?
    I recently completed a small engagement with the office of the comptroller general in the Treasury Board Secretariat. It was a roughly $30,000 engagement to provide security advice and guidance on a horizontal audit of IT security.
    That was the last engagement I signed with the Treasury Board Secretariat.
    Did you have any previous dealings with those individuals at the comptroller general's office while you were a public servant?
    When it comes to dealings.... I didn't work with them on a regular basis. I certainly would have passed by them in the hall and said hello, but no, we didn't have any work regularly, given that I was in the office of the chief information officer and they were in a completely separate branch.
     I only have a few seconds left, but I want to go back.
    You mentioned that you would have briefed your manager, but you don't know how you did it.
    Could you commit to coming back to this committee with a confirmation of how you briefed your manager and who you would have briefed, whether it was Mr. Brouillard or others? As well, can you provide any documentation to this committee on how you briefed your supervisors following your meetings with GC Strategies?
    I'll certainly do what I can. I hope the committee understands and respects that I don't have access to my former inbox at Treasury Board, so I can't provide the records themselves. I can certainly do my best to summarize what I recall.
(1740)
     If you could do that.... If you get a response, that's great. If you find the department does not allow you access to your records, we will take that into consideration as well.
    Thank you.
    Ms. Yip, you have the last five-minute round. We'll turn it over to you.
    Thank you, Chair.
     I'm sorry to hear that Mr. Nater is not interested in looking at the misuse of public funds when it's his own members doing it.
     Mr. Bernard, how long have you been doing business with the Government of Canada?
    Do you mean after I resigned? It's been since 1990.
    How large were these contracts, relative to the work that your organization had normally done?
     They started off small, and they just grew over time as we grew.
     Okay. Thank you.
    I'll ask the same question of you.
     Thank you for the question.
    For clarification, what are you asking?
     How long has TEKsystems been doing business with the Government of Canada?
    TEKsystems has been working with the federal government since 2015.
     How large were these contracts relative to the work you normally do?
    The contracts vary in size, but we have several different contracts of various values with the federal government. Some are for $300,000, but our agreements with CBSA, for example, were for $15 million and $7 million, respectively.
     All right.
    Ms. Lee, do you want to finish your answer? I believe Mr. Brock was asking a question, and you weren't given an opportunity to finish your answer. Do you still want to answer that?
     Thank you very much for allowing me to finish my comment.
    I was simply trying to respond to Mr. Brock's question regarding the processes around how we review whether or not we can engage in work with a particular organization, contractor or subcontractor. I was just trying to finish the statement that we do have processes whereby we check clients and we check the nature of the engagement we're being asked to undertake. For all of our public sector engagements, we have three partners who actually have to sign off on something before we're allowed to proceed: the engagement lead partner, a secondary partner who is responsible for looking after the engagement-specific process questions and then another quality partner.
    I simply wanted to say that our processes are incredibly rigorous. They're very detailed. They are reliant on point-in-time information, and our systems continuously update based on current information as things evolve. That's what I wanted to finish.
    Thank you.
     Okay. Do you believe your company gave good value for the work that was done?
    As I said before, we are very proud of the work we fulfilled for the government, for both the Public Health Agency and CBSA, during an incredibly stressful time during the pandemic.
    We do believe the work we did fulfilled roles the government itself could not play within the required time. Therefore, yes, I do think we added tremendous value in the work we provided for the Government of Canada.
     Mr. Bashir, looking back on everything that's happened, would you have done anything differently?
     Thank you for the question.
    I echo my colleague's comments about how proud we are of having done that job. If CBSA required cybersecurity assistance to ensure the continued protection of Canadians' information, that is right up our alley, and we would do that type of work again.
    Going back to what Ms. Lee said, I wouldn't have done anything differently in the sense that we went through the processes we were supposed to go through. The Government of Canada had repeatedly validated GC Strategies as a vendor of choice of record and had awarded, I believe, over 100 contracts since 2015. Given that information, there are no differences to my answer.
    Knowing what we know today and knowing that some adverse information has come up with regard to that company, I don't suppose we'd do work with them going forward. However, I want to echo again that, if a Government of Canada organization required cybersecurity support, we would be there, absolutely.
(1745)
     How much time do we have?
    You have about five seconds, so time for a very quick question.
     Okay.
    Is there anything either of you would do differently?
    That is it. Is there anything else you'd like to add?
     No. Thank you.
     That's very good. Thank you.
    We're ending a little late, but not too bad.
    I want to thank the witnesses for coming in today and for their testimony and participation in relation to the study of ArriveCAN. You can submit to the clerk any documents or information that's been requested.
    Members, before we adjourn, I want to let you know that the panels scheduled for Thursday will be switched. We can expect Minister Hajdu in the first hour and Minister Blair in the second hour. This is at their request, and I am inclined to grant that change.
    Finally, the subcommittee will be meeting Monday at 3:30 p.m. for an in camera discussion.
    On that, I adjourn this meeting. Have a good weekend. We'll see some of you on Monday.
Publication Explorer
Publication Explorer
ParlVU