Skip to main content

PACP Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication
Skip to Document Navigation Skip to Document Content






House of Commons Emblem

Standing Committee on Public Accounts


NUMBER 112 
l
1st SESSION 
l
44th PARLIAMENT 

EVIDENCE

Thursday, April 4, 2024

[Recorded by Electronic Apparatus]

(1005)

[English]

     Good morning, everyone. I'm going to open the session.
    Witnesses, I believe you've been instructed on the earpieces. Channel 01 is the English channel. There will be some comments right away en français, so you're welcome to test it out.

[Translation]

     Welcome to meeting number 112 of the House of Commons Standing Committee on Public Accounts.

[English]

    Today's meeting is taking place in a hybrid format. Pursuant to the Standing Orders, members are attending in person in the room and remotely using the Zoom application.
    I remind everyone that all comments should be addressed through the chair.

[Translation]

    Pursuant to Standing Order 108(3)(g), the committee is resuming consideration of Report 1, 2024 from the Auditor General of Canada, entitled “COVID-19 Pandemic: ArriveCAN”, referred to the Committee on Monday, February 12, 2024.

[English]

    I'd like to welcome our witnesses from KPMG: Lydia Lee, partner and national leader, digital health transformation practice; and Hartaj Nijjar, partner and national service line leader, cybersecurity.
    Ms. Lee, I understand you're going to give an opening statement of five minutes.
    I'm going to make a quick comment about today's witnesses, just to set things up for members.
    I invited KPMG to come in today. As many of you know, they were not subject to the audit. That is why the Auditor General is not here. The auditor has no authority to audit a private company such as this.
    That being said, as you'll recall from the Auditor General's testimony, there were so few documents within the federal government that, as chair, I thought it would be worth having them talk to us about the practices and some of the contact with government.
    I expect the questions you're going to get today are going to be along those lines. If you're able to be as forthcoming as possible, the committee would appreciate it.
    Without any further ado, Ms. Lee, I'd ask you for your opening statement. You have five minutes. Go ahead, please.
    Thank you.
    Thank you to the members of the committee for inviting us to contribute to this important conversation about our work with the government during the COVID-19 pandemic. We’re looking forward to answering your questions.
    My name is Lydia Lee, and I am a partner and national leader for digital health transformation at KPMG in Canada. I have more than 25 years of experience in the health care sector, including more than 14 years as a senior leader at a hospital prior to joining KPMG. For much of my career, I have focused on health care transformation, and I am very passionate about helping improve the health and lives of Canadians.
    I’m joined today by Hartaj Nijjar, a KPMG partner and national leader for cybersecurity. Hartaj has more than two decades of experience assisting some of the world’s largest organizations in matters relating to cybersecurity.
    Together, we are here to represent KPMG Canada, which employs more than 10,000 people across the country. KPMG in Canada is fully owned and operated by Canadians. We have been serving Canadian businesses, organizations and communities across the country for over 150 years. Nearly 80% of our clients are small and medium-sized businesses, which are the backbone of our economy.
    Our role is to assist our clients, including governments at the federal, provincial and municipal levels, in identifying and closing strategic and operational gaps by providing specialized knowledge and services in areas where support is required. We consider our services to be an important part of our contribution to Canadian society.
    We are known for our tax, advisory and auditing services, and, as you know, we are the auditor for the House of Commons. We also provide a comprehensive range of services that help Canadian businesses address many of the most pressing economic and social challenges we face as a country. Notably, these include public health and cybersecurity, which is why we are here to talk to you today.
    At the onset of the COVID-19 pandemic, the government urgently looked for outside expertise and invited vendors to respond to a public request for proposals. KPMG responded by competing in this procurement process and was selected as one of six vendors under the COVID emergency professional services, or CEPS, contracting vehicle. This competitive process and the resulting contract provided government departments and agencies with the ability to engage firms like KPMG for specialized global expertise.
     Our engagement with the government during the pandemic included work related to the ArriveCAN program, which fell into two streams. The first, which I led, was for the Public Health Agency of Canada. As we are one of Canada’s largest health care advisory firms, the agency looked to us as it dealt with an unprecedented and rapidly evolving pandemic. In particular, we were asked to provide in-depth subject matter expertise and global knowledge to assist in developing policies and procedures for the implementation of the ArriveCAN program. We analyzed how travellers and government operations would be impacted by the evolving policies, supported extensive stakeholder engagement to solicit feedback on emerging issues, and applied international leading practices to help limit the transmission of COVID-19 to Canadians from international travel at air, land and sea border crossings.
    Put simply, when the government decided to make the ArriveCAN application mandatory, we identified and helped address the significant implications of that decision for all Canadians, including travellers, government operations officials and those in the travel industry. All of the services we provided were part of the public procurement process.
    The second stream was cybersecurity work, conducted by Mr. Nijjar’s team and subcontracted through GC Strategies on behalf of the CBSA. KPMG is known in the field for having strong expertise in cybersecurity. Between October 2021 and March 2022, KPMG provided an independent cybersecurity assessment of the ArriveCAN application. This assessment included a review of practices, procedures and configurations related to the ArriveCAN mobile app, web portals and cloud hosting environment. Our work was completed on time and on budget and was reviewed and approved by the CBSA.
    We are very proud of the services that KPMG provided to assist the government during the pandemic. We delivered highly specialized expertise in a time of unprecedented uncertainty for Canadians and the world. We recognize the importance of the committee’s efforts to review this work and to ensure value for money for Canadians. In each case, we delivered our work on time and on budget using the contracting vehicle identified and directed by the government.
    Thank you. We’d be happy to take your questions
(1010)
    Thank you very much.
    We'll begin our first round. Each of the four members will have six minutes.
    Mr. Barrett, I understand you're up first for the official opposition. It's over to you, please, for six minutes.
    KPMG is one of the biggest accounting firms in the world. How many offices do you have in Canada?
    I don't actually know the answer off the top of my head, but I would be happy to respond to that question immediately after.
    Do you know how many staff KPMG has in Canada?
     I'll also try to answer that question. I know that we have about 800 partners. In terms of the total number of staff, again, I would have to get back to you with that answer.
    You said in your opening statement that KPMG was subcontracted by GC Strategies.
     Off the top of your head—and it's fair enough that you're not sure, as there are a lot of KPMG offices and hundreds of staff—does KPMG operate any of its offices out of the basements of suburban Ottawa residences?
    We do not have any businesses run out of basements that we're aware of.
    That's right, so I find it incredible that KPMG, this massive accounting firm, with hundreds and hundreds of staff and dozens and dozens of offices, ends up as a subcontractor for two dudes working out of a basement in suburban Ottawa. How much were you, KPMG, paid by GC Strategies for your work in ArriveCAN?
     I can take that one, as it relates to the cybersecurity piece of work. We charged GC Strategies $400,000 for the cybersecurity piece of work that we performed for the ArriveCAN app.
    It was cybersecurity work.
    Exactly, yes.
    Could ArriveCAN have gotten off the ground without KPMG's contributions?
    With respect to the ArriveCAN app, KPMG was not involved in the development of the ArriveCAN app. We were involved in the assessment of the security of the ArriveCAN app, and it was already off the ground when we were assessing it.
    Did KPMG contact the Government of Canada regarding work on ArriveCAN first, or did the Government of Canada contact KPMG first?
    KPMG initially participated in the CEPS agreement that I mentioned in our opening remarks. We were awarded a spot on that vendor-of-record contracting vehicle in July 2020, and our work was subsequently contracted off that vehicle.
    How many non-competitive contracts related to ArriveCAN was KPMG awarded?
    What I'd like to say is, first of all, that all of our work was contracted through the government's procurement vehicles that were directed to us—
    That's understood. Just give us the number of non-competitive contracts, please.
    On the contracts that were directed to KPMG, and I'm talking about the Public Health Agency work at this point, we had a TA that was directed to us through the CEPS vehicle, and then there were two subsequent contracts that were directed to us through the Public Health Agency.
    The number is three.
    That's for the Public Health Agency-related work.
    Those non-competitive contracts were amended multiple times: yes or no, please.
    I just want to confirm that the initial TA was through the competitive CEPS vehicle, so that was competitively awarded and then subsequently directed to us.
    I'm sorry. Could you repeat the second question, please?
    The contracts were amended multiple times: yes or no?
    Yes. Our contracts were amended a few times.
    Those amendments saw the fee for service increase, the length of time for the contract increase and the deliverables reduced. Is that correct?
    The initial TA and the initial contract through the Public Health Agency were incredibly detailed in terms of deliverables and key activities that we were asked to provide. The subsequent and final contract that was awarded by the Public Health Agency was less so, by the Public Health Agency specifically, because you have to remember that this was during the third and fourth waves of the pandemic, and they required more flexibility because of wanting to be able to respond to unforeseen events and policy changes at the time.
(1015)
    Just for clarity, the Auditor General said in her report that KPMG had contracts amended to do exactly what I detailed: add additional costs and make the deliverables over a longer period of time, with less specific deliverables. Do you agree with the Auditor General's assessment? Yes or no, please.
     We agree with the Auditor General report findings.
    Thank you.
    Thank you very much.
    Who in the government was KPMG's contact for the non-competitive contracts that KPMG received? I want the name of the individual at the department, please.
    I'd be happy to start the description of that through the Public Health Agency work, and then I might ask Hartaj to speak to the other contract.
    You have about 10 seconds to get us a name before the end of my time, please.
    We were contacted through the CEPS vehicle to work with the Public Health Agency under Sheriff Abdou.
    Thanks very much.
    Thank you very much.
    We'll turn now to Ms. Bradford, who's joining us virtually.
    You have the floor for six minutes, please, Ms. Bradford.
    Thank you to the witnesses for coming today.
    Some of this might be a bit repetitive from your opening comments, but I just want to get it on the record. Could you please help the committee members and the Canadians watching from home understand what specific services were provided for the $5 million received in government contracts by KPMG for the ArriveCAN app? What work did KPMG specifically provide for this?
     I can definitely take that for the Public Health Agency work. I'll ask my colleague Hartaj to speak to the cybersecurity work in a moment.
    The work we did to support the Public Health Agency was focused primarily on helping them to analyze and plan for the operational impacts of all the evolving policies that were happening under the Quarantine Act during the pandemic. This included both detailed and extensive stakeholder engagement within government and helping them to facilitate discussions outside of government—for example, with the travel sector, air operators and so on.
    We also were asked to provide global leading expertise and access to information through KPMG's global network of colleagues to help inform policies that were forming here in Canada. For example, we reached out through our global network to the Five Eyes countries and to other jurisdictions to learn how they were handling the COVID-19 pandemic, quarantine, and quarantine restrictions, and then eventually how they were handling things like lab testing, vaccine administration, documentation and so on for international travel.
    The other thing I'll mention is that at that time, KPMG was providing very specialized expertise to the Public Health Agency to address what we understood were some capability gaps in terms of being able to quickly support their detailed planning in things like human-centred design. We were trying to understand what the traveller's experience would be through all of these policy changes and operational changes at the borders. We were developing journey maps and process designs, all at a very, very rapid pace, to support their constantly evolving policy environment.
    That essentially was the nature of the work we did under the Public Health Agency.
    Maybe I'll let Hartaj speak to the other work.
    Sure. With respect to the cybersecurity work, there were five primary bodies of work. The first was to assess vulnerability management practices around the ArriveCAN environment. How do you identify vulnerabilities and mitigate them in a timely manner? The second was to assess compliance with certain privacy regulations, particularly those surrounding the cloud hosting platform. The third was to assess the cloud hosting platform itself to understand if appropriate security controls were embedded. The fourth was to understand whether appropriate incident response processes were in place. If there was an incident or a breach of some sort, would it be possible to respond and recover in a timely fashion? The last was to do with understanding whether appropriate security practices were integrated within the development processes.
(1020)
    Thank you for those detailed responses.
    Can you confirm the total amount that KPMG received for this work on the ArriveCAN application?
    I want to reconfirm that KPMG did not do any work on the development of the app itself. However, for the Public Health Agency work that was contracted to KPMG, we invoiced about $4.5 million before taxes.
     For the cybersecurity work, we invoiced $400,000.
    Thank you so much. It is approximately $5 million.
     Can you please explain why KPMG was not able to receive a contract directly from the government, or the CBSA in this case, to work on the ArriveCAN app, or for the work it provided in this process? Why did it need to be subcontracted by GC Strategies?
    I can take that question, as I believe it relates to the cybersecurity work.
     KPMG would have been proud to contract under any vehicle, or even to bid in a competitive RFP process. We were asked to subcontract through GC Strategies, and we complied with the government's request.
    How was the decision made on KPMG's end to become a subcontractor for GC Strategies?
     You said it reached out. What was the process whereby you made the decision that you would subcontract through GC Strategies?
     When KPMG is contracting with a party, be it a client, a partner or an entity, we have rigorous client acceptance and engagement acceptance processes that we must follow in every case, and we followed those processes to understand whether there would be any adverse considerations in engaging with GC Strategies. At the time, our results showed that there would be no adverse considerations in contracting with GC Strategies, given that it was, at the time, a well-known entity in the government sector and we were being asked to contract with it by the government.
    Have either of you met with Kristian Firth or Darren Anthony?
     I have not met with either of those individuals, and I believe Ms. Lee has also not met with those individuals.
    I have not.
    Thank you, Ms. Bradford. That is the time.
    Coming up next is our Bloc Québécois member. You might want to get that earpiece ready, if you haven't already.

[Translation]

    We take both official languages seriously here.
    Ms. Sinclair‑Desgagné, you have six minutes.
    By the way, if there are any delays because of interpretation, I’d like to be given a few more seconds to avoid losing speaking time for francophones listening to us.
    Yes, we will proceed as usual.
    Thank you, Chair.
    Good morning, everyone. Thank you for joining us.
    First of all, I’d like to mention that I spent my career at the “Big Four,” which are the major auditing firms Deloitte, Ernst & Young, KPMG and PricewaterhouseCoopers, those four renowned auditing firms. I’m quite familiar with how things work. You’ll agree with me that, human capital aside, what matters most to the Big Four is reputation. Right now, KPMG’s reputation, at least on this committee and in the Auditor General’s report, is shaky to say the least. That’s why I would ask you to answer the questions directly. There’s no need to thank us for our questions; that won’t be necessary. We thank you for your answers.
    My first question is about the contract for which you were a subcontractor for GC Strategies. Who within the government asked whom at KPMG to agree to be a subcontractor for GC Strategies?
    Please provide a quick and brief response.

[English]

    KPMG was contacted by a CBSA official. His name is Mr. Antonio Utano.

[Translation]

    It was this person who asked KPMG, a company with 10,000 employees—as I know—to agree to subcontract, and therefore lose a profit margin that you could have made directly with the government. It was Antonio Utano who asked KPMG to be a subcontractor for GC Strategies.
    First of all, why did you agree to this?

[English]

    KPMG would have charged the government the same amount it charged GC Strategies for the work it actually performed.
     With respect to the work, we were asked to submit a proposal to GC Strategies. Our assumption was that when KPMG was asked to submit a proposal, others were also asked to submit a similar proposal, and that the proposal that was ultimately the best was awarded the work.
(1025)

[Translation]

    Thank you, I know quite well how it works, but I’d like you to answer my question and tell me why you agreed to be subcontractors for a two-person company. Of course, you did the work and you may have charged the same amounts, but you knew very well that something was amiss.
    Let’s take risk factors, for example. You’re partners, so you know that any consultant who signs a contract with someone else has to fill out risk assessments. In this case, going through a contractor like GC Strategies carried a risk, even for KPMG’s reputation, knowing that it was a two-person company that provided no services. KPMG should have seen that. The partners assigned to the project should have noticed that there was a significant risk in going through a two-person company that provided no services.
    It was a reputational risk for KPMG. You’re proving it today.

[English]

    As indicated earlier, KPMG does follow rigorous client acceptance processes.
     At the time, GC Strategies was an organization that had been successfully working in the government sector for a number of years. They had a large government contract, and they were well known in the government sector.
     Our checks did not indicate any adverse implications of engaging with GC Strategies. Furthermore, KPMG was directed to do so by the government. We understood that the government had followed its own processes to vet GC Strategies as well.

[Translation]

    All right.
    If you agreed and you knew GC Strategies’ reputation, you knew GC Strategies. You mentioned that you didn’t know the two people in question.
    Who knew GC Strategies and therefore agreed to be a subcontractor for GC Strategies?

[English]

    KPMG as a whole agreed to work with GC Strategies. We deployed an engagement team to work directly with CBSA once we had been notified that the proposal was successful. We then submitted our engagement letters to GC Strategies. Once they informed us that the engagement letters were approved, we worked directly with CBSA.

[Translation]

    You say it was KPMG as a whole, but one person, a partner or a senior manager, regardless of rank, agreed and was in contact with GC Strategies. An entire team probably worked at least to provide the work to GC Strategies so that subsequently that company would provide the work to the government.
    Can you tell me how many people were on that team and who was in direct contact with GC Strategies, again? At KPMG, who was in contact with GC Strategies and was aware of GC Strategies’ reputation?

[English]

    There was a full team deployed—security cleared at various different levels, from partner all the way down to senior consultant level—to complete the work in the time that it took.
    In terms of the contract itself, it was signed by a partner in our cybersecurity team in Ottawa. He engaged directly with GC Strategies just for the contract. Once that was done, we had very little to do with—

[Translation]

    Does that partner still work for KPMG?

[English]

    Yes, he does.

[Translation]

    Why isn’t he here today, since he’s the one who dealt with GC Strategies? He should be here today to answer questions from the Standing Committee on Public Accounts.

[English]

    The reason I am here today is that I'm the national leader of cybersecurity. Any work that we perform underneath cybersecurity falls within my purview and my responsibility.

[Translation]

    There are empty chairs beside you. He should have been present to answer questions about his relationship with GC Strategies. That’s what we requested. When we ask to speak to KPMG, we are also asking to speak to the people who are connected to the ArriveCAN matter, and in this case, to the partner or person in charge who was in contact with GC Strategies.
    There are people who come with entire delegations. You should have known that the empty chair next to you should have been occupied—
    You have to ask a question, Ms. Sinclair‑Desgagné.
    —by the partner.
    I’m finished, Mr. Chair.
    Very well, thank you.

[English]

    Next up is Mr. Desjarlais.
    Mr. Desjarlais, you have the floor for six minutes. Go ahead, please.
(1030)
    Thank you very much, Mr. Chair.
    I want to thank the witnesses for being present with us today.
     I want to turn to a few topics that I think Canadians are most concerned about in relation to KPMG's work and the work of GC Strategies, the Public Health Agency of Canada and CBSA.
    What is becoming clear in this is that there is certainly a network operating when government contracts are disposed of by way of individuals within CBSA, as we saw with ArriveCAN, who have largely, in some ways, influenced the decision of contractors.
    Mr. Nijjar, you just mentioned that GC Strategies was well known as a government contractor and a trusted source. Why is it that you've come to that conclusion in relation to GC Strategies? Who told you that they were trusted? How long have they been in your network to suggest that they're a trusted partner of the government or of KPMG?
    In terms of GC Strategies' being well known in the community, they had worked in that particular industry sector for a number of years—well over five years—and that was known among folks who worked in that community, within the federal government space.
    Is that because of a subcontract relationship?
    I'm sorry. Could you repeat the question?
    On that last point you made, you said they were well known among the community. How did they come to be well known among the community? Was it because of their nature as a subcontractor? Would people go to GC Strategies looking for work?
    They were well known with respect to doing work in that space. My answer wasn't directly with respect to them being sort of a prime for subcontracting work.
    I'm trying to understand, and I hope you can sympathize with Canadians who are trying to understand, this relationship. How is it that non-competitive contracts were awarded to three groups in particular that were known to each other and that you said were known amongst the community? I'm trying to understand why this network exists. Is it because of GC Strategies, as a conduit for subcontractors, because of their knowledge of subcontractors, that they could secure government contracts? Was that known to the community? Was that also well known?
    At the time, sir, KPMG were asked to subcontract with GC Strategies. As I mentioned earlier, we would have been more than happy to contract through the CEPS vehicle, and we would have—
    I'm sorry. Can you repeat that last part? Were you directed to work with GC Strategies?
    Yes. We were asked to work with GC Strategies. We would have been more than happy to—
    Who directed you to work with GC Strategies?
    It was the CBSA.
    So the CBSA directed you to participate in a non-competitive contract.
    The CBSA asked us to submit a proposal to GC Strategies for the cybersecurity piece of work. We submitted a proposal. At the time, our assumption—again, being asked to submit a proposal—was that it was an ask that may have gone to others as well.
    Did you or anyone in KPMG raise a concern about the use of a non-competitive contract for the purpose of this work, knowing that you're a firm of auditors?
    At the time, we were being asked to submit the proposal by the government. We assumed that the government was using vehicles that were authorized. Again, we were under the assumption that there may have been others also being asked to submit a proposal in a similar capacity. We were under the assumption that it was somewhat competitive.
    KPMG is a very large firm. You do work across the country and around the world. You spoke about your global network and the ability to second information very quickly. It makes sense that you could have raised the concern that you would be more competitive than GC Strategies, don't you think?
    KPMG does not know why the government chose the particular mode of contract that it did. At the time, all we knew was that the government had asked us about our capabilities for this piece of work, and it asked us to submit the proposal to GC Strategies. We did not also know the relationship that GC Strategies had with the government, or indeed what they were going to be charging the government for the piece of work that we ultimately performed.
    Just to that point, and I appreciate the frankness of your answers, let's focus for a second on the value of the task authorization and the total contracts you mentioned for cybersecurity. The cybersecurity work that you mentioned in the previous question totalled $400,000. Is that correct?
(1035)
    Yes. That is correct.
    However, when we look at the task authorizations submitted by GC Strategies, they totalled $540,000, invoices of which are...$40,000...we'd assume that $90,000 went to GC Strategies. Would you agree, or did KPMG take a share of that?
    KPMG is unaware of the figure that GC Strategies charged to the government. We do not have any line of sight or visibility into that at all.
    The Auditor General found “that the Public Health Agency of Canada awarded a professional [contract] task authorization using a non‑competitive approach to KPMG”. However, they found “no documentation of the initial communications or the reasons why the agency did not consider or select other eligible contractors to carry out the work”.
    Can you confirm some of these details with us today? Do you or KPMG have any communication—emails or letters—about those contracts that could be supplied to our committee in regard to the initial communications for the work on the task authorization to KPMG?
    With respect to the initial task authorization, as I said, we were direct-contracted through the CEPS vehicle that I mentioned earlier. For the subsequent contracts that were directly contracted through the Public Health Agency, we were under the impression that the Public Health Agency was providing documentation and justification to their contracting authority to provide the reasons for the direct award.
    We don't have any email communications as such, that you're identifying, but we were under the impression that they had provided the documentation to their contracting authorities as required.
     You have no information about that, then.
    Mr. Desjarlais, that is your time.
    Thank you, Chair.
    I wanted to make sure that the witness had time for a fulsome answer, but you're over the time.
    We're beginning our second round, which consists of six slots.
    Mr. Brock, you have the first, please, for five minutes.
    Thank you, Chair.
    Thank you, witnesses, for your attendance today.
     Since Justin Trudeau formed government, KPMG has been one of the leading recipients of government contracts, to the tune of almost a quarter of a billion dollars. Of that, we heard today that your work surrounding the ArriveCAN app and its implementation came to roughly $5 million.
    I've listened very carefully to your evidence. I've heard references to the CBSA. I've heard references to Public Health. Were any other ministries involved?
     KPMG has been doing business with the federal government for many years—
    I'm not asking that question.
     In relation to the ArriveCAN app and its implementation, were you working with any ministries other than Public Health and the CBSA?
     For the Public Health Agency work we did, we were aware that there were ongoing discussions with other government departments as part of the operational implementation of the program. We were not contracted by...nor did we have any direct contracting or procurement-related discussions as they related to ArriveCAN to support that work.
    Let's talk about the contracts. We've talked about the competitive contract that you were asked to bid on. We also know, through the Auditor General's report, that there were a number of non-competitive contracts that you were ultimately awarded.
    Giving just the number, how many were competitive and how many were non-competitive?
    The initial TA was the competitive steps. That was the—
    Was that the only one that was competitive?
    That is correct for the Public Health Agency-related work.
    If I may add, there were two subsequent contracts directly awarded by the Public Health Agency to KPMG.
    Right.
    They were non-competitive.
    That's correct. They were directed to us.
    What about through the CBSA?
    Thank you.
    For the work we did on the cybersecurity front, there were two contracts that were with GC Strategies. There were no direct contracts with the CBSA.
    They were non-competitive as well. Is that correct?
     You weren't bidding against other companies. You were asked to work with GC Strategies, so it was a non-competitive contract.
    We were asked to submit a proposal to GC Strategies—
    That was ultimately granted.
    —which was granted.
     There were two with the CBSA and two with PHAC—that's four—and one was competitive. They were for $5 million.
     How many employees at KPMG worked on those five contracts for $5 million?
(1040)
     I don't have the number off the top of my head, but I can say that over the close to two and a half years that we supported the Public Health Agency, we had a number of people. I was the engagement partner, but we had a number of people. On the original TA, we might have had 10 or 15 people who were identified and participated in some initial stakeholder engagement.
    As time went on, we had—
    Let's move on to the issue now that you were directed by the CBSA to work directly with GC Strategies. You indicated, sir, when pressed, that it was Mr. Antonio Utano who did that.
     Is that right?
    That is correct.
    Did he reach out directly to you or to another partner?
    Mr. Utano reached out to our federal government practice.
    What does that mean?
    KPMG has a number of industry specialists—
    Whom did he speak with at KPMG?
    He ultimately spoke with a partner in our cybersecurity—
    Who?
    The name of the partner on the cybersecurity team is Mr. Imraan Bashir.
    All right. How was that communicated? Was it in a phone call? Was it by email? Was it by text?
    The initial conversation was through email. The initial outreach was done through emails.
    Do you still have a copy of that email?
    I would need to investigate and check.
    I will be asking you within the time permitted by this committee to submit that email—in fact, any and all written correspondence, whether that's snail mail, email or a text message, between the CBSA and KPMG, to work specifically with GC Strategies.
     Can you provide that to us?
    We will definitely have a look to see what we have and what we can provide and get back to you.
    Okay.
    Were you communicating at all with any other member of the CBSA team?
    No, not to my knowledge.
    Were you communicating with any elected official—the president of the CBSA, the deputy minister, the Minister of Public Safety—anything like that?
    Mr. Brock, your time is up, but I'm going to allow an answer.
    Thank you.
    No.
    Thank you very much.
    All right.
    Chair, could we identify the timeline, please?
    I will at the end, yes. We'll come back to requested documents, and I will explain how that works.
    Ms. Khalid, you have the floor for five minutes.
    It's over to you, please.
    Thank you to the witnesses for being here today.
    Just to build a little bit of context around some of the questions my colleague asked, how much did the Harper government award to KPMG while they were in power?
    I'm not aware of the answer to that question, but as I said before, KPMG has been very proud to support the federal government for a very long time, for many years, well before this body of work.
    Are you able to get us an answer to that question?
    We can certainly endeavour to check that out and follow up with the committee afterward if you'd like.
    Thank you. I appreciate that.
    I know that the issue we're discussing here is not whether the ArriveCAN app was a success or a failure. We're talking about the cost of the app. There has been a lot of disappointment—me included—as to how this money was spent and the process through our federal government as to how it was spent, but it seems to be, more and more, a systemic problem. You, having worked with various governments over past decades, perhaps can help us understand that a bit.
    I know that when the Conservatives were in power they were paying Deloitte $90,000 a day to teach them how to cut costs. There was a quote from the late Jim Flaherty, who was the finance minister. He said, “Private sector advice is valuable, it’s important, it’s essential.”
    Can I perhaps get your viewpoints on how the private sector does lend a hand, especially in instances like the pandemic that we were facing?
    I can answer that in respect of when clients reach out, and by the way, we've worked for clients at the federal level, the provincial level and the municipal level, in the public sector and in the private sector. I worked largely in the public sector health care arena.
     We find that when clients reach out to ask for consulting support, it's typically for two major reasons. One is that they lack the specific expertise or capabilities that are required to address a specific problem within their organization, and the second reason is that perhaps they might need more capacity in a very short period of time to address time-sensitive or urgent requirements.
    Coming back to the experience that KPMG had in this instance that we're talking about this morning, we certainly felt that we were being asked to provide exactly support in those two areas, for both the Public Health Agency and the CBSA.
(1045)
    Thank you. I appreciate that.
    Has KPMG worked with GC Strategies on other projects and any various iterations of GC Strategies as they have worked with government over the years?
    I can take that one. We had not worked with GC Strategies prior to the engagement in question, nor have we worked with them after.
     If GC Strategies were working under a different name, would your answer still qualify for that?
    Yes, I believe my answer would qualify.
    Has KPMG worked with the Coradix, Dalian or Coredal companies in the past?
    To my knowledge, we have not.
    How do you, in KPMG, work with your employees and your contractors as they work with government to ensure there is no overlap or conflict between government employees and KPMG as a consulting agency? Is there a conflict that you provide checks on?
    For any engagement that KPMG takes on, we have not only a rigorous client acceptance and engagement acceptance process, but a conflict check process as well, to understand whether there are any independence or conflict issues that may arise. We take those matters extremely seriously, and those are performed on every engagement.
     What kind of checks do you look for in regard to conflict?
    We look for relationships—personal relationships and family relationships. There's a series of questions we must answer for the engagement team and for the engagement partner with respect to any relationships they may have with the organization, and things of that nature.
    Thank you very much, Mr. Nijjar and Ms. Lee.
    Those are all my questions today.
    Thank you very much, Ms. Khalid.
    We will once again turn to our Bloc member.

[Translation]

    Ms. Sinclair‑Desgagné, you have two minutes and thirty seconds.
    Thank you, Chair.
    Let’s go back to the partner who was contacted about cybersecurity. I believe you said it was Mr. Imraan Bashir. When this person performed what we call a risk assessment at PwC, where I spent part of my career, before signing a contract, he should have seen that it was abnormal for a government employee to ask GC Strategies to subcontract this project to KPMG. This employee, if he was on your team, especially if he was a partner and therefore someone who knows about reputational risks, should have realized that there was a problem.
    Now, I would have put the question directly to this person, as he should have been present today. So I’d like a written answer from him to the following question: Was he aware that GC Strategies was inviting members of the government, including Mr. Antonio Utano, to activities such as events, whisky tastings and golf tournaments? Was he aware of this? I’d like his written response to be provided to the committee, please.

[English]

    Let me just interrupt for a second.
    In terms of how House of Commons committees work, we seek information from witnesses. Members will request information, which we hope witnesses will provide. If you're agreeable to that, we typically hope for an answer within two or three weeks, at which point the committee analysts will reach out.
    You're probably aware of this, but I'll state it anyway. Committees have the power to call documents to be brought forward as well. Those powers are quite sweeping. We do encourage witnesses to work with the committees as much as possible to provide documents. Now, it is quite an extreme measure for committees to compel documents to be brought forward, but it has happened, even in this Parliament.
    I thought I should probably state that. Generally, it's an agreeable practice. Witnesses are here to help committee members understand, and they do endeavour to provide documents.
    Do you have a question for me? Go ahead.
(1050)
    Is it our responsibility to remember everything that's being asked of us, or will we get a summary?
    That's a good question. The analysts will provide a list of what the committee members have asked for.
    Okay. Thank you.
    That's why as the chair I also endeavour to confirm that you've understood the request. I would not want to put a witness in a position where a member has asked for a document and the witness was not aware, or the request kind of flew over, in a way. I believe Mr. Brock was quite clear on what he's hoping to receive. It was just a question of the timeline that I wanted to highlight at the end, but I thought I'd better do that right now.
    Yes, we will loop back around with you and provide information to you. If there is a concern, you can flag that with the committee. We'll of course consider that, but as I said, the powers of the House of Commons committees are quite sweeping when it comes to information.
    I'll turn things back to you to answer that question from Madame Sinclair-Desgagné. If you like, she can ask it again now that I've spent a few minutes....
    Why don't you go ahead and do that again, Nathalie? I've stopped the clock. I'll run it again once you're done the question.

[Translation]

    In fact, I’m asking for an answer from his associate who was in direct contact with GC Strategies. Was Mr. Bashir aware that the two people from GC Strategies were inviting members of the government to events such as whisky tastings, golf tournaments and so on?

[English]

    I'm going to start the clock again right now.

[Translation]

    Mr. Chair, how much time do I have left, is it one minute?
    Yes, you have one minute.
    Very well, thank you.
    I’ll move on to the next question, then—

[English]

    Before we begin, is that something you could work with your colleague to provide?
    Thank you.
    Yes, we can work with Mr. Bashir to try to provide that.
    Thank you. The committee appreciates it.

[Translation]

    Ms. Sinclair-Desgagné, you have one minute left.
    Thank you.
    In her report, the auditor mentions that, when invoices were sent under contracts between KPMG and the government, the invoices were less and less specific about the tasks performed. This led to longer and longer lead times, which in turn increased the price and value of the contracts. That also meant more hours spent on contracts. Invoices were higher and higher, and less and less specific about the tasks performed.
    When you fill out an invoice and send it to the customer, normally you have to be specific about the tasks performed. I know, having done it several times myself. This is true even of our own accounting departments.
    At KPMG, was it Mr. Bashir again who authorized sending the government imprecise invoices?

[English]

    Thank you very much for the question. I'll take that for the Public Health Agency-related work.
     Very specifically, when we were working under the initial TA—the COVID emergency professional services vendor of record—the very first time, we prepared an invoice. We worked extensively with the Public Health Agency and its internal team to make sure that the documentation on the invoice was satisfactory with its requirements to process the payment, and that it provided the level of detail required.
     We had it all pre-approved, and that never changed throughout the entire, as I said, two and a half years that we worked with PHAC.
     Furthermore, our understanding with respect to the OAG report...we were not led to believe by the Auditor General that any of those concerns were actually directed specifically toward KPMG. However, as I said, the Public Health Agency pre-approved the level of detail in all our invoices from the very beginning.

[Translation]

    Thank you very much.

[English]

    Next up is Mr. Desjarlais. You have the floor for two and a half minutes.
(1055)
    Thank you very much, Mr. Chair.
    I now want to return to this significant problem that I believe could have been addressed largely through Public Services and Procurement Canada's policies, but was largely avoided.
     Are either of you aware of the Public Services and Procurement Canada supply manual?
    As I said, KPMG always follows the specific procurement approach that is laid out by the government. Our federal government practice is familiar with all of those policies and procedures for all of the procurement activity that we do with the federal government.
    You're aware that there is the ability for a contractor, and particularly a prime contractor like GC Strategies—or a general contractor, as it's called itself at times—to absorb several task authorizations and then dispose of those task authorizations through multiple subcontractors.
     Are you aware of that practice?
     I am not aware of all of the details, specifically, of the steps you're talking about. However, as Mr. Nijjar and I have said, all of the contracting work we did was at the government's direction throughout the entire time we worked on the ArriveCAN service.
     When the CBSA directed KPMG, was that at the beginning of that work? Was it supposed to be directly related to the work of GC Strategies or the overall work of supporting the government in the Public Health Agency of Canada's overall mandate? Was it narrowly, at the time of direction, by the CBSA?
     Who directed that you work with GC Strategies?
     I think there might be some confusion about the contracting relationship. The Public Health Agency contracted directly with KPMG, and I was the lead partner for that work during the two and a half years we supported the Public Health Agency. None of that work had anything to do with the ArriveCAN app or the relationship with GC Strategies.
     The only work that was done through GC Strategies was the cybersecurity audit that Hartaj spoke about. I hope that clarifies things.
    It does clarify things. The CBSA only directed in the very particular instance the work related to ArriveCAN—that's what you're saying—not the work at the Public Health Agency.
    That is correct. Yes.
    In regard to who from CBSA directed KPMG, has there been any further communication between that individual from CBSA and KPMG past the time of the original contract?
    There has not been to my knowledge.
    Thank you.
    Next up is Mr. Nater.
     You have the floor for five minutes.
     Thank you, Mr. Chair, and, through you, thank you to our witnesses for joining us today.
    I want to clarify a few points, because I'm rather troubled by what I've heard here this morning. Just so I understand this, a senior Government of Canada official came to KPMG and said, “We know you have the qualifications to perform $400,000 worth of cybersecurity assessments, but we're not going to contract with you directly. Instead we want you to go through this two-person basement firm, which will also take a $90,000 cut, rather than dealing directly with the CBSA.” Am I understanding correctly that a senior government official came to you and said, “Go through GC Strategies”?
    The government official asked us to submit a proposal for the cybersecurity work to GC Strategies.
    Is this something you've experienced personally in the past, that a government official has directed you outside the direct contracting relationship to a third party, to, for lack of a better word, a middleman or middle company?
    KPMG is often asked to subcontract by small-, medium- and large-scale organizations when they do not have the capabilities to deliver on the specific piece of work or the requirements and when they feel as though KPMG can deliver very high-quality work, so subcontracting is not unusual for us.
(1100)
    I want to follow up on that. Here's the concern. I'm not going to quibble about KPMG's ability to deliver on contracts. Obviously you're a large, successful firm. There's no question about that. Where I have a concern is that GC Strategies is not an IT firm. They don't have capabilities, period. So it's not a matter of subcontracting for another like-minded business or a similar business. This is a subcontract from someone who had no capabilities. Did it not raise any flags whatsoever that this was being subcontracted, that the Government of Canada was asking you, instead of contracting directly, to go through a third party, GC Strategies, which had no capabilities to do this contract which you were qualified to do?
    As was mentioned earlier, at the time, we did follow our strict client engagement processes and practices. At the time of the engagement, there was nothing that stood out as peculiar from those processes and practices in terms of following the instructions from the government with respect to contracting GC Strategies on this specific piece of work in a time that was unprecedented and in a way that gave us an opportunity to help Canadians, and we complied with the ask.
    I just think Canadians might be concerned by what seems to be a very cozy relationship that GC Strategies seemed to enjoy with senior government officials, in which contracts were awarded through third parties to make this work. We know that hundreds of middleman-type companies are being used.
    I want to address one final point before I run out of time, and that's about developing the details and the specifics of contracts. Has KPMG ever helped the government draft calls for proposals that you have then bid on?
    The answer is no. KPMG has not participated in that process.
    Would that be something that would be outside of the normal practice for a firm like yours or any other firm or should it be?
    The vast majority of the work we do for the government, whether federal, provincial or municipal, goes through a competitive bidding process following a request for proposals. As I said before, we would not be involved in developing those kinds of qualifications or criteria in advance of an RFP.
     I want to quickly address the issue of the cybersecurity work that you undertook.
    The Auditor General noted some concerns with cybersecurity work in general, wherein reliability security status was not held by those who undertook the work. Was your firm fully qualified and fully cleared in terms of reliability security clearance?
    Thank you for the question.
    Absolutely.
    Thank you, Mr. Nater. That is your time.
    I'll turn now to Mrs. Shanahan, who is joining us virtually.
     You have the floor for five minutes, Mrs. Shanahan.
    Thank you very much, Chair.
     I too want to thank the witnesses for being with us here today. It is unusual for the public accounts committee to hear from witnesses outside the Government of Canada, but given that your firm also audits the House of Commons, you're certainly not unfamiliar with the way we work, and I think you are providing some very interesting insights here today as to how consultants work with the government.
     I want to reiterate the words of one of my colleagues earlier about the importance of the Government of Canada being able to contract for the kind of expertise that your firm represents, as was done under the former Harper government. In the words of the late Jim Flaherty, for whom I had great respect, private sector advice is critical to helping the government conduct its work. In that case, it was a $90,000-a-day contract to cut public sector workers, which in hindsight, I think we need to review.
    That said, certainly in the time of the pandemic and the emergency situation crisis, no one knew what was going on. It was all hands on deck with the public sector and the private sector and across the board, wasn't it? I think, as you mentioned in your opening remarks, the global network that KPMG had was certainly very instrumental.
    My first question is this: Why do you think PHAC thought that KPMG was the best fit to complete the work that you were contracted for?
(1105)
    I think there were a number of factors that we understood played into the evaluation through the CEPS vehicle—the COVID emergency professional services—to begin with, and then the subsequent awarding of the TA to KPMG.
     As I did mention, I have over 25 years of very in-depth direct experience in working with the health system in Canada in bringing that expertise forward and in particular in working with public health agencies around the country to help respond to the very critical role that the Public Health Agency was playing at that time, not only to monitor the COVID pandemic but also to put interventions in place to limit and contain the spread of the COVID virus, particularly focused on the important disease factor, which was, at that time, international travellers.
    Because KPMG has such an extensive international network of colleagues around the world in similar federal government, provincial government, municipal government and health systems and public health roles, we were able to contact our colleagues around the world in a manner that I think the Public Health Agency just simply wasn't able to do as fast as we could.
    I will add, further to the member's question, that we have tremendous respect for all the employees we worked with at the Public Health Agency. As you said, it was an incredibly stressful time for everybody, and I think we all felt extremely proud. Our team in particular felt extremely proud to be able to support the government and Canadians during this incredibly difficult time.
    Ms. Lee, I want you to describe further what it was like working at that time and the experience you had in this specific area.
    Do you feel that you were able to bring added value that was appropriate? Is this kind of expertise that you brought something that we should have full time and permanently in the public sector?
     I'm sorry. Was that regarding the cybersecurity work?
    It's regarding Ms. Lee's work for the public sector. I will have further questions on the cybersecurity aspect, but is this expertise that we should have already had in-house in the public sector, or was there value added in bringing in KPMG?
    I think that we did bring in unique and specialized expertise at that time to the Public Health Agency.
    As I said, among the key factors the Public Health Agency was looking at were the compliance and enforcement requirements that it and other government departments would need in order to monitor the policies that were being put in place under the Quarantine Act.
    However, we also took the view that it would be important to consider the actual international traveller's experience with respect to these policies. We imagined people coming in from other countries, either Canadians returning to their families and loved ones or people visiting for either business or personal reasons, being exposed to all of these new policies and procedures upon arrival in the country or even before boarding a plane that was coming to Canada. We were bringing very specific human-centred design expertise, for instance, to help the government identify the specific experience. We developed journey maps and detailed process design maps to help them think through all of the operational impacts that these new policies and evolving policies under the Quarantine Act would have, not just on government operations and the air travel industry, but also, more importantly, on international travellers, especially on Canadians returning to the country.
    Thank you. That is the time.
    Thank you.
    We'll begin our third round.
    Mr. Viersen is joining us virtually. You have the floor for five minutes, please.
(1110)
    Thank you, Mr. Chair.
    I want to thank the witnesses for being here today.
    We understand that the RCMP is investigating the ArriveCAN scandal. Has KPMG been contacted by the RCMP with regard to this?
    The RCMP has not contacted KPMG.
    Okay.
    We know the procurement ombudsman has said that 76% of subcontractors did no actual work. How would you respond to that, given that you're one of these subcontractors?
    I can't comment on all of the other subcontractors that have worked with the government. I'll turn it over to Mr. Nijjar again to comment specifically on the cybersecurity work that we did.
    We performed the cybersecurity work, as I mentioned earlier, over a period of around six months. There was a large body of work that was performed across five different streams that required very specialized expertise and—
    Can you be a little more specific? “A large body of work across five streams” doesn't tell me a lot.
    Again, there were five streams of work, as I mentioned earlier, that were related to vulnerability management, privacy, the cloud, incident response and secure development practices, and each of those—
    What does that mean for me, tangibly? If I'm using this app, are you maintaining the security of my data, my name, my address and that sort of thing?
    We were asked to perform an assessment of the security and privacy of the application and how it protected the information of citizens and other parameters around cybersecurity, and that's what we executed.
    Okay.
    Going back to the suggestion that you dealt with GC Strategies, we heard on February 27 that it was suggested to GC Strategies that they should approach you for this expertise. Separate from this, had you bid on development of the application and lost?
    No, we did not bid on any application development work, as far as I'm aware.
    Do you have any idea why your company would have been suggested to GC Strategies? Do you have a long-standing relationship with the government on this kind of stuff?
    We had no prior relationship with GC Strategies.
    KPMG is known in the industry, within Canada and beyond, as a firm that has very specialized expertise in the area of cybersecurity, with a huge amount of depth and breadth in those five specific areas and beyond. My understanding is that we were approached based on our expertise in these areas and on our experience in being able to deliver on that work.
     Has this kind of situation ever happened to you before, with a Government of Canada official suggesting that you pursue a contract with another company?
    Again, KPMG is subcontracted in numerous different scenarios. However, with respect to your specific question, I'm not aware of an exact scenario outside of this one.
    Does KPMG pay taxes in Canada?
    Yes, it does.
    As a taxpayer of Canada, would you not have concerns around the oddity of this? Did you not think, “Perhaps we should flag this”?
     It's something that doesn't happen often. It was being suggested that you pursue a contract with another company. Did it ever occur to anybody at KPMG that perhaps this should be flagged?
    Thank you for the question. I'll take this one, since it sounds like it's a bit more general than just the CBSA-related work.
     As we've both said this morning, KPMG has extremely strict protocols around client and engagement acceptance. We have to go through a very in-depth process every single time we undertake to work with a new client or an existing client to look for any irregularities, any independence conflicts or other areas of risk that would be a risk either to the client and/or to us, and we follow them to the letter.
(1115)
    I'm very limited here—
    I'm afraid that's your time, Mr. Viersen.
    Okay.
    Ms. Bradford, you have the floor for five minutes.
    Thank you, Mr. Chair.
    Mr. Nijjar, you're coined as skilled in multiple areas of cybersecurity, including information security governance and incident management.
     Is there a higher risk of information security breaches when you have to run through the main contractor in GC Strategies? Does the risk increase when you're running through other people?
    In terms of the risk to us in completing and executing the work, no, it did not increase, as we were working directly with the CBSA.
    In your professional view, is there a higher risk of information breaches when passing information along through multiple middlemen?
     We were not actually passed sensitive information through GC Strategies on the ArriveCAN application. Again, we worked directly with the CBSA team when we were executing the work.
    In your professional view, with the rise in cyber-threats and data breaches, does a private company outsourcing to multiple third party contractors bring any benefit to stopping potential leaks or breaches of private security?
    I'm sorry. Could you rephrase the question?
    We now know that there are increased cybersecurity risks and data breaches happening all over the place, or so it seems. Does a private company outsourcing to multiple third party contractors bring any benefit to potentially stopping some breaches of private security?
    I believe the risk remains the same regardless, because again, the subcontractor in this case asked that we primarily work directly with the CBSA when we were executing the work.
    In your role, your department and company more broadly, do you provide your contractors with services, or are you hired in more of a consultancy role?
    I'm sorry. Could you clarify? To our subcontractors...?
    Right. In your role in your company, would you say that you provide contractors with services, or are you acting more as a consultant?
     If I've understood you correctly, in this case, we were the subcontractor and GC Strategies was the prime. We were providing professional services to the CBSA.
    You weren't really a consultant in this case. You were actually providing services.
    We were consulting to the CBSA, but the services we were consulting on were cybersecurity services.
     Right, so I guess, just to be clear, you were basically doing both: You were providing services, but in a consulting capacity.
    That is correct.
    With ArriveCAN specifically, what were your duties and what was your level of oversight in the project?
    KPMG had no oversight at all of the application's development. Our role was specific to the cybersecurity assessment of the ArriveCAN application and the underlying cloud platform, and that's what we executed. We provided oversight of the work that we performed for that ask.
    How can cybersecurity and ensuring that robust systems are in place go hand in hand with the hiring out of independent third party contractors as subcontractors?
    I'm not clear on your question. Could you kindly rephrase it?
    Cybersecurity is one of your areas of expertise, and so is ensuring that robust systems are in place. How do those go hand in hand with the hiring out of independent third party contractors as subcontractors?
    There is no real difference between the work that we would execute as a subcontractor and what we would do as the prime contractor for that body of work.
     We would have been happy to be the prime contractor, but we simply responded to the request of the government.
(1120)
    Thank you.
    Ms. Lee, you have a very extensive background in digital health. How did you end up at KPMG?
    As I mentioned in my opening remarks, I've been in the health care industry for over 25 years. I worked previously at a large academic hospital network, and was given an opportunity to help KPMG establish an offshoot of its existing health care consulting practice with a focus on digital health care.
    Thank you very much. That is the time.

[Translation]

    The next member, Ms. Sinclair‑Desgagné, will be speaking in French.
    Ms. Sinclair‑Desgagné, you once again have two minutes and thirty seconds.
    Thank you, Mr. Chair.
    Mr. Nijjar and Ms. Lee, have you read the Auditor General’s report?

[English]

    Yes.

[Translation]

    Ms. Lee, have you also read it?

[English]

    Yes.

[Translation]

    All right.
    I will quote the Auditor General’s report.
We found similar issues in the two professional services contracts awarded by the Public Health Agency of Canada to KPMG. While the first contract included milestones with clear deliverables and pricing, these were later amended and replaced with less‑specific deliverables to allow for more flexibility.

    Extensions were not linked to new tasks, and merely pushed back deadlines, thus increasing the price of contracts.
    This completely contradicts what you told me earlier, Ms. Lee. The invoices sent to the Public Health Agency of Canada were less and less specific, and the changes to the contract were not linked to specific tasks and merely increased the price of the contract, without adding new tasks for the same amount. That completely contradicts what you told me.
    Why did KPMG agree to take more money and change the invoices to be less and less specific? Was it a public health order, or did KPMG simply decide to pocket more money?

[English]

    As I said previously, all of the invoices that we submitted to the Public Health Agency were approved by the agency prior to submission. We never changed our approach, from the very first invoice to the last invoice, in terms of the level of detail that was provided to the agency.
    To come back to the other part of your question about flexibility, it was our understanding that the Public Health Agency was specifically very concerned about unforeseen events and that it would require assistance from us in the same vein that we had been providing it from the very beginning under the initial TA.
     The work packages, the work processes and all of the key activities were virtually the same throughout all of the contract work that we did for the Public Health Agency over that two-and-a-half-year period. It never really changed.
    The agency asked for the contracting language to be the way it was, to be less detailed in the final contract, because it couldn't possibly predict what was happening during the third and fourth waves, and it was very concerned.

[Translation]

    So KPMG assumes no responsibility for what was denounced in the report—
    I’m sorry to interrupt you, Ms. Sinclair‑Desgagné. You’ll have another opportunity to ask questions.

[English]

     Next up is Mr. Desjarlais.
    You have the floor for two and a half minutes, please.
     Thank you very much, Mr. Chair.
    I want to turn now to the Auditor General's report and her findings about vendors. The report states, “We found situations where agency employees who were involved in the ArriveCAN project were invited by vendors to dinners and other activities.”
    It goes on to suggest that “In our view, existing relationships between vendors and the agency's Information, Science and Technology Branch, as well as the lack of evidence that agency employees reported the invitations to dinners and other activities, created a significant risk or perception of a conflict of interest around procurement decisions.”
    Wouldn't either of you suggest that non-competitive contracts, particularly given these findings, make it seem as though conflicts of interest could, in fact, be real?
(1125)
    I'd like to start by saying that under no circumstances did KPMG feel there was a conflict of interest. We followed all of our internal processes to comply with our policies and procedures along those lines.
    To your comment about social events and the like, you have to remember that our work was initiated in September 2020, at the height of the COVID-19 pandemic lockdowns. Under no circumstances were any of our team members engaged in any of those activities prior, during or after our contracting.
    I do not agree with the characterization that there was a conflict of interest in what we had done, either to procure the work or to conduct it.
    Has KPMG at any point in time supplied gifts, benefits or dinners to members of the government?
    I am not aware of any of that kind of activity happening.
    With regard to the relationship that may have existed between GC Strategies and KPMG, what was the first interaction between these two groups before the task authorizations?
    The only other contact prior to the ArriveCAN app was a discovery session for GC Strategies to understand our capabilities and experience with respect to cybersecurity. That was a very brief discussion.
    Thank you.
    What was the date of that session?
    That is your time, Mr. Desjarlais. You will have one more opportunity to ask questions.
    Mr. Nijjar, can you provide an answer?
    I believe that it was in July of 2021.
    Thank you very much.
    We'll turn now to Mr. Barrett. You have the floor for five minutes, please.
    We have GC Strategies, two men operating out of a basement. They made millions off Canadian taxpayers during Justin Trudeau's $60-million ArriveCAN scam, and we were told that they would subcontract the work out to people they found on Google and LinkedIn.
    What we've learned today is that Antonio Utano at the Canada Border Services Agency reached out to KPMG. I also got answers to some of the questions I asked you in my first round. I asked how many employees KPMG has in Canada, and the answer is 10,000, and it has 40 offices across Canada. The senior official from the Justin Trudeau government said that if KPMG wanted to do work for the government, it had to be a subcontractor to this two-person firm.
    In your experience, is it the usual practice of the government to direct KPMG, one of the largest firms in the world, to work through a middleman staffed by two people? Is this normal?
    Again, KPMG is subcontracted by organizations that are small, medium and of the same scale as KPMG in multiple different scenarios. I'm not directly aware of similar contracts the government has had with us, but I can certainly check.
     The government has said that it uses 635 middleman IT companies like GC Strategies and Dalian, and you're not sure how many companies of that size KPMG does business with.
    Has KPMG been a subcontractor for Dalian or for GC Strategies on any contracts other than the ones that we've discussed today?
    No, we have not.
    You said Sheriff Abdou was the government contact for the amendments to the non-competitive contracts. Did you initiate the amendments, or did the government initiate them?
    Sheriff Abdou was the DG on the original TA that was directed to us through the CEPS vendor of record. The amendments were always made at the Public Health Agency's request for extension.
    Is it a usual practice for you to amend contracts with the government?
    Contracts vary according to the nature of the client's circumstances and the engagement work itself. This was an unprecedented time, as I think we can all agree. The amendments were made at their request.
(1130)
    The amendments were made at the government's request.
    Did you speak to anyone in the government in advance of your appearance at committee today?
    No, we did not.
    How many firms have had contracts with the Government of Canada with KPMG as a subcontractor? Are you not able to provide that answer today? Was that your previous response?
    Could you ask the question again?
    How many firms contracted by the Government of Canada have used KPMG as a subcontractor?
    I cannot answer that today.
    Can you undertake today to provide to the committee that list of contracts and the contractors by whom you were subcontracted?
    We can certainly go back and see if we have that information—
    It's a yes-or-no question. Will you undertake to provide that?
    That's a yes, Mr. Barrett.
    Thank you very much.
    You mentioned you had a discovery meeting with GC Strategies. Who was there?
    Are you referring to the July meeting?
    Were there multiple discovery meetings, sir?
    There was only the July meeting, and then we were asked to provide a proposal to GC Strategies in September.
    Okay.
    Who was at both of the meetings?
    The July cybersecurity discovery meeting was between Imraan Bashir and GC Strategies.
    Who was there from GC Strategies?
    I believe that was Kristian Firth.
    Okay.
    Was it just the two people at both meetings?
    Yes, I believe so.
    Just for certainty, KPMG has spent zero dollars on hospitality for Government of Canada officials. Is that correct?
    To my knowledge, that is correct.
    Does KPMG provide bonuses for securing contracts with the Government of Canada?
    The way we compensate our staff is actually a pretty complicated process.
    You've done about a quarter of a billion dollars in business with the Government of Canada under Justin Trudeau. We're looking to find out if staff were given bonuses for getting that work, like the three-quarters of a million dollars that KPMG was paid to advise the government on spending less on contracting.
    I will say that no staff member or partner is directly compensated for a particular engagement. We use a complicated, multivariate formula to assess a staff member's performance against the firm's performance, their individual performance and their contribution to Canadian society. It's a holistic formula that gets pulled together to identify compensation for all of our staff.
    Thank you. That is your time.
    Ms. Khalid, we will go over to you for five minutes, please, when you're ready.
    Thank you very much, Chair.
    Thank you to the witnesses.
    Let's unpack the ArriveCAN app and the scope of work and services you provided in general. Were the services that were provided just for the ArriveCAN app, or did they have a broader application within these different departments that we're talking about? I know that there were big conversations about digitalization in general.
    The cybersecurity work was specific to the ArriveCAN app and the underlying hosting platform, which was in the cloud.
    I will defer to Ms. Lee to speak about her body of work.
     For the support that KPMG provided to the Public Health Agency, none of that work had anything to do with the app itself. As I mentioned before, all of the work we did was in analyzing and helping them to plan for the operational impacts of the different policy changes that were coming through OICs under the Quarantine Act. We also helped facilitate a number of stakeholder engagement sessions to receive input on how those changes should come about.
    None of the work that we did, though, had anything to do with the app itself. It was more about how the experience of travellers, the travel industry and the border control measures needed to be changed or updated based on the evolving policies.
    When we see a number of different changes in the work orders, etc., I'm assuming that would be based on new information required in that changing landscape.
(1135)
    If I understand your question, the work was such that every single time there was a new order in council, a policy change under the Quarantine Act, I think you can probably imagine the pressure that put not only on the Public Health Agency, but on the border services—immigration, for instance, and the Transport Canada department.
    Numerous agencies and departments were impacted by these order in council changes and, as I said, our work was to help them really think very deeply and thoughtfully about the ways in which operations would have to be updated to accommodate those order in council changes in a timely manner. Sometimes there was very little time for any of these departments or external stakeholders to respond to those OICs. For that reason, they relied heavily on us to help them analyze in a timely manner what the process impacts would be, for instance, or the downstream impacts to staff training, or supports that might be required at different border crossings to facilitate the implementation of those changes.
    At any time, did you find that you had to do a complete turnaround of information or analysis that you had provided based on orders in council?
    There were numerous times when the Public Health Agency was expected to communicate with their upper management about what they thought they should do to respond operationally. For instance, there were a couple of times when they asked...actually, it was more than a couple of times. There were a number of times when they asked us to reach out to our global network of KPMG colleagues around the world to talk to federal governments in other jurisdictions or to talk to our transport-related colleagues to understand what was happening from an air operator perspective, for instance, or in the airports themselves. We had 24 to 48 hours to turn around a global environmental scan that could inform policies and the implementation of those policies.
    This was actually a constant phenomenon during the pandemic, and it went on for two and a half years because of the multiple waves of the pandemic. The Public Health Agency was under an incredible amount of pressure to respond during this time, and we did everything we could to help them do so in a timely manner.
    Do you think Canadians got value for their dollars with this app?
    As I said, neither the work we did through the Public Health Agency nor the work we did directly...although the cybersecurity work was an audit of the cyber-parameters of the app. None of our engagement work had anything to do with the development of the app itself, so it's very difficult for us to comment on that.
    Thank you.
    Lastly, what steps did both of you take to prepare for the meeting today?
    We of course prepared very diligently, because we take this extremely seriously and we wanted to make sure we could come prepared to answer all of your questions today. We contacted our colleagues who work in this space and, obviously, our colleagues who worked on the engagements. We spoke with our legal counsel and our advisers to prepare so that we could respond to all of your questions today.
    Thank you, but it was short of reading the Auditor General's report.
    Oh, I'm so sorry. Yes—
    They read it. They've already testified to that fact.
    We definitely read it.
    Got it.
     Thank you very much.
    Thank you, Ms. Khalid.
    This is the start of our fourth and last round.
    Mr. Brock, you have the floor for five minutes, please.
     Thank you, Chair.
    Listening to your evidence, with respect, I don't believe you truly recognize how damning your evidence has been to the Justin Trudeau government. You talk, Mr. Nijjar, about exercising due diligence and researching GC Strategies, but GC Strategies, according to the Auditor General, received upwards of $20 million for doing nothing other than connecting government officials with companies such as yours.
    They're a pariah. GC Strategies is persona non grata. They've lost all their contracts with the government. They've lost their security clearance. You aligned yourself with GC Strategies, which brings into question...the RCMP may be knocking on your door. If you haven't lawyered up, you probably should be considering doing that.
     GC Strategies testified—not under oath, but there is the presumption of telling the truth at committee—to committing criminal acts, criminal acts of fraud and forgery. This is the company you've aligned yourself with, to the tune of almost $400,000.
    Is that correct, Mr. Nijjar?
(1140)
    Thank you for your question.
    KPMG is not aware of anything related to GC Strategies outside of the work that we performed—
    Was the amount of the contract $400,000?
    The amount that we charged GC Strategies for the cyber-work was $400,000—
    Yes, $400,000. They received 15% to 30% for doing nothing.
    An hon. member: Point of order.
    Mr. Larry Brock: The government could have contacted you directly—
    Hold on a second. Mr. Brock, I've stopped the clock. There is a point of order.
     I didn't recognize the name, so could you identify yourself again? Is it Mr. Bittle?
    Hi. My name is Chris Bittle. We've been colleagues for nine years—
    Hi, Mr. Bittle. I thought it was you. I wasn't absolutely sure. I heard you in the earpiece, but—
    Mr. Chris Bittle: Fair enough.
    The Chair: Go ahead on your point of order.
     I didn't raise a point of order when Mr. Brock spoke the first time. He's cutting off the witnesses as they're answering his direct questions. I know that this is an issue of intense interest for all of us, but he's cutting off the witnesses in all of their answers, even as they're answering the questions. It's not that they're being evasive.
     I'm having a hard time hearing it. I imagine the translators are experiencing the same thing as well.
    Could he just let them answer?
    Thank you for raising that.
    Mr. Brock, can you just keep that in mind? I'm finding that I'm hearing the answers loud and clear, but I'm in the room. Perhaps you could just be aware of that for people who are not in the room. Of course, it is their right as members to use Zoom and attend virtually.
    Mr. Nijjar, you indicated that you didn't know about the unusual if not illegal practices by GC Strategies. You probably don't even know this: Your evidence today gives credence to what GC really stands for—“Government of Canada”—because it's the Government of Canada that's asking you to work with GC Strategies.
    Moving on, the procurement ombudsman is now investigating a concept known as “bait and switch”: promising resources that drive up the cost of a contract and delivering less. Are you familiar with that concept?
    Yes, we are.
    The ombudsman has discussed it at committee before and is now launching an investigation into this fraud.
    Is this a practice ever used by KPMG?
    The answer is, absolutely not.
    Did this ever apply to the nearly quarter of a billion dollars in government contracts since Justin Trudeau formed government?
    To our knowledge, all of the work that KPMG has done has been under the specific procurement processes set out by the government, and we are extremely proud of the quality—
    So the answer is no.
    —of the work that we've done.
    The answer is no.
    Has KPMG been contacted by the ombudsman on this matter?
    To our knowledge, we have not been contacted by the ombudsman's office.
    Will you work co-operatively with the ombudsman as he investigates the bait and switch? Clearly, you're going to be involved in this, given the amount of monies you've received in government contracts. Will you co-operate?
    As I said, of course we would co-operate with any governmental bodies that would contact KPMG. We have not been contacted by the ombudsman directly. Of course we would comply.
     Now, Justin Trudeau, during the last eight and a half or almost nine years, has increased the size of the federal professional public service by over 40%. In 2015, he promised to cut back on the use of external contracts, yet in the fiscal year 2022-23, he spent $15.7 billion on professional and social services, some of that going to KPMG.
    I know that you are retained by the Government of Canada as a consultant to provide an opinion or a recommendation on the government's ability to cut down on consultants. Leaving aside the irony of hiring a consultant to teach the Government of Canada how to cut back on consultants, I personally could have saved the government almost $700,000 by simply saying, “Use the federal public service that you increased by 40%.”
    Now, you released that report directly to the government. Is that correct?
    Neither Mr. Nijjar nor I was directly involved in that work, but we are aware and we also understand that.... It's very typical for KPMG to be called in to do third party reviews like that.
(1145)
    Thank you.
    The report itself has not been tabled with all parliamentarians. Will you provide this committee with the full report?
    As I said, neither of us was involved in that work, so I can't comment on—
    Someone at KPMG was. Will you find out who was responsible for conducting the work and provide this committee with the report, yes or no?
    Thank you, Mr. Brock.
    Is that something you could endeavour to get back to the committee about?
    Thank you.
    I was simply going to say that our understanding was that if the work was done for the government, it would definitely be on the public record. If we're allowed to disclose it without violating confidentiality, then of course we would be happy to comply.
    That's fine. We'll take it one step at a time. If you're able to get back to us on the status of that, I'll work with the analysts on this side to see if that's available. I'd ask you to report back to us any limitations you have. I do understand that obviously there are client privileges. Parliament supersedes that, but we're not there yet. Let's just see where it's at, as a first step.
    Mrs. Shanahan, you're up again for five minutes, please.
    Thank you, Mr. Chair.
    I can understand the direction of Mr. Brock's questions, and certainly Mr. Barrett's questions, regarding the practices of KPMG with senior government officials, because of course we know that KPMG publicly had its senior officials meeting with top Conservative cabinet ministers in 2014 and 2015. The revenue minister at the time, Kerry-Lynne Findlay; the finance minister at the time, Joe Oliver; and former prime minister Stephen Harper were all very happy to appear in public with officials from KPMG's tax department during a time when CRA auditors were conducting an investigation into the KPMG accounting firm's tax schemes and seeking names of multi-million dollar clients.
    I can understand the direction of these questions, because of course the opposition is desperate to find a link with ministers of the current government. Has either of you ever met with a minister of the current government in line with this contracting work?
    I have not, and I believe that Ms. Lee has not either.
    No, I have not.
    Thank you very much for that.
    Of course, we recognize that it was very critical to have the involvement of your expertise in dealing with the unprecedented situation of the pandemic. Unfortunately, some people decided to take advantage of this crisis for their own interests, including, of course, a Conservative insider who was very proud to show his donor card and talk about his desire to be a candidate for the Conservative Party, as well as the PPC, David Yeo of Dalian.
    I understand that you have not dealt with Dalian, and so much the better, but in your client engagement process, what changes have you made now to the process you have internally, given what you know today?
    In terms of our internal processes, as we described before, we do very specific client and engagement acceptance processes internally in KPMG. We have not changed any of our processes at all. They were rigorous before, and they're really rigorous now, but we haven't fundamentally changed any of those processes.
    The Auditor General did note that there was a lack of documentation regarding the contracts that KPMG had. Do you agree that both sides...? Certainly, PHAC and PSPC have to do their part, but do you believe that both sides should be responsible for ensuring that the necessary documentation is in place when a contract is non-competitive?
    We did everything we were asked to do in terms of providing documentation to the Public Health Agency and, prior to that, PSPC, when we were responding to the CEPS RFP. As I said earlier, we were under the direct impression that the Public Health Agency was also providing the appropriate documentation, but we were not privy to any of that internally with the work we were doing.
    I don't know if there's anything else to add on the CBSA contracting.
(1150)
     No, I think you've covered it. Thank you.
    What kinds of documentation would be normal on your side, even in an unusual circumstance like the pandemic?
    I'll give you a very specific rundown of the kinds of documentation we had for the Public Health Agency work.
    In addition to weekly detailed status reports that talked about the specific status of all of our activities, deliverables and the meetings we were undertaking, which we gave in writing to the Public Health Agency, we also provided all of our deliverables, obviously, to the Public Health Agency sponsors and the team members we were working with. Those were all quality-reviewed by a secondary partner in our firm to make sure we were meeting all of our compliance requirements but also providing the right level of quality and standards to meet the Public Health Agency's requirements.
    Again, as related to any contracting, of course all the necessary statements of work documentation that would accompany the contracts was part of the package we had to provide. We also had to sign a form that said we would maintain the same rate structure and rate card, which was the very same rate card that was established in the original CEPS TA, which we held constant for a two-and-a-half-year period. There was all of that documentation, and of course executed documents for the contracting and so on were provided directly to the Public Health Agency for every phase of the work we did.
    Thank you very much. That is the time.

[Translation]

    Once again, it's Ms. Sinclair‑Desgagné's turn.
    You have the floor for two and a half minutes.
    Thank you, Mr. Chair.
    I'm going to quote the Deputy Auditor General. To summarize the situation, he said previously in committee that he found it confusing that a firm of KPMG's size and reputation had accepted a situation that was highly questionable, to say the least. That surprised a lot of people, myself included. It's very problematic. He said that taxpayers didn't get their money's worth, knowing that KPMG had agreed to a huge profit margin for a third party. As Mr. Brock mentioned, it's almost $20 million in total for an app like ArriveCAN, which is huge. I truly believe that KPMG simply forgot that it had a higher role to play. That role was to ensure that taxpayers get some value for their money, that the government, public servants and all stakeholders obey the law.
    I now want to make a very important point. When you did your research and your risk and conflict of interest analysis, it's quite surprising that it didn't come up that Kristian Firth, who Mr. Bashir had several meetings with and contacted a number of times, was in a senior position at Veritaaq when it was accused of rigged bidding by the government and by the Canada Border Services Agency. That should have been part of your risk and conflict of interest analysis.
    If it came up and Mr. Bashir decided to ignore it, that's very problematic. If it didn't come up, I think you need to review your risk and conflict of interest analysis, because it should have come up. This individual was a senior officer in a company that had been accused by the government. Judges have even asked that all Veritaaq employees receive training to prevent bid rigging. I'm using the English term because I want to make sure you understand the problematic situation in which Mr. Firth had been involved.
    Here's my last question for you today, and I'd like you to choose your words carefully: Do you believe that KPMG has a role to play in helping to enforce the law and in ensuring better value for taxpayers' money? Will you pass that lesson on to your colleagues, particularly Mr. Bashir? I wish he were here today to hear me.
    Thank you.
(1155)

[English]

    Thank you for your question.
    I'm extremely proud of the work KPMG performed on the cybersecurity request. I think we provided tremendous value to the citizens of this country. Any situation in which we as KPMG can help the government and citizens further safeguard and secure their information and provide them with recommendations that would help them do so is, in my opinion, providing tremendous value. That was exactly what we did. We provided multiple areas of improvement, opportunities for improvement, and that was following the execution of a very robust piece of work that we performed.

[Translation]

    Thank you very much.

[English]

     Next up is Mr. Desjarlais for two and a half minutes, please.
    Thank you very much, Mr. Chair.
    I want to follow up on Mr. Nijjar's comment there.
    The Auditor General, in finding 1.74, said:
We found that security assessments were completed [by CBSA] for ArriveCAN in a pre-development environment by subcontractors under GC Strategies contracts.
    I'm assuming that's you, KPMG, and several others.
However, we found that some resources that were involved in the security assessments were not identified in the task authorizations and did not have security clearance. Although the agency told us that the resources did not have access to travellers' personal information, having resources that were not security-cleared exposed the agency to an increased risk of security breaches.
    Mr. Nijjar, that is in stark contrast to your comments about excellent work—beyond the questions Canadians have about value for money, which the Auditor General has been clear ArriveCAN did not achieve. That includes the work of KPMG, which, in many regards, to many Canadians, is a failure.
     Being unable to rely on our public service in such a way that.... A private contractor or subcontractor could even refer some work back to the government. This is a process that is in policy in the Government of Canada. Should there be task authorizations that are of lower qualification that the government can do, this could actually be done. It's the responsibility of the government and the contractors to identify those issues and to refer those issues back to the public service. The Auditor General found no instances of that.
    There are three major issues when it comes to KPMG, in my mind, after today's hearing.
    One, there was clearly no effective value for cost here, something I agree with the Auditor General on. To your own comments, if you actually agree with the Auditor General's report, you would also agree with that. Two, there's a security issue related to the findings of the Auditor General on whether or not certain individuals for a certain task authorization were in fact security-cleared. The Auditor General herself has said that it “exposed the agency to an increased risk of security breaches”. Canadians should be concerned. Finally, there is the lack of principle by KPMG as a contractor of the government to ensure that the public dollar was properly met, and communicating that important need to the government, I think, is also one approach.
    I have no further questions, unless, Mr. Nijjar, you want to share any comments on the Auditor General's finding of a security breach potential.
    What I can say is that I think you raise a number of points.
    For one, on the value, again, my answer remains the same. I think we provided tremendous value, and we highlighted several areas of improvement that I think speak to—
    Do you disagree with the Auditor General?
    Mr. Desjarlais, your time has elapsed. I'm going to allow the witness to answer, but I would ask, because your time is up, that you not interrupt.
    Thank you, Chair.
    Mr. Nijjar, it's over to you, please.
    Thank you, Chair.
    As I was saying, I think we provided tremendous value in helping safeguard the information of our citizens in this country.
    Number two, on the point about security clearance, all of the folks from KPMG who worked on this particular engagement were security-cleared. They had the appropriate level of security clearance, so I do not understand how that is attributed to KPMG. I cannot speak for any other organizations that worked on this on behalf of the government, but everyone from KPMG who worked was security-cleared, and we follow security clearance matters and information security in general. We take that extremely seriously at KPMG.
    I don't know if there was a third question in there. I would defer to Ms. Lee if she heard a third question in there.
    If you have an answer, that's fine.
    Thank you, Chair.
    I would just reiterate that we followed exactly what the government process was for procurement.
     In terms of the value of our services, they were pre-evaluated during the CEPS contract, and we held those constant throughout the two and a half years that we supported the work.
    Also, just to reiterate, all of our resources who were on the contracts associated both with the Public Health Agency and with the CBSA were security-cleared at the level the government asked of us.
(1200)
    Thank you very much.
    We have two more slots.
    Mr. Nater, you have the floor for five minutes, please.
    Thank you, Chair.
    Thank you to our witnesses for joining us here today.
    I want to begin by just making a comment about the concerns we've heard today, and how concerning it is to hear about KPMG, one of the largest firms in Canada at 10,000 employees, being asked by the Government of Canada, by a senior Trudeau government official, to contract through a two-person firm, in a basement, with no IT experience. I can't begin to explain how concerning this is, and it should be concerning for you as well, that you as a—
     I have a point of order, Mr. Chair, if I could interrupt.
    I'm sorry, Mr. Nater, but I have a question for the chair.
    Hold on one second, Mr. Nater.
    Go ahead, Mr. Aldag, please.
    Could you clarify what time we're ending today? I was under the impression that this was a two-hour meeting. I don't know what resources we have. We seem to be at the end of our time. Perhaps you could simply let us know.
    We're down to the last 10 minutes here, or close to—
    Do we have resources to go over the two-hour allotment?
    Yes.
    Thank you.
    It's over to you, Mr. Nater.
    You have four minutes and 20 seconds.
    Thank you, Chair.
    How concerning for Canadians really is this lack of value for money in what was undertaken here? It reminds me of when a Liberal MP wanted to move a motion on financial literacy. Of course the PMO got a hold of that and said, “Oh, you can't do that.” So instead, she wasted resources, over a number of Parliaments, trying to change the name of her riding rather than focusing on financial literacy, which I think is unfortunate.
    I have a point of order, Chair.
    I hope I will have a chance to respond to that, because I did that on behalf of my constituents.
    But that was a good try, Mr. Nater.
    Mrs. Shanahan, there is a Liberal slot next, so you will have a chance to respond however you like.
     I would ask you to mute yourself, Mrs. Shanahan, because right now we're just hearing a lot of laughter, which is rather odd.
    Mr. Nater, you have three minutes and 50 seconds.
    Thank you, Chair.
    There are a lot of odd things going on with this Liberal government, so I'll just leave that there.
    Mr. Nijjar, how many KPMG resources did you personally have working on the cybersecurity assessments?
    There were a number of resources. I don't have the exact figure, but I can get that to you, no problem. There were a number of individuals of various levels of seniority and experience.
    Perhaps you could get that information to us.
     With respect to the various levels of seniority and experience of those individuals, was that information communicated specifically to GC Strategies?
    We identified the individuals to CBSA, and those individuals were on the engagement.
     I do not know if GC Strategies was aware of those individuals. I believe it was. My understanding is that GC Strategies knew the names of those individuals. Those individuals worked on the execution of the engagement.
    Can we be sure that the individuals and their experience were correctly identified both to GC Strategies and, through GC Strategies, to the government? We've heard before about GC Strategies falsifying résumés, falsifying information and providing that information to the government. Can you be sure that the information you provided to the government was correct?
    I cannot speak to the information that GC Strategies shared with the government.
     We provided the names, the experience levels and the security clearance levels of the individuals who were going to be on the project. They were on the project, and they executed on the completion of the work.
    Thank you for that.
    In my remaining time, I am going to move a motion.
That the committee invite Mr. Imraan Bashir, KPMG's National Public Sector Cyber Leader, to appear for no less than two hours on the committee's ongoing ArriveCAN study and that the witness be scheduled to appear within seven days of the adoption of this motion.
    This motion has been shared with the clerk. I believe she will send it out.
    I'm going to suspend the meeting for three minutes.
    I'll explain what's going on here. We have a motion now. We will move right into this motion. It is a matter related to these committee hearings.
    Witnesses, I'm going to suspend for three minutes. Either this can be wrapped up quickly or it's something that will take a little bit of time. For now, I'm going to ask—
(1205)
    I'm sorry, Chair, but I want to clarify something.
    Ms. Khalid, hold on a second. I'll hear you in a second if you have a point of order.
    I'm going to suspend now—
    Why are you suspending, Chair? I have a point of clarification, just because I think it would impact other—
    As a practice, Ms. Khalid.... The motion is with the clerk. It will be sent out very shortly. It's going to be a three-minute suspension. I'm going to come right back. I want to give our witnesses a chance to stand up, and I want to explain what's going on. I'll come right back.
    Is that your concern, Ms. Khalid, or is there something else you wish to ask?
    No, Chair, it's something else that I wish to ask.
     I don't know why you always talk down to me, Chair. It's not nice.
    Ms. Khalid, I'm wrapping things up with the witnesses, and you're interrupting me.
     I'm happy to hear any points of order at any time. It's odd to ask why I am suspending, because I've actually started to make this a practice as motions come up, to give members.... In fact, often it's at the request of the Liberals that I suspend. I'm trying to continue that practice.
    I don't mean to speak down to anyone, but I would ask that at times when I'm addressing the witnesses, the members hold off. I will get to everyone in due course.
    Are there any points of order before I suspend?
     Are you formally suspending the meeting?
    I'm going to suspend the meeting for three minutes.
(1205)

(1210)
    I call the meeting back to order.
    On the speaking list I have Ms. Khalid, Mrs. Shanahan and, I believe, Madam Sinclair-Desgagné.
    Ms. Khalid, I want to apologize. You felt I was speaking over you; that was not my intention. I heard you in my earpiece as I was speaking to the witnesses. I wanted to wrap things up with them.
    For members who are wondering, we have ample resources here to consider this motion.
    Ms. Khalid, the floor is yours.
    I'm sorry, Chair, but my hand has been lowered.
    Mrs. Shanahan is next, I believe.
    Oh, pardon me, Ms. Khalid. Do you want to be put on the list at a later moment? If you do, I'll look for your hand.
    Mrs. Shanahan, please go ahead.
    Thank you, Chair.
    I will speak to my private member's motion at a later time.
    On this, I don't understand the purpose of this motion. In fact I'd like you to consider that it is redundant in view of the motion we adopted yesterday—with a deadline set by you, Chair, with the consent of the committee—about submitting a list of witnesses. We received an email from you and the clerk yesterday inviting us to submit the names of our witnesses prior to April 10, which provides ample time for all parties. I do appreciate that.
     I would ask the chair to provide us with justification as to why this should not be considered redundant. I question why Mr. Nater is presenting this motion at this time.
    We were all getting along so well, Chair.
     I agree. This was a remarkably well-run meeting today, I think, no doubt owing to the testimony of our witnesses.
    I'm going to stay out of this debate, but I will respond briefly, Mrs. Shanahan, because you asked about the conduct of business.
    While yesterday's motion certainly re-establishes some protocols for witnesses, I don't believe it in any way deviates from the rights of members to bring business before this committee. Obviously, if this motion passes, I would take that as a fulfillment of the desire of the majority of the committee members to proceed, which I think is in keeping with the spirit of yesterday's motion.
    I don't believe yesterday's motion...nor do I think it would be lawful for it to cut off avenues that members have to bring business before this committee. On that, I will attempt to stay out of this debate and to direct it.
(1215)

[Translation]

    Ms. Sinclair‑Desgagné, you have the floor.
    Thank you, Mr. Chair.
    I would support this motion, although I think Mrs. Shanahan is right that we could simply request that this witness appear by submitting the list of witnesses to the chair.
    I have a question about that. When we submit the list of witnesses, we meet as a subcommittee and we select the witnesses together, as indicated in the wording of the motion. The subcommittee has to accept each witness. If the subcommittee doesn't agree to call a witness, that witness may not be called. The motion moved here by Mr. Nater is therefore intended to ensure that this witness is on the list. Did I understand my colleague Mr. Nater's intention correctly?
    How did you interpret the motion, Mr. Chair?
    I'm going to give the floor to Mr. Nater since it's his motion. If necessary, I will then answer your question.

[English]

    Very clearly, this is a motion about how we want to see this individual testify. We want to ensure that it happens and that it happens relatively expeditiously.
    I would add that, obviously, when we discuss witnesses in the subcommittee, there is a process, as you all know. I won't get into the details, because the meetings are in camera, but there's give-and-take among members. Given the formality of yesterday's motion, I see that we now have kind of an allotment per party. We haven't discussed this yet, but let's say we agree to a meeting and that the government members have so many witnesses. If they don't provide witnesses, the meeting will still go ahead. We can't have a situation in which if someone doesn't provide a witness, a meeting will stop.
     Given the Standing Orders, I see as entirely appropriate that today's motion will supersede anything. If this committee decides to hear from this witness, the clerk will immediately, without my direction, move to invite that individual. This could also be dealt with in the subcommittee, which would then bring it back to the committee, so it seems, one way or another, we're going to be dealing with this, but this would provide a decision today.
    If it passes, I should say, the clerk will move to find a time and location to have that meeting because of the seven days' notice.

[Translation]

    There you go.
    We'll turn now to Mrs. Shanahan.

[English]

    I'm just going to see how this goes. There is still a government member to hear from, and Mr. Nater has just under two minutes on the clock. If this is going to go on for a while, I might come back to members about excusing the witnesses, but we're not there yet.
    Mrs. Shanahan, you have the floor. Go ahead, please.
    I want to speak further to the motion, because there seems to be a misapprehension about yesterday's motion, which was adopted. Members had ample time to discuss it then.
    Meetings will be scheduled with the consultation and consensus of the subcommittee and committee—however this committee proceeds under your guidance, Chair. Because we were venturing into these unknown waters as far as the public accounts committee is concerned, having numerous meetings and witnesses from outside the scope of the usual Auditor General officials and government departments, each party had the opportunity to invite witnesses. You, with the clerk, have already provided us the opportunity to do that in this scope, with ample lead time to April 10.
    What I'm concerned about in this motion that is before us today is it constricts the time to “within seven days”. We already have a work plan, and we discussed yesterday how important it is for all members to have an established work plan so that we can plan our own work, instruct our staff, do research and prepare ourselves adequately for each meeting. Now it looks like we're going to have to have an extra meeting to accommodate this request when it could be accommodated very easily within the normal practice used by other committees, which was adopted in yesterday's motion.
    Chair, please tell us what this would mean for our work plan schedule, because we were very pleased to receive that work plan yesterday at 8:43 from the clerk.
(1220)
    Thank you.
    I am trying to stay out of this as much as possible.
    Mrs. Shanahan, it's not uncommon for committees to have all kinds of schedules and work plans, but if a motion comes up and is passed, that will obviously change a work plan that was set. That's the reality of this and any motion.
     I certainly don't believe that yesterday's motion suggests that members from the various political parties can't bring forward motions for this committee, in particular, to study because something is thought to be an issue. I think it would set a very dangerous precedent if that right was withdrawn. Therefore, as chair, if this motion passes, I will view it as a direction from the committee.
    Again, I don't believe yesterday's motion ever envisioned that consensus should mean unanimity on anything; rather, it's an ability to structure witnesses...from all the political parties. In fact, I think it was you, Mrs. Shanahan, who said this is not about a veto; this is just about greater input.
    On that, I'm going to step back. Again, this motion is certainly in order, given the Standing Orders.
     Mr. Desjarlais, you have the floor.
    Thank you, Chair.
    I want to thank Mr. Nater for this motion. I believe it's an important piece of our work, and I think we have to invite Mr. Imraan Bashir in consideration of the questions we heard today from KPMG. He is the individual—we know that following my question about a discovery meeting—who actually met with GC Strategies at the time of contract discovery.
     I think it is part and parcel of this work and very important to this work that we invite him, and I support the motion in principle.
    The part that I'm confused about—I think we'll probably have to go to the subcommittee on it—is related to the witness being “scheduled to appear within seven days of the adoption of this motion.” We reviewed the calendar just yesterday morning, and we have scheduled a subcommittee meeting on Tuesday. I'd really seek your advice, Chair, on how you want to do this properly, considering that we have a draft agenda now.
     This is an additional meeting request. We have only a few days. This motion demands “seven days of the adoption of this motion.” Would this mean that whatever work we've done to summon witnesses for our ArriveCAN meeting, this would join that list of witnesses for next week, or would this mean that we would have to postpone the meeting you intended to have for ArriveCAN next week?
    I don't know how much work you've done on next week's meeting schedules and witness invitations before making this kind of decision. I'm sorry, Mr. Chair; I think you understand the procedural difficulty this presents.
     There are obviously challenges that I share with the clerk. As you know, I try to be conscientious of the clerk's ability to bring forward witnesses as quickly as possible.
     I don't have a complete answer for you, Mr. Desjarlais. I don't want to presuppose the outcome of this meeting, but I'll try to answer your question. Should it pass, one option I would give this witness would be to join the Tuesday meeting. The invitations are well on the way. I believe we're just waiting for the paperwork before the notice is sent.
    Do you know who is going to be present? That would affect my decision. If it's someone else really important to the ArriveCAN study, I wouldn't want to divide my time amongst multiple witnesses.
    On Tuesday of next week, they are other contractors, so this person would fit nicely with that.
(1225)
    Do you know which contractors you invited?
    It's on the calendar. I don't have that in front of me right now, Mr. Desjarlais. I believe there are three others.
    Have they confirmed?
    Two of three have confirmed.
    So we'd have four witnesses?
    We expect three, so one option would be to add KPMG here.
     It would not be my intention, Mr. Desjarlais, to upend the Thursday meeting on the indigenous issue. This motion would probably force me to try to find another time.
     Having said that, as well, the committee has always been gracious with both the clerk and the chair, in that if seven days does not work for the witness, I have the flexibility to find another time. Obviously, the Tuesday deadline could be too tight for this witness, and if that were the case, I would then find another time. I would take the seven days as an indication this is pressing, but given the work that we have, given the schedule and given the resource availability for Parliament, it might fall outside the seven days. I would certainly try to do it, but the committee has granted me leeway in the past to schedule meetings outside the seven days should there be a resource challenge or a witness challenge.
    Does that help, Mr. Desjarlais?
    It does help. I'll probably have more questions, but I will reserve them.
    Ms. Khalid, you have the floor, please.
    Thank you, Chair.
    Just to answer Mr. Desjarlais' questions, I have the work plan right in front of me. The witnesses invited for the next meeting on April 9 are Amazon Web Services, Inc., Microsoft Inc. and BDO Canada LLP.
    Chair, I understand and appreciate what you're saying. There is a lot of confusion. I'm trying to resolve this as quickly as possible. One option would be to amend the motion to delete the reference to when those witnesses would be invited. Then, the second is that perhaps we can leave this motion be, and perhaps pick it up again at the subcommittee meeting, where members can actually just go in and have that discussion and answer any of the questions they need to have answered in order to move forward.
     There's not really that much of a time difference between today and the subcommittee meeting. I think it's better that we proceed and that we understand fully what it is that we're doing, rather than passing motions when we're not really sure how they would impact the rest of our work plan.
    Also, as you've said, Chair, there has been a lot of work that has already been done by you and then by the clerk in inviting witnesses, so it doesn't really make sense, I think, for us to rush through this. I think that in principle we all agree that these witnesses perhaps should be invited. I do think that this is a question of timing, and that should be better addressed through the subcommittee as opposed to putting it in a motion. I think we're all on the same page here in terms of where we want to go with the study, and it is part of our study. It's not a one-off. That's why I think this issue is better addressed within the subcommittee and the list of witnesses as opposed to a stand-alone motion.
    I don't know if I'm interpreting this properly, but that's kind of where my headspace is at. Again, I would like to hear from colleagues as to what they're thinking.
     Ms. Khalid, let me respond to some of your points.
    First of all, there is no subcommittee meeting scheduled for next week at this point. Ms. Yip, rightly, asked that I return to the full committee with the subcommittee report, which will be at the end of the meeting time on Tuesday. That time, as of right now, will be very short, because I was expecting to hear about the subcommittee meeting. I could endeavour to find time, but again, that's a question of House resources.
    Ms. Khalid, I am not in a position to withdraw the report; I think you understand that. What I hear is more the sentiment, which I think is directed to the mover of the motion, who will consider that.
    On your third point, you might want to either consult with the mover or consider an amendment, because you mentioned changing the date, if there would be consensus to do that. That might be a possibility. I won't speak to it, but I will flag that this is certainly within your right.
    Ms. Khalid, why don't I come back to you, if that's okay. Is it? Okay.
    It's Mr. Nater, Mrs. Shanahan and then Ms. Khalid.
    You have the floor, Mr. Nater.
(1230)
    Thank you, Chair.
    In an effort to move this along, perhaps I could seek unanimous consent. Obviously I can't amend my own motion, but I would seek the unanimous consent of the committee to pass the motion and just take out the “within seven days”, and then leave it to you, Chair, to schedule it.
    I can't call it. There are still speakers, but I hear you on—
    I'm asking for unanimous consent to do that.
    Is there unanimous consent to eliminate the time and to pass the motion calling this individual in at a future meeting?
    Some hon. members: Agreed.
    The Chair: All right. I deem the motion passed then, with the removal of the “seven days”.
    Thank you.
    Questions are now moot.
    Mrs. Shanahan, your hand is still up. I will recognize you, but I do want to get back to the witnesses. We have about seven minutes with them. Mrs. Shanahan, do you have anything to say?
    Chair, I move to now adjourn.
    All right.
    You can't do that on a point of order.
    Thank you, Clerk.
    (Motion agreed to: yeas 6; nays 4)
    I want to thank the witnesses very much for coming in today. Your testimony will be helpful to this committee's work. The analysts will be in touch about documents.
    Thank you very much.
    This meeting is adjourned.
Publication Explorer
Publication Explorer
ParlVU