Even in the greater context of government incompetence, ArriveCan was an epoch-defining and embarrassing disaster. The original budget of $80,000 somehow ballooned to more than $60 million without anyone noticing. Deep controversy surrounded the practical value - and effectiveness - of such a tool in the first place. And, from the narrow perspective of IT security, I absolutely refused to install the buggy and suspicious app on my phone.
It would be nice if we learned from this experience. It would be even nicer if we implemented effective guardrails to ensure nothing like it happens again.
That would be the task facing the Public Accounts (PACP) and Government Operations and Estimates (OGGO) committees in their recent sessions. What follows is a representation of how their discussions have been going.
Like all of our Parliamentary Briefers, the following summaries and analysis are courtesy of my generative AI research assistants. I’m just here to guide the conversation.
Insights from the PACP Discussions on the ArriveCAN Scandal
The following key points from the discussions provide a deeper understanding of how the scandal was allowed to happen:
Coordination Failures Among Stakeholders:
A witness noted that their role was largely administrative, focusing on coordinating information for stakeholders like CBSA (Canada Border Services Agency) and PSPC (Public Services and Procurement Canada). This highlights potential gaps in communication and accountability across agencies.
Challenges in Reporting Improprieties:
Witness testimony revealed difficulties in reporting issues, with statements like, "My inability to speak out has been stymied by CBSA and PSPC security investigations." This suggests systemic barriers to whistleblowing or transparency.
Involvement of Multiple Agencies:
It was noted that CBSA IT experts were responsible for technical aspects, while PSPC staff were orchestrating contracting processes, indicating a diffusion of responsibility. This division might have complicated oversight and accountability.
Auditor General and OGGO Findings:
Witnesses referenced ongoing investigations uncovering issues beyond ArriveCAN, such as "double-dipping, contracting improprieties, and political pressure." This broadens the scope of the scandal, suggesting that structural inefficiencies and potentially unethical practices were not isolated to this project.
Political and Bureaucratic Pressures:
A notable point was made regarding the focus on CBSA while PSPC's contracting processes, such as through GC Strategies, received less scrutiny. This may point to political or institutional priorities that deflected attention from deeper systemic problems.
Critical Systemic Issues Identified:
One witness remarked, "The ArriveCAN app investigation has uncovered a more damning issue outside of ArriveCAN," suggesting that the project served as a lens into broader systemic failures within government IT procurement and management.
The Audit: Where there any practical agreements on paths forward towards resolving those problems?
Practical Agreements and Proposed Solutions
Improved Transparency and Whistleblower Protections:
Witnesses and committee members emphasized the need for more robust channels to report improprieties without fear of reprisal.
Suggestions included enhanced protections for employees like those involved in CBSA and PSPC to ensure they can report issues directly to oversight bodies or the Auditor General.
Centralized Oversight of IT Procurement:
One recurring theme was the lack of coordinated oversight between CBSA, PSPC, and third-party contractors.
There was broad support for creating a centralized authority or framework to oversee large-scale IT projects, reducing fragmentation.
Auditor General Recommendations:
The committee acknowledged the Auditor General's input on standardizing project management practices and requiring all software procurement contracts to undergo rigorous pre-approval audits to prevent improprieties like "double-dipping."
Reforms to Contracting Processes:
Specific criticisms of PSPC's TBIPS framework (Task-Based and Solutions Professional Services) led to discussions about stricter controls over who approves contracts and how they are monitored during execution.
Proposals included mandatory public disclosures of contract terms, budgets, and outcomes to enhance accountability.
Independent Reviews for Large Projects:
The ArriveCAN scandal highlighted the need for independent technical reviews of software applications before and during deployment to ensure compliance with security, usability, and cost-effectiveness standards.
Discussions also included conducting post-project reviews to assess lessons learned.
Clarification of Roles and Responsibilities:
The diffusion of responsibility between CBSA (managing IT) and PSPC (handling procurement) was flagged as a root issue.
There was a practical agreement to clearly define roles for project leads, especially in cross-departmental collaborations.
Strengthening Political Accountability:
The committee discussed the importance of ministers being more directly accountable for large IT projects, with regular updates to parliamentary committees.
The Audit: What practical and actionable conclusions were reached to actually implement those ideas?
Keep reading with a 7-day free trial
Subscribe to The Audit to keep reading this post and get 7 days of free access to the full post archives.