Disregarded policies and a failure of management led to the development of the inordinately costly and much-maligned ArriveCan app, an investigation by Canada’s auditor general has found.
The federal government launched the app in April 2020 as a way to track health and contact information for people entering Canada during the COVID-19 pandemic, and to digitize customs and immigration declarations.
The auditor found the government’s reliance on sole-sourced external contractors drove up the price of the app, and those costs weren’t properly tracked.
Karen Hogan estimated the app cost roughly $59.5 million, but the management of the project was so poor that it’s impossible to know the final amount for sure.
The first ArriveCan contract was initially valued at just $2.35 million.
On top of that, management practices were missing “at the most basic levels,” she said.
Ultimately, she found most of the problems with the app’s development stemmed from the initial decision to rely on non-competitive contracts with external firms.
Those contracts were then extended and the cost of the work was increased over time.
The government failed to document initial discussions with contractors or the reason it didn’t use a competitive process, Hogan said in a report released Monday.
The Canada Border Services Agency, or CBSA, decided to go with an external firm, GC Strategies, because it didn’t have the resources and skills needed to do the work, the auditor said.
But that decision wasn’t backed up with evidence, and it doesn’t appear that the agency made sure the contractors had the skills to do the work either.
In the midst of pandemic urgency, the government relaxed some contract rules as a way to get work done more quickly.
As time went on, the agency continued to rely on contractors, which drove up the price of the project, Hogan said.
While she estimated the daily cost of work on the app is $1,090, the auditor said the equivalent cost would have been $675 if the work was done in-house by government employees.
The auditor also noted that agency employees involved with ArriveCan were invited to dinners and other activities with vendors.
Her team didn’t do a full audit of the dinners, but said the situation created a risk or perceptions of a conflict of interest.
The CBSA is looking into what happened, and referred part of the investigation to the RCMP.
Hogan also found little evidence the app was properly tested, which may have contributed to more than 10,000 people being ordered to quarantine for 14 days in 2022, even though they had provided proof of vaccination.
“Overall, the Canada Border Services Agency, the Public Health Agency of Canada and Public Services and Procurement Canada repeatedly failed to follow good management practices in the contracting, development and implementation of the ArriveCAN application,” Hogan said in her report Monday.
The app was introduced as a mandatory measure in the early days of the pandemic, when the government effectively closed the borders in an effort to stop the spread of COVID-19.
Canadians and others allowed to enter the country had to provide personal information to the government for quarantine purposes.
As the pandemic response evolved, so did the app. The auditor found ArriveCan was updated 177 times between its launch and when use of the app became voluntary in October 2022.
The government had no evidence that the CBSA did any user testing on 25 substantial updates to the app to make sure it actually worked.
Only three updates appeared to have been fully tested and documented.
“Without having the assurance that testing was completed, the agencies were at risk of launching an application that might not work as intended,” Hogan’s report said.
There were some security tests done during pre-development by subcontractors, but some of the people doing the work did not have security clearance.
“Although the agency told us that the resources did not have access to travellers’ personal information, having resources that were not security-cleared exposed the agency to an increased risk of security breaches,” the report said.