Expensive development of ArriveCan ignores contractual provisions: Auditor General

Ignored policies and management failures led to the development of the overly expensive and harmful ArriveCan app, according to an investigation by the Auditor General of Canada.

The federal government launched the app in April 2020 as a way to digitize customs and immigration declarations, track health and contact information for people entering Canada during the COVID-19 pandemic.

The auditor found that the government's reliance on sole-source outside contractors drove up application costs and that those costs were not properly controlled.

Karen Hogan estimated the cost of the app at about $59.5 million, but the project was so poorly managed that the final amount is impossible to know.

The first ArriveCan contract was originally valued at just $2.35 million.

Moreover, management experience was lacking “at the most basic level,” he said.

Ultimately, he found that most of the problems with app development stemmed from the initial decision to rely on non-competitive contracts with outside firms.

Then those contracts were extended and the cost of the work increased over time.

The government failed to document initial discussions with contractors or why it did not use a competitive process, Hogan said in a report released Monday.

The Canada Border Services Agency, or CBSA, decided to work with an outside firm, GC Strategies, because it lacked the resources and skills to do the job, the auditor said.

But that decision wasn't supported by evidence, and the agency didn't seem to make sure the contractors had the skills to do the job either.

Given the urgency of the pandemic, the government has relaxed some contract provisions as a way to get work done faster.

Over time, the agency continued to rely on contractors, which drove up the cost of the project, Hogan said.

While he estimated the daily cost of the work on the app at $1,090, the auditor said the equivalent cost would be $675 if the work were done in-house by state employees.

The auditor also noted that agency staff involved with ArriveCan were invited to dinners and other events with vendors.

His team did not conduct a full audit of the luncheon, but said the incident raised the perception of risk or a conflict of interest.

The CBSA is investigating what happened and has referred part of the investigation to the RCMP.

Hogan also found little evidence that the app had been properly tested, which may have contributed to more than 10,000 people being sent to 14-day quarantines in 2022, even if they had confirmed vaccinations.

“Overall, the Canada Border Services Agency, the Public Health Agency of Canada and the Public Services and Procurement Agency of Canada have repeatedly failed to follow good management practices in the design, development and implementation of the ArriveCAN application,” Hogan said in a report on Monday.

The app was introduced as a mandatory measure in the early days of the pandemic, when the government effectively closed borders to stop the spread of COVID-19.

Canadians and others allowed to enter the country were required to provide personal information to the government for quarantine purposes.

As the response to the pandemic evolved, so did the app. The auditor found that the ArriveCan app had been updated 177 times since its launch and before the app became voluntary in October 2022.

The government has no evidence that the CBSA conducted user testing on the 25 critical updates to ensure that the app actually works.

Only three updates appear to be fully tested and documented.

“Without assurance that testing has been completed, agencies are at risk of launching an application that may not work as intended,” Hogan's report said.

There was some security testing during pre-development with subcontractors, but some of the people doing the work did not have security clearances.

“While the agency told us that the resources did not have access to travelers' personal information, the non-security-cleared resources presented the agency with an increased risk of a security breach,” the statement said.