Public Procurement accounted for 10.3% of Gross domestic product (GDP) in Portugal in 2021, below the OECD-EU average of 12.9%, but still making it a key economic activity in the country (OECD, 2023[1]). The share of public procurement in terms of GDP increased since 2019 by 0.4 points of GDP. This increase is mainly due to the Recovery and Resilience Facility (RRF), the centrepiece of Europe’s recovery plan, boosting public investment. Efficient and effective procurement is critical to the fulfilment of the basic functions of public administration, including the delivery of public services, to establish citizens’ trust and to ensure sustainable and inclusive economic growth. Well-designed public procurement systems also contribute to achieving pressing policy goals such as environmental protection, innovation, job creation and the development of small and medium enterprises. The COVID-19 pandemic highlighted further the critical role of public procurement and related risks. Public procurement was at the forefront of government’s responses to the crisis as governments required urgent access to emergency response materials or so-called “essential goods” such as protective personal equipment (PPE) to ensure the of public services and the operation of infrastructure.

Public procurement can be impacted by a wide range of risks that can affect the procurement process itself, as well as broader risks to projects or service delivery. Initially focusing on integrity threats, in recent years countries have paid increasing attention to other risks to public procurement outcomes, including information technology (IT), financial, reputational, social and environmental risks. All these risks are relevant to consider as they impact the fundamental purpose of procurement, ensuring that goods, services or works are delivered to the right place at the right time. Figure ‎1.1 provides an example of classification of public procurement risks.

To safeguard public money and to ensure the delivery of public services, the OECD Recommendation on public procurement advises that countries integrate strategies for the mapping, detection and mitigation of risk throughout the public procurement cycle (OECD, 2015[3]). In other words, public buyers should take a structured and systematic approach to address public procurement risks. This recommendation also calls countries to apply oversight and control mechanisms to support accountability throughout the public procurement cycle. In particular, it recommends them to establish clear lines of oversight of the public procurement cycle (OECD, 2015[3]).

The Court of Auditors (Tribunal de Contas, TdC), the national Supreme Audit Institution in Portugal is a key player of the public procurement system safeguarding it from different threats and ensuring its efficiency. Indeed, the TdC oversees the legality, regularity, economy, efficiency, and effectiveness of public procurement activity through different types of audits (a priori, concomitant and ex post audits). To fulfil its mission, a large number of audits of public procurement processes are carried out every year, a time-consuming activity requiring a significant commitment of human and financial resources that could be allocated more efficiently through a proper risk-based approach. Furthermore, it is anticipated that Portugal’s Recovery and Resilience Plan (RRP) will lead to an increase in the number of public contracts, as well as in the value of contracts to be executed by central and local governments which will also impact TdC activity.

Aware of the need to change working methods, TdC identified in its 2020-22 Strategic Plan, the necessity to strengthen the use of risk analysis techniques at various levels of its audit activity, including strategy and priority setting as well as the planning of audits and other control actions. The Strategic Plan also recognised the need to innovate and adapt to the opportunities and challenges posed by digitalisation and the use of artificial intelligence (Tribunal de Contas, 2019[4]). Advancing the risk-based approach of the court will contribute to enhance the efficiency of the public procurement system in Portugal.

This chapter presents the key role of TdC in the public procurement system, it also provides an overview of challenges faced by the public procurement system and discusses the need to strengthen a risk-based approach in public procurement activities of the court. Given the strong data component of a risk-based approach this chapter also discusses the legal framework for the collection and use of data in Portugal.

The mandate and primary purpose of Supreme Audit Institutions (SAIs) is to fulfil the independent public sector external audit function for the national public sector and to oversee and hold the public sector to account for its use of public resources. SAIs promote good governance and provide the supreme law-making body (such as the parliament or the legislature) with independent assessments of selected areas of public administration and assurance about public sector financial reporting, administration, performance and accountability (OECD, 2018[5]).

Supreme audit institutions are traditionally known for their oversight of public expenditure, which remains a core part of the audit portfolio. SAIs undertake i) financial audits to assess the reliability and accuracy of public entities’ financial reporting, ii) compliance audits to assess a public entities’ compliance with its governing authorities, and iii) performance audits. As mentioned in the introduction, the TdC has a key function in the public procurement system in the country which represents 21.6% of the total government expenditure in 2021 in Portugal (OECD, 2023[1]). Aware of the strategic importance of public procurement, the TdC considers public procurement a key area for its work. To understand further the key role of TdC in the public procurement system, it is pivotal to have a clear picture of the public procurement regulatory and institutional framework.

Having in place a coherent and stable institutional, legal and regulatory framework are key starting points to assure sustainable and efficient public procurement systems (OECD, 2015[3]), including for the activities of TdC. The regulatory framework in Portugal is regulated by the Public Contracts Code (PCC) approved by Decree-Law 18/2008, of 19 January 2008. Since then, the PCC has been amended 20 times, the last one taking place in July 2023. The last significant amendment to the PCC was introduced by Decree-Law 78/2022, of 7 November 2022. This decree also amended Law 30/2021 that included special procurement measures in the context of the COVID-19 crisis (Government of Portugal, 2022[6]). The numerous changes to the PCC impact TdC in two ways. First, the TdC must align its audits with the updated regulatory framework and second contracting authorities may face issues in ensuring the compliance of their procurement procedures that may be audited with the updated regulatory framework.

In addition to the PCC, contracting authorities must comply with relevant national strategies on public procurement or those impacting public procurement activities. TdC, through its different audits plays a role in ensuring the proper implementation of the strategies by contracting authorities. In terms of relevant strategies to the public procurement areas, Portugal has a National Strategy for Green Procurement 2020, which defines 21 priority categories of goods and services for Green Public Procurement (GPP) (OECD, 2020[7]). Furthermore, a Council of Ministers Resolution introducing mandatory green criteria has been published in September 2023 (Council of Ministers Portugal, 2023[8]).

On the digital area, under Portugal’s action plan for digital transition, one measure that is led by the agency for modernising the administration is dedicated to the simplification of public procurement for ICT services (Republica Portugesa, 2020[9]).

A well-functioning public procurement system requires the establishment of effective institutions fulfilling different functions. In Portugal, different entities listed in Figure ‎1.2 play a key role in the public procurement system.

As previously mentioned, the TdC oversees the legality, regularity, economy, efficiency, and effectiveness of public procurement activity. In carrying out this mission, the TdC contributes to the sustainability of public finances and the efficiency of public administration. The TdC is organised into three Chambers in mainland Portugal, and two Regional Chambers (for the Azores and Madeira respectively). The TdC approves a Strategic Plan every three years, following a participatory process that culminates in a swot analysis (key weaknesses, strengths, opportunities, challenges and threats) and in a risk analysis outlining the goals and priorities (Tribunal de Contas, n.d.[10]). In terms of controls and audits carried out by TdC, they cover all entities that are listed in Box ‎1.1.

In Portugal, the Institute of Public Procurement, Real Estate and Construction - IMPIC (Instituto dos Mercados Públicos, do Imobiliário e da Construção), a public institute belonging to the indirect administration of the State, is the national public procurement regulator with several attributions related to regulatory, monitoring and professionalisation functions (see Box ‎1.2). In terms of monitoring, IMPIC is managing the public procurement portal “BASE” that includes key public procurement information that the court is using for its control activities (see Section ‎1.4.3).

Another relevant oversight body is the Inspectorate General of Finance (Inspeção-Geral de Finanças – Autoridade de Auditoria - IGF). Under the terms of the Organic Law of the Ministry of Finance (Decree-Law No. 117/2011, of December 15), the IGF is a service of the Ministry of Finance integrated into the direct administration of the State, endowed with administrative autonomy (IGF, n.d.[12]). Among the relevant tasks of the IGF are:

• Carrying out, within the scope of the State's financial administration, auditing and control in the budgetary, economic, financial and asset domains, in accordance with the principles of legality, regularity and sound financial management, contributing to economy, efficiency and efficiency in obtaining public revenue and carrying out public, national and European expenditure.

• Carrying out systematic financial audit actions, including the budgetary audit with the collaboration of the Directorate-General for the Budget, control and evaluation of services and bodies, activities and programmes of the State's financial administration.

• Carrying out financial, system and performance audits, inspections, economic and financial analyses, tax examinations and other control actions on public and private entities covered by its intervention.

The mission of the Portuguese Competition Authority (Autoridade de Concorrência, AdC) is to ensure the application of rules to promote and defend competition in public and private, co-operative and social sectors, respecting the market economy and free competition, for the benefit of people (Autoridade da Concorrência, 2023[13]). AdC has sanctioning, supervisory and regulatory powers. Given that public procurement is a key economic activity, the entity plays an important role in investigating and sanctioning anti-competitive practices in public procurement. Since 2016, AdC launched an initiative to raise awareness regarding bid rigging in public procurement and promoting competition in this area (OECD, 2022[14]).This initiative has been also clearly mentioned in the strategic priorities of the authority for 2023 (Autoridade da Concorrência, 2023[15]). TdC and other bodies such as IMPIC, IGF, Espap and AdC are part of an informal working group on public procurement sharing relevant information and discussing emerging challenges.

Espap, the Entity of Shared Services of the Public Administration, is a public institute of special regime, integrated in the indirect administration of the State. It has a responsibility in several areas including in public procurement. Indeed, Espap has the status of a central purchasing body (CPB) managing several framework agreements on different procurement categories. The list of goods and/or services available for contract, information on suppliers of goods and qualified service providers, as well as the conditions and minimum requirements defined for each framework agreement can be consulted in the National Public Procurement Catalogue (CNCP). The CNCP is one of the tools used by entities and suppliers that are part of the National Public Procurement System (SNCP) (Espap, 2023[16]). Espap also manages the national e-invoicing portal “FE-AP”. All “direct“ state bodies and public entities must use this portal to receive e-invoices. However, other public entities such as Autonomous Regions, independent administrative bodies, Bank of Portugal, and public foundations are free to use any portal other than FE-AP (European Commission, 2023[17]). Another relevant CPB to consider is SPMS that procures goods and services in the health sector. This sector alone represented 37% of procurement spending in 2021 (OECD, 2023[1]).

The PCC, in its article 2 and 7 clearly defines entities considered as “contracting authorities”. In total, Portugal accounts for around 5 000 contracting authorities (CAs). However, not all contracting authorities are registered in the BASE portal. In 2021, 4 169 entities were registered in the BASE portal with 29% of them being regional and local entities and 25% entities at the national level (IMPIC, 2021[18]). All CAs are responsible for the proper implementation of their public procurement procedure from planning to contract management, in line with the PCC.

E-procurement solutions can be provided through a single e-procurement platform with a single business model serving all contracting entities in the country or several platforms, certified and with standardised business processes prescribed in public procurement legislation (EBRD, 2015[19]). Portugal opted for a multi-platform model provided by five main private providers with the following market shares in terms of number of contracts (in 2021): Vortal (46.1%), Acingov (35;3%), Saphetygov (13.1%), Anogov ( 5%) and Compraspt (0.4%). (IMPIC, 2021[18])

According to the BASE portal, there were 178 364 economic operators that were awarded a public contract in 2021, the vast majority Portuguese companies (98.25%).

As part of its mandate, the TdC exercises three types of controls: i) a priori controls; ii) concomitant controls; and iii) ex post controls. The concomitant controls have been reinforced with Law 30/2021 on special procurement measures in the context of the COVID-19 pandemic. Indeed, article 17 of the law includes provisions in relation to the role of the TdC.

The TdC includes 3 chambers in its headquarters:

• The first chamber is in charge of assessing and deciding on cases referred for a priori control and performing some concomitant controls;

• The second chamber is in charge of concomitant and ex post control, issuing the Opinion on then General Account of the State and Social Security and carrying out audits and verifications of accounts and identifying responsibilities;

• The third chamber is in charge of financial liability.

In addition to these chambers in its headquarters, there are two regional chambers of the court in the Autonomous Regions of the Azores and Madeira that perform all types of audits. Figure ‎1.3 provides the organisation chart of the TdC.

Many SAIs (particularly in the EU) moved away from a priori audits, focusing more their efforts on ex post controls. However, in Portugal the TdC performs a priori or ex ante controls for some procurement processes. The purpose of a priori controls is to verify whether the acts, contracts or other instruments generating expenses or representing direct or indirect financial expenditure or liability are in accordance with the laws in force and whether the respective charges have a place in the appropriate budgetary allocation (Tribunal de Contas, 2022[20]).

More specifically, the TdC performs a priori controls in specific cases described in article 46 of the Law of organisation and processes of TdC (Lei de organização e processo – LOPTC) (see Table ‎1.1). The court may approve (give a visa) or refuse the procurement acts or contracts. It is important to note that in most cases contracts can be enforced before the approval of the TdC except if the amount is above EUR 950 000 (Tribunal de Contas, 2022[20]). TdC has 30 days to approve or refuse a contract or an act in the context of a priori control. After this deadline, the contract or act is considered as approved. At the TdC, a team of 40 auditors are part of the a priori control department.

In 2022, TdC performed 1805 a priori controls of procurement processes for a total amount of EU 6.834 million. In terms of procurement volume, nearly half (48.9%) of audit concerned the central administration, 26.4% local authorities, and 17.8%, State and Regional owned enterprises. The share of visas following a-priori audit is high. For instance, between January and September 2023, less than 1% of a priori audits led to a refusal.

According to the annual report of the court, these audits led to a significant reduction of expenditures (Tribunal de Contas, 2023[21]). The main issues identified in a priori controls are the following:

• Execution and Financing of Expenditure: Inadequacy of commitments, etc.

• Indebtedness: Insufficient specification of purposes; inconsistencies in the amounts and applications provided for; exceeding of indebtedness limits; establishment of illegal or disproportionate guarantees, etc.

• Procurement process: Lack of competence for decisions; absence of cost/benefit analysis; absence of a justification for the choice of the procurement procedure; the non-division into lots, the choice of specific award criteria; declarations of absence of conflicts of interest, etc.

• Contractual clauses: Omission of mandatory mentions; blank clauses; discrepancy with the tender documents; non-identification of the contract manager; etc

A priori audits are conducted using the court’s platform dedicated to these controls called e-contas “Fiscalização Prévia”.

In several countries such as Colombia, Peru, Brazil and Spain, SAIs are performing concomitant control as part of their mandate (OECD, 2021[22]).

The first Chamber of the Court may carry out concomitant control to i) the procedures and administrative acts involving staff expenses and ii) to contracts which were not subject to a priori control according to the law. In addition, this Chamber may also decide to audit the execution of specific contracts that have been subject to its a priori audit.

The second chamber carries out all sorts of concomitant control through audits on the financial activities exercised before their closing, including to public contracts before their termination (e.g. infrastructure projects).

In the first Chamber, concomitant audit concerns more particularly “additional works”, which must be submitted to the Court within 60 days of the beginning of their execution. As regards these contracts, the court conducts an in-depth analysis of the justification and legality of such extra works, and identifies any financial liabilities, which are then reported to the Public Prosecutor Service.

In 2022, 1 109 contracts were registered in the TdC platform (e-contas), representing an increase of 3% compared to the previous year. The overall value of these additional contracts amounted to 112 million euros, an increase of 11.7% compared with the previous year. In terms of number of audits, the TdC conducted two concomitant audits in 2022 with a procurement value of EU 2.8 million, it also conducted two audits, one in relation to special procurement measures and the other in the context of the COVID-19 crisis. At the TdC a team of eight auditors are part of the concomitant audit division.

The recommendations addressed to contracting authorities, IMPIC and the government provided through these audits are key to improve the public procurement system. For instance, these audits recommend contracting authorities to comply with all legal regulations relating to the award of complementary works and public procurement (audits within the scope of the contractual modifications), and fill the forms for communicating contracts to the BASE Portal with greater rigor (audits within the scope of the special public procurement measures).

It also recommends the Government to consider clarifying, through legislation, what are the requirements for publishing on the BASE Portal of contracts awarded by simplified direct award and what are the consequences of the respective non-compliance in terms the effectiveness of these contracts. In addition, it recommends providing for more transparency in relation to the Central Register of Effective Beneficiaries for the purposes of scrutiny in the context of public procurement, as provided for in the National Action Plan for Open Administration (2021-23).

The concomitant audits recommended IMPIC to create a specific section on the BASE Portal dedicated to the procedures and contracts covered by the special public contracting measures approved by Law 30/2021. This recommendation has already been implemented during 2023.

The Court verifies the accounts of the entities under its jurisdiction, examines their internal control systems, assesses the legality, economy, efficiency and effectiveness of their financial management and ensures the examination of the national co-partnership to the resources for the European Union, and the application of financial resources provided by the European Union (Tribunal de Contas, 2022[20]).

Procurement processes of entities subject to the Court’s controls (the State and its services, autonomous regions, local authorities, public institutes, social security institutions, public companies, etc.) are usually addressed as part of their financial management. However, specific audits can also concern specifically public procurement activities.

In 2022, 67 audits and verifications of accounts were launched and 50 were completed for a total amount of EUR 31.2 million; these audits were conducted on different topics and areas such as financial adjustment plans for local authorities, cases of risk identified through complaints in the area of public procurement, response to the COVID-19 pandemic, financing of regulatory activity, airport infrastructures, recovery and resilience plan and European funds (Tribunal de Contas, 2023[21]).

In the TdC nine departments are in charge of concomitant and ex post controls, dealing mainly with the following issues:

• Department I: Opinion on the General State Account (Parecer sobre a Conta Geral do Estado)

• Department II: Certification of the General State Account (Certificação da Conta Geral do Estado)

• Department III: Rendering and verification of entities’ accounts (Prestação de Contas)

• Department IV: Functions of sovereignty and Infrastructures (Funções de Soberania e Infraestruturas)

• Department V: Social sector (Setor Social)

• Department VI: Education and teaching (Educação e Ensino)

• Department VII: Economic functions (Funções Económicas)

• Department VIII: European funds, environment and natural resources (Fundos Europeus, Ambiente e Recursos Naturais)

• Department IX: Local government and local business sector (Administração Local e Setor Empresarial local)

Regarding public procurement, through those audits, TdC issues recommendations addressed to three types of stakeholders: i) the government, ii) IMPIC and iii) contracting authorities. These recommendations are key to enhance the public procurement system. Box ‎1.3 provides examples of recommendations issued by TdC.

Despite notable advancements, the public procurement system in Portugal continues to encounter challenges that hinder its effectiveness. These challenges can affect directly or indirectly the activities of TdC in the public procurement area as some of them could represent a risk or contribute to the materialisation of risks or irregularities. These include the lack of competition, transparency and integrity breaches such as conflict of interest fraud and corruption., capability issues of the procurement workforce.

Some of these issues are also identified by key stakeholders in Portugal including the TdC (see sections below). Therefore, it is key to consider them when developing risk-based approaches for contracting authorities but also for oversight bodies, and more specifically for the TdC.

Competition in the public procurement market is key to achieving value for money. In Portugal, some challenges exist in relation to the relatively high numbers of tenders with a single bidder, and the existence of bid-rigging practices, as recent numbers revealed. Indeed, the share of contracts awarded where there was only a single bidder is relatively high in Portugal (20%) (European Commission, 2022[23]). Having more bidders would improve competition, as this means public buyers could have more options, and eventually get better value for money. Moreover, oversight bodies, such as the Supreme Audit Institution TdC and AdC have raised concerns about contract fragmentation in public procurement.

Furthermore, according to civil society organisations, approximately 80% of procurement procedures in Portugal are won through direct awards, indicating a limited level of competition (European Commission, 2021[24]). According to IMPIC data (which is not comprehensive), direct awards represent alone 53.2% of procedures but only 17.6% of procurement volume (IMPIC, 2021[18]). This high percentage of direct awards is followed by opacity because the justification can simply refer to an article in the PCC allowing the use of direct awards without further explanation on the circumstances that determined this choice over an open tender. This decreases the level of trust from citizens and enterprises further creating suspicion and raises the risk of corruption while reducing the benefits of market competition (European Commission, 2021[24]). Data also reveals that the use of direct award is widespread among local authorities (51% in terms of contractual amounts) (IMPIC, 2021[18]).

The AdC, in its 2021 Report stressed the importance of ensuring that public procurement procedures are efficiently designed, enhancing competition, and combatting bid-rigging, given the sizeable public spending, and especially recommended the Portuguese government to combat bid-rigging and promoting competitive and efficient public tenders (OECD, 2022[14]). The AdC issued six sanctioning decisions concerning anticompetitive practices covering different types of behaviours and sectors, including a bid-rigging cartel active in the provision of surveillance and security services in public tenders (Autoridade da Concorrência, 2022[25]). The companies involved co-ordinated the participation in public procurement procedures by sharing clients and fixing the price levels of the services to be provided. This behaviour, which is a violation of Competition Law, leads to less favourable conditions for public purchasers than would result from a situation of effective competition. This translates, in turn, into higher prices, lower quality or less innovation (Autoridade da Concorrência, 2022[25]).

Competition issues are also impacting the access to small and medium-sized enterprises (SMEs) to public procurement opportunities in Portugal. Recent statistics reveal a significant disparity in their participation. In 2021, SMEs, representing 44% of the contractors, accounted for slightly more than a half of the contracts (55%), which is far below the EU average (73%) (European Commission, 2022[23]).

To address these challenges, efforts have already been made, such as the division of contracts into smaller lots that has become a common practice in Portugal, but other barriers remain. Indeed, SMEs struggle to access timely and accurate information about upcoming procurement opportunities (European Commission, 2021[24]). Lack of awareness about relevant tenders and contracts can limit SMEs’ ability to participate effectively in the public procurement system. Furthermore, additional policy efforts are needed to boost the performance of Portuguese SMEs on internationalisation, and to further protect SMEs against late payments from public and private buyers (European Commission, 2019[26]), which are currently calculated around 10 days after due date by Portuguese public authorities, and 57 days by other businesses (European Commission, 2021[27]).

Implementing measures such as promoting open tendering procedures, encouraging transparency, and fostering fair competition can create a more level playing field and provide greater opportunities for SMEs to participate in public procurement processes. In particular, the TdC through its audits can ensure or encourage contracting authorities to avoid direct awarding of contracts, ensuring that the contracts are split in lots when relevant and that public entities pay on time their suppliers.

Despite Portugal being a European leader in publishing information on the tender, award, contract, and implementation of procurement contracts (Open Government Partnership, 2021[28]), according to Transparency International, there continues to be no documented or monitorable practice of publishing and making publicly available all procedural documents for all phases of direct awarding (Transparency International Portugal, 2019[29]).

Although the BASE Portal, established by the PCC and managed by IMPIC was created to centralise relevant contract data, advertise tender calls and contract modifications or conclusions, the Portal is currently not fulfilling all its goals as a significant number of contracts are still not published, and its monitoring capabilities are limited (European Commission, 2021[24]). Many of the issues stem from the fact that the Portal relies on the publication and distribution of public procurement data by the Contracting Authorities and the e-procurement platforms. Consequently, the total number of contracts, as estimated by the European Commission, is three times higher than the number of contracts published in the BASE Portal, despite the legal requirements to publish all contracts in the portal (European Commission, 2021[24]). Public contracts are not transparent by default, which means that there is no critical information in the BASE Portal to assess the formulation of contracts, their value for money, and sustainability (European Commission, 2021[24]).

Furthermore, the extensive use of direct awards for public contracts (53.2% of contracts (IMPIC, 2021[18])), diminishes the benefits of market competition, further emphasising the need for enhanced transparency and accountability (European Commission, 2016[30]).

In addition, e-procurement or the use of electronic means has become mandatory for all institutions in Portugal since 2009, for tenders above a threshold of EUR 5 000. Portugal’s e-procurement system operates exclusively on privately owned platforms, which compete against each other to offer e-procurement services to contracting authorities (European Commission, 2021[24]). In 2020, they were responsible for processing 49.1% of the procedures initiated that year (IMPIC, 2021[18]).

The lack of interoperability between the 5 existing e-procurement platforms in Portugal (ACIN, VORTAL, Saphety level, ANO and MIROMA), poses a significant challenge to the efficiency and transparency of the public procurement process. Indeed, the multiple e-procurement platforms utilised by different entities often operate independently and lack seamless integration (European Commission, 2016[30]).

As in many other countries, Portugal faces some corruption risks in its procurement system, exacerbated during the pandemic with conflicts of interest and a high percentage of direct awards (Open Government Partnership, 2021[28]). According to Transparency international, Portugal ranked 33 over 180 countries in 2022 with an average score of 62/100, and with 41% of the population considering that corruption increased in the previous 12 months (Transparency International, 2022[31]). Furthermore, the special EU Eurobarometer on corruption found that 90% of the population considered corruption as widespread in the country in 2022, which is much higher than the EU27 average of 68% (European Commission, 2022[32]). 48% of the population also consider that bribes and abuse of power for personal gain are widespread among officials awarding public tenders (European Commission, 2022[32]).

In January 2021, Portugal's parliament approved a resolution that urged the government to take measures to mitigate corruption risks during the pandemic. These risks included conflicts of interest and improper allocation of public funds. The objective was also to enhance the transparency of information regarding public investments related to the 22.2-billion-euro Recovery and Resilience Plan (PRR) (European Commission, 2023[33]) through the “Mais Transparência” portal (Open Government Partnership, 2021[28]). The aim was to integrate this data with other datasets, raise awareness, and develop citizen monitoring tools, such as Integrity Pacts, as a means to prevent corruption.

In addition, the Council for the Prevention of Corruption, an administrative entity that functioned by the TdC on preventing corruption and related offences issued a recommendation on the prevention of corruption risks in public procurement. Among the recommendations, the use of competitive procedures instead of prior consultations and direct award, and the adoption of internal control procedures to ensure compliance with the limits on invitations to tender to the same entities in case of direct award (Conselho de Prevenção da Corrupção, 2019[34]). The Council was replaced in 2023 by the National Anticorruption Mechanism (Mecanismo Nacional Anticorrupção - MENAC) (MENAC, 2023[35]).

The capability of the public procurement workforce is a crucial element of a sound procurement system that delivers efficiency and value for money in the use of public funds. Several risks or irregularities of the public procurement system including those identified by TdC are related to capacity issues.

In Portugal there is a pressing need to advance the capabilities of public buyers to navigate the complexities of procurement and drive better outcomes and value for money. In the country, public procurement is not recognised as a specific function/ standalone profession (OECD, 2019[36]). At the central government level, most public procurement professionals are civil servants, but in sub-central bodies, temporary agents with the status of contractual staff also perform some procurement duties. In local contracting authorities, the competency level of procurement professionals and entry requirements are typically lower than at the central level (European Commission, 2020[37]).

In Portugal, there is no competency framework specific to public procurement and there is no mandatory training or certification for public procurement professionals.

Several reports highlighted capacity issues in the public procurement field. For instance, with its recommendation of 2 October 2019, the Council for the Prevention of Corruption suggests, among other measures, the adoption of specific planning instruments for public procurement, the professionalisation of public buyers and the training of contract managers to improve their capability to monitor contracts (European Commission, 2020[39]). As mentioned in Table ‎1.1, one of the commitments of Portugal in terms of Public procurement reform under the RRP operational arrangements is to provide trainings for public administration employees (114 000 officials) through the National Institute of Administration (INA- Instituto Nacional de Administração). Among the relevant topics for the professionalisation of the procurement workforce, the use of information systems and e-platforms as well as innovative procurement are highlighted (European Commission, 2020[39]).

Public procurement is a high-risk area where different oversight bodies are playing a key role to safeguard the efficiency and integrity of the procurement system. Public procurement is also an integral part of the audit universe of the SAIs, including TdC. Once the audit universe has been defined and there is a clear overview of all potential areas of audit, the audit entity needs to choose where it will devote its limited time and resources. This is where risk assessment can be incorporated to assist an audit entity with making the best use of its resources to have the greatest impact and to most effectively achieve its purpose and objectives (OECD, 2018[5]). Several oversight bodies, including the Brazilian Court of Accounts (TCU) and the Office of the Comptroller General (CGU) are increasingly developing a risk-based approach supported by emerging technologies to identify relevant risks (see Box ‎1.4).

This section discusses the definition of irregularities and risks, the risk-based approach of TdC and identifies relevant data sources for a risk-based approach of the court. It also discussed the need to infuse a risk management in contracting authorities to enhance the efficiency of public procurement spending.

The outline of the audit universe can serve as the initial structure to create the risk map, including the development of risk criteria. The audit entity should consider what data and information is needed to develop the risk map and to identify and assess the risks within its audit universe.

For the identification of irregularities in public procurement, the first step is to ensure a common understanding of the concept of irregularities. The European Union defines irregularities as “any infringement of a provision of Community law resulting from an act or omission by an economic operator, which has, or would have, the effect of prejudicing the general budget of the Communities or budgets managed by them, either by reducing or losing revenue accruing from own resources collected directly on behalf of the Communities, or by an unjustified item of expenditure.” (OECD, 2021[40])

For simplification purposes, we can consider irregularities as infringements of provisions of relevant regulatory frameworks, including the public procurement law and financial rules that have a financial impact on expenditures. However, most infringements may have a direct or indirect financial impact and some practices not being considered as infringements can have considerable financial impacts. For instance, not adopting a life-cycle approach when assessing tenders and awarding contracts only based on price considerations can have significant future financial implications, if the operational or disposal costs of a low cost bid turn out to be cumulatively higher than the equivalent amount of a higher initial cost competitor.

Furthermore, for the identification of irregularities it is important to explore the concept of risks. Risks are defined by the International Organization for Standardization (ISO) as the effect of uncertainty on objectives. It can also be defined as an uncertain future condition or circumstance that could impact the achievement of objectives, and one that is often characterised by reference to potential events or consequences. Public procurement objectives go beyond financial objectives, they can have different aspects such as health and safety, gender inequality, or environmental aspects. Therefore, risks can be understood as the possibility that an event, threat, missed opportunity, action or inaction will materialise and may impact the procurement objectives of a public entity and might lead to irregularities.

Risks can therefore be conceptualised in terms of their component causes, events, and consequences (OECD, 2023[2]):

• Risk factors are characteristics of an organisation’s environment, policies, procedures or activities that are associated with risk.

• A cause is a fact or occurrence which alone or in combination has the potential to create risk.

• An event is an occurrence or change in circumstances. Events are usually thought of as something unexpected, but can also be something expected which does not happen.

• Consequences are the outcome of an event affecting objectives and can be certain or uncertain.

Irregularities can be considered as consequences of risk factors materialising. Therefore, when considering a risk-based approach and for the purpose of this report and the analysis, this report will focus on the concept of risks at large rather than irregularities.

The court is in charge of overseeing the legality, regularity, economy, efficiency, and effectiveness of public procurement activities. These concepts are closely link to the concept of “value for money” that guides public procurement decisions and actions to focus on the “most advantageous combination of cost, quality and sustainability to meet defined requirements” (OECD, 2020[7]) and not only on the economic and financial aspects.

In line with its mandate, the court focuses on “Regulatory/Compliance risks” and “financial” risks. Two surveyed departments mentioned they consider operational risks. In relation to sustainability risks in practice, the “a priori” audit department and the ex post audits departments should consider environmental aspects and risks more systematically as part of their controls. In 2020, the TdC published an audit report on the implementation of the National Strategy for Green Procurement (Tribunal de Contas, 2020[41]). However, the consideration of environmental risks does not seem to be a recurrent practice.

The resolution 132/2023 of the Council of Ministers introducing mandatory green criteria has been published in October 2023.This resolution will further embed sustainability aspects in TdC audits to align with government priorities and regulatory frameworks.

Adopting a risk-based approach to all types of audits is relevant as it helps to prioritise and focus on specific high-risk contracts, procurements and entities, enhancing the efficiency of audits. The activities of the court derive from the three-year strategic plan of audit and control activities of the court, which is approved by the General plenary of the TdC by the 30^th of October of the year before the plan is entering into force. At the headquarters, the plan shall be drawn up by the standing committee on the basis of the three-year sectoral programmes of the 1^st and 2^nd Chambers. The three-year programme of the regional courts is drawn up by the Judge concerned and is annexed to the three-year programme of the Headquarters (Tribunal de Contas, 2022[20]).

TdC has approved its strategic plan for 2023-2025 following an inclusive and participatory process within the court. This strategic plan includes a SWOT analysis and a risk analysis that guides its activities (see Chapter 2). “Non-compliance, fraud, shortcomings and misuse in public procurement” has been identified as one of the 13 external risks guiding the activities of the court and was assessed as being a very critical risk. Therefore, public procurement is reflected in the strategic objectives and priority axes of actions of the court (see Table ‎1.2).

A risk-based approach in public procurement could be assessed at two different levels: i) the selection of the audit universe (e.g. audited entities, contracts); and ii) the prioritisation of audits within the defined universe.

The first Chamber of the TdC is in charge of assessing and deciding on cases referred for a priori control and performing concomitant controls. According to the Law of organisation and processes of TdC (Lei de Organização e Processo, LOPTC), this chamber approves by the 15^th of December of each year its annual plan which includes: i) the list of bodies or departments exempted, in whole or in part, from a priori controls in the next year. This decision is based on the reliability of the internal decision-making and control system verified by audits carried out by the TdC and, ii) the list of bodies or departments that will be subject to a concomitant audit in the next year (Tribunal de Contas, 2022[20]).

Furthermore, some audits could be based on complaints submitted to the TdC. Indeed, Article 143 of the TdC’s internal regulation mentions that complaints received by the TdC with relevant facts and elements are assessed by a Judge counsellor who may decide to conduct an audit of financial responsibility, or to consider the complaint for the planning of audit activities (concomitant and ex post audit) (Tribunal de Contas, 2022[20]). However, complaints were also considered for the a priori controls in the process of delivering the visa.

In 2022, TdC received 347 complaints and allegations and for 39% of them (198) the assessment was finalised (Tribunal de Contas, 2023[21]). The most common issues identified in complaints are linked to public procurement:

• failure to adopt legally applicable pre-contractual procedures

• violation of the legal limits of successive award of contracts preceded by direct award or prior consultation with the same economic operators

• participation in procurement procedures of economic operators belonging to local elected representatives or their family members

• contract splitting

• expenditures in the framework of public procurement without the prior authorisation.

Regarding a priori audits, the LOPTC highlights a risk-based approach when selecting the list of bodies or activities exempted (fully or partially) from these audits based on the reliability of the internal decision-making and control system verified by audits carried out by the TdC. However, discussions during the fact-finding mission stressed that this approach has not been formally implemented in the last years. Furthermore, the implementation of this approach could be challenging given the availability of the required data. In this context, for a priori audits, the TdC could benefit from implementing a risk-based approach to support the team in identifying red flags (irregularities and specific issues) in contracts.

In addition, regarding the use of a risk-based approach for contracts submitted to a priori audits, discussions with the department in charge of these audits show a lack of awareness on the potential benefits of this approach. Indeed, this department mentioned that a risk-based approach won’t bring any added value to the work of the department with the main argument that all tenders and contracts falling under the scope defined by law should be audited (see Section ‎1.2.2). However, a risk-based approach does not prevent the a priori audit team from controlling all tenders and contracts in line with the regulatory framework. Indeed, such approach could help to focus efforts, allocate resources by supporting the team in charge of this type of audits to identify some red flags in contracts. The a priori audit department should seize the opportunity of the project aiming at implementing a risk-based approach in the court to test the relevance of adopting such approach.

Regarding the first Chamber concomitant audit activity, the three-year strategic plan includes the number of audits to be completed each year and the topic of the audit. For instance, TdC is planning to complete in the area of personnel management and public procurement 10 audits in 2023 (which includes 4 carried over), 8 in 2024 and 7 in 2025.

Discussions with the team in charge of the first Chamber concomitant audit highlighted that their audits follow a risk-based approach that is not formalised in all cases. Indeed, they take into account several criteria including the contract value, the indication of illegality, the adoption of recent legal regimes, the use of non-competitive procedures, amendments to contracts during their execution. This department welcomed an enhanced and formalised risk-based selection of procurement tenders or opportunities/contracts to audit, in particular in relation to the identification of contractual prices, the type of public procurement procedure used, the exclusion of bidders and the reason behind, the identification and cross-referencing of partners and managers of the awarded companies bidders.

Subject to its three years strategic plan, according to the article 40.º of LOPTC, the second chamber should adopt by the 15^th of December of each year, its annual programme which includes:

List of entities exempted from rendering accounts were initially introduced when the Court used to receive hard copies of documents. However, with e-contas and the automatisation of the process to render accounts led the Court to strategically decide not to exempt any entity from rendering them. Additionally, the electronic rendering of accounts also allows to automatically make verifications in all accounts that previously were only possible for some of them. The mentioned criteria are now used to select, from the rendered accounts, those that will be extensively verified.

Discussions with different teams in charge of ex post audit highlighted that their audits do not follow a formal risk-based approach, but they consider several criteria including the value of contracts, the previous performance of an a priori audit, past audits (including a priori and concomitant) and implementation of recommendations, complaints submitted to TdC, information from media and other sources, etc.

Responses from ex post audit teams to the OECD questionnaire also highlighted that the implementation of a risk-based approach could increase the efficiency of their work and optimise resources, which could be allocated primarily to audits of entities and contracts that present greater risk, in accordance with predefined criteria.

Public procurement can be subject to multiple risks throughout the public procurement cycle (OECD, 2023[2]). Aware of the benefits to have a comprehensive approach to risks impacting the public procurement system, the TdC with the support of the OECD will develop a data-driven risk model; including the development and testing of data pipelines and machine learning models, for the identification of “red flags” focusing on risks and irregularities in public procurement processes.

The first step for the implementation of the data driven risk model is the identification of potential risks that may impact the public procurement system. A careful attention should be paid to this step as it should guide the development of the formulas and the implementation of the model. For instance, ANAC, the Italian anti-corruption authority has developed a set of 17 indicators to help identifying potential integrity risks impacting the public procurement system (see Box ‎1.5).

In Portugal, the Centre of Innovation, Technology and Methodologies (Centro de Inovação, Tecnologia e Metodologias, CITM) within the TdC has been leading the development of a public procurement risk matrix using an inclusive approach by involving the different teams in charge of different types of audits within the court. Risks that were included in this matrix are those for which there could be a possibility to access the variables to calculate and track them (potentially with the signature of protocol of agreements with the data owners). However, it is worth mentioning that additional risks could be relevant for a comprehensive risk-based approach but due data access and availability they were not considered within this list. In addition, this list does not consider data quality and reliability, meaning that some of the risks may not be considered due their lack of accuracy.

The risk matrix includes 35 risks classified by 8 indicator groups with 6 of them following the procurement cycle: Financing (1), Procurement procedure (9), Contracting requirements (1) Evaluation of bidders, tenders and award procedure (7), Contract award and execution (10), Payment and financial obligation (1), Conflict of interest, fraud and corruption (3), Intervening parties (issues with suppliers or contracting authorities (3). According to the TdC the detailed risks should not be presented in this report to avoid the misuse of this information by audited entities. For a greater impact, the TdC could initiate discussions with IMPIC and other relevant bodies to discuss the development of potential mitigation measures that will decrease the materialisation of the risks and irregularities identified.

The TdC is aware that the development of a risk matrix is a dynamic process. The matrix will need to be updated regularly to potentially identify new risks threatening the public procurement system or the that may lead to the identification of new risks or the removal of irrelevant ones. The matrix below reflects the main risks identified by the different audit teams.

The implementation of a data driven risk-based approach to public procurement activities requires identifying the relevant databases. While different databases could be relevant to public procurement, it is pivotal to focus on those containing information and variables related to the list of risks identified.

Most of the relevant variables to the risk matrix developed by TdC can be found in different databases managed by four different stakeholders While this section discusses the main databases for the identification of risks, Chapter 3 provides a quality assessment of these databases which is also key for an accurate risk identification.

Regarding the external databases, the following databases are relevant to consider: BASE, the registry of beneficial ownership managed by the Portuguese Institute of Registries and Notaries (Instituto dos Registos e do Notariado, IRN), and databases managed by the Tax and Customs Authority (Autoridade Tributária e Aduaneira, AT). The other three databases are internal to TdC: i) GENT, the entity management system, ii) GDOC and iii) econtas (see Figure ‎1.6).

Other databases could be relevant such as the e-invoicing database managed by Espap but the information they include in terms of payments is already available in the TDC databases. In addition, considering information to be available in BASE following the publication of ordinance 318-B regulating the operation and management of the BASE portal in October 2023 (Portaria n.º318-B/2023), it is not relevant at this stage to consider data from e-procurement platform providers ( see below the section on BASE).

The relevance of these databases has been confirmed by the different audit teams who responded to an OECD questionnaire. However, the responses to the questionnaire also highlighted challenges regarding the reliability of data available in these databases. In addition, depending on the scope and type of audits performed, some departments mentioned other specific relevant databases to their activities. For instance, the audit department in charge of local governments mentioned the website of municipalities as being a relevant database.

The sections below provide relevant information on external and internal databases relevant to public procurement risks. Chapter 3 provides a detailed assessment of these databases.

As mentioned in Section ‎1.2.1, BASE is the public procurement portal managed by IMPIC that aims at disseminating public information on public contracts subject to the Public Contracts Code (PCC). The platform serves as a centralised hub, aggregating key public procurement information throughout the public procurement cycle (IMPIC, 2022[43]). Box ‎1.6 provides a detailed description of information available in BASE.

Portal BASE offers different type of accesses, including a public view accessible online, showcasing a subset of features and documents. A more detailed information is accessible privately by some stakeholders, specifically auditing entities, such as TdC, IGF, the Public Prosecution Service and the Portuguese Competition Authority (AdC). The law defines what is available in the public and what is available privately to some stakeholders. Concretely, public view includes information on contracts, contracting authorities; bidders and the type of procedure. The privately accessible view includes information on contract managers, bids and all contracts with an amount below EUR 5 000.

The information available in BASE comes from three main data sources.

Public Procurement Electronic Platforms: In alignment with legal provisions (as stipulated in paragraphs c) and d) of article 9 of Order No. 284/2019), electronic platforms relay information to Portal BASE, Specifically, the information from Annex II to Annex XV.

The data that the platform providers must send to BASE is regulated by law. It is therefore not possible for the court to access directly the data provided by the different platform providers (unless protocols are signed with each of the providers). Some issues were identified, including the lack of availability of some structured and unstructured data in BASE that could be relevant to identify and calculate some risks.

For the implementation of e-forms at the national level, ordinance 318-B was published in October 2023 (Portaria n.º318-B/2023). Through this ordinance (in particular in its article 7), platform providers are mandated to send additional data to BASE. This new requirement will have a significant impact on the data available in BASE and its format (structured format) and could support the calculation of additional public procurement risks. For instance, platforms providers will have to send links to the preliminary and final procurement reports. They will also share questions from bidders challenging the ranking of bids, and the NUTS code for the execution of contracts (previously the location was not as accurate). Information regarding questions received from bidders for a specific procedure became available but only in an unstructured format in the evaluation report.

IMPIC is working hard to ensure the integration between the different systems to collect the additional information from the platform providers. The system should be fully operational before the end of 2024.

However, some information that could be relevant in a later stage for a risk-based approach are not available in BASE (as it is not required by law) such as the exact questions asked by bidders at the clarification phase and the justification of the need for the procurement. Therefore, in a later stage, the court could assess the relevance of signing protocols of agreement with each of the platform providers for information that is not available in BASE or propose its inclusion in the next legal review.

The information is stored and gathered by IMPIC, the entity responsible for managing Portal Base. The information is stored in a relational database maintained by the IT team of IMPIC. The database server is managed by the General Secretariat for the Economy (SGE).

The registry of beneficial ownership managed by IRN is a key database with information on individuals who ultimately owns or controls, directly or indirectly, a sufficient percentage of shares or the voting rights or of participation rights in the share capital of a company, and individuals exercising control by any other means over the company. The Registry was created to transpose into the internal legal order chapter III of Directive (EU) 2015/849 of the European Parliament and of the Council, of 20 May 2015, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (European Parliament, 2015[44]) .This registry has been implemented in Portugal since November 2019, and by January 2021, around 490 500 entities complied with this registration. (Open contracting partnership, 2023[45]). This database is key to identify different integrity risks in public procurement. IRN responds to any request of information from TdC. However, granting access to its database is more challenging (see Section ‎1.5).

AT is in charge of collecting taxes but also undertaking tax inspections to prevent and combat tax fraud and evasions (AMA, 2023[46]). It manages different databases with relevant information including on the tax and financial situation of potential suppliers and payments. Data managed by AT can contribute to the identification of different risks including the non-compliance with payment of taxes. Furthermore, the tax number allocated to companies is key for cross linking different databases with information on economic operators or suppliers.

Within the Court, two main databases are important to consider: GENT and Public Contracting Files (eContas). Both of these databases are a part of (and interact with) the GDoc System (see Figure below). GDoc is the internal document management system within the Court and also includes the TCJURE (legal information system)

GDOC (Sistema de Gestão Documental e Processual) is the internal system of TdC for managing documents and processes that was developed by TdC. It is also the oldest of TdC's IT systems. The user who accesses the system represents a supervised entity and is already pre-registered, with an assigned profile and username.

GDOC cuts across TdC's activity and is integrated with other relevant systems, both GENT and eContas are a part of this system. All of these databases interact with each other and this interaction process is used for risk assessment;

Specifically, after the submission of a reporting map (through eContas Prestação de Contas), internal validation begins at the TdC, in which a report is produced indicating deviations from the validation rules to the information collection structures, which could contribute to the identification of “risks” that each account can hold.

This system is used for the purposes of analysing a priori audits, complaints received, and reports from internal control bodies, consisting of several modules, including:

• "A priori control" module, which allows extracting information on the number of contracts, objects, values, type of procedure used, the meaning of the decision, recommendations, follow-up, etc.

• Entry, validation, and registration module for opening and reopening visa/approval processes. “Prior control” processes are required to obtain a visa (i.e., permission of the Court), to materialise the contract. A visa could be approved or rejected by TdC according to the characteristics of the contract.

• Denunciation process module.

GENT serves as the comprehensive database of entities under the jurisdiction and control of TdC (the universe of public entities that report to TdC).

Data included from this database comes from different sources: data from other information systems managed by the court such as TCJURE (legal information system), GESPRO (process management system), but also unstructured data filled manually by a dedicated team based on unstructured data from regular analysis/profiling of the Official Government Gazette of the Portuguese Republic.

This database is key to provide information on entities when performing different types of audits and enables to identify entities through an identification number common to different sources. This relational database encompasses 99 original tables. According to TdC 53 of them are relevant for a risk-based approach in public procurement.

eContas is the platform used by public entities to submit their public procurement files as an integral part of their Annual Financial and Budgeting Reporting to TdC, but the platform is also used to obtain visas from TdC. One of its objectives is to facilitate the relationship and communication between the Court and supervised entities in the fulfilment of their obligations, providing greater rationalisation and efficiency in communication, particularly in the provision of management accounts. The eContas platform also allows the submission of the contracts for prior audit through econtas “Fiscalização Prévia”.), additional contracts through econtas “Prestação de Contas”) and contracts within the scope of the special measures for public procurement through eContas-MECP for concomitant audit.

The reports submitted through eContas “Prestação de Contas” serve to complement the standard financial data, such as income statements and balance sheets. These reports are standardised into reporting maps, which are then stored in eContas.

This portal is integrated to the wider GDOC platform and aims to facilitate the relationship and communication between the Court and the entities subject to its control, namely in the fulfilment of their obligations, including on public procurement. Access to the eContas platform is exclusively granted to registered users within the IT support system for TdC activities, ensuring a controlled and secure environment.

Entities have to report a wide range of information to the Court, some of which is defined by the Court itself (either from the point of view of the reporting process: scope of the information, content, periodicity, etc., or from the point of view of the structure of the map/files to be reported), but some other information is used from other reports to other entities such as information provided to the Ministry of Finance.

The reporting and provision of information by entities under the jurisdiction and control of the TdC is defined based on the entity's "Accounting Regime" and also (as a sub-grouping within each Regime) by form of Delivery. There are different accounting regimes, which bring together more than 520 information sheets defined by the Court. Approximately 6 500 entities present their annual reports with accounting standards tailored to their characteristics. Figure ‎1.8 provides an overview of eContas data flow.

The information contained within this database play a key role in identifying risks and irregularities in public procurement. It provides essential insights into various aspects of public contracts, including payments period of execution.

To support the efficiency of the public procurement system, it is key to infuse a risk management culture in public entities undertaking procurement activities. This culture could contribute to reducing irregularities identified by oversight bodies. Indeed, many of the recommendations of the TdC aim at strengthening a risk-based approach in contracting authorities by for instance implementing adequate internal control mechanisms to mitigate a number of risks.

In Portugal, there is no dedicated strategy on risk management in public procurement covering different categories of risks. However, the country has developed relevant tools in relation to corruption risks. In 2009, the Council for the Prevention of Corruption that has been replaced by the National Anticorruption Mechanism (Mecanismo Nacional Anticorrupção - MENAC) deliberated, by Recommendation No. 1/2009, of July 1, that all entities engaged in the management and administration of public funds, securities and assets should draw up plans for the prevention of risks of corruption and related violations (PPRCIC). (OHCR, n.d.[47]). Those plans should include:

• Identification of risks of corruption and related infractions in each area

• Identification of the measures adopted to prevent risks

• Identification of those responsible for managing the risk management plan

• Drawing up an annual execution report; and that the PPRCIC and the annual execution reports should be submitted to MENAC, as well as to the oversight, supervisory and control bodies.

For the implementation of the adoption of the National Anti-Corruption Strategy for 2020-2024, Decree-Law 109-E/2021 mandated entities subject to it to implement a General Regime of Prevention of Corruption (Regime Geral de Prevenção da Corrupção- RGPC). Entities subject to the RGPC are: i) All private legal persons having their head office or branch in Portugal who employ 50 or more workers; ii) All public services of the Direct, Indirect and Autonomous Administration of the State, including the public corporate sector, municipal councils, parish councils, and other entities that employ 50 or more workers; and iii) Independent administrative entities. The RGPC sets obligations for these entities, including the development of risk prevention plans (PPR) as part of their Regulatory Compliance Programme (PCN). Given that public procurement is a high-risk area in terms of corruption and other integrity breaches, PPRs should also cover this area (Council of Ministers - Portugal, 2021[48]).

To infuse a risk management culture in public procurement, the government of Portugal should consider developing a dedicated and comprehensive public procurement risk management strategy considering all categories of risks.

In their responses to OECD questionnaires, several stakeholders mentioned some traditional or emerging risks identified in public procurement in the last 3 years. For instance IMPIC mentioned i) the incorrect choice of procedures, often by the use without due grounds of the material criteria, or by the fractioning of the expense; ii) the invitation to present an offer in direct award or in prior consultations by economic operators that should not be invited under the provisions of paragraphs 2 and 6 of Article 113 and paragraph 2 of Article 114 of the CCP; and iii) the excessive use of the award methodology based on the lowest price, even in procedures of complex services. A part of its mandate, the PCA identified the following risks: agreements between competitors aimed at sharing geographic markets, allocating customers or agreeing on prices or other trading conditions, and practices involving the abuse of a dominant position.

AdC, as part of its mandate, mentions the risk of agreements between competitors aimed at sharing geographic markets, allocating customers or agreeing on prices or other trading conditions. It also mentioned the risk of practices involving the abuse of a dominant position.

IGF has published in 2021 a detailed report on risk management in public procurement where it highlights key aspects to introduce in the regulatory framework, organisational risks of public procurement (procurement plans, conflict of interest, capacity of the procurement workforce; segregation of duties, turnover of officials and economic operators to be invited) public procurement risks by type of stakeholders (Leader, Jury, suppliers, auditors and contract manager (IGF, 2021[49])).

The identification of public procurement risks and irregularities requires information located in different databases such as procurement databases, invoicing, tax and social security or beneficial ownership databases. However, the access to relevant databases can represent a challenge. The OECD Recommendation of the Council on Enhancing Access to and Sharing of Data highlights the need to” adopt a strategic whole-of-government approach to data access and sharing to ensure that data access and sharing arrangements help effectively and efficiently meet specific societal, policy, and legal objectives that are in the public interest (OECD, 2021[50]).

In Portugal the legal framework regarding data access, collection and use are governed by different laws, including the data protection law (Law no. 58/2019). While different data/ information can be shared upon request, it is relevant for the TdC to have a regular access to relevant data for collection and use.

Regarding the access to the public procurement database, article 454-C of the public procurement code mentions that all contracting authorities and IMPIC must guarantee direct access to the public procurement information databases and presenting the requested documents or records to the Public Prosecutor's Office, the Competition Authority and the auditing and supervisory entities (including the TdC), for the performance of their respective missions (Government of Portugal, 2022[51]). This article was added in 2018. Therefore, the access to TdC to BASE is granted by law since then. In practice, protocols of co-operation were signed with these different entities to access data in the “reserved area”. Entities can only access data in consultation mode, they are not allowed to edit or alter the data. In addition given that the database includes personal information such as “the identification of the natural person”, ”the tax identification number” and “the nationality of suppliers”, entities having access to the database should also comply with the legal provisions in force on the protection of personal data.

IRN manages the central register of beneficial ownership (CRBO). The regular access of TdC to the CRBO database is particularly relevant to assess specific procurement risks in relation to compliance and competition. However, IRN have a special data reserve and data protection obligations under the General Data Protection Regulation which prevents them from sharing information.

For the tax authority AT, sharing information on tax activities is also subject to Article 64 of the General tax law on “confidentiality”. This law mentions that all people working for the tax authority have to keep confidential the data collected on the tax situation of the taxpayers and all elements of a personal nature that have been obtained. However, the law also mentions that these obligations are waived in several cases including in case of “ Legal co-operation of the tax administration with other public entities, to the extent of its powers (Autoridade Tributária e Aduaneira, n.d.[42]).

To overcome the challenge to access data on a regular way, TdC held discussions with IRN and AT to sign protocols. Discussions with AT were fruitful and led to the signature of a protocol and discussions at the technical level. However, the signature of the protocol with IRN is more challenging. The signature of these protocols could enable TdC to identify additional risks, further enriching the risk model it is developing.

This chapter focuses on the key role of TdC in the Portuguese public procurement system which represents a significant share of GDP. The court is in charge of overseeing the legality, regularity, economy, efficiency, and effectiveness of public procurement activities through the different types of controls it performs (ex ante, concomitant and ex post).

Implementing a risk-based approach for an audit body when dealing with public procurement activities is key to make the best use of its resources, to have the greatest impact and to most effectively achieve its purpose and objectives. A risk-based approach should consider i) the challenges of the public procurement system (competition, transparency, integrity, etc.) and different categories of risks or irregularities including environmental ones.

While some control department of the TdC (concomitant and ex post) implement some kind of risk-based approach, this approach is not formalised. The teams in charge of these audits identified the implementation of a risk-based approach as a great opportunity to increase the efficiency of their work and optimise resources, which could be allocated primarily to audits of entities and contracts that present greater risk, in accordance with predefined criteria. As a priori audit department considers that it needs to look at all submitted requests, the risk-based approach was not identified as an immediate priority. Nevertheless, this department should also seize the opportunity provided by this project to test the relevance of adopting such approach.

The implementation of a risk-based approach to public procurement activities requires identifying relevant databases as input. While different databases could be relevant to public procurement, it is pivotal to focus on those containing information and variables related to the list of risks identified (internal databased to the TdC and external ones). In parallel to the work of the TdC in implementing a risk-based approach, it is essential to also infuse a risk-based approach in contracting authorities by developing of a dedicated and comprehensive public procurement risk management strategy considering all categories of risks.

Finally, a data driven risk-based approach for public procurement can be further enriched if multiple data sources are used. In this context, it is pivotal to assess the legal framework for collecting and using data from different databases While different data/ information can be shared with TdC upon request, it is relevant for the TdC to have a regular access to relevant data for collection and use which requires the signature of protocols with different data owners. Increasing the number of databases accessed on a regular basis (through the signature of protocols) increases the number of risks identified risks and reinforces the data driven risk-based model.