Home > Proactive Disclosure > Audits and Evaluations > A&E Reports > 2010-2011 > Audit of Governance of Specialized IT Resources

Audit of Governance of Specialized IT Resources

May 2010

Previous page | Table of Contents | Next page

Executive Summary

The delivery of information management (IM) and information technology (IT) services in a scientific department like Environment Canada (EC) is a complex issue. Aside from cross-cutting services like IT security, infrastructure management, operations and the development of office applications, scientific departments must also develop and implement complex scientific systems, often involving complex data capture and manipulation in a real-time environment, the modelling of complex systems, and the in-depth analysis of model output to allow for forecasting of trends.

Over the past few years the Department has undergone some major transformations, including the creation of a Chief Information Officer (CIO) reporting to the Deputy Minister and the shift from regionally delivered services to nationally delivered services.

During these transformations, many IM and IT staff were moved out of the program areas that they had traditionally served and into a new centralized service organization under the CIO. The staff that moved to the new organization were generally meant to be those who deliver generic IM and IT services. While IM and IT staff with highly specialized skill-sets were not migrated to the Chief Information Officer Branch (CIOB), in recognition of the need to have these staff closely associated with the scientists that they support, the Deputy Minister made it clear that they were to receive functional direction from the CIO.

In its recent Directive on the Management of IT, Treasury Board (TB) has assigned the governance of IT activities to the CIO of each department.¹ Past management accountability framework assessments for the Department have identified opportunities for improvement in the area of its governance of these non-CIOB staff and the IT services that they deliver.

Throughout this report, staff carrying out IT activities in the program areas are referred to as embedded IT staff and the IT work that they carry out is referred to as specialized IT activities.

Overall Objectives and Scope

The objective of this audit was to provide assurance that the governance of specialized IT activities and selected, specialized IM activities in EC, and the risk management and controls supporting this governance, are adequate and sufficient.

This audit focused on specialized IT activities, in the context of the overall governance of IT activities in the Department. During the development of the audit program, this focus was expanded to include specialized IM activities related to the management of Crown data captured and maintained by the Department.

This audit was included in the departmental Audit and Evaluation Plan 2009–2010 as approved by the Deputy Minister, upon recommendation of the External Audit Advisory Committee.

Statement of Assurance

This audit has been conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada.

In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time, against the audit criteria.

Summary of Findings and Conclusions

In recent presentations² the CIO has assessed his organization’s IT maturity³ to be at level 1 (reactive) with pockets of activity at levels 3 (service) and 0 (chaotic). CIOB notes that recent accomplishments have put it firmly on the path toward a solid maturity rating of 2 (proactive). Their target is to attain a maturity level of 4 (value), which implies that the organization will have become a strategic business partner. This assessment aligns fairly well with the observations made in this audit that steps are being taken in many areas to address current weaknesses in the governance of specialized IT activities.

Our conclusion that the current overall level of governance for specialized IT activities is not yet adequate, and that a number of changes are required to allow the maturity level to rise, is a reflection of where the Department is on the maturity curve and supports continued activity to raise the overall maturity rating. These changes can be grouped by governance themes as follows:

• Governance structure and process ownership
  
  In order to ensure that IT resources are allocated to activities that are aligned most effectively to departmental priorities and objectives (including program outcomes and results), there is a need to provide more clarity surrounding the committee structures that make IT investment decisions. To accomplish this, it is first necessary to establish the ownership for each of the IT processes that are carried out in the Department. This theme has been addressed in Recommendations 1 through 3 of the report.
  
  
• Delivery of service – establishing what, who and how
  
  Establishing what work will be carried out in the program areas, who will carry out the work and how that work will be conducted also must be clarified. What work should be carried out by embedded staff is the subject of recommendation 5. Within the context of the process ownership environment established in recommendation 2, the criteria for determining which IT staff should be embedded in the program areas are the subject of recommendation 9. Establishing the standards and architecture within which specialized IT activities will be carried out is the subject of recommendations 6, 7, 8 and 10. This theme will address issues of management of change, methods of engagement, training and communication.
  
  
• Monitoring and reporting
  
  In order to ensure that governance is adequate, investments are optimally aligned with priorities, and there is adequate oversight and compliance, the CIO will have to provide mechanisms for monitoring the activity of embedded IT staff and tools for reporting on those activities to all boards and the Executive Management Committee (EMC) (within the context of complete reporting on the run, renew and transformational activities)
  
  

The major risk to the Department arising from these findings is that, without a clearly defined IT governance structure to define what needs to be accomplished, a clear understanding of who will provide the work and how they will carry it out, and the capacity to monitor and report on the full range of IT activity, the Department may not have the necessary information to make good IT investment decisions or take advantage of efficiencies that can be reinvested in new and transformative initiatives. These factors may result in a diminished capacity to ensure program delivery objectives.

Accomplishing these fundamental changes will require the co-operation of all parties. In particular, as the CIOB’s maturity level continues to rise and as it continues to roll out its service catalogue for IT services, program Assistant Deputy Ministers (ADMs) will have to commit to using services from the catalogue where they exist and where they are a good fit for required IT activities.

Recommendations

1. EC’s governance structure should clarify how IT investments, both within CIOB and the program areas, align to EC strategic imperatives, program outcomes and results (program activity architecture), and how they are incorporated into EC’s integrated investment planning process.
   
   Accordingly, the CIO, in consultation with EMC colleagues, should develop and present for board and EMC discussion and approval an updated IT demand and supply governance structure. To assist with this effort, the CIO should work with the Chief Financial Officer (CFO) to ensure that financial coding for expenditure reporting is sufficiently granular to ensure appropriate accounting, monitoring and reporting of IT-related expenditures for an EC view.
   
   Furthermore, and in support of the above, the CIO should confirm plans to provide EMC with better data on IT demand-and-supply-related expenditures, in order to make the case for, and help executives prioritize, IM and IT investment decisions. This would include periodic reporting on IT resource utilization and allocation in support of run, renew and transformational expenditures.
   
   
2. Established IT processes should result in the greatest value being created for EC (such as development or testing of applications, having criteria to decide when development should be carried out in the program area rather than CIOB, etc.).
   
   Accordingly, the CIO, in consultation with EMC colleagues, should establish and broadly communicate an ownership framework for all IT processes (such as for the development or testing of applications).
   
   This ownership framework should define:
   
   • who will own each process and in what situations, and who is accountable to execute which parts of the process;
   • the functional reporting relationships that will exist between the process owners and the CIO; and
   • the line reporting relationships that will exist between these same process owners and the client program areas.
   
   
3. The CIO, in consultation with EMC colleagues, should ensure that adequate mechanisms exist for making IT investment decisions (including investments for ongoing operations and investment decisions for embedded IT staff and their associated activities) in the new integrated planning process. The resulting plan should be presented to EMC for ratification of cross-board priorities and for approval.
   
   
4. The CIO, in consultation with the ADMs responsible for program delivery and with the assistance of the CFO, should develop better tools for reporting the expenditures made in IT. These tools should give the boards and EMC a complete breakdown of all expenditures in IT, including those required for the maintenance of the infrastructure and operations, and they should allow branch ADMs to report on the extent and nature of all IT activity being carried out in the program areas so that the boards and EMC can review the investment decisions that have been made.
   
   
5. The CIO, in consultation with the ADMs responsible for program delivery, should create criteria for deciding when it is appropriate for program areas to carry out IT activity. Once created, the criteria should be presented to the EMC for approval.
   
   
6. Building on the strong work already being undertaken as part of the transformation of CIOB in the areas of architecture, processes and standards, the CIO should, in consultation with the ADMs responsible for program delivery, establish mechanisms to engage programs/clients in developing, broadly communicating, and publishing EC’s Enterprise Architecture Vision, processes and standards. This would include program area participation as members of the Architecture Review Board.
   
   Further, the CIO, in consultation with ADMs responsible for program delivery, should establish and implement mechanisms for appropriate oversight, monitoring and reporting of IT activity, to assure compliance with standards and optimal use and investment of IT resources.
   
   The CIO, in consultation with ADMs responsible for program delivery, should establish an IT resource “blueprint” comprising competencies, knowledge and skills standards, and training and learning.
   
   
7. The CIO, in consultation with EMC colleagues, should establish an enterprise data management program that includes, as a minimum, a sustainable centralized inventory of Crown data under the custody of the Department. This inventory should include (but not be limited to) information about: the nature of the data that is held; the volatility of the data; the source(s) and location(s) of the data; the contact information for the appointed steward of the data; and the criticality or sensitivity of the data.
   
   This centralized inventory (corporate metadata repository) should be the system of record for departmental metadata, and departmental processes should be established to ensure that appointed data stewards create and maintain the metadata for all data of business value. Data producers, consumers and data management systems across the Department should reference and update this corporate metadata repository when inquiring about the existence of departmental data.
   
   
8. The ADMs responsible for program delivery should ensure that all departmental databases under the control of their branch are represented in the corporate metadata repository.
   
   
9. The CIO, in consultation with ADMs responsible for program delivery, should create criteria for deciding when it is appropriate for program areas to staff IT-related positions. The criteria should:
   
   • clearly define the scope and nature of the roles these staff will play, and define the functional relationships that these staff will have with the CIO;
   • be accompanied by directives and guidance on the use of architecture, standards and procedures for conducting the IT activity.
   
   
10. The CIO should ensure that newly hired IM and IT employees receive mandatory orientation on standards, architecture and IT processes. Further, the CIO should ensure that CIOB places no impediments in the way of embedded IT staff attending any IT training that is available to CIOB staff.
    
    
11. Program ADMs responsible for specialized IM and IT personnel should:
    
    • ensure that branches develop specific succession plans for each employee (or group of employees) who has a specialized skill set that is necessary to carry out a given job;
    • ensure that employee training and development plans for embedded IM and IT staff include training on departmental architecture, standards and processes; and
    • ensure that specialized IM and IT activities are carried out by properly qualified staff.
    
    

¹ Directive on the Management of IT (2009)

² External Audit Advisory Committee meeting of January 2010

³ Using a maturity scale developed by Gartner Inc., which can be found in Annex 4: Maturity Levels (Source: Gartner Inc., April 2006)

Previous page | Table of Contents | Next page