This audit was included in the departmental Audit and Evaluation Plan 2009–2010 as approved by the Deputy Minister, upon recommendation of the External Audit Advisory Committee, in May 2009.
The subject area for the audit was an area of high risk identified by the Chief Information Officer (CIO) during interviews while preparing the audit plan. The CIO expressed concern about our ability to speak to the governance of information management (IM) and information technology (IT) activities in the Department as a whole, because the extent and nature of the activities that are being carried out in the program areas was not transparent.
Preliminary survey work for the audit was carried out from April 2009 to July 2009. The audit program was prepared and approved in August 2009, and the audit fieldwork was carried out between September 2009 and December 2009.
The Treasury Board Secretariat’s (TBS’s) Organizational Readiness Office and the CIO’s Council have established three “generic” models for delivering IT services within the Government of Canada, one each for large, medium and small departments and agencies. Common to all of these models is the centralized delivery of IT services with all IT staff reporting to a CIO. In this report, these generic models for IT service delivery will be referred to as CIO models.
In 2005, Environment Canada (EC) embarked upon a process to transform IT services from a highly decentralized model to a centralized model, creating a new Chief Information Officer Branch (CIOB) in the process. To deliver on this transformation agenda, the Department named a CIO and adopted a modified CIO model for large departments and agencies. The Department’s Executive Management Committee (EMC) supported the creation of this organization and its mandate in 2007.
Under the old model, IT services had been delivered and governed in a very decentralized fashion. Each program and region had its own IT delivery mechanisms and governance strategy. The modified CIO model was meant to operate as centralized delivery of standard IT services (delivered by CIOB), augmented by specialized IT services that are governed centrally but delivered by the programs. The new model was also meant to support the Department’s move to a set of nationally delivered services rather than the regionally delivered services that had been in place prior to the transformation.
Although the CIO model developed by TB is based upon providing IT services centrally, in a scientific department like EC, program delivery often depends upon IT staff with highly specialized skill sets working in a real-time computing environment. These skills are often not generally available in the wider IT community. For example, the community of developers that can do algorithmic development in a real-time programming environment, such as those delivering EC’s weather and climate modelling services, is very small.
The modification to the CIO model was intended to allow IT staff with these specialized skill sets to remain in the program areas while receiving functional direction from the CIO. During the transformation, many of the IT staff that had been embedded in the program areas prior to 2005 were moved to the newly created CIOB, including most of the staff that had been delivering traditional IT activities. Many of the IT staff with specialized skill sets were left within the program areas, where they receive line direction and carry out their specialized IT activities.
In this audit report, development IT activities that are carried out in the program areas and that require specialized technical or subject matter skills will be referred to as specialized IT activities, while staff members who deliver the services are referred to as embedded IT staff.
EC’s 2006–2007 management accountability framework (MAF) assessment found that the CIO had direct control over only 80% of the computer systems (CS) community, raising a question about the level of governance over the remaining 20% of the community that resided in the program areas. This resulted in an “opportunity for improvement” rating on the level of corporate engagement in IT management.
Work carried out during the preliminary survey confirmed that the 2006–2007 MAF assessment was still valid. Using information from the Human Resources Management Information System, we found that 16% of all non-vacant CS positions resided outside CIOB. To obtain a complete picture of specialized IT activity it was also necessary to consider embedded non-CS staff who carry out IT activities. Including this group, the MAF estimate of embedded IT staff appears to still be reasonable.
The most recent round of MAF assessments highlighted two other stewardship indicators that still showed opportunities for improvement. Business continuity planning and the management of IT security were areas of concern to TBS, because a department cannot protect resources, or continue to provide services, of which it is unaware.
Because specialized IT activities in the Department represent such a significant investment, the governance of those activities is critical to ensure the security of departmental resources and the continuity of the critical services that the activities deliver. As both of these areas have been the subject of a recent audit, they were only addressed peripherally during the current audit. However, given the highly specialized nature of the skills required to do this type of activity, recruitment and retention (including succession planning) becomes a very important factor for ensuring the continuity of services delivered by embedded IT staff. For this reason, succession planning was a specific factor considered during the audit.
During the preliminary survey, one of the program executives expressed concerns about whether the full extent and nature of the scientific data within the Department was known. This led to a discussion about whether staff have a common understanding that data created or captured by the Department are owned by the Crown. The imperative for scientists to “publish or perish” was also discussed, as it may lead certain scientists to assume personal ownership of the data they capture rather than recognizing that the data belong to the Crown.
To accommodate this concern, the scope of the audit was extended to include the governance of data resulting from specialized IT activity in EC. However, as there is a planned audit to address the overall governance of IM in fiscal year 2010–2011, we decided to restrict the scope of activity in this area to the governance of Crown-owned scientific data sources created or collected by the Department. We note, however, that IT activities do not function in isolation and that IM activities form part of the four domains of IT activity identified by the Office of the Comptroller General.
Another indicator that received an “opportunities for improvement” rating in the 2006 and 2007 MAF assessments was the measurement of the value derived from IT investments. TB’s new Directive on Management of Information Technology reinforces the need for this requirement, by giving the CIOs the responsibility for monitoring and measuring IT management performance using both governmental and departmental key performance indicators. Discussion on this topic led us to look at how specialized IT activities are reported to the CIO so that the CIO can meet monitoring requirements set out in the Directive.
The objective of this audit is to provide assurance that the governance of specialized IT activities in EC, and the risk management and controls supporting this governance, are adequate and sufficient.
This audit focused upon specialized IT activities, in the context of the overall governance of IT activities in the Department. The scope also included an IM focus that was strictly related to the management of Crown data captured and maintained by specialized IT resources or in the systems that they develop. It included an investigation of the governance of embedded IT staff, as the quality of governance that staff receive will reflect upon the governance that is provided to applications and assets.
The audit was national in scope, and included interviews with staff from the National Capital Region and a number of regional offices.
As per the TB Internal Auditing Standards for the Government of Canada and the Institute of Internal Auditors’ International Professional Practices Framework, assurance has been provided through the following methodologies:
The criteria that defined our expectations in this audit are based on the control objectives outlined in the Control Objectives for Information and related Technology (COBIT 4.1) framework for IT governance. The criteria can be found in Annex 1.
COBIT is an internationally accepted framework for the governance of IT, focusing on the processes that are necessary to carry out IT activities (including IM functions). In an annex to its Financial Management Policy Framework, TB has endorsed COBIT, stating:
“Control framework(s) for information technology (IT) in relation to internal control over financial reporting…. Is a suitable control framework for information technology (IT) in relation to departmental internal controls over financial reporting and access security processes. Treasury Board recognizes that such IT frameworks should include at least:
In its Government of Canada IT Services Program Framework, TB further endorses COBIT when it says:
“COBIT provides an industry best practice reference model of common IT management and governance processes within four groups: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. ITIL provides a framework of common IT processes for the service delivery and service support processes (IT Service Management Framework).”[5]
This audit has been conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the TB’s Policy on Internal Audit.
In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time, against the audit criteria.
[4] Report of the Senior Committee on the Review of the Financial Management Framework of the Government of Canada, Annex E-3 (www.tbs-sct.gc.ca/fm-gf/ktopics-dossiersc/gapr-pcrg/framework-cadre/framework-cadre12-eng.asp).
[5] Profile of GC Information Technology Services, Chapter 3.0 (www.tbs-sct.gc.ca/cio-dpi/webapps/technology/profil/profil04-eng.asp).