Audit of Governance of Information Management
As part of the 2010–2011 departmental Audit and Evaluation Plan recommended by the External Audit Advisory Committee (EAAC), Internal Audit was tasked with the conduct of an audit of the governance of information management (IM). The audit team engaged the John Burns Centre for Public Management Inc. (CPM) to carry out this audit.
Information management involves the management of information (that has business value) throughout the information’s entire life cycle. This includes the management of information from collection or creation of the information right through to its final disposition. It also includes all of the planning and architectural work that is involved in ensuring that the information is adequately maintained. It includes managing information stored on all media and formats.
The Government of Canada’s Policy on Information Management assigns roles and responsibilities generally to managers and employees and specifically to the IM Senior Officer (IMSO) who is, in the case of Environment Canada (EC), also our Chief Information Officer (CIO). At various fora, including the Internal Auditors Network, the Government of Canada has expressed concern with departments’ ability to maintain the public record (and corporate memory). This concern has been addressed in the TB Directive on Recordkeeping, which was introduced in 2009 and comes fully into effect in 2014. The directive derives its authority from the Library and Archives of Canada Act, the Financial Administration Act and the Access to Information Act.
During fiscal year 2010–2011 (the period covered by the audit), the governance of IM was provided within EC by the Information Management Directorate (IMD) in the Chief Information Officer Branch (CIOB). In early 2011–2012, the CIOB was renamed the Corporate Services Branch (CSB). For consistency, this report will refer to the organizational structure as it existed at the time of the audit fieldwork.
EC manages a lot of information, both unstructured and structured.[1] For example, in the National Capital Region (NCR), EC manages nearly 30 terabytes of unstructured information (correspondence, reports, websites, etc.). This national information is often replicated and augmented by information generated in the regions.
Except for corporate data such as finance and HR, structured data is more branch-specific. A single branch (the Meteorological Service of Canada (MSC)) generates roughly 10,000 terabytes for weather and environmental science. Further, EC scientists collect and manage many hundreds of data sets in connection with their scientific research. Many of these datasets are enormous but fairly simple, while others have relatively few records but contain complex information. Prior audit work has found that there is no consistent method for managing this structured data from branch to branch and from region to region. Consistent management of this data by programs would allow for the leveraging of this data for future research projects, research by third parties and decision making.
Access to timely, accurate and reliable information is an essential component for decision making and overall performance. EC relies on the effective governance of IM as a critical success factor towards accomplishing departmental objectives.
Information management issues have plagued departments across government for many years, so it is not surprising to find that EC has also been experiencing many seemingly intractable issues of its own. A number of the recommendations arising from the Review of Information Management conducted in 2001 are still outstanding 10 years later.
Although EC’s IM governance received a strong rating in the Management Accountability Framework (MAF) Round VIII results, that assessment did identify opportunities for improvement in the area of IM. Risk assessment work performed as part of the scoping exercise for this audit confirms the significance of these opportunities for improvement as well as highlighting a few more.
A preliminary risk assessment was conducted at the beginning of this audit and its results are available in the Audit Plan document. The risk assessment gave rise to the following audit objectives to provide assurance that:
- EC IM governance (i.e. management accountability for IM, governance committees, the IM strategic plan, roles and responsibilities and linkage to GoC-wide IM strategy) supports strong IM corporate processes and awareness;
- the Department is making progress towards compliance with the TB Directive on Recordkeeping and related aspects of the Library and Archives of Canada Act;
- IM processes related to classification of information meet the needs of EC in relation to the confidentiality, integrity and availability of information; and
- IM tools and processes facilitate EC’s operational and administrative requirements.
Further, in order to improve the efficiency of the follow-up process, a final objective was to establish whether outstanding recommendations from the 2001 audit are still applicable and have them addressed by the action plan for this audit.
The management of all records[2] related to the business of the Department, regardless of format, was included. As a result of the risk assessment and in consideration of work from previous audits, the audit fieldwork focused almost exclusively on the management of unstructured information within the Department. Thus, library services and structured data were considered to be out of scope.
Within the context of unstructured information, the audit considered IM governance activities within the whole of EC for fiscal year 2010–2011. All of the audit work was carried out in the National Capital Region (NCR); auditing of regional activity was limited to document reviews and interviews conducted by teleconference.
All related and relevant documentation and materials, such as policies, procedures and standards, along with pertinent information regarding the IM governance framework at EC, the work of committees and previous audit results were reviewed.
Sixteen key stakeholders across the organization were interviewed to gain an understanding of all the main governance activities, including three members of the IM Directorate, two regional IM representatives, and eleven users of information across the organization. Eight of the stakeholders interviewed were in the executive ranks and eight were managers or information users.
The audit team developed testing checklists based on established audit criteria (Annex A) and on requirements outlined in applicable directives and policies, including:
- the TB Directive on Information Management Roles and Responsibilities;
- the TB Policy on Information Management;
- the TB Directive on Recordkeeping; and
- the Library and Archives of Canada Act.
1.5 Statement of Assurance
This audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury Board of Canada Secretariat.
In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations, as they existed at the time, against the audit criteria.
1. Structured data is a term for data that is stored in predetermined fields in a relational table or other database. Structured data is often codified. Unstructured data, on the other hand, such as e-mails, reports, agendas and records of decision, is less rigid in its format and content.
2. “Records” as defined in the Library and Archives of Canada Act.