Audit of Information Technology Planning
Final Report
May 14, 2004
Table of Contents
Executive Summary
1.0 Introduction
1.1 Background
1.2 Objectives of the Audit
1.3 Scope of the Audit
1.4 Audit Approach
2.0 Audit Findings
2.1 Management Control Framework
2.2 Investment Management
2.3 Resource Management
2.4 Project Management
3.0 Management Response and Action Plan
Executive Summary
As part of its approved Audit Plan for the 2003-2004 fiscal year,
the Internal Audit and Assurance Directorate of the Corporate Management
Branch of the Public Service Commission (PSC) undertook an Audit
of Information Technology (IT) Planning at the PSC.
The purpose of the audit was to assess the adequacy of the IT planning
process with respect to: priority setting for technology investment;
funding strategies and sources; business case development; and the
decision-making, approval/governance structure. The audit criteria
were based on the Control Objectives for Information and related
Technology (COBIT) Framework, specifically the planning and organization
domain of COBIT, which covers strategy and tactics, and the way IT
can best contribute to the achievement of business objectives.
Recently, the PSC has experienced significant change in terms of
its mandate, structure and resources; this is expected to continue
for the near future. The efficient and effective provision of technology
services is seen as a key component of the PSC's delivery of
its programs, no matter what changes may occur. Having a sound framework
for managing IT will be paramount to the successful use of technology
to advance the goals of the organization.
A framework for managing IT in the PSC exists and the various elements
that make up the framework are defined and available to all staff
on the PSC intranet site. These include IT policies, committees
(mandate, roles and responsibilities), processes (software certification,
project management methodology), and procedures (planning, project
management). The project management framework for planning, developing
and implementing IT projects, if it is consistently followed, provides
a framework for sound project management.
How IT services will be planned and delivered during and after the
transition to the new PSC is an area of concern. Over the last few
years, IT planning has been initiated and a number of processes put
in place to develop an IT plan. However, despite attempts to formalize
and standardize the IT planning process, client commitment to IT
planning has been less than supportive. Arising from a combination
of historical causes and the current organizational changes, the
lack of a partnership between the Information Technology Services
Directorate and the business areas is a hindrance to effective IT
planning.
The audit concluded that there are opportunities for improvement
in the following areas.
- IT planning was initiated but has not been effectively
continued at the PSC. There is no IT strategic plan. In order
to sustain the IT infrastructure and services in support of program
delivery, a formal strategic IT plan is necessary.
- The leadership provided by ITSD and the capability of
the organization to meet PSC business objectives rely heavily
on good communication. The level and type of communication between ITSD and
program branches are not effective. There is tension and distrust
between ITSD and the business areas and there is a lack of partnership
to develop and implement IT activities.
- The PSC is annually investing in IT, i.e. hardware,
software and new application development. It is difficult to ascertain
if the PSC is investing in information technology effectively and at
the level required to effectively support the program areas and to
sustain ongoing IT services. Investment in technology often takes
place in the last quarter using surplus funds.
- Despite recent efforts to address the issue of managing
information resources, the PSC has not addressed the requirement
for an information architecture to optimize the use of information
in the organization. Significant work is needed to develop and implement
an Information Management (IM) infrastructure and capability.
- Assessing risk and ensuring the continued provision
of IT services is an important element of managing IT resources.
- A draft Business Continuity Plan (BCP) has been prepared.
The organization is at risk until the plan is finalized, distributed
and tested in order to ensure the continuity of IT services in the
event of a disaster.
- The department is moving toward risk management; improvements are required
in its application and coverage.
1.0 Introduction
The audit of IT planning at the PSC was approved by the Internal
Audit and Evaluation Committee in accordance with the PSC 2003-2005
Internal Audit Plan. The audit engagement was recommended based on
an assessment of the following risk factors:
- Strategic Planning: Risk that the technology planning
process may not be clearly defined and formalized, resulting in planning
and delivery uncertainties.
- Investment: Risk that the PSC may not be investing adequately
in technology.
- Cost (Duplication): Risk that many duplicate and/or standalone
systems or databases are maintained without a common technology infrastructure,
creating excessive maintenance and overhead costs, unproductive workflow,
and a lack of integrated information to support decision making.
1.1 Background
The PSC is the independent agency responsible for safeguarding the
values of a professional Public Service: competence, non-partisanship
and representativeness. It does this by administering the Public Service Employment Act (PSEA) and a merit-based system and by carrying
out other responsibilities as provided for in the PSEA and the Employment Equity Act (EEA). The mission of the PSC is: to maintain and preserve
a highly competent and qualified Public Service in which appointments
are based on merit; and to ensure that the Public Service is non-partisan
and its members are representative of Canadian society.
The PSC has approximately 1,600 staff, of whom 900 are located in
the National Capital Region. The PSC consists of five branches: Recruitment
and Assessment Services; Learning and Development Programs; Merit
Policy and Accountability; Recourse; and Corporate Management. The
PSC has its national headquarters in Ottawa and operates through
six regional and eleven district offices.
With the passage of the Public Service Modernization Act, the PSC
is undergoing a significant change in terms of its mandate, structure
and resources. However, the efficient and effective provision of
technology services is seen as key to the ongoing effective functioning
of the PSC. Some concern has been expressed about how IT services,
including planning, will be delivered during and after the transition
to the new PSC. Regardless of the future situation, having a sound
framework for managing IT will be paramount to the successful use
of technology to advance the goals of the organization.
The Information Technology Services Directorate (ITSD) functions
under the leadership of the Director General, ITSD as part of the
Corporate Management Branch (CMB). Its resources include some 85
FTEs and $7.2M in salary and non-salary budgets.
There have been and will continue to be significant changes at the
PSC. The executive management team has experienced a number of changes,
for example, a new President and Commissioners and several new
Vice Presidents. The key players of IT planning committees have also
changed several times in the last two years.
1.2 Objectives
The audit objectives were to assess the adequacy of the planning
process with respect to:
- priority setting for technology investment;
- funding strategies and sources;
- business case development; and
- the decision-making/approval/governance structure.
1.3 Scope
Based on the Control Objectives for Information and related Technology
(COBIT) Framework, the audit examined the planning and organization
domain which covers strategy and tactics, and the way IT can best
contribute to the achievement of business objectives. COBIT defines
four domains that group together the processes and activities related
to IT. Furthermore, it covers the planning, communicating and managing
of the steps to support the realization of the strategic vision.
Finally, it examines the organization as well as the technological
infrastructure which is in place.
The audit was limited to the Recruitment and Assessment Services
Branch, Merit Policy and Accountability Branch, Recourse Branch and
Corporate Management Branch and Legal Services which constitute the
future PSC.
1.4 Audit Approach
The audit approach included an extensive review of documented policies,
procedures, guidelines, and plans, and interviews with approximately
25 individuals at various levels across the PSC.
Through the use of an integrated methodology and drawing from the
Information Systems Audit and Control Association's COBIT framework,
the audit team was able to undertake a comprehensive analysis of
the issues and generate this report.
The general approach and methodology were consistent with accepted
practices, processes, procedures and standards as defined by Treasury
Board Secretariat's 2001 Policy on Internal Auditing, the Institute
of Internal Auditors, the Information Systems Audit and Control Association,
and the Canadian Comprehensive Auditing Foundation. Our audit team
conducted this assignment in compliance with these recognized standards
and practices.
The audit is a result of a high degree of cooperation and collaboration
involving IT staff, program staff and their respective managers and
some regional staff.
2.0 Audit Findings
The audit scope included the examination of four major areas. Based
on the results of the audit, the findings are grouped into these
areas.
It is important to note that this is an audit of IT planning at
the PSC, and not solely of planning carried out by ITSD. IT planning
is a corporate activity that requires the efforts, support and commitment
of the whole organization. The IT organization provides the IT leadership,
and is a main player in carrying out the IT planning process.
2.1 Management Control Framework
2.1.1 Organizing
An adequate accountability framework has been defined and includes
a Steering Committee; however, this committee is no longer operating
effectively.
Finding
For the effective delivery of IT services, a governance structure
must be put in place with roles and responsibilities defined and
communicated. An authority and accountability framework must be defined
and followed and an IT Steering Committee established and given the
mandate to strategically direct the organization with respect to
IT.
The PSC intranet site, which is available to all staff, describes
the IT function, organization, policies, committees, roles and responsibilities,
processes, and activities of ITSD. It documents the authority and
accountability framework for IT service delivery.
The e-Business Steering Committee (EBSC) is a subcommittee of the
PSC Executive Management Committee (EMC) with a mandate to maximize
the effective use of information and information technology (I&IT)
in support of the PSC's Strategic Goals and Objectives by:
- developing a client-focused strategic vision for the PSC's use
of I&IT, including the PSC contribution to Government On-Line
(GOL) initiatives;
- developing and managing the implementation of an I&IT Governance
Framework for the PSC, including approval of related principles,
roles and responsibilities, processes and policies, and reviewing
and prioritizing I&IT investments for funding consideration
by EMC; and
- recommending to EMC an Information and Information Technology Strategic
Plan as part of the PSC business planning process.
Although much of the governance structure exists, it is no longer
effective for IT planning purposes. For example, despite the essential
role played by the EBSC, the group has not met regularly for the
last year. In addition, the EBSC has not provided an I&IT Strategic
Plan as part of the PSC business planning process.
Managers interviewed during the course of the audit did not see
the EBSC as an effective committee to ensure the appropriate use
of information technology. For example, the move to shared services
for IT, although a major shift in the IT delivery concept, was never
tabled or discussed by the EBSC. Business managers see a disconnect
between ITSD and the business side of the PSC resulting in a lack
of a partnership in the planning, development and delivery of IT
services. With the many changes coming to the PSC, information sharing
and planning are more critical for the long term delivery of programs
that are highly dependent on IT services.
Conclusion
A governance structure for IT planning has been put in place by
ITSD. If consistently followed, this structure provides a framework
for IT planning. However, it is currently not effective as a mechanism
to plan and manage IT services, as it does not have the full support
of all business areas. The planning structure will only work effectively
when there is a partnership and commitment among ITSD and the business
areas to ensure the effective delivery of IT services.
Recommendation
- It is recommended that the Vice President, Corporate Management
Branch:
- ensure the EBSC becomes more active in the achievement
of its mandate; and
- ensure efforts are made to establish a partnership among
the business areas and ITSD for IT planning and management of IT
resources.
2.1.2 Planning
In order to sustain the IT infrastructure and services in support
of PSC program delivery, a formal and fully documented strategic
plan for IT services is necessary.
Finding
A Strategic IT Plan should strike an optimum balance between information
technology opportunities and the business requirements of the host
organization. The undertaking of a strategic planning process at
regular intervals leads to long-term plans, which are periodically
translated into operational plans and give clear and concrete short-term
goals. Defining a direction takes advantage of available and emerging
technology by creating and maintaining a technological infrastructure
plan.
ITSD supports the PSC Branches in achieving their business goals
and objectives. As part of a planning process, an IT Planning and
Review Group (ITPRG) consisting of ITSD representatives and representatives
of the various Branches of the PSC was created. ITPRG's mandate
is to develop an annual strategic IT plan, through identifying initiatives
within the branches, by providing input into the plan, by prioritizing
and reviewing IT initiatives, and by sharing and exchanging information
about electronic service delivery throughout the year. This process
describes a working partnership through which IT services can be
planned and managed.
However, despite a significant effort by ITSD and branch representatives,
the ITPRG has not developed a strategic IT plan since 2002, but rather
has generated a list of recommended initiatives for approval and
funding by EBSC. The representation at ITPRG has not been effective
as membership continuously changes. There is concern about whether
the members are at the appropriate level to be able to represent
their organization. The ITPRG meetings are no longer viewed by many
business members as a useful exercise. For example, the priority
setting process is seen as flawed as the priorities of the larger
branches and those with more available funding appear to benefit
at the expense of other branches. Many individuals interviewed indicated
that the requirements of smaller initiatives were not given serious
consideration even though from an operational perspective they were
very important to the delivery of the requesting program.
ITSD has developed a multi-year plan for the ever-greening parts
of the PSC's IT infrastructure. It highlights the financial
requirement to ensure sufficient IT to support the primary business
functions of the PSC. It is based on a cycle of replacement, e.g.,
replacement of desktop computers every three years and an upgrade
of the desktop Operating System and Office Automation Suite, to keep
current with industry trends and government standards. The current
Ever-Green Plan requires updating and is not considered to be effective
because it depends on year-end surplus funds.
ITSD has developed a Systems Rationalization Strategy and Plan.
The focus is on legacy applications that are supposed to be replaced
with more modern solutions in view of the PSC transformation and
the Public Service Recruitment System initiative. These legacy systems
often are not decommissioned and continue to be used. Clients must
be willing to support the turning off of systems that have been replaced;
this is not always the case at the PSC. Systems rationalization involves
assessing systems and their maintenance costs and decommissioning
the appropriate system at the appropriate time. Although this was
productive, it is not clear how it integrates with the Ever-Green
Plan or the Short-Term IT Plan.
Conclusion
Although IT planning was initiated through ITSD, it has not been
effectively supported or continued at the PSC. This puts the ongoing
availability of the IT infrastructure and services and, subsequently,
the delivery of business programs at risk.
Recommendation
- It is recommended that the Vice President, Corporate Management
Branch:
- ensure the implementation of a Strategic IT Planning
process that results in:
- a strategic IT plan;
- an evergreen plan;
- a systems rationalization plan;
- an IT operational plan; and
- a partnership between ITSD and business areas in the planning process.
2.1.3 Communicating and Leadership
The leadership provided by ITSD and the capability of the organization
to meet PSC business objectives rely heavily on good communication;
however, the level and type of communication between ITSD and program
branches is not effective.
Finding
Communicating is a key element in creating a positive work environment,
and fostering the necessary sense of partnership between the IT service
provider (ITSD) and the service consumers (the business lines). Management
aims and direction need to be communicated to ensure user awareness
and understanding, by establishing and communicating policies and
standards to translate the strategic options into practical and usable
user rules/procedures. It is also important for the IT group to understand
the business lines.
IT policies and standards are available to staff on the intranet
site. We found that staff interviewed are aware of their availability
and content. Reminders are issued by ITSD on employees' obligations
to comply with the policies and procedures.
Memoranda of Understanding (MOU) have been or are being developed between
ITSD and PSC directorates to provide a framework for responsibilities
and accountability. The MOU details the specific services to be provided
by ITSD to the directorate within appropriate budget, efficiency,
quality and time frame controls.
Each member of the ITSD management team has been assigned a number
of branches, regions or directorates. The level and depth of the
interaction has varied from client to client. Some have met with
their ITSD representative on a regularly scheduled basis. For others
it has rarely occurred. Most clients do not see this arrangement
as an effective means to communicate. They felt these were one-sided
efforts with little information, direction or leadership coming
from ITSD.
Committees such as the ITPRG are not seen as a good forum for exchanging
information and are perceived to be more beneficial to ITSD than
the business areas. The recent announcement of the move to shared
services without consultation of its partners has increased a pre-existing
concern about whether ITSD considered its clients to be partners
in the effective delivery of IT services.
Conclusion
There is a lack of cooperation and partnership among the business
areas and ITSD, and scepticism among business areas of ITSD's
commitment to client requirements and service. This is not a recent
issue.
Recommendation
- It is recommended that the Vice President, Corporate Management
Branch:
- ensure better mechanisms for client support and commitment
to IT planning;
- promote an environment of client consultation, partnership, and full
disclosure;
- promote a planning process that enables clients to feel their needs
are understood and considered in the IT planning process; and
- ensure ITSD provides IT leadership to the PSC.
2.2 Investment Management
The PSC is annually investing in information technology, in terms
of hardware and software as well as new application development.
It is not evident whether such investments are at the level required
to effectively sustain ongoing IT services.
Finding
An effective investment management process is essential in ensuring
that sufficient funding is available to sustain the IT infrastructure
at a level sufficient to support business requirements. An IT operational
budget should be established and approved by the organization, which
is in line with the organization's short-term and long-term
budget, business and IT plans. Actual spending should be done in
accordance with the organization's processes and procedures.
Finally, the delivery of IT services should be cost justified and
in line with industry costs.
ITSD's operating budget is established and approved each fiscal
year. A-Base costs are managed as per PSC processes and procedures.
ITSD has started to record staff time in an effort to more effectively
cost services.
The PSC still tends to operate on a "year-end money" investment
basis. Previously, year-end surplus funds were used to upgrade the
technical infrastructure. In each last quarter there would be acquisition
of hardware and software in line with the Evergreen replacement time-lines
and PSC IT standards. These large volume acquisitions were seen as
more cost-effective than smaller purchases. However, with this method
of replacement there is a risk that the infrastructure will not be
upgraded if a spending freeze is imposed. It is the perception of
many business areas that IT costs are simply increasing without substantiation.
Generating, managing and reporting on key information is essential
in actively managing the overall PSC IT investment. No standard costing
structure exists to support the full cost of IT across the PSC, although
efforts have been made recently to develop an IT Costing Model. The
effort to arrive at an overall IT cost for the PSC has not been supported
by the client branches.
Conclusion
It is difficult to ascertain if the PSC is investing in information
technology effectively and whether it is at the level required to
effectively support the program areas and to sustain ongoing IT services.
Recommendation
- It is recommended that the Vice President, Corporate Management
Branch:
- ensure the collection of appropriate IT statistics and
costs to support the investment in IT services;
- ensure that full costs for IT in the PSC are recorded, analyzed and reported;
and
- address the year-end funding issue in the PSC.
2.3 Resource Management
2.3.1 Manage Human Resources
Finding
Sound human resources management requires effective determination
of the number and level of staff required, work descriptions, objective
and measurable performance evaluation, and assessment of the skills
of current employees. The objective is to maximize personnel contributions
to the IT process through sound management techniques.
In 2002, ITSD developed an ITSD Technology Vision: Strategic Value
Through People and Partnerships. It states, "ITSD's strategic
initiatives target three areas: investments in our people, investments
in the technology infrastructure, and investments in Internet-based
e-tools." Since then, ITSD management has placed a high priority
on ensuring that all staff understand and support this vision.
A new organizational structure was implemented, and a new management
team established. A staff stabilization exercise was completed through
competitive processes. A restructuring of the ITSD offices was designed
to put a "new face" on the organization and improve employee
working conditions. A fish mascot "Chuck Highliner" was
chosen, and customer service and teamwork were promoted through four
key behaviours: Have fun; Make their day; Be there; and, Attitude.
All ITSD employees receive an annual, written performance evaluation
highlighting their accomplishments. A training plan for each employee
is completed based on this performance evaluation. ITSD is committed
to creating a learning organization through investments in the training
and development of our people.
The PSC is in a state of significant change as the result of the
Public Service Modernization Act (PSMA) and other politically initiated
changes. ITSD is in a state of flux now as plans are made for a shift
to a shared services model of operation.
Conclusion
Despite the current environment of significant change, ITSD is attempting
to manage its human resources as effectively as possible.
2.3.2 Manage Information Resources
Although recent efforts have started to address the issue of managing
information resources, the PSC has not addressed the requirement
for an information architecture to optimize the use of information
in the organization.
Finding
Information for the PSC, as a knowledge-based organization, is a
primary resource for operations. All services provided to internal
and external clients involve information. Consequently, its management
throughout its life-cycle is essential for effective and efficient
service delivery. All three types of information (corporate, operational
and management) must have features of quality, accuracy, integrity
and reliability, if effective decision making is to take place. A
successful IM strategy depends on a strong underlying architecture.
This would include IM policies, an IM governance and accountability
framework, IM standards and practices, technology based systems,
and trained resources.
The PSC is in the process of developing an IM strategy and vision.
An IM Committee, chaired by the Director General (DG), ITSD as
Chief Information Officer (CIO), has responsibility for developing
a strategy that includes both electronic and paper-based information
and its security. The initial vision is organization-oriented and
does not reflect the actual data architecture and delivery. There
is concern by business managers that the focus is on the technology
and not the business lines. With the CIO role being in ITSD, it
is critical that ITSD understand the issues facing service delivery.
Interviews raised concern that ITSD did not have this understanding
and that there is currently no real information architecture. The
new PSC will be almost exclusively a knowledge-based organization.
With the discussion of shared services and the potential of IT
moving to another organization, the location of the IM function
is a concern.
The PSC has used the Information Management Capacity Check (developed
by the National Archives of Canada) to assess its IM deficit and
to develop an action plan and strategy to build its IM capacity.
The assessment uses five levels of rating: non-existent (1); early
stages of development (2); good management practices (3); advanced
(4); and best practice (5). The IM Capacity Check assesses an organization
against criteria in the following six areas:
- organizational context - capacity to support, sustain and strengthen
IM capabilities;
- organizational - capacity to develop people, process and technology
resources required for sound IM;
- management of IM - capacity to effectively manage activities in support
of IM as it relates to the effective delivery of programs and services;
- compliance and quality - capacity to ensure information holdings
are not compromised;
- information life cycle - capacity to support each phase of the information
life cycle; and
- user perspective - capacity to meet the information needs of all
users.
The results of this assessment concluded that the PSC on average
rated a one or two in all categories.
Conclusion
The PSC has identified the need for information management and has
completed significant effort such as the Information Management Capacity
Check and the IM Strategy and Vision. However, more work is needed
before the PSC develops and implements an effective IM infrastructure
and capability.
Recommendation
- It is recommended that the Vice President, Corporate Management
Branch:
- ensure that an information management framework is developed
and implemented consisting of:
- a strategic IM vision;
- an appropriate accountability structure; and
- an information architecture for the PSC.
2.3.3 Risk Management and Continuity Planning
While some Threat Risk Assessments have been completed, they have
not been completed for all IT systems, services and facilities, making
it difficult to determine whether sufficient safeguards exist to
respond to a threat to the provision of IT services.
A draft Business Continuity Plan (BCP) has been prepared; however,
until it has been finalized, distributed and tested, the organization
is at risk of not being able to provide continued IT services if
there is a disaster.
Finding
Assessing risk helps to ensure the achievement of IT objectives
and the necessary responses to threats to the provision of IT services.
A risk assessment framework includes different kinds of IT risks
such as technology, security, continuity and regulatory.
The Public Service of Canada is moving toward a risk management
approach to the work environment. The government's risk management
policy makes it incumbent on managers to be informed about the security
threats, vulnerabilities, impacts and risks to which their business
operations may be subject. The standard approach to assessing risk
is the use of the Threat and Risk Assessment (TRA).
At the PSC, all new information systems development projects operating
under the IT Project Management Framework are required to do TRAs
at various stages of development. Major projects have completed TRAs.
However, there has not been a TRA of the technical infrastructure.
It is important that IT risk assessment is linked to the overall
risk framework and business of the organization. To date, TRAs carried
out at the PSC seem to be focussed on specific IT applications and
services, and not linked to overall business delivery.
Federal government policy requires departments and agencies to establish
a business continuity planning program to provide for the continued
availability of critical services and assets. The program must include
a governance structure, monitoring of overall readiness, and continuous
review, testing and audit of the Program.
Like most departments and agencies, the PSC developed a BCP for
IT as part of its Year 2000 business resumption planning. More recently
a draft BCP was prepared and discussed at Executive Management Committee.
The PSC is now waiting for Treasury Board standards to be produced
in order to create a final version.
Conclusion
Although the department is moving toward security risk management,
improvements are required in the application and coverage of the
process. The PSC requires a final BCP for IT services, but it must
reflect the reality of PSC services.
Recommendation
- It is recommended that the Vice President, Corporate Management
Branch:
- ensure a review of the IT risk assessment process and
initiate improvements to expand and broaden its coverage to align
with the PSC risk management framework;
- pending finalization of government-wide standards, ensure that updated
plans for all business operations at all sites are in place to
provide for the continued availability of IT services and assets; and
- ensure an overall Threat Risk Assessment is conducted for the PSC.
2.4 Project Management
2.4.1 Organization and Management
Finding
Project success is more likely when effective project management
occurs. This requires sound management techniques, complete system
planning, and formal processes to manage risks that comply with organizational
standards and constraints.
The definition of I/IT projects has been established. A committee
structure for review and approval has been implemented. The e-Business
Steering Committee (EBSC) approves and reviews projects over $50K.
The Project Review Committee is the authority on policies, architecture,
guidelines and standards used to plan and manage IT development
projects. It has the authority to approve projects under $50K,
make recommendations on projects going to EBSC for approval, and
monitor projects. It ensures projects progress efficiently and
effectively while responding to the strategic objectives of the
PSC.
A Technical Review Committee has been established as the authority
on the IT framework for policies, architecture, guidelines and standards
used to plan and manage the technical soundness of IT projects. This
is achieved through screening of project initiation forms and project
proposal documents. In addition, the committee reviews risk management
plans and privacy impact assessments to ensure risks associated with
new technology or conformance to the architecture or performance
are known. This Committee also approves major changes and configuration
management of the PSC infrastructure.
All policies and procedures with respect to projects are available
to all staff through the PSC intranet site. Staff interviewed as
part of this audit were aware of the processes to be followed. The
audit did not confirm that the processes were being followed for
all projects. Currently the largest projects fall within this framework.
Conclusion
The PSC, through ITSD, has established a project management framework
to plan, develop and implement IT projects. If it is consistently
followed, it provides for sound project management.
2.4.2 Project Control
Finding
Formal processes used to control projects should include areas such
as: project planning; project tracking and oversight; quality assurance;
configuration management; and systems development methodology.
A project development methodology has been developed which is based
on the Treasury Board's Enhanced Management Framework for IT
Projects. It is a risk-based approach, which is available on the
PSC intranet site, and is to be followed by I/IT projects. A change
management process has been established and all software is to be
certified by ITSD before going into production. A test laboratory
is available to project developers for testing; however, there are
concerns about the amount of time it takes to set it up for testing
a new version or upgrade.
The Project Review and Technical Review committees monitor project
progress. We found that written status reports are not always completed.
Minutes of meetings usually comprise the formal documentation of
status.
Conclusion
Formal processes have been established with the intent of ensuring
that projects are controlled during planning, development and implementation.
3.0 Management Response and Action Plan
Recommendations | Responsibility | Action Planned |
1. It is recommended that the
Vice President, Corporate Management Branch:
• ensure the EBSC becomes more active in the achievement
of its mandate; and
• ensure efforts are made to establish a partnership among the business
areas and ITSD for IT planning and management of IT resources. |
VP, CMB |
The PSC supports
this recommendation and recognizes that the current IT planning
and accountability framework is not fully effective, although
efforts were made to establish partnerships.
The PSC is in the process of establishing a new IT Committee
that will meet on a regular basis (monthly) and will be chaired
by a Vice-President from one of the program areas. The new
IT committee will serve to highlight IT interdependencies with
other directorates within the PSC. Status updates on projects
and government IT trends could be a standing agenda item, but
the focus will be on the appropriate transformation of PSC
operations and business activities. EMC will be assured that
recommendations put forward will have arisen from a consultative
process. Secretariat support will be provided by ITSD.
Target date: June 2004 |
2. It is recommended that the
Vice President, Corporate Management Branch:
Ensure the development of a Strategic IT Plan process that
includes:
• a strategic IT plan;
• an evergreen plan;
• a systems rationalization plan;
• an IT operational plan; and
• a partnership between ITSD and business areas in the planning process. |
VP, CMB |
The PSC supports this recommendation.
Through the new IT committee, the PSC is working towards establishing
an integrated corporate planning function in which the various
components of a Strategic IT plan will be included. Any on-going
maintenance costs incurred by deviating from the plan will be
presented to the IT Committee. The IT Committee will ensure consultation
in the planning process and continual feedback between the working
and executive levels.
The PSC is in the process of conducting an in-depth needs
analysis (to rationalize usage of IT services) and developing
guiding principles and policies on IT equipment that will result
in the development of evergreen plans in the domain of both
hardware and infrastructure.
Target date: June 2004 |
3. It is recommended that the
Vice President, Corporate Management Branch:
• ensure better mechanisms of communication are implemented;
• promote an environment of client consultation and partnership; and,
• ensure ITSD provides IT leadership to the PSC. |
VP, CMB
DG ITSD |
The PSC supports this recommendation.
The VP CMB will solicit assistance from the DG, Communications
to ensure mechanisms for communicating are refined and implemented.
The messages articulated in the IT Vision and Strategic Direction
will be tailored to the branches and functional communities and
presented clearly using a communication style appropriate to
the situation. ITSD will pursue its efforts to ensure leadership
and promote consultation and partnership through various events
and initiatives such as the service catalogue, the Technology
Partners Conference, open house, planning day with branch representatives,
citizenship ceremony, Volunteer Day, etc. ITSD has and will continue
to foster good relationships with the IT community at large.
ITSD will demonstrate community leadership this year through
active participation in Agriculture Canada's innovative 'pre-qualified
pool' staffing initiative. The formation of an IT Committee,
meeting monthly and chaired by a Branch VP, will serve to promote
an environment of client consultation and partnership.
Target date: Continuous throughout the year. |
4. It is recommended that the
Vice President, Corporate Management Branch:
• ensure the collection of appropriate IT statistics
and costs to support the investment in IT services;
• ensure that full costs for IT in the PSC are recorded, analyzed and reported; and
• address the year-end funding issue in the PSC. |
VP, CMB |
The PSC supports this recommendation.
CMB is actively engaged in gaining an understanding of the full
cost of technology support within the PSC along with the future
costs based on a needs assessment. CMB will provide a cost per
desktop and the proportional cost per branch for further analysis
and refinement along with options by the end of May 2004. Based
on private industry and other government departments, the IT group
will expand the set of appropriate statistics to support investment
decisions. This will be done in consultation and with input from
branch heads. The year-end funding model will be addressed by
senior management since funding allocations and spending need
to be viewed from a PSC business and operational perspective.
Target date: September 2004 |
5. It is recommended that the
Vice President, Corporate Management Branch:
Ensure an Information Management framework is developed and
implemented consisting of:
• a strategic IM vision;
• an appropriate accountability structure; and
• an information architecture for the PSC. |
VP - CMB
DG ITSD |
The PSC supports this recommendation.
The PSC is in the process of refining the tabled IM strategy,
vision and accountability structure and will do so before developing
an information architecture. Given the PSC's changing
environment, a delegation model will be discussed and refined
through consultation and will be demonstrated in incremental
fashion.
Target date: September 2004 |
6. It is recommended that the
Vice President, Corporate Management Branch:
• ensure a review of the IT risk assessment process and initiate
improvements to expand and broaden coverage to align with the
PSC risk management framework;
• pending finalization of government-wide standards, ensure that updated
plans for all business operations at all sites are in place to provide for the
continued availability of IT services and assets; and
• ensure an overall Threat Risk Assessment is conducted for the PSC. |
VP CMB |
The PSC supports this recommendation.
The VP CMB and the DG, ITSD will review the PSC risk management
framework and integrate IT risk management into the overall IT
Strategy and Management Framework, and the PSC Risk Management
Framework.
As an initial step, in 2003, the DG ITSD mapped the PSC Project
Management (PM) framework to the TB Enhanced Management Framework.
Based on this mapping exercise, a Risk Assessment and Review
Document (RAID) was incorporated into the Project Management
Framework. In addition, an IT Business Continuity Plan was
developed for HQ and tabled at EMC. For major projects a TRA
and Privacy Impact Assessment is performed.
Pending finalization of government-wide standards, the VP,
CMB, in partnership with branch heads will update plans for
all business operations at all sites for the continued availability
of IT services and assets.
Further study on the cost, timing and resource implications
is required before committing to an overall TRA for the PSC.
Target date: Incrementally as resources permit |