May 2010
Generally, information represents one of the more valuable assets for an organization’s operations. Information Management and Information Technology (IM/IT) governance integrates and institutionalizes good practices to ensure that IM/IT supports business objectives by maximizing benefits, capitalizing on opportunities, and gaining improved business services.
The objective of this audit as approved in the 2006-2009 Audit Plan is to conduct an audit, under the Treasury Board of Canada’s Policy on Internal Audit, to provide assurance to the President and Senior Management on the adequacy and effectiveness of the governance controls over Information Management and Information Technology. The scope of the audit included an examination of the activities in the Office of the Chief Information Officer (OCIO) during the period November 2008 to March 2009.
Finding 1: Function and Project Oversight
The existing governance committee structure does not provide comprehensive oversight for the IM/IT function.
Recommendation 1:
The VP, Finance, Administration and Information Technology should ensure the establishment and implementation of a senior management IM/IT oversight committee and a comprehensive supporting committee structure.
Finding 2: Management of Information and the Delivery of IT Services
The management of information and delivery of IT services are not well planned, formalized or monitored.
Recommendation 2:
The VP, Finance, Administration and Information Technology should strengthen management practices to ensure that the management of information and delivery of IT services is well planned, formalized and monitored.
Finding 3: IM/IT Policies and Procedures
A full suite of IM/IT policies and procedures has not been established, approved and communicated.
Recommendation 3:
The VP, Finance, Administration and Information Technology should develop and implement a consistent policy framework with consideration being given to the Treasury Board policy suite renewal. The CIO should produce approved policies and procedures in keeping with this framework.
Finding 4: Systems Development
Information systems are not developed using current practices or in compliance with Treasury Board policy.
Recommendation 4:
The VP, Finance, Administration and Information Technology should ensure that systems development processes meet current and accepted industry practices and Treasury Board requirements.
Finding 5: Management of High Risk Initiatives
High risk initiatives are not adequately managed and IM/IT activities do not meet government operational security expectations.
Recommendation 5:
The VP, Finance, Administration and Information Technology should ensure that MITS requirements are fully implemented and accurately reported within a reasonable timeframe.
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.
In my opinion, CFIA Information Management and Information Technology governance has deficiencies that represent multiple areas of risk exposure requiring significant improvements related to the governance, control, and risk management processes.[1]
Peter Everson
Chief Audit Executive, Canadian Food Inspection Agency
Generally, information represents one of the more valuable assets for an organization's operations. Information Management and Information Technology (IM/IT) governance integrates and institutionalizes good practices to ensure that IM/IT supports business objectives by maximizing benefits, capitalizing on opportunities, and gaining improved business services.
The objective of this audit as approved in the revised 2006-2009 Audit Plan is to conduct an audit, under the Treasury Board of Canada's Policy on Internal Audit, to provide assurance to the President and Senior Management on the adequacy and effectiveness of the governance controls over Information Management and Information Technology.
The scope of the audit included an examination of the activities in the Office of the Chief Information Officer (OCIO) during the period November 2008 to March 2009.
To help organizations achieve their IM/IT outcomes, several frameworks for control have been introduced. Control Objectives for Information Technology (COBIT) is an industry standard that is widely accepted as a baseline of best practices and is used in IM/IT circles as a guide to directing and controlling IM/IT activities (see Appendix A). This audit of IM/IT governance was conducted using compliance with COBIT guidance to identify areas where adequate and efficient control processes exist and are operating as intended, and where improvements might be possible. The COBIT focus areas included:
An audit program was designed using COBIT as a basis for audit objectives and criteria. We conducted interviews with the Office of the Chief Information Officer (OCIO), and Departmental Security Officer (DSO) personnel at CFIA. Three information systems under development were examined for compliance with expected system development practices. These included Laboratory Sample Tracking System (LSTS), Compliance Verification System (CVS) and Single Window Import initiative. Interviews were documented and documents analyzed and appropriate tests were performed to corroborate information that was obtained.
This section presents detailed findings from the audit of IM/IT governance in the Office of the Chief Information Officer (OCIO). Findings are based on the evidence and analysis from both our initial risk analysis and detailed audit conduct.
We would expect that the IM/IT function is managed through a committee structure that advises on strategic direction and reviews major investments on behalf of the Management Committee.
Strategic decisions for projects are made at the Sub-Committee on Information Management and Technology (SCIMT) rather than the senior Science and Technology (S&T) Committee or a high-level senior management IM/IT Steering Committee that provides oversight in meeting business and strategic objectives. SCIMT permits non-official members to make decisions. No architecture committee has been established to coordinate the evolution of the enterprise architecture for information, infrastructure, applications and security.
Other committees intended to provide input on IM/IT priorities and monitor projects, such as the Regular Business Application Committee (BAC), the Corporate Support and Managed Services Committee (CSMSC) and the Essential Infrastructure Committee (EIC), are not meeting regularly due to lack of attendance by members.
In terms of our review, governance was inconsistent: a Project Steering Committee was not established for a significant project such as the Compliance Verification System (CVS), while an effective steering committee was in place for the Data Centre Project. A two-project-leader approach is used, where system development and the business area each provide a project manager to jointly manage a project.
There is a risk that IM/IT strategic decisions and activities will not fully consider the business objectives of the Agency. In addition, the risk also exists that project decisions will not be made by appropriate personnel on a timely basis to deliver IM/IT projects successfully (on time, within budget and meeting the user requirements).
Recommendation 1:
The VP, Finance, Administration and Information Technology should ensure the establishment and implementation of a senior management IM/IT oversight committee and a comprehensive supporting committee structure.
We would expect that both information management and IT services are properly planned, communicated and aligned with the corporate business strategy and plans.
There is currently no information architecture, no enterprise data dictionary to manage electronic information and no enterprise content management system.
IM/IT planning is incomplete and not monitored. Examples include IM/IT strategic planning that is not linked to business and technical strategies, and operational plans that are not developed from strategic plans or with business area input. IM/IT has no service catalogue, no service level agreements and no mechanism for identifying the cost and performance of services.
IM/IT processes are not formalized, clearly defined or approved; nor are they monitored for compliance with expectations. Processes are not being performed in a consistent manner (e.g. virus procedures are not defined with clear roles and responsibilities, nor monitored and corrected on a timely basis).
A regular replacement and upgrade program does not exist for computer equipment and desktop software. Computer hardware was being purchased using funding that would lapse at the end of the year, and the purchases were then warehoused. For the past two years no new desktop computers were purchased, significantly aging the asset base and requiring significant capital funding for 2009-10 and future years. The planned upgrade for desktop software has been deferred due to funding.
The risk is uneconomical, inefficient and ineffective delivery of IT services and information management for the Agency. CFIA is specifically at risk because technical advancements and current services are being implemented and delivered on an aging IT infrastructure.
Recommendation 2:
The VP, Finance, Administration and Information Technology should strengthen management practices to ensure that the management of information and delivery of IT services is well planned, formalized and monitored.
We would expect that a suite of policies and procedures exists and is approved by the Senior Management Committee to support the IM/IT strategy. We would expect that policies and procedures are communicated to all staff, with clear accountabilities and that they be periodically reviewed for relevance. We would expect that standards, procedures and practices are identified and maintained for key IM/IT processes.
Numerous draft policies and procedures are incomplete or unapproved (for example, the IT Security Framework, the Certification and Accreditation Framework and the Security Incident Response Policy). Many IM/IT policy initiatives have not been submitted for policy implementation tracking.
The draft Finance, Administration and Information Technology (FAIT) policy framework also does not require instruments to be formally approved by CFIA's Senior Management Committee (SMC). However, they are approved by the Resource Management and Oversight Committee (RMOC).
There is no Agency-wide policy framework, and each Branch has adopted its own set of policy instruments, structure and contents. The draft FAIT policy framework does not specify the various policy instruments and their purposes so as to provide for consistent content.
Current IM/IT policies and procedures differ from the structure of Treasury Board's policy suite renewal, which is designed to better align responsibilities and accountabilities in the federal government (i.e. Policy, Directives, Standards, Guidelines, Tools).
The risk associated with not having an up-to-date set of approved policy instruments is that accountabilities, roles and responsibilities are unclear and that staff may not perform work in a consistent, high-quality and repeatable fashion.
Recommendation 3:
The VP, Finance, Administration and Information Technology should develop and implement a consistent policy framework with consideration being given to the Treasury Board policy suite renewal. The CIO should produce approved policies and procedures in keeping with this framework.
We would expect that an IM/IT project management framework - consistent with applicable Treasury Board policies - is used to guide the development of information systems; on time, within budget and meeting user requirements.
The current IM/IT Project Management Framework is inadequate as it does not include all project phases from project initiation to obsolescence. Also, it does not provide guidance for best practices in managing projects nor incorporate the information security requirements.
The framework is not being followed in the development of information systems. For the two development projects reviewed, Laboratory Sample Tracking System (LSTS) and Compliance Verification System (CVS), we found that no business cases were prepared and that the projects were non-compliant with the Treasury Board Project Approval Policy regarding their approval.
Project management practices were not effective in delivering projects. LSTS for example, was originally to cost $1.2 million and take two years to complete. The project is still under construction and total project costs reported in the Capital Project Briefs have increased from the original $1.2 million in 2005-06 to $4.4 million in 2006-07, $4.8 million in 2007-08 and $7.4 million in 2008-09.
We found that Project Managers do not follow project management practices as per the Treasury Board Project Management Policy and do not receive adequate training. The Project Management Office does not effectively monitor project deliverables.
The risk associated with not following an approved framework is that projects will continue to be developed late, over budget, and without meeting the users' functional requirements.
Recommendation 4:
The VP, Finance, Administration and Information Technology should ensure that project management processes meet current and accepted industry practices and Treasury Board requirements.
We would expect that the management of IM/IT activities would adhere to TB's Management of Information Technology Security (MITS) operational security standard. MITS is a government-wide initiative and encompasses numerous information security controls that reduce the risk of threats against Agency information.
Several high risk situations exist where appropriate corrective action has not been taken. These include:
These high risk situations represent an overall security risk profile that may not be acceptable to the Agency. Without action, Agency operations will continue to be vulnerable to numerous threats to its information and assets and may be unable to sustain its mission during an incident.
Recommendation 5:
The VP, Finance, Administration and Information Technology should ensure that MITS requirements are fully implemented and accurately reported within a reasonable timeframe.
General Response:
We concur with the findings.
The IM/IT function at CFIA is undergoing significant changes as a result of increasing awareness of the importance of this function to the overall direction and effectiveness of the delivery of the Agency's mandate. This change needs to be supported by consistent and continuous engagement between the partners charged with this function: the business lines and the OCIO.
There is an existing governance model for this function. The current model holds the CIO responsible for all aspects of the IM/IT function, except for the development of applications and systems in support of a business line. In this situation there is dual accountability. Existing committees attempt to allow collective decision-making. The business line side of this balance is disaggregated (individual proponents of individual initiatives) and does not provide leadership of the system changes being delivered on its behalf by the OCIO. For this reason, the governance model needs to be revised to provide clear direction to the CIO, holding him accountable for results.
Appendix B: Management Action Plan
The audit highlighted the need for renewed IM/IT governance and a strong service model that clearly identifies accountabilities within CFIA for operating, maintaining and building IM/IT services. This new model needs to clearly articulate roles, responsibilities and accountabilities and needs to include the Business Lines not just as partners but as Service Owners. A consistent framework from a services perspective will be used to develop this model of roles, responsibilities and accountabilities (framework shown above).
The overall management response to this audit will result in significant changes to the management and oversight of the IM/IT function within the agency along with five main themes as follows:
Management Response:
We concur with the findings and recommendations of the audit.
The Vice-President of FAIT will make proposals to the President for renewed IM/IT Governance based on clearly articulated roles, responsibilities and accountabilities for the IM/IT function in CFIA. Proposals will include the implementation of senior management oversight over the operational functions of the CIO and a governance model that will allow accountable business line leads to provide direction and oversight over IM/IT enabled projects. A consistent framework from a services perspective will be used to develop this model of roles, responsibilities and accountabilities (framework shown above).
Governance
1. The VP, Finance, Administration and Information Technology should establish and ensure the implementation of a senior management IM/IT oversight committee and a comprehensive supporting committee structure.
Proposed Management Actions | Responsible Official | Implementation Date |
---|---|---|
The OCIO will develop and seek approval of an IM/IT service model based on the framework inserted above in the Management Response box. The Service Model will allow the VP FAIT to identify a senior management IM/IT oversight committee and supporting committees. | Chief Information Officer | |
1. Develop and seek approval for an accountability matrix to operate, maintain, and build IM/IT services in the CFIA. | CIO | Q1 FY 2010/11 |
2. Establish an oversight framework for the function where the CIO is the lead. | VP FAIT | Q3 FY 2010/11 |
3. Develop and seek approval for a governance structure based on the framework inserted above in the Management Response box for functions where business lines are the lead. | VP FAIT | Q1 2010/2011 |
4. In the interim, VP FAIT will provide oversight for CIO accountabilities, and RMOC will be asked to provide oversight for those areas where there are business line accountabilities and for resource allocations to IM/IT operations, IM/IT enabled projects and IM/IT projects. | VP FAIT | |
Management Response:
We concur.
Governance
2. The VP, Finance, Administration and Information Technology should strengthen management practices to ensure that the management of information and delivery of IT services is well planned, formalized and monitored.
Proposed Management Actions | Responsible Official | Implementation Date |
---|---|---|
1. CIO will establish a business management capacity which will provide integrated operational and business management for the sector. | Chief Information Officer | April 2011 |
2. A CTO position will be created, reporting directly to the CIO who will be responsible for directing and delivery of IM/IT services to clients effectively and efficiently. | CIO | June 2011 |
3. CIO will develop and seek approval from RMOC or its replacement body in corporate governance for an IM/IT Service Model based on the framework inserted above in the Management Response box for Item #1. | CIO | Q2 FY 2010/11 |
4. SLA will be developed for client service standards, and approved through RMOC, or its successor. | CIO | Starting April 2011 |
5. Formal protocols and operational procedures will be developed and enforced through the CTO. | CIO | Q4 2010/2011 |
6. VP FAIT will provide oversight on CIO operational practices through FAIT B.M.C. | VP FAIT | Now |
7. CIO will develop a multi-phased plan for the development and delivery of core capacity in the service delivery area. | CIO | April 2011 Q2 2010/2011 |
Management Response:
We concur.
Governance
3. The VP, Finance, Administration and Information Technology should develop and implement a consistent policy framework with consideration being given to the Treasury Board policy suite renewal. The CIO should produce approved policies and procedures in keeping with this framework.
Proposed Management Actions | Responsible Official | Implementation Date |
---|---|---|
Develop and implement a consistent policy framework for IM and IT policies. The framework will consider the Treasury Board policy suite renewal and begin with IT Security Policies. | Chief Information Officer | |
1. Within this context, develop an overall administrative policy framework and implementation plan. | VP FAIT | Q1 2010/2011 |
2. Development of the Policy Framework. The policy framework will be approved by RMOC or its successor. | CIO | Q1 FY 2010/11 |
3. Incorporate policies into the framework. | CIO | Q1 – Q2 FY 2010/11; Q2 – Q4 FY 2010/11 |
Management Response:
We concur.
Controls:
4. The VP, Finance, Administration and Information Technology should ensure that systems development processes meet current and accepted industry practices and Treasury Board requirements.
Proposed Management Actions | Responsible Official | Implementation Date |
---|---|---|
1. Create EPMO capacity in VPO FAIT. | VP FAIT | April 2010 |
2. Establish RMOC as project management oversight body. | VP FAIT | April 2010 |
3. Develop and deliver a PMF framework for CFIA. | EPMO | June 2010 |
4. Conduct an independent review of IM/IT enabled projects currently underway to confirm scope, cost estimates and authority levels. | VP FAIT | June 2010 |
5. Establish an EPM project dashboard. | EPMO | Sept. 2010 |
6. Broaden project management currently delivered by OCIO to the executive level and Business Line PM/Project Leader. | EPMO | Sept. 2010 |
7. Review and refresh within the OCIO, ensuring that it is consistent with current industry best practices and meets Treasury Board requirements. | CIO | Q2 FY 2010/11; Q2 – Q4 FY 2010/11 |
8. Review and refresh the OCIO Systems Development Life Cycle (SDLC), taking into consideration best practices (industry and government) for currently accepted processes and emerging approaches for systems development. | CIO | Q2 FY 2010/11; Q2 – Q4 FY 2010/11 |
Management Response:
We concur.
Risk Management:
5. The VP, Finance, Administration and Information Technology should ensure that MITS requirements are fully implemented and accurately reported within a reasonable timeframe.
Proposed Management Actions | Responsible Official | Implementation Date |
---|---|---|
1. A review of the status of MITS compliance is being conducted and a costed delivery plan developed. Progress on MITS is subject to two constraints: funding and capabilities at the GOC level. | Director, IT Security | Q1 2010/2011 |
2. An IT Security workplan is being developed, in alignment with larger compliance requirements under the Policy on Government Security. Attention will be given to the highest risk elements to bring IT Security to a position of acceptable compliance with MITS requirements. This plan will be approved by RMOC or its replacement committee. | CIO | Q4 2010/2011 |
[1] The audit opinion is based on overall materiality and risk as represented by the noteworthy findings and recommendations reported.