Archived information

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Audit of Records Management

Harnessing the Power of Information

Foreign Affairs and International Trade Canada
Office of the Chief Audit Executive

September 2012

Executive Summary

In accordance with its approved Risk-Based Audit Plan for 2011-2012, the Office of the Chief Audit Executive conducted an internal audit of records management at the Department of Foreign Affairs and International Trade (DFAIT). Within the overall theme of information management, this records management component was identified as the next priority, in a planned suite of audits, by the Departmental Audit Committee. This is a reflection of the elevated information management risk outlined in the 2011-2012 Corporate Risk Profile. This audit work also builds upon the results of the Horizontal Internal Audit of Electronic Recordkeeping (Footnote 1) conducted by the Office of the Comptroller General in 2010-2011.

Records management comprises the creation, receipt, maintenance, use, safeguarding and disposal of records of business value. The Treasury Board of Canada Directive on Recordkeeping defines information of business value as published and unpublished records that enable and document decision making in support of programs, services and on-going operations. Such records support departmental reporting, performance and accountability requirements.

Departments should know the information of business value under their control, where such information resides and its condition. As such, departments must implement records and information management systems and practices that demonstrate good stewardship of information assets. Effective records management underpins the overall information management regime and is the foundation for:

In keeping with global technological advances, DFAIT’s information and records management regime has transformed substantially from a predominantly paper-based environment to one dominated by electronic records. This has resulted in a shift from a centralized and structured filing system maintained by dedicated filing clerks to a largely decentralized and unstructured system in which the information creator is also the custodian and records manager.

Why is this important?

In this age of continual technological advances, expectations that information will be instantly available are high. Globally, information is being created at an increasing rate. DFAIT’s shared network repository grows by at least 100GB a month and grew fivefold between 2006 and 2011. Within the federal government environment, balancing the ability to effectively manage records of business value to facilitate timely retrieval on the one hand, with maintaining costs at an acceptable level and ensuring the safekeeping of records, on the other hand, is critical.

In 2010-2011, based on the tracked Information Management/Information Technology (IM/IT) capital and operating expenditures, the Department spent $189M (Footnote 2) or roughly 8% of the total budget (excluding Vote 10 - Grants and Contributions) on IM/IT.

DFAIT serves more than 12,600 users located at Headquarters, multiple locations in the National Capital Region, Regional Offices in Canada, and at Missions around the world. The Department manages information specific to each of these locations as well as important issues that cut horizontally across these boundaries. Complete and timely information is essential for effective issues management at DFAIT. As well, DFAIT has a large proportion of employees whose positions are rotational in nature. Ensuring that records of business value are available supports knowledge management and takes on increased significance in this environment where employees change jobs/locations frequently.

Sound records management contributes to the timely provision of information under the Access to Information and Privacy Act, which is essential to meeting legislative requirements and mitigating reputational risks to the Department.

What did we examine?

The objective of the audit was to assess the extent to which the records management framework at DFAIT enables effective integration of critical information for decision making and knowledge management. The focus of this work was on unstructured records – information held outside of the financial and human resources systems. The complete audit objective, criteria, scope and methodology are contained in Appendix A: About the Audit.

The audit addressed, in greater detail, two elements identified in the Office of the Comptroller General of Canada (OCG) Horizontal Internal Audit of Electronic Recordkeeping (Footnote 1). These two elements include the extent to which:

What did we find?

The Department faces challenges in managing records effectively, indicating that it remains a key corporate risk. These challenges impact the Department’s ability to manage information as an asset and to facilitate effective integration of critical information for decision making. Key elements of a sound records management regime were not in place. These include:

Key Recommendations

The audit makes several recommendations throughout the report to strengthen records management. Fundamental to the overall success will be ensuring that:

The Chief Information Officer strengthens information and records management in the Department by implementing a policy to:

This policy framework should support Departmental managers and employees in fulfilling their information management responsibilities with respect to the identification and management of information of business value throughout its life cycle.

Successful implementation of all recommendations will improve the information, records and knowledge management regimes in the Department and make it possible for DFAIT to harness the power of its information. Further recommendations and the Management Action Plan to address recommendations are included in Appendix B.

Conclusion

The Department does not have an effective records management framework in place. Key elements with respect to governance and oversight are lacking. The deployment of a diverse set of tools, practices and systems with incompatible functionality has resulted in uncoordinated and largely unsatisfactory approaches to records management. Thus, the Department does not know the information assets of business value under its control, their location and condition. This undermines the Department’s ability to access key information in a timely manner to facilitate effective integration of critical information for decision making. Although progress has been made in recent months, significant and sustained effort is required to improve records management at DFAIT to support decision making and knowledge management across the Department.

Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support a high level of assurance on the accuracy of the information in this report. The results are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management. The results are applicable only to the processes examined. The evidence was gathered in compliance with Treasury Board Policy, Directives, and Standards on internal audit for the Government of Canada.

Yves Vaillancourt
Chief Audit Executive

1.0 Background

Records management comprises the creation, receipt, maintenance, use, safeguarding, and disposal of records. It includes processes for capturing and maintaining evidence and information of business value. The following graphic depicts the life-cycle of records. Enabling the effective management of records throughout their life-cycle requires knowledge of the business; system support; naming conventions consistently applied; appropriate access rights; effective search engines; knowledge of disposition practices such as archiving, transferring and deleting; and, importantly, compliance with the policy and standards established throughout the process.

Figure 1: Life-Cycle of Records Management

The Treasury Board of Canada Directive on Recordkeeping defines information of business value as published and unpublished records that enable and document decision making in support of programs, services and on-going operations. Such information also supports departmental reporting, performance and accountability requirements.

The Treasury Board of Canada Policy Framework for Information and Technology directs that records and information be treated as assets. This means that departments should know the information assets of business value under their control, where such information resides and its condition. As such, the Department must implement records and information management systems and practices that demonstrate good stewardship of information assets. This is particularly challenging at DFAIT due to the combination of top secret, secret, protected and unclassified records being supported on different systems.

Furthermore, no government or ministerial record can be disposed of without the written consent of Library and Archives Canada, as per the Library and Archives of Canada Act. The full listing of all components of the Treasury Board Policy Framework and related instruments is documented in Appendix C: Applicable Policies, Directives and Legislation.

Accountability, Roles and Responsibilities for Information and Records Management

The Treasury Board of Canada Policy on Information Management assigns accountability for information management in departments to the Deputy Minister. The policy requires that the Deputy Minister designate a Senior Officer for Information Management; at DFAIT, this role has been assigned to the Chief Information Officer.

The Treasury Board Directive on Information Management Roles and Responsibilities (Section 6.1) and the Directive on Recordkeeping define the following roles and responsibilities.

Senior Officer for Information Management (DFAIT Chief Information Officer)

Managers

Employees

Information Management Expenditure Profile

The audit could not accurately determine the overall dollar amount spent on information and records management at DFAIT. Many units have a role in information management, yet associated costs at the unit level are not identified in the Department’s financial systems. Although not fully representative, our assessment of the information management spending within the Department is based on the IM/IT expenditure. In 2010-2011, based on the tracked IM/IT capital and operating expenditures, the Department spent $189M, or roughly 8% of the total Departmental budget (excluding Vote 10 - Grants and Contributions), on IM/IT.

While the Information Management and Technology Bureau and the Infrastructure Technology Bureau had overall accountability for IM/IT governance in the Department, they only accounted for roughly 60% of the IM/IT budget. There were many branches that controlled the remaining 40% of the IM/IT budget. This level of decentralization depicted by the numbers above continues to exist today and enhances complexity.

DFAIT Governance Structure for Information and Records Management

The governance structure over information management within the Department continues to evolve. Currently, information management investment decisions are made through several committees as depicted in the figure below.

The chart shows the Governance Structure for Information Management. The committees are shown below:

IM/IT Investment Committee
(Chair: Chief Information Officer)
Membership: DG Level Reps from PAA Areas; Missions/Regional Office Reps

  • Operations Committee
  • Resource Management Committee

Web Management Committee
(Co-Chairs: Chief Information Officer & Director General of Communications)

DFAIT Accreditation Authority Committee
(Chair: Director IT Client Support)

Business Systems Advisory Committee
(Chair: Deputy Chief Information Officer)

Information Management Advisory Committee
(Chair: Chief Information Officer)

Technology Advisory Committee
(Chair: Chief Technology Officer)

Initial contact is done through the AID IM/IT Initiative Request Form, IT Professionals and Business Planning/Retreats. Therefore, the application requires IM/IT Program Management (Baseline/Architecture; Change Management, Contracting, Project Management, Information Management), followed by the Business Systems Advisory Committee, the Information Management Advisory Committee and / or the Technology Advisory Committee.

2.0 Observations and Recommendations

Effective records management in DFAIT’s complex and diverse environment is challenging. Designing and implementing a Department-wide approach to the management of information would enable DFAIT to protect and harness the power of its information. Within this context, observations follow relating to the Department’s:

2.1 Implementing a policy to strengthen the functional authority over information management

Effective governance requires clearly assigned functional authority for information, records and knowledge management. This is especially important where responsibilities for information management are widely dispersed. Functional authority should be anchored by the development and implementation of relevant information management policies, strategies, procedures, directives, and guidelines. The functional authority would be expected to exercise control and oversight over information, records and knowledge management through ongoing monitoring and reporting activities.

The Deputy Minister assigned Departmental responsibility for information management to the Chief Information Officer as required in Section 6.1 of the Treasury Board of Canada Directive on Information Management Roles and Responsibilities. Although overall responsibility rests with the Chief Information Officer, authority to acquire information management related tools and services is delegated throughout the Department. Thus, many divisions and missions have developed and implemented their own solutions (e.g. wikis and mission intranet sites) and practices with respect to the management of information resources without liaising with the Chief Information Officer to ensure coordination across the Department. This has resulted in inefficiencies as solutions that provide the same functionality (e.g. Client Relationship Management Databases including the system of the Trade Commissioner Service TRIO and a large number of home-grown solutions) are duplicated across divisions and missions.

The Chief Information Officer has made efforts to implement a common approach to information and records management. The Information Management Improvement Program was initiated in 2006 to promote the adoption of sound information management practices in DFAIT and increase usage of the Departmental document management system - InfoBank. Use of InfoBank, however, was not a mandatory requirement. Consequently, six years after the launch of this program, only 56% of headquarters staff and 40% of mission staff use InfoBank. Furthermore, many units continue to have inconsistent record management file plans, structures and processes.

The exercise of functional authority over information management is not effective. This is primarily because an approved policy for information management and accompanying strategic direction is not in place to empower the Chief Information Officer to enforce a common approach to information management. The Chief Information Officer has vetted a Draft 2012-2015 Information Management Policy through various committees and stakeholders. However, this policy has not yet been presented to, and approved by, the Operations Committee.

In the absence of a Departmental policy, it is not possible to mandate and oversee a coordinated approach to information management. This poses risks related to effectiveness and efficiency as the Department cannot obtain relevant information on a timely basis to facilitate decision making. The Department is also unable to respond effectively to regulatory requirements such as Access to Information and Privacy (ATIP) requests. As well, there is a risk that the Department may not meet the 2015 deadline for full compliance with the Treasury Board of Canada Directive on Recordkeeping.

Implementing a performance measurement framework over information, records and knowledge management

Performance measurement is important since it indicates whether objectives and goals are being met. To the extent that objectives are not met, corrective action can be initiated. In the absence of a Departmental policy for information management and related objectives, it is challenging to define performance measures, indicators, and associated targets aligned with priorities.

In addition to financial and people management, information management is a core resource management function. Given the dispersed information management responsibilities in DFAIT, performance assessment is a key management control to enforce alignment with corporate decisions. There is no requirement, however, to include commitments/accountabilities with respect to information management in individual performance agreements. The Chief Information Officer recognizes the importance of performance assessment and has addressed it in the Draft 2012-2015 Policy on Information Management (Article 2.3.7).

Recommendation:
  1. The Chief Information Officer should strengthen information management in the Department by implementing an approved Departmental policy to clearly establish:
    • the functional authority of the Chief Information Officer;
    • Departmental strategic direction for information management;
    • roles, responsibilities, authorities and accountabilities of all parties involved in information management;
    • overall objectives and performance measures; and,
    • effective oversight.

2.2 Implementing a comprehensive Knowledge Management Strategy to mitigate loss of corporate memory

Knowledge is a mix of personal (95%) and documented (5%) information gained from daily work and personal experiences (Footnote 3). As such, knowledge management is the set of activities used to identify and store such information so that it can be leveraged and analyzed for decision making.

Within DFAIT, a comprehensive approach to knowledge management linked to Departmental strategic objectives is not yet in place. The Department relies on handover notes for sharing information and knowledge between the incumbent and the predecessor. This process is not always effective and is dependent on the thoroughness of the departing member of staff.

Some branches have created and implemented a handover checklist for rotational staff. The Consular Branch for example has had an intranet page (wiki) dedicated to preparation of handover notes for Management and Consular Officers since 2010. The Client Services Division of the International Platform Branch has a similar intranet site that takes the idea further and proposes that completion of the handover package be included in the officer’s performance assessment for any year in which there is a transition.

This year, the Chief Information Officer has created a handover package that can be used by all staff in the Department to create effective transition notes. In addition, a suite of tools has been developed and publicized to all staff to encourage sharing of information, knowledge and experiences with a view to working more effectively and collaboratively. While this is a good start, in the absence of clearly established functional authority for information management, there is no assurance that this package will be used consistently across the Department to accomplish the intended objectives.

Transfer of knowledge is currently heavily reliant on verbal briefings and consultations owing to challenges with finding and retrieving documented information. Staff indicated they do not typically have access to emails or other documents created by their predecessors since they are not always stored or transferred to a common repository such as InfoBank or the Outlook Public Folder. Verbal briefings and consultations are not effective knowledge management tools as they rely on the memory of predecessors as opposed to Departmental repositories with effective search engines.

The absence of a comprehensive knowledge management regime in the Department results in a loss of corporate memory. As well, it impedes efficient and effective responses to information requests as employees liaise with their predecessors or traverse multiple systems to locate relevant documents. In some instances, the documents sought cannot be found at all (e.g. loss of official documents at one of the missions included in the audit).

The Chief Information Officer Bureau recognizes the importance of knowledge management and has incorporated it as a business requirement in the draft Information Management Strategy.

Recommendation:

  1. The Chief Information Officer should define and implement a knowledge management approach for the Department to protect against the loss of corporate memory.

2.3 Implementing a comprehensive life cycle process to manage information as an asset

Information is considered to be of business value when it is used to support effective decision making and facilitate ongoing operations and the delivery of programs and services. Such information constitutes a critical asset that must be managed effectively.

Effective information management requires that information of business value be identified, acquired, captured, and managed in departmental repositories throughout its life cycle. Information management in this context ensures that the Department knows the information assets under its control, their location and condition. This is a requirement of the Government of Canada Policy on Information Management and related instruments; specifically, the Treasury Board Directive on Recordkeeping.

With the adoption of modern information technology practices, the model of dedicated file rooms and clerks has mostly disappeared. Responsibility for document management has been transferred to employees without guidance to enable a consistent approach.

Information of business value is not always identified and captured.

The Department does not have processes to identify and organize information assets of business value. Some guidelines have been communicated to assist employees in determining if the information under their control is transitory or if it is of business value. InfoBank has functionality that can be used to label information of business value. As noted previously, however, most of the Department does not use InfoBank and similar functionality is not available in other repositories. As a result, it is not possible to ensure that all information assets of business value are identified.

Processes to maintain and protect information assets are inconsistent across the Department

Divisions choose their repositories and define their own processes for handling draft and final copies of documents. This often results in multiple drafts of a particular document saved within or across repositories (e.g. Shared Drives, InfoBank, Outlook and Wiki). Given existing processes, it is often not possible to determine the status (e.g. draft, final, approved and by whom) of duplicate documents located in various repositories.

Although there is a process to transfer information of business value to a central email repository, not all divisions are aware of it and/or using it consistently. This repository is unidirectional; users can send information to it, but cannot retrieve information without IM/IT support. This is a disincentive to using this repository.

The audit further notes that the Department is not equipped to manage records from an ‘issues’ perspective. This would ensure that all documents related to a particular subject are identified through the use of consistent naming conventions, key words or ‘tags’ allowing them to be retrieved efficiently when required. Current information management life cycle practices do not make it possible to extract files associated with a given issue/subject effectively. This increases the risk that the Department will not have all relevant information available to respond to emerging and evolving issues in a timely manner.

Information retention and disposition decisions cannot be made and executed effectively

Library and Archives Canada provides Government of Canada institutions with the mechanism and authority to dispose of their information resources either by transfer to Library and Archives Canada, destruction or alienation (transfer of ownership).

It is incumbent upon the Department to establish records and disposition authorities to guide the management of information of business value. The Chief Information Officer is responsible for: establishing, implementing and maintaining retention periods for information resources of business value; developing and documenting a disposition process for all information resources; and performing regular disposition activities for all information resources.

Retention and disposition schedules dictate the treatment of information assets at different stages of their life cycle. While some schedules exist for paper records, retention and disposition schedules for different classes of electronic information have not been defined. Proper disposal of records, and the resulting decrease in the number of records, has two important effects – reduction of storage costs; and, more efficient responses to Access to Information requests.

Ineffective life cycle processes impede effective search and retrieval of critical information

Ineffective information life cycle management processes compounded by limited search capabilities and the geographic reach of the Department impede the effectiveness of document retrieval capabilities. This affects the quality and timeliness of advice provided since information of business value is not readily available. When documents cannot be found in a timely manner, wasteful rework may be necessary and decisions and actions may have to be taken without appropriate and complete information.

Ineffective information life cycle management processes also affect the Department’s ability to fulfil obligations related to legal discoveries and Access to Information and Privacy (ATIP) requests as information cannot be found in a timely manner. The Department reduced its backlog of requests and the number of complaints between 2008 and 2011. Nevertheless, significant challenges remain. For the same period, the average days to complete an ATIP request at DFAIT increased by more than 50% from 163 days in 2008-2009 to 242 days in 2010-2011 (Footnote 4).

The Chief Information Officer recognizes that the current information life cycle process is unsustainable and is working to address it

The Draft Information Management Strategy acknowledges that the status quo is not acceptable noting that “DFAIT is not in command of the information assets it creates in missions and at headquarters” (Footnote 5). This strategy envisages a Department-wide initiative to document business processes and outline a new information classification structure with associated retention and disposition schedules to support information quality, sharing, and collaboration.

Recommendation:
  1. The Chief Information Officer Bureau should support Departmental managers and employees in fulfilling their responsibilities by:
    • defining and implementing Departmental processes to ensure on-going identification and management of information of business value throughout its life cycle; and
    • documenting and implementing disposition schedules for various classes of information.

2.4 Ensuring benefit realization from future investments in information management

Successful implementation of IM/IT projects requires effective oversight; not only the tracking of targets such as time and budget but also the value proposition demonstrating alignment with Departmental priorities.

DFAIT has made progress in the development and implementation of a governance structure to oversee IM/IT projects. The Director General level IM/IT Investment Committee created in 2010 has been instrumental in prioritizing proposed IM/IT investments and allocating funds to projects aligned with Departmental priorities. The Chief Information Officer has also implemented a project management regime to control the implementation of corporate IM/IT projects.

The Information Management Strategy indicates that the current Departmental document management system, InfoBank, is not sustainable and does not meet the Department’s needs. Additionally, it is nearing the end of its useful life. In this regard, a new document and records management system is under consideration. It is envisaged that it will have streamlined processes that will help manage all content throughout its life cycle. This system is intended to be deployed across the Department to foster sharing and collaboration and ensure that records of business value are available for decision making in a timely manner.

If approved, this initiative will require large investments in terms of funds, time, and human resources. As the plans for these investments are refined, it will be prudent to reflect upon the reasons why the comparable Information Management Improvement Program objectives were not fully realized. This will allow the lessons learned from that initiative to be applied to the current initiative to mitigate risk and enhance the potential for realizing the initiative’s overall objectives.

Recommendation:

  1. To ensure that overall objectives are realized, the Chief Information Officer Bureau should ensure that lessons learned throughout the Information Management Improvement Program are applied to current and future information management initiatives.

3.0 Conclusion

The Department does not have an effective records management framework in place. Key elements with respect to governance and oversight are lacking. The deployment of a diverse set of tools, practices and systems with incompatible functionality has resulted in uncoordinated and largely unsatisfactory approaches to records management. Thus, the Department does not know the information assets of business value under its control, their location and condition. This undermines the Department’s ability to access key information in a timely manner to facilitate effective integration of critical information for decision making. Although progress has been made in recent months, significant, sustained effort is required to improve records management at DFAIT to support decision making and knowledge management across the Department.

Appendix A: About the Audit

Objective

The objective of the audit was to assess the extent to which the Records Management framework at DFAIT:

  1. Demonstrates accountability and stewardship of information assets; and
  2. Facilitates effective integration of critical information for decision making and results reporting.

The audit addressed, in greater detail, two elements identified in the Office of the Comptroller General of Canada (OCG) Horizontal Audit of Recordkeeping. These two elements include the extent to which:

Criteria

A. The Records Management framework at DFAIT demonstrates accountability and stewardship of information assets

Audit Criteria: 1. Records Management policies and standards are established at a Departmental level in compliance with privacy and access to information legislation, Treasury Board and Library and Archives Canada policies and best practices.

Related Management Accountability Framework – Key Elements (Footnote 6): Policy and Programs PP-4

Audit Criteria: 2. Procedures, processes, and systems used by each business unit are adequate and consistent with the Records Management policies and standards established by the Department. This includes:

  1. Creation and classification (including determination of records of business value, security and privacy, naming conventions, version control, retention period, type);
  2. Storage (data repositories and applications);
  3. Retrieval (including folder structure and search capabilities);
  4. Disposal and archiving of records (including periodic clean-up and transfer of permanent records to Library and Archives Canada).

Related Management Accountability Framework – Key Elements (Footnote 6): Policy and Programs PP-4; Stewardship ST-8, ST-9

Audit Criteria: 3. Business units have effective Records Management practices. This includes:

  1. Effective and appropriate Records Management strategies are established which address both operational and senior management Information and Knowledge management needs;
  2. Management has established an effective process, aligned to the strategy, to ensure records, Information and Knowledge management needs are met;
  3. Records are stored in a structured manner to facilitate response to issues and programs on a collaborative, cross branch basis as appropriate (i.e. there is an environment where all branches work together to define information and knowledge needs and to develop, utilize and share systems/repositories);
  4. Records Management resources are planned and allocated to address Information and Knowledge management objectives; and,
  5. Employees are trained/educated about relevant policies and sound Records Management practices.

Related Management Accountability Framework – Key Elements (Footnote 6): Policy and Programs PP-4; People PPL-4; Stewardship ST-8, ST-9

Audit Criteria: 4. Business units have effective oversight over Records Management practices. This includes:

  1. Effective feedback and reporting mechanisms to monitor existing Records Management practices; and,
  2. Effective monitoring to determine and respond to new and emerging information and knowledge requirements.

Related Management Accountability Framework – Key Elements (Footnote 6): Policy and Programs PP-4

B. The Records Management framework at DFAIT facilitates effective integration of critical information for decision making and results reporting

Audit Criteria: 5. Data elements used for generating information are useful and appropriate (complete, accurate, authentic, timely and available).

Related Management Accountability Framework – Key Elements (Footnote 6): Stewardship ST-9

Audit Criteria: 6. Information, defined as aggregated or summarized data, used to decide upon a course of action, is reliable, relevant, timely and cost effective. The assessment will consider the information related to:

  1. Decision making;
  2. Results reporting;
  3. Historical significance;
  4. Knowledge management; and,
  5. Knowledge transfer.

Related Management Accountability Framework – Key Elements (Footnote 6): Stewardship ST-8, ST-9

Audit Criteria: 7. The process for gathering knowledge is a top-down approach. That is, it begins with senior management determining key goals and critical success factors, and then determining the information and underlying data that senior management requires to derive the appropriate course of action for managing activities and measuring progress towards goals.

Related Management Accountability Framework – Key Elements (Footnote 6): Governance and Strategic Directions G1, G-2, G-3, G-4

Scope

The audit focused on Records Management systems, processes, and controls within:

The missions included in the audit are listed below.

The rationale for the selection of these organizational entities was largely based on the preliminary review which indicated that, with the exception of COSMOS and TRIO, few structured applications exist to support the operations of these groups.

Corporate applications, including the financial and human resources systems, were not included in the scope as the focus of this work was on the critical Records Management elements for policy and program areas.

Methodology

In the risk assessment phase of this audit, interviews were conducted and documentation was reviewed in order to understand:

The audit plan and procedures were designed based on this understanding. In order to assess the identified high risk areas and provide assurance on the effectiveness of records management practices, the following methods were used to gather audit evidence:

Appendix B: Management Action Plan

Audit Recommendation 1

The Chief Information Officer should strengthen information management in the Department by implementing an approved Departmental policy to clearly establish:

Management Action

Under Information Management Strategy Initiative 3, a comprehensive draft Information Management Policy (IB2976074) was completed in FY 2011-12 and the Policy on Information Management (IB4340208), and Directive on Recordkeeping (IB4340183) were approved by Information Management Advisory Committee in June 2012. These key policy instruments clearly outline the information management and record keeping roles and responsibilities for the Chief Information Officer and all departmental stakeholders.

An implementation plan is being developed to support the provisions of the IM Policy and Recordkeeping Directive. Once approved, the implementation plan will be executed through communication and training.

Under Information Management Strategy Initiative 3, a performance management framework supporting the Information Management Strategy will be developed in FY 2012/13.

Information Management is to be included in the Departmental Performance Management Framework.

Information Management accountability is to be included in Performance Management Agreements/Program.

Under Initiative 1 of the Information Management Strategy, Information Management Agreements between the Chief Information Officer and departmental branches/missions are to form the basis of Information Management / Records Management service delivery, support and performance monitoring.

Area Responsible

Information Management and Technology Bureau (AID)

Expected Completion Date

Complete

Audit Recommendation 2

The Chief Information Officer should define and implement a knowledge management approach for the Department to protect against the loss of corporate memory.

Management Action

A project on knowledge transfer for the handover process that is part of a rotational work environment is now underway. AID is engaging rotational staff to identify gaps and opportunities in knowledge transfer in the current handover process and practices. The project will report on its findings and make recommendations for change in the handover process and existing knowledge transfer practices. It will also form the basis for the department's Knowledge Management Strategy.

Area Responsible

Information Management and Technology Bureau (AID)

Expected Completion Date

Complete

Audit Recommendation 3

The Chief Information Officer Bureau should support Departmental managers and employees in fulfilling their responsibilities by:

Management Action

Under IM Strategy Initiative 5, 40% of DFAIT’s Information Resources of Business Value will be identified in FY 2012/13 and the remaining 60% in FY 2013/14. This information will be incorporated into Information Management Agreements to ensure that branches and missions have effectively identified and are managing their information resources of business value.

Under Information Management Strategy Initiative 6, Information and Knowledge Management (AIM) is currently reviewing and simplifying the file classification plan used to link retention and disposition periods to classes of information.

Disposition authorities for legacy information are being negotiated with Library and Archives Canada (LAC). A comprehensive Disposition Plan will be complete by the end of FY 2013/14 to enable LAC to issue comprehensive disposition authorities.

Area Responsible

Information Management and Technology Bureau (AID)

Expected Completion Date

Complete

Audit Recommendation 4

To ensure that overall objectives are realized, the Chief Information Officer Bureau should ensure that lessons learned throughout the Information Management Improvement Program are applied to current and future information management initiatives.

Management Action

Lessons learned from the Information Management Improvement Program (IMIP) and the implementation of InfoBank are currently being applied in planning for the implementation of all Information Management Strategy initiatives. A document highlighting key lessons learned and defining principles for decision-making is being prepared.

Area Responsible

Information Management and Technology Bureau (AID)

Expected Completion Date

Complete

Appendix C: Applicable Policies, Directives and Legislation

Source: Treasury Board of Canada

Instrument:

  1. Policy on Information Management
  2. Directive on Information Management Roles and Responsibilities
  3. Directive on Recordkeeping
  4. Government of Canada Information Management Strategy
  5. Strategic Direction for Government: Information Management

Source: Department of Justice Canada

Instrument:

  1. Library and Archives of Canada Act
  2. Access to Information Act
  3. Privacy Act