Audit of information management and information technology governance
Global Affairs Canada
Office of the Chief Audit Executive
Tabling date
September 2018
Executive summary
What we examined
The objective of this audit was to provide assurance that governance structures, mechanisms, accountability and resources are in place to ensure effective management of Information Management and Information Technology (IM/IT) throughout the Department, and that governance structures ensure accountability for IM/IT.
The scope of the audit included IM/IT governance activities conducted during fiscal years 2016-17 and 2017-18, affecting the management of IM/IT at headquarters and missions.
Why it is important
IM/IT is essential for large organizations to operate effectively and to deliver value. All functions of an organization are impacted by rapidly changing IM/IT innovations. The IM/IT environment at Global Affairs Canada (Department) is complex, encompassing headquarters and regional offices within Canada, and Canada’s network of 178 missions in 110 countries around the world. The network hosts 31 partner organizations located in the missions.[Footnote 1]
IM/IT governance is an integral part of enterprise governance and requires leadership and organizational structures to ensure the Department’s IM/IT sustains and extends organizational strategies and objectives.[Footnote 2]
The Department’s IM/IT spending for fiscal year 2016-17 was approximately $120 million on IM/IT operations and project development.[Footnote 3]
What was found
The audit found that governance structures, mechanisms, accountability and resources are in place to oversee IM/IT throughout the Department. However, weaknesses were identified in the following areas: design of the governance framework and functioning of oversight bodies; IM/IT project oversight; communication with partner departments regarding IM/IT requirements; and monitoring of service performance and human resources capacity information.
Specific areas of improvement include:
- There is no senior management oversight body dedicated to IM/IT.
- There is overlap between the mandates of corporate-level oversight bodies and the IM/IT-specific oversight bodies.
- Some IM/IT oversight bodies are not functioning as designed, including inactivity and poor attendance, leading to performance issues.
- Not all IM/IT projects follow the same established project implementation oversight mechanisms.
- A formal communication forum is not in place in which GAC and SSC can discuss IM/IT requirements and challenges with partner departments.
- IM/IT oversight bodies are receiving insufficient information to effectively monitor the performance of departmental IM/IT services, and the level of IM/IT human resource capacity.
Recommendations
Based on the findings above, the audit team recommended the following:
- The ADM of Corporate Planning, Finance and IT should establish an ADM-level IM/IT steering committee mandated to provide strategic direction and decision making for IM, IT and data management. The ADM of Corporate Planning, Finance and IT should also modify the mandate of the IM/IT Strategic Committee to review and recommend IM/IT plans, investments, and IM/IT policies, and monitor IM/IT performance.
- The ADM of Corporate Planning, Finance and IT should mandate that all IM/IT-enabled projects be subject to the Department’s project intake process, and CIO-endorsed project management methodology to ensure coherence in application development and integration.
- The ADM of Corporate Planning, Finance and IT should meet regularly with relevant ADMs from key partner departments in the international network, along with SSC, to discuss IM/IT initiatives and challenges at missions abroad.
- The ADM of Corporate Planning, Finance and IT should ensure regular reporting on service performance and human resource capacity information to the highest level IM/IT-specific governance body.
Statement of Conformance
In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.
Chief Audit Executive
1. Background
The audit of information management and information technology (IM/IT) governance is included in the Global Affairs Canada (GAC) 2017-2020 Risk-Based Audit Plan, which was recommended by the Departmental Audit Committee and approved by the Deputy Minister on May 8, 2017.
The Treasury Board (TB) Policy Framework for Information and Technology defines information management as: “A discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation”; and information technology as: “any equipment or system that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. It includes all matters concerned with the design, development, installation, and implementation of information systems and applications to meet business requirements.”
The Policy Framework for Information and Technology is intended to provide guiding principles for sound information and technology management practices across government, as well as the strategic context for the Policy on Information Management and the Policy on the Management of Information Technology. Under this policy framework, the Deputy Head is responsible for effective management of information and technology throughout the Department, the sound implementation of investment decisions in the management of information and technology, and the ongoing performance measurement of the management of information and technology.[Footnote 4] The TB Policy on Management of Information Technology, updated April 1, 2018, makes Deputy Heads responsible for ensuring the efficient and effective governance and oversight of IT within their departments, including IT investment decisions, ongoing management, compliance with policy, standards and directives, and performance measurement. In relation to investments, it additionally states that Deputy Heads are responsible for ensuring the departmental IT investment plan is integrated into the overall departmental business plans.
IM/IT governance is an integral part of enterprise governance. It consists of leadership and organizational structures and processes that ensure the organization’s IM/IT sustains and extends organizational strategies and objectives.[Footnote 5] IM/IT is fundamental to the operations and program delivery of Global Affairs Canada, and to the international programs of its partner departments and agencies. The Department’s IM/IT environment is complex, encompassing headquarters and regional offices within Canada, and Canada’s network of 178 missions in 110 countries around the world. The network hosts 31 partner organizations located in the missions.[Footnote 6] Jointly, the Department and Shared Services Canada (SSC) support the global IM/IT infrastructure serving Canada’s mission network.[Footnote 7] The Department’s IM/IT spending for fiscal year 2016-17 was approximately $120 million on IM/IT operations and project development.[Footnote 8]
The Department’s IM/IT governance structure is intended to engage GAC senior management and partner departments and agencies to set direction for IM/IT investments, oversee mission-critical systems, services and projects, and set enterprise-wide policies and standards for IM/IT services.[Footnote 9] It consists of 9 key committees across three levels of governance (see Appendix B, Figure 1), in addition to lower-level committees (see Appendix B, Figure 2) and ad-hoc working groups that support the key committees. (For descriptions of the oversight bodies, see Appendix C.)
The ADM of Corporate Planning, Finance and Information Technology Branch (SCM) is accountable for the Department’s IM/IT function and now holds the Chief Information Officer (CIO) role and responsibilities. These responsibilities include the governance of the departmental IM/IT environment and making operational decisions related to corporate IM/IT services.[Footnote 10] Core CIO function responsibilities are managed through the IM/IT bureau (SID). The DG of SID position had been vacant since September 2017, with a rotation of acting SID personnel fulfilling this role. However, a new permanent DG of SID was appointed in July 2018.
Currently, SID is undertaking a transformation process to achieve better business value, be more client centric, develop a skilled and adaptive workforce, and establish modern IM/IT service delivery.
2. Observations and recommendations
2.1 IM/IT Governance Framework
Oversight Bodies
Design of the Governance Structure
The audit team expected to find an information management (IM) and information technology (IT) governance structure that is integrated with the corporate governance structure, and includes internal governance bodies supporting IM/IT oversight, with documented and communicated roles, responsibilities and accountabilities. The audit team also expected to find an oversight body in place to provide strategic direction and oversight over IM, IT, and data, given their evolving nature and criticality for business operations.
An IM/IT governance structure was found to be in place at various levels within the Department. At the level below the Executive Board, the following level-2, corporate oversight bodies were found to have IM/IT-related responsibilities:
- Corporate Management Committee (CMC) is responsible for approving corporate planning documents, reviewing IM/IT initiatives from a corporate management perspective, and providing corporate leadership, strategic guidance and oversight for IM/IT. Its role includes reviewing the annual IT Plan;
- Resource Management Committee (RMC) is responsible for overseeing the alignment of investment planning, including IM/IT resources, against departmental priorities, as well as for providing leadership, strategic guidance and oversight on the alignment of financial, non-financial and human resources with departmental priorities. Its role includes reviewing the annual IT Plan; and
- ADM Steering Committee on Security is mandated to provide strategic and integrated guidance and oversight on security and the safeguarding of information and assets.
Below this level are level-3 committees with a specific IM/IT focus. These include the IM/IT Strategy Committee (ISC), Information Data Governance Council (IDGC), and DG Security Committee, below which are specialized IM/IT committees and groups.
- ISC is a DG-level IM/IT committee responsible for reviewing, and approving or rejecting IM/IT-related strategic plans and policy instruments, as well as evaluating, prioritizing, approving or rejecting, and monitoring new IM/IT investments (projects). Its role includes reviewing the annual project prioritization process and IT Plan.
- IDGC is a DG-level committee designed as a strategic and authoritative body to review plans and policy instruments, with the purpose of overseeing data, knowledge, and information activities and supporting the implementation of the IM Strategy and GoC priorities. KIMAG and DMAG report to IDGC, with the purpose of providing a forum for business stakeholders and data practitioners to discuss business data, knowledge and information management.
- DG Security Committee aims to ensure an integrated approach to the implementation of risk-based mitigation measures addressing personnel, operational, physical and IM/IT security, and is responsible for operational-level policy recommendations on exceptional and/or complex IM/IT security issues and their implementation. IM/IT is a standing agenda item at this committee. This committee reports to the ADM Steering Committee on Security.
Based on the Terms of Reference for the above-mentioned committees, the audit team found that a governance framework has been established with some integration into the corporate governance structure, and that committee mandates, membership, roles and responsibilities, and meeting frequency are documented and communicated.
The audit found, however, that ISC and IDGC share some responsibilities, particularly with oversight of strategic IM planning and policy setting. In addition to an overlap in mandate, it was also noted that when IDGC was last active, eight of its members were also members of ISC, representing a third of the ISC membership. This situation led to an overlap of governance with regards to IM-specific issues.
The audit found that decisions made at the level-3 ISC in 2017-18 were limited to approving the IT Plan, Project Prioritization, and policies. Since the IT Plan is also tabled at RMC and CMC with the purpose of providing a coordinated and holistic approach to departmental resource allocation that is aligned with corporate business priorities, it is not clear that the ISC approval stage is necessary. The overlapping mandates of these bodies do not provide for an efficient decision-making process.
In addition to some overlap in mandates and decision making, the audit found that the governance framework does not include a senior management level oversight body with a mandate dedicated to providing strategic direction for IM/IT. Similar to the ADM Steering Committee on Security, this body would provide a forum for senior managers to discuss IM/IT requirements, strategies, and investments to facilitate corporate coherence and alignment to departmental priorities. Without this type of body, there is a risk that data, information and technology will not receive sufficient strategic direction to ensure they support the collective needs of the Department in a coherent and optimal manner.
Functioning of the Oversight Bodies
The audit team found a number of issues with the functioning of multiple committees, including committees that were inactive or not fully established, and committees with attendance issues.
In particular, the key IM-related committees were inactive at the time of the audit. This included IDGC and its level-4 committees, DMAG and KIMAG. Specifically, in the 2017-18 fiscal year, these committees met twice in the case of IDGC and DMAG and three times for KIMAG, with the last meetings occurring in June 2017. While there was evidence of IM being periodically discussed at ISC, and some key issues tabled at CMC for direction, there is a risk that IM does not receive adequate oversight.
With respect to ISC, the audit team found that engagement by committee members representing business lines was weak. Based on attendance reports in the committee records of decision, meetings were found to have met membership quorum only twice out of the 10 meetings held in 2017-18, including instances where decisions were taken without quorum. In addition, the use of delegates by committee members is common at these meetings, with some members always sending delegates. Low membership attendance at meetings undermines the effectiveness of the committee in fulfilling its mandate. Interviewees indicated that the nature and content of the topics discussed at meetings is complex and difficult to follow for those without some foundational IM/IT knowledge, which can lead to a lack of engagement by business stakeholders at meetings and compound attendance issues. The audit team found that over 90% (36 out of 39) of items on ISC agendas were for information or update purposes, and that members representing business lines had not tabled an agenda item. Together, these findings position the committee in a more passive role.
Given that the key DG-level IM/IT committees are either inactive, or are experiencing issues with attendance and level of engagement, as well as having overlapping mandates and membership, the audit team found that the governance structure is not functioning in an optimal manner, as certain roles and responsibilities are not being fulfilled. This puts the Department at risk of ineffective and inefficient oversight over IM/IT operations.
Strategic IM/IT Direction, Planning, and Policies
The audit team expected to find governance mechanisms in place to set strategic direction for IM/IT activities that is aligned to departmental and Government of Canada (GoC) priorities. This strategic direction would be reflected in IM/IT planning and directional documentation, which would be integrated into departmental business planning and would consider IM/IT resource allocation. It is also expected that IM/IT guiding policies and procedures are in place, comprehensive, and up-to-date.
Through a review of departmental strategic planning documentation, along with interviews with SID management, the audit team found that IM/IT strategic priorities are aligned to departmental and GoC priorities, and are reflected in core departmental planning documents. For example, the GAC IT Plan 2018-2021 includes alignment to business priorities identified in the Departmental Plan 2018-2019, as well as GoC priorities and strategic actions identified in the GoC Strategic Plan for IM and IT 2017-2021. The IT Plan includes financial and human resource considerations, including breakdowns by expense category and program area. The current IM guiding document, the IM Strategy 2014-2017, has been extended to remain in place through 2018-2019, and it identifies GoC and departmental priorities and initiatives. This strategy is, however, at risk of becoming outdated and misaligned with priorities beyond the 2018 extension. SID management indicated plans to replace this strategy, likely with an integrated IT and IM “Digital Plan”. The audit team noted that the IM/IT planning process includes a step to canvass ADMs across the Department for their input on priorities, although, as previously mentioned, there is no ADM-level IM/IT steering committee with dedicated responsibility to feed strategic direction and priorities into the IM/IT planning process.
The audit found that the Department complies with requirements related to IM/IT stated in GoC policies, standards, directives and guidelines, including establishing a strategy for the improvement of the management of information, implementing a process to assess against the objectives of the IM policy, and periodically reviewing and assessing IT services provided to stakeholders. The team found that principles and policies were in place to support decision making. In addition, the audit team found that the Department had a variety of legacy IT policies which are pending update once a new TB IT policy suite is released, to ensure departmental policy alignment to Treasury Board direction.
Decision Making
The audit team expected to find that IM/IT governance decisions are made in a consistent and timely manner.
Key IM/IT decisions made by oversight bodies include the review and approval of the IT Plan, the IM Strategy, the prioritization of IM/IT investments, and IM/IT policies.
The audit team found that the 2018-2021 IT Plan was reviewed and approved by the IM/IT Strategy Committee, which is in line with its mandate, although the decision was made at a meeting that did not reach quorum. The IT Plan was then submitted to CMC for endorsement to provide corporate leadership and strategic guidance, and to RMC to provide oversight on the alignment of investment planning against departmental priorities. Ultimately, the 2018-2021 IT Plan was formally approved by the Deputy Minister of Foreign Affairs.
The audit team expected the GAC IM/IT governance bodies to prioritize IM/IT projects and investments. IM/IT project planning stems from a bottom-up intake process in which proposed IT projects or IM/IT-related business challenges are identified by branches and submitted to SID. This intake process identifies projects that are to be prioritized for implementation. GAC has a process to prioritize projects based on the standard GoC IT Prioritization Framework prescribed by TBS, which ranks achievable projects using 85% GoC factors (such as alignment with GoC priorities, support for a critical service, and benefits realization) and 15% Departmental factors (such as alignment with the Department’s mandate and addressing a persistent IM/IT challenge). This project prioritization process is conducted by SID, with the scoring process (including Departmental factors) and the final prioritized list presented to ISC for approval. The prioritized list is included in the annual IT Plan, which sets the Department’s project priorities for both SSC and the Department. This process is necessary as there are consistently more projects identified (77 in the 3-year 2018-2021 IT Plan) than there is capacity to deliver.
As with the 2018-2021 IT Plan, the audit team found that the 2018-2019 project intake and prioritization was approved by ISC, although at a meeting without quorum. As noted, the prioritized projects are included in the annual IT Plan, which is also reviewed and endorsed by CMC and RMC. While CMC and RMC reviewed the IT Plan, there is no evidence that a detailed review of the results of the project prioritization process occurred at these bodies. The audit also found that there is limited latitude for oversight bodies to challenge and adjust the final prioritization of projects, as it is delivered within a prescribed GoC methodology. Interviewees expressed concerns that the methodology does not sufficiently consider departmental business needs, which presents a challenge to aligning IT investments with those needs.
In terms of IM/IT policy decisions, the audit found that in 2017-18 the ISC endorsed the Single and Mobile Device Policy at a meeting in which it had achieved quorum.
The audit found that oversight of IM/IT operational issues managed under SID, which make up the bulk of departmental IM/IT spending, is done through the IM/IT Operations Committee (OPS), which is made up of SID senior management. The purpose of this committee is to ensure consistent, effective, and efficient service delivery by reviewing, discussing, recommending, resolving, and approving or rejecting non-standard GAC IM/IT day-to-day operational requests in the delivery of support and services. A review of OPS committee records of decision found that decisions are taken regularly by the group.
Overall Functioning of Oversight Bodies
Given the highlighted overlap in IM/IT mandates and decision making between corporate oversight bodies and IM/IT-specific level-3 bodies, there is a risk that the governance framework is not designed to be efficient, and given that level-3 bodies are not functioning as designed, there is a risk that the framework is currently not effective. It is not clear that the ISC is effectively a decision-making body, as the few ISC decisions are duplicated at higher-level committees. With significant time and resources invested in running the level-3 committees, it is not clear that significant added value is being derived from the investment. Given these findings and those later in this report, a governance body that is more focussed on monitoring IM/IT services and investments, as well as reviewing and endorsing IM/IT policy and plans, may be better placed to add value to level-2 committees and the IM/IT function.
As noted earlier in the report, the governance framework does not include an ADM-level IM/IT steering committee dedicated to providing a strategic, coherent vision regarding the direction of IM/IT operations and investments. This gap puts IM/IT at risk of not receiving sufficient strategic and coherent direction and priority setting. Similar to the ADM Steering Committee on Security, this body could work in close coordination with CMC and RMC to foster effective senior level IM, IT, and data related decision making that aligns across GAC priorities. This body could then be supported by a level-3 operational committee, such as ISC, to work towards the implementation of the strategic vision.
Recommendation 1:
The ADM of Corporate Planning, Finance and IT should establish an ADM-level IM/IT steering committee mandated to provide strategic direction and decision making for IM, IT and data management. The ADM of Corporate Planning, Finance and IT should also modify the mandate of the IM/IT Strategic Committee to review and recommend IM/IT plans, investments, and IM/IT policies, and monitor IM/IT performance.
2.2 IM/IT Project/Investment Governance and Oversight
The audit team expected to find that governance and oversight mechanisms are in place for initiated IM/IT projects and investments to help ensure: coherent integration into existing departmental IM/IT environment; effective management; and successful implementation.
In 2017, GAC implemented a framework that covers project approval and gating called the IM/IT Bureau Project Management Life Cycle Standard (PMLC). Based on this intranet-posted process on managing an IM/IT project, all IM/IT initiatives have an initiating phase, a planning phase and an executing/monitoring and controlling phase. Projects are expected to proceed through a series of project phase gates towards project completion and closing. Approval to progress from one gate to the next is overseen by a Project Oversight Committee (POC). In addition, the audit team found that project-level governance is required, and includes a steering committee, project sponsor, project manager and reporting on deliverables.
The audit team observed that the Trade program’s Export-Import Control System (EICS II) project currently has its own project governance structure, implemented in order to address significant project issues. Since initiation in 2012, the project has experienced serious management issues, including improper project scoping, exceeding available funding, exceeding departmental spending authorities, and initiation without policy authority, which were allowed to occur due to failures of project management, oversight, and governance. Due to these challenges and the project’s complexity, the current project governance is extensive, with oversight bodies that include TBS and SSC representation as well as deputy-level periodic updates. Three members of SID management are included on the project’s steering committee, and the DG of SID is a member of the Senior Review Board, which makes gating approval decisions. Interviewees indicated that the large scope of the project necessitates the independent governance approach outside of the PMLC, as it is too large and complex to be overseen and managed through the SID project governance and management mechanisms. EICS II performance metrics are, however, included in the project dashboard provided to the ISC.
The audit also found that International Platform (ACM) Branch implements self-funded IT projects and investments, which do not go through the project intake and prioritization process and may not follow the PMLC unless SID or SSC resources are required. These projects follow a branch-specific project delivery methodology, although they are still included in the SID annual list of projects for visibility and follow-up. They are, however, managed internally within ACM by in-house IT personnel and project managers. These projects do not follow the project intake and PMLC project approval gates and, therefore, do not benefit from the specialized IM/IT advice of SID’s Enterprise Architecture Review Board (EARB) regarding the selection of an IM/IT solution, or from the project implementation expertise and experience of the members of POC.
According to the TBS Directive on Management of Information Technology, the CIO is responsible for coordinating and directing IT. As such, having projects progress automatically without the IT organization deciding whether they are viable may lead to ad-hoc systems, system development not in line with GoC priorities, unplanned maintenance costs, investment in legacy systems that should be replaced with newer solutions, and increased system compartmentalization. In addition, undertaking the implementation of departmental IM/IT projects under different governance processes and delivery frameworks can lead to a lack of coherence with the departmental approach to IM/IT application development and implementation, making information management, enterprise architecture, and application rationalization more challenging. The latter is highlighted by a recent third-party assessment of GAC’s application portfolio, which rated the Department’s Application Organization maturity as “ad hoc”, falling below the benchmark for government.
Recommendation 2:
The ADM of Corporate Planning, Finance and IT should mandate that all IM/IT-enabled projects be subject to the Department’s project intake process, and CIO-endorsed project management methodology to ensure coherence in application development and integration.
2.3 Risks and Dependencies
Risk Management
The audit team expected to find that IM/IT related risk management is integrated into the Department’s risk management processes and control frameworks, such that these key risks and associated controls are formally identified, risk management strategies are developed, and progress against these strategies is tracked.
The audit team found that corporate IM/IT related risks are integrated into the Department’s risk management processes and control frameworks. For example, the Department’s 2017-18 Corporate Risk Profile (CRP) includes IM/IT related risks: Cyber Threats, and alignment of IM/IT Resource Management to departmental needs. The CRP articulates the key risk drivers, mitigation and response measures, and lead groups responsible for responses. The Integrated Corporate Business Plan, IT Plan, and IM Strategy are all aligned to the CRP, and include the risk responses and actions to mitigate these risks, as well as reporting on progress against these actions. In addition, the audit team identified a number of mechanisms in place for programs and missions to communicate IM/IT business risks to SID at the operational level. These include outreach by SIE Client Relations to their portfolio groups, Strategia business plans from missions, and proactive client consultations with programs and missions by SID.
Communication with Other Government Departments
The audit team expected to find governance mechanisms, or forums, in place between GAC and Shared Services Canada (SSC) with the objective of sharing expectations, requirements, priorities and challenges regarding IM/IT services provided by SSC. In addition, the audit team expected to find that formal communication forums exist between GAC and Partner Departments who rely on IM/IT services provided by GAC and SSC in the network of missions abroad. The objective of these forums would be to discuss requirements, plans, and challenges regarding the use of shared IT infrastructure, network, hardware, and software in missions abroad.
The audit team found that mechanisms have been established for GAC and SSC to communicate service expectations and requirements, and that they are operating as designed. Multiple formal governance forums have been established at various levels, from the manager level to an annual meeting between Deputy Heads. These SSC-established and -managed forums include:
- Annual meeting with deputy heads to hold briefings and discussions on SSC operational status, Government of Canada priorities, and GAC/SSC initiatives, projects, and challenges.
- Quarterly ADM meetings co-chaired by the GAC CFO and SSC ADM with a mandate to provide strategic direction for IM/IT services to the international platform, and to highlight significant challenges and issues.
- Monthly DG-level partnership meeting, co-chaired by GAC DG of SID, are held to discuss priority project updates, updates on service delivery, and planned and ongoing initiatives (including Infrastructure purchases). Action items are actively logged and tracked.
- Weekly meetings held with SSC and GAC managers to discuss operational issues.
Based on interviews, and a review of committee agendas and minutes, these forums are meeting as planned, and are attended by key SSC and GAC representatives, with agenda items raised by both parties. These mechanisms provide GAC with an opportunity to communicate departmental expectations and requirements for Shared Services Canada service delivery, and receive information from SSC on the status of these services and support. In addition to the above SSC managed forums, SSC representatives regularly attend key GAC IM/IT and security governance committees, including the IM/IT Strategic Committee and the DG Security Committee.
With regards to communication with partner departments, the audit team found that there are no formally established IM/IT dedicated forums where GAC can discuss plans and needs with partner departments. In addition, the audit team was informed that a key partner department had recently implemented a case management application that used a large proportion of shared bandwidth, which had significantly slowed down network speeds in some missions, resulting in a negative impact on GAC operations. Without a dedicated mechanism for this partner department to share IM/IT plans, such as the configuration of a new application, GAC did not have the opportunity to identify and discuss the potential impacts on the shared infrastructure. Without an effective communication mechanism, such as the quarterly ADM meetings between GAC and SSC, there is a risk that issues such as this will continue to occur and negatively impact the operations of the users on the shared international network.
Recommendation 3:
The ADM of Corporate Planning, Finance and IT should meet regularly with relevant ADMs from key partner departments in the international network, along with SSC, to discuss IM/IT initiatives and challenges at missions abroad.
2.4 Monitoring
The audit team expected to find that IM/IT oversight bodies receive sufficient information to monitor the progress of project implementation, the performance of IM/IT services and support, as well as sufficient information to monitor IM/IT human resource capacity, including competency and training needs.
Monitoring of projects is conducted by ISC through a monthly dashboard that reports on the status of active IM/IT projects, including a number of key project health and performance indicators (budget, scope, and schedule). However, the project dashboard is only scheduled for quarterly discussion at meetings and is only allocated ten minutes on the agenda. ISC participants indicated that there is not always enough time for questions or more detailed discussion.
The audit team found that oversight bodies are provided with limited information to monitor performance of IM/IT services. The information provided is limited to ongoing projects and help desk support services. The ISC receives the results from the annual client satisfaction survey on the performance of IM/IT Help Desk support, providing client satisfaction metrics, both domestic and internationally. Beyond this item, there is no other regular information regarding the performance of IM/IT services being provided to oversight bodies.
Management informed the audit team that SID’s transformation program will develop a new set of IM/IT performance metrics that will be aligned to the evolving service delivery model. Once implemented, SID expects that data against these indicators will be collected and regularly reported through the governance framework.
Regarding HR requirements, information circulated to oversight bodies is limited to the annual review of the IT Plan, which outlines at a high level HR planning for the IT function, and includes details regarding required resource levels, competencies and capacity alignment to priorities, and recruitment initiatives. In addition, the audit team found that two committees internal to the SID bureau, BMC and OPS, tabled human resources requirements and activities, although this was not a standing item.
One of the deliverables for the IM/IT transformation program is the development of a talent management strategy, which will align skill sets, training, and recruitment to an evolving client-centric service model. This work will be essential to address capacity needs as IM/IT services evolve at a time when, as management has indicated, the Government of Canada faces recruitment and retention challenges for specialized IM/IT resources due to competition from the private sector. In order to ensure that oversight bodies receive adequate information that human resource capacity is sufficient for objectives to be met, they should receive regular updates on progress against the needs set out in this talent management strategy, once it is developed and implemented.
The audit team found that oversight bodies do not regularly receive information regarding IM/IT service performance, such as reporting against service standards or benchmarks, or information regarding Human Resource requirements, such as reporting on specific capacity gaps. Without regular service delivery performance information, and human resource capacity information, oversight bodies will be unable to effectively monitor progress against IM/IT objectives and priorities for service delivery.
Recommendation 4:
The ADM of Corporate Planning, Finance and IT should ensure regular reporting on service performance and human resource capacity information to the highest level IM/IT-specific governance body.
3. Conclusion
The audit found that governance structures, mechanisms, accountability and resources are in place to oversee IM/IT throughout the Department. However, weaknesses were identified in the following areas: design of the governance framework and functioning of oversight bodies; IM/IT project oversight; communication with partner departments regarding IM/IT requirements; and monitoring of service performance and human resources capacity information.
Appendix A: About the Audit
Objective
The objective of this audit was to provide assurance that governance structures, mechanisms, accountability and resources are in place to ensure effective management of IM/IT throughout the Department, and that governance structures ensure accountability for IM/IT.
Scope
The scope of the audit included IM/IT governance activities conducted during fiscal years 2016-17 and 2017-18, affecting the management of IM/IT at headquarters and missions. The audit examined:
- IM/IT governance framework and oversight bodies;
- Development of IM/IT strategies and plans, and risk management;
- Decision making processes and procedures;
- Oversight of IM/IT projects and investments;
- Development of IM/IT human capacity and capabilities; and,
- Monitoring and reporting related to IM/IT.
Criteria
The following criteria were developed based on a detailed risk assessment:
- An IM/IT governance framework and oversight bodies are established for setting IM/IT strategic direction and objectives.
- IM/IT governance decision-making processes and procedures are established.
- IM/IT risks and dependencies are assessed and adequate mitigation strategies and processes are in place.
- IM/IT activities are actively monitored by IM/IT oversight bodies.
Approach and Methodology
The audit was conducted in conformity with Treasury Board Policy and Directive on Internal Audit and the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that the audit objective is achieved.
In order to conclude on the above criteria, the following methods were used to gather evidence:
- Identify and review relevant regulations, policies, directives and guidelines on IM/IT governance;
- Review and analyze financial and non-financial information related to IM/IT projects;
- Review of relevant documentation related to IM/IT oversight bodies;
- Perform walkthroughs of IM/IT governance processes and systems, and identify and assess efficiency and effectiveness of organizational structures and their decisions;
- Conduct interviews with departmental officials;
- Conduct other audit tests as deemed necessary.
Appendix B: IM/IT Governance Framework
Figure 1: Documented IM/IT Governance Structure – High level
Text version
This image depicts Global Affairs Canada IM/IT Governance Framework at a high level. The top level below the Minister is the Deputy Minister level. The Level one committee supporting this is the Executive Board. Level two committees include the Resource Management Committee, the Corporate Management Committee, and The Assistant Deputy Minister Steering Committee on Security. These level two committees report to the Executive Board. The Level three committees include: the IM/IT Strategy Committee, which reports to the Resource Management Committee, the Information and Data Governance Council, which reports to the Corporate Management Committee, and the Director General Security Committee, which reports to the Assistant Deputy Minister Steering Committee on Security. Additionally, there is a level two committee called the Global Affairs Canada/Shared Services Canada Joint Governance Committee, with a level three committee reporting to it called the Shared Services Canada-Global Affairs Canada Partnership Committee.
The GAC documented governance structure includes the “DG IM/IT Security Committee”. Based on the audit team’s understanding, this committee has been folded into the “DG Security Committee” as of July 2017 – the available departmental governance structure was not yet updated to reflect this change.
Figure 2: Documented IM/IT Governance Structure – Entire Structure
Text version
This image depicts the entire structure of the department’s IM/IT Governance Framework. The highest level includes the four deputy ministers, and directly below that is the Executive Board. The Executive Board is a corporate governance body, and four other corporate governance bodies fall under its jurisdiction. They are the Resource Management Committee, the Corporate Management Committee, the Shared Services Canada/Global Affairs Canada Assistant Deputy Minister Governance Committee, and the Assistant Deputy Minister Steering Committee on Security. The Resource Management Committee has one IM/IT Bureau Governance Body that falls under its responsibility – the IM/IT Strategy Committee. The IM/IT Strategy Committee also reports to the Corporate Management Committee. Below the IM/IT Strategy Committee is the IM/IT Bureau Management Committee, along with the Architecture Review Board, which is a subset of the IM/IT Bureau Management Committee. Three IM/IT Bureau Governance Bodies report to the IM/IT Bureau Management Committee: the IM/IT Operations Committee, the IM/IT Enterprise Architecture Review, and the IM/IT Project Oversight Committee. Reporting to the IM/IT Operations Committee is the Change Advisory Board. Also reporting to the Corporate Management Committee is the Information and Data Governance Council. Both the IM/IT Strategy Committee and the Information and Data Governance Council are made up of departmental members. Under the Information and Data Governance Council are the Data Management Advisory Group and the Knowledge Management Advisory Group. Reporting to the Data Management Advisory Group is the Open Government Directive Initiative Working Group, which is not fully established yet. Reporting to the Knowledge Management Advisory Group is the Information Management Council, also not yet fully established. The Shared Services Canada-DFATD Partnership meeting is another IM/IT Bureau governance body.
Relating back to the corporate governance bodies, as mentioned above, the next one on the chart is the Shared Services Canada/Global Affairs Canada Assistant Deputy Minister Governance Committee. Following that is the Assistant Deputy Minister Steering Committee on Security. Reporting to that is the Director General IM/IT Security Committee, and participants include the IM/IT Bureau, Security and Emergency Management Bureau, and Shared Services Bureau. Falling under the jurisdiction of the IM/IT Bureau and Security and Emergency Management Bureau is the DFATD Accreditation Authority Committee, which is an IM/IT Bureau Governance Body. On the final tier is the Shared Services Canada-DFATD IM/IT Security Senior Advisors Forum, which reports to both the DFATD Accreditation Authority Committee and to Shared Services Canada.
Source: IM/IT Governance Portal on the GAC Wiki (Wiki@international)
Appendix C: IM/IT Oversight Bodies
Level 1 Committees
Executive Board (EXBO) – Chaired by the Deputy Minister of Foreign Affairs, the Executive Board is the senior decision-making body for the Department. It provides overall governance, strategic direction and decision-making in support of the Deputy Ministers in the achievement of GAC’s strategic outcomes. It is also a key forum for senior executive engagement. Level 2 Committee Chairs will bring forward IM/IT related items for strategic direction and/or decision as required. Footnote 11
Level 2 Committees
Resource Management Committee (RMC) – Chaired by the ADM of Strategic Policy (PFM), the purpose of this committee is to provide leadership, strategic guidance, advice and oversight on the alignment of financial, non-financial and human resources with departmental priorities. The committee is to oversee the alignment of investment planning against departmental priorities including IM/IT resources.Footnote 12
Corporate Management Committee (CMC) – Chaired by the ADM of Human Resources (HCM), the purpose of this committee is to provide leadership, strategic guidance, advice and oversight for the corporate management of the Department, including with respect to IM/IT, and the management and sustainability of the Department’s network of missions (abroad and within Canada). The Committee works to promote coherence and integration across departmental management practices. CMC is to review IM/IT initiatives from a corporate management perspective.Footnote 13
ADM Steering Committee on Security – Chaired by the ADM of International Security and Political Affairs (IFM), the purpose of this committee is to provide strategic and integrated guidance, advice and oversight to enable the Department to coherently fulfill its security, health and safety obligations towards Government of Canada personnel, and to safeguard Government of Canada information and assets in the delivery of the Department’s mandate, both abroad and in Canada.Footnote 14
Level 3 Committees
IM/IT Strategy Committee (ISC) – Co-chaired by the CIO and DG of Trade Commissioner Service - Operations (BTD), this committee has a strategic role in approving IM/IT‑related strategic plans and policy instruments, and a steering role in prioritizing and approving new, significant IM/IT investments and those that require RMC funding. ISC is to report to RMC on IM/IT investments, and as required to CMC.Footnote 15
Information and Data Governance Council (IDGC) – Co-chaired by the CIO and DG of Human Rights, Freedoms and Inclusion (IOD), the purpose of this Council is to provide strategic oversight and direction of department-wide data management, knowledge management and information management. It is to provide advice on these issues to CMC and RMC. This committee has been inactive since June 2017.
DG Security Committee – Co-chaired by the Departmental Security Officer (CSD) and the DG of Planning and Stewardship (ARD), the purpose of this committee is to ensure an integrated and coordinated approach to the implementation of risk-based mitigation measures addressing personnel, operational, physical and IM/IT security. The Committee is to make recommendations on operational matters, including in the implementation of the Departmental Security Plan.Footnote 16 (The former DG IM/IT Security Committee was amalgamated with this committee in March 2017.)
Committees Below Level 3 (partial list)
IM/IT Bureau Management Committee (BMC) – Chaired by the CIO, the purpose of this committee is to make decisions concerning IM/IT strategic planning, policy direction, enterprise priorities, resource allocation and administration.Footnote 17
IM/IT Operations Committee (OPS) – Chaired by the Deputy CIO and Executive Director of SIE, the purpose of this committee is to ensure consistent, effective, and efficient service delivery by reviewing, discussing, recommending, resolving and approving or rejecting non-standard GAC IM/IT day-to-day operations requests in the delivery of support and services.Footnote 18
Enterprise Architecture Review Board (EARB) – Co-chaired by the DG of SID and the Executive Director of SIA, the purpose of this committee is to bring together the broader EA community, within the IM/IT Bureau, to provide strategic direction, set technology standards and support IM/IT delivery by reviewing and endorsing solution architectures needed to enable business outcomes and drive innovation.Footnote 19
Project Oversight Committee (POC) – Chaired by the CIO, the purpose of the committee is to review and endorse or defer departmental IM/IT initiative requests for projects during the initiative planning phase. It also ensures the successful delivery of IM/IT-enabled projects through approvals, guidance, resolutions and review of project health through the lifecycle of each project, including maximizing the benefits from the projects. It is also its mandate to promote and support project management philosophy, methodology, standards and success.Footnote 20
Data Management Advisory Group (DMAG) – Co-chaired by the Executive Director of SIIB and the Deputy Director of SWE, the purpose of this group is to identify issues, opportunities and linkages relating to common data of interest, as well as repositories and sources for data, to perform research and analysis and to validate information required to support operations, planning, performance management and fact-based decision making. It also serves to provide recommendations for resolutions to ensure value and that data changes do not negatively impact business operations, and to form working groups of Subject Matter Experts to provide guidance and recommendations to manage changes relating to strategic, tactical, and operational planning. The group also seeks to promote awareness of change impacts, to ensure data is aligned with the enterprise-wide IM Strategy, and to learn and apply the Government of Canada policy framework and industry best practices and innovations relating to information and data management.Footnote 21 This committee has been inactive since June 2017.
Knowledge and Information Management Advisory Group (KIMAG) – Co-chaired by the Director of PVA and the Executive Director of SII, the purpose of this group is to provide advice on activities related to IM/KM at GAC including, but not limited to: policy, processes, tools, products, planning and reporting, services, and communications.Footnote 22 This committee has been inactive since June 2017.
Departmental Authorization Authority Committee (DAAC) – Chaired on a rotating basis by DAAC members within SID, the purpose of this committee is to balance business needs and risks posed by operating IT systems, including those developed and owned by GAC, provided by SSC or other government departments, and provided by third-parties.Footnote 23
Interdepartmental Committees
In addition to GAC’s internal structure, IM/IT governance seeks the input of interdepartmental committees.
GAC/SSC Joint Governance Committee – The purpose of this interdepartmental ADM-level committee is to highlight international IT infrastructure requirements and challenges, and explore opportunities to strengthen international IM/IT services to ensure sustainability and leverage the benefits of new technologies.Footnote 24
SSC-GAC Partnership Committee – The purpose of this interdepartmental committee is to enable the CIO and IM/IT executive team at GAC to share and discuss areas of mutual interest and concern with the SSC Account Executive and Executive Service Delivery Manager.Footnote 25
Appendix D: Management Action Plan
| Audit Recommendation | Management Action Plan | Responsible Area | Expected Completion Date |
| --- | --- | --- | --- |
| Recommendation 1 | | SCM | July 2019 |
| | | SCM - SID | July 2019 |
| | | SID | December 2018 |
| | | SID | April 2019 |
| Recommendation 2 | | SCM | September 2019 |
| | | SCM | November 2019 |
| | | SID | December 2019 |
| Recommendation 3 | | SCM - SID | November 2018 |
| | | SCM | December 2018 |
| Recommendation 4 | | SCM - SID | September 2019 |
| | | SCM | October 2019 |
Appendix E: Acronyms
| Acronym | Definition |
| --- | --- |
| ADM | Assistant Deputy Minister |
| CFO | Chief Financial Officer |
| CIO | Chief Information Officer |
| CRP | Corporate Risk Profile |
| EICS II | Export-Import Control System II |
| GAC | Global Affairs Canada |
| HR | Human Resources |
| ICBP | Integrated Corporate Business Plan |
| IM/IT | Information Management / Information Technology |
| IM | Information Management |
| IT | Information Technology |
| PMLC | IM/IT Bureau Project Management Life Cycle Standard |
| SCM | Corporate Planning, Finance and Information Technology Branch |
| SID | Information Management and Technology Bureau |
| SSC | Shared Services Canada |
| TB | Treasury Board |
| TBS | Treasury Board Secretariat |