Audit of Information Management – Readiness to Implement the Policy on Service and Digital

June 2020

Acronyms and symbols
Executive summary
1. Background
2. Observations and recommendations
3. Conclusion
Appendix A: Management response and action plan
Appendix B: About the audit

Acronyms and symbols

ADM: Assistant Deputy Minister
CIO: Chief Information Officer
ELFS: Enterprise Level Folder Structures
GC: Government of Canada
IM: Information Management
IMA: Information Management Advisor
IM/IT: Information Management and Information Technology
IT: Information Technology
ITP: IT Professional

Executive summary

In accordance with Global Affairs Canada’s approved 2019-2020 Risk Based Audit Plan, the Office of the Chief Audit Executive conducted an audit of Information Management (IM).

Why it is important

To support the ongoing transition to digital government, the Treasury Board has revised its policies on information management, information technology and service. Effective April 1, 2020, existing policies were replaced by the new Policy on Service and Digital, which represents an integrated set of requirements for Government of Canada organizations to manage service delivery, information and data, information technology (IT), and cyber security in the digital era. This expanded and integrated policy focus will have significant implications in relation to current Global Affairs Canada information management, including governance, planning and delivery processes.

What we examined

The objective of the audit was to assess Global Affairs Canada’s state of readiness to implement the Policy on Service and Digital with respect to information management. The audit focused on governance structures; strategic and operational planning processes; enterprise information architecture; capacity and capability management; and performance measurement. Interviews were conducted and documentation was reviewed up to and including November 2019.

What we found

The audit concluded that the Department has made progress in preparing to implement the Policy on Service and Digital with respect to information management. However, opportunities exist to identify and formalize the Department’s approach to address the full requirements of the Policy in a more coordinated and integrated manner, including departmental governance and planning process considerations. Furthermore, opportunities for improvement exist to clarify the roles of the Department’s IM, data management and IT support networks, to mature enterprise and information architecture, and to refine IM performance measurement tools to address the broader and strategic IM considerations of the Policy on Service and Digital.

Recommendations

The Department should:
1. Develop a formal plan to address the requirements articulated in the Policy on Service and Digital, including designation of an official responsible for leading the service management function.
2. Review the recent changes to departmental governance committees to ensure alignment with the requirements of the Policy on Service and Digital.
In coordination with recommendation 1, the CIO should develop a supporting departmental Information Management Plan to ensure appropriate and coordinated focus on the scope of change to be undertaken in relation to IM policy, governance, strategy, people, processes, and systems.
The CIO should fully articulate a plan for addressing the enterprise and information architecture strategic actions identified in the departmental IT Plan and ensure that planned architectures align with associated requirements of the Policy on Service and Digital.
The CIO should, in consultation with impacted departmental stakeholders:
1. Review the discrete IM, data management and IT support networks to ensure clarity in roles and responsibilities, satisfaction of client service needs, and operational efficiency.
2. Update current IM support processes and IM planning/assessment tools to ensure that these processes and tools reflect and respond to the new and broader focus of the Policy on Service and Digital.
The CIO should refine the current information management performance measurement reporting approach and tools to address the broader and strategic information management considerations of the Policy on Service and Digital.

Statement of conformance

The audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Treasury Board Policy and Directive on Internal Audit, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.

1. Background

In accordance with Global Affairs Canada’s approved 2019-2020 Risk-Based Audit Plan, the Office of the Chief Audit Executive conducted an audit of Information Management (IM). The audit was initially identified to provide assurance that there is an effective management control framework for information management.

In August 2019, the Treasury Board issued a new Policy on Service and Digital (the new Policy) to take effect on April 1, 2020. This policy supports the ongoing transition to digital government and replaces the existing Treasury Board Policy Framework for Information and Technology, Policy on Information Management and other policies related to information technology (IT) and service. The new Policy represents a significant evolution of the strategic direction of the Government of Canada (GC), and provides a set of requirements for integrated management of departmental services, information, data, information technology and related cyber security considerations. This expanded and integrated policy focus will have significant implications for government departments’ current IM, including governance, planning and service delivery processes. As a result of the introduction of the Policy on Service and Digital, the audit objective was amended during the audit’s planning phase to focus on the Department’s readiness to implement this policy with respect to IM.

Information management represents a discipline that directs and supports effective and efficient management of information and data in an organization, from planning and systems development to disposal or long-term preservation. The availability of high-quality, authoritative information to decision makers supports the delivery of programs and services, thus enabling departments to be more responsive and accountable to Canadians. As recognition of this importance, the new Policy requires departments to ensure “that information and data are managed as a strategic asset to support government operations, service delivery, analysis and decision-making.”

Departmental Context

Effective IM represents a challenge for Global Affairs Canada (the Department) in a current operational environment characterized by:

Multiple mandates (i.e. foreign affairs, trade and development) serving distinct client bases, and organizational complexity resulting from the amalgamation of the former Department of Foreign Affairs and International Trade and the former Canadian International Development Agency in 2013. This has required integration of corporate processes and systems, including those related to IM;
A global workforce of more than 11,000 Canada-based and locally-engaged employees across an international network, including headquarters, 178 missions and 6 regional offices;
An operational requirement to provide IM support (e.g. access to IM tools) to other government departments’ employees located in missions;
A vast array of structured and unstructured information, maintained in various forms (e.g. paper records, localized databases, various collaboration forums [e.g. Wiki]), and various corporate information systems and tools; and
Dependencies on key partners (e.g. Public Services and Procurement Canada, and Shared Services Canada) for providing essential services such as software (e.g. GCDOCS) and network connectivity that underpin the Department’s IM processes.

These complexities and associated management challenges are increasing at a rapid pace as the GC and the Department continue to advance digital service and open government agendas, and a comprehensive data strategy while continuing adoption of emerging IM technologies such as cloud services and enhanced collaboration tools. These changes will have fundamental impacts on how the Department manages its information and data.

Key Departmental Stakeholders

While all employees are responsible for applying effective information management, a key departmental stakeholder is the Assistant Deputy Minister (ADM) of Corporate Planning, Finance and Information Technology, who is the Chief Information Officer (CIO). Supporting the CIO is the Director General of Information Management and Technology (IM/IT), whose bureau includes teams focused on IM (such as the IM Support and Services unit), data and analytics, cyber security, and architecture.

Other collaborating departmental stakeholders to be considered within the emerging IM landscape include the designated official responsible for leading the departmental service management function as referenced in the new Policy; the Chief Data Officer, a key driver in the implementation of the Department’s Data Strategy; and the Chief Security Officer, who has a role in maintaining cyber security.

It is within this context that the audit of Information Management was undertaken.

2. Observations and recommendations

This section presents key audit findings and observations organized into four themes, as follows:

The IM implications for the Department related to the adoption of the Policy on Service and Digital. This theme specifically focuses on departmental governance implications, including roles and responsibilities, and departmental planning implications;
The departmental approach to establishing enterprise information architecture as a foundational element to implementing the new Policy;
The departmental approach to ensuring that organizational IM capacity and capability needs are appropriately defined and managed to support implementation of the new Policy;
The Department’s performance measurement processes and practices to ensure consistency and quality in IM across the Department.

These themes are drawn from the audit criteria described in Appendix B.

2.1 IM implications related to the adoption of the new policy

Effective April 1, 2020, the new Policy represents a set of requirements for integrated management of departmental services, information, data, information technology and related cyber security considerations. Key elements in the new Policy direction include:

Client-centric focus in the design and delivery of digital government services;
Management of information/data as a strategic asset;
Integration of privacy and cyber-security; and an
Integrated approach to governance, planning and reporting.

This policy focus will have significant implications on current Global Affairs Canada governance, and its planning, service delivery and reporting processes. In preparation for the April 2020 implementation of the policy, the Department began a policy suite reset initiative, led by the Information Management and Technology bureau. In the early stages of the initiative, a mapping exercise is underway that has identified more than ten internal IM and IT policy instruments and more than one hundred supporting internal guidance documents (e.g. directives, process descriptions) that require review and possibly revision to align with the new Policy.

Governance Implications of the New Policy

The new Policy includes a requirement that the Department establish governance to ensure the integrated management of service, information, data, IT, and cyber security within the Department. A new corporate governance committee structure (i.e. Deputy Minister and ADM-level committees) was recently implemented within the Department to strengthen current governance, management and decision-making processes. The new structure established committees responsible for particular areas mentioned in the new Policy, such as the ADM-level Corporate Management Committee responsible for IM/IT policy and planning, and the ADM-level Security Committee responsible for IM/IT security. However, the new Policy requirement for establishment of governance focused on integrated management of service, information, data, IT, and cyber security has not been specifically addressed by the new departmental governance structure. This is likely due to a misalignment in timing between the conduct of the corporate governance committee structure review and the August 2019 issuance of the new Policy.

Beyond the corporate governance considerations of the Policy, the Directive on Service and Digital requires that the CIO chair a departmental architecture review board that is mandated to review and approve the architecture of all departmental initiatives to ensure their alignment with enterprise architectures. In this respect, the Department has an existing Enterprise Architecture Review Board, the focus of which is to provide strategic direction, set technology standards and support IM/IT delivery by reviewing and endorsing solution architectures needed to enable business outcomes and drive innovation. The focus of this group tends to be in relation to specific IT projects versus the establishment of broader departmental architecture considerations. Also, while the board brings together representatives from the Department’s enterprise architecture community (e.g. Digital Transformation Division, IT Client Relations and Planning, Business Intelligence and Analytics Program) and includes the Director General of IM/IT as a voting member, it is co-chaired by two Directors, and not the departmental CIO as described under the new directive.

Roles and Responsibilities Implications of the New Policy

The new Policy establishes requirements for departments’ deputy heads to designate senior management representatives to have functional responsibility for various elements included in the scope of the policy. Specifically, the policy requires designation of the following:

a) A departmental CIO responsible for leading the departmental IT, information and data management functions. The CIO is to have direct access to the deputy head.

The Department’s senior official and designated CIO is the ADM of Corporate Planning, Finance and Information Technology.

With regard to information and data management functions performed by the IM/IT bureau, the CIO announced a restructuring, which took effect in October 2019, to bring an improved and more integrated focus on the way in which the IM/IT bureau delivers data, information and knowledge management solutions, and also manages enterprise services. A new Enterprise, Information and Analytics Services Division integrates the IM/IT bureau’s teams focused on IM, open government and data management.

In relation to broader data management roles and responsibilities, in early 2019, the Department launched a comprehensive five-year Data Strategy to enable its employees to collect, access, analyze, and use high quality data to inform decision-making and better communicate results to Canadians. Implementation of the strategy involves the implementation of change across five “action pillars” including: Culture, Access and Analytics, People, Performance and Results, and Management and Governance. While the Data Strategy is being led by the Department’s Chief Data Officer (ADM, Strategic Policy), two of the pillars, the Access and Analytics pillar and the Management and Governance pillar, are being led by representatives of the IM/IT bureau. The responsibility for these two pillars is consistent with the CIO’s and, as such, the IM/IT bureau’s responsibilities for IM/IT enablement and data management.

b) An official responsible for leading the departmental cyber security management function.

The Department has not designated an official to lead this function. Rather, there are primarily two bureaus, the IM/IT bureau and the Security and Emergency Management bureau, within the purview of the CIO and Chief Security Officer respectively that fulfill IM/IT security functions within the Department. While an agreement on respective roles and responsibilities of these two bureaus was approved in 2017, this agreement requires update in order to address the requirement of the new Policy.

c) An official responsible for leading the departmental service management function. This official is to have direct access to the deputy head.

Designation of such an official remains a significant and unresolved question for the Department. Establishment of this role and its relationship with other departmental functions, including the IM function, will be key in driving the Department forward in meeting the objectives of the new Policy, such as client-centric service design and delivery.

In September 2019, the Department completed an initial service inventory, as required by Treasury Board and the new Policy. In the absence of a designated official responsible for service management, this exercise was led by IM/IT bureau representatives, involving input from departmental representatives. The resulting service inventory was acknowledged by interviewees as being a first attempt that does not represent the full scope and extent of services delivered across departmental business lines to their various client groups. Accordingly, this service inventory does not yet provide the foundation for establishment of departmental information, data or information technology priorities.

Planning Implications of the New Policy

The new Policy requires the Department to develop an annual forward-looking three-year departmental plan for the integrated management of service, information, data, IT and cyber security, which aligns with the CIO of Canada’s enterprise-wide integrated plan, is informed by subject-specific plans or strategies as appropriate, and includes a progress report on how it was implemented in the previous year.

Under existing Treasury Board policies, some of which were replaced by the new Policy, certain subject-specific plans or strategies were already required. The development of an integrated plan represents a new requirement. At present, the Department maintains a number of distinct planning processes for IT, IM and data. The resulting planning deliverables include IT, IM and data-related strategies and/or plans, such as the:

IT Plan 2019-2022 – articulates strategic priorities and supporting key initiatives that demonstrate alignment with the digital focus of the new Policy and overall Government of Canada Strategic Plan for IM/IT 2017-2021;
Data Strategy 2019-2024 – articulates departmental strategies in five action pillars (Culture, Access and Analytics, People, Performance and Results, and Management and Governance), with a vision of positioning the Department as one of the “best in class” in strategically harnessing data to serve citizens and in making a difference in the world.
Open Government Implementation Plan 2015-2019 – describes the planned departmental activities and deliverables based on the Directive on Open Government.

In addition, the IM/IT bureau recently drafted an IM Plan 2019-2022 that represents a high-level overview of departmental IM priorities, including:

Manage and Protect Information;
Discover and Share Insights;
Turn Data and Information into Knowledge;
Modernize Service Delivery; and
PIVOT into Organizational Excellence.

Each of these priorities is supported by a description of key activities and expected milestones to be achieved over the three-year term. However, the sequencing of the various elements and required departmental resource investments have not yet been developed or endorsed within the IM/IT bureau or broader departmental governance.

Collectively, these departmental IT, IM and data-related plans provide a foundation for the Department to guide various activities and initiatives; however, they do not satisfy the new Policy requirement for the Department to have an annual forward-looking three-year departmental plan for the integrated management of service, information, data, IT and cyber security. While the Department should be able to leverage elements of its existing plans and planning processes, senior management attention will be required to establish a process for, and develop an integrated departmental plan that addresses the policy requirements.

Overall, the Department has begun to determine the IM implications related to the adoption of the new Policy. However, additional management focus is required to ensure that required changes in departmental governance and planning processes are appropriately identified, assessed and implemented.

Recommendation 1: The Department should:

Develop a formal plan to address the requirements articulated in the Policy on Service and Digital, including designation of an official responsible for leading the service management function.
Review the recent changes to departmental governance committees to ensure alignment with the requirements of the Policy on Service and Digital.

Recommendation 2: In coordination with recommendation 1, the CIO should develop a supporting departmental Information Management Plan to ensure appropriate and coordinated focus on the scope of change to be undertaken in relation to IM policy, governance, strategy, people, processes, and systems.

2.2 Departmental information architecture

Information architecture refers to how an organization defines its information assets, as well as the assets’ sources, structure, classification and associations. Information architecture is fundamental to enabling an organization to understand and utilize information across the organization to achieve desired outcomes.

As part of the Directive on Service and Digital, Treasury Board issued a supporting appendix of Mandatory Procedures for Enterprise Architecture Assessment. With respect to information architecture, the guidance outlines mandatory assessment procedures for:

Data Collection – ensure data is collected in a manner that maximizes use and availability of data;
Data Management – demonstrate alignment with enterprise and departmental data governance and strategies;
Data Storage – ensure data is stored in a way to facilitate easy discoverability, accessibility, and interoperability; and
Data Sharing – data should be shared openly by default as per the Directive on Open Government.

In relation to the expectations of the guidance, the limitations of the Department’s existing legacy IM infrastructure must be recognized. Currently, the Department does not have a common or standard enterprise records management system. Due to complexities arising from government reorganization (i.e. merger of the former Canadian International Development Agency and former Department of Foreign Affairs and International Trade, each of which used different enterprise records management systems), and complexities associated with maintaining an international network of missions, the departmental enterprise IM infrastructure is currently comprised of a variety of platforms. These include:

Multiple, structured electronic records management platforms (i.e. InfoBank, EDRMS, and GCDOCS pilots) that have limited integration with one another thereby impacting information sharing and interoperability for employees;
GAC network-distributed shared drives, which are relied upon heavily but which provide limited functionality to support information life cycle management; and
Cloud services, including reliance on “non-approved” cloud services (e.g. Dropbox) that, based on anecdotal information, are considered more responsive to the needs of departmental employees. Use of cloud services that have not been reviewed and approved for use represent obvious privacy and security risks for the Department.

Working within the current infrastructure limitations, the IM/IT bureau has developed and implemented Enterprise-Level Folder Structures (ELFS) across the various departmental IM platforms. ELFS represent a common information categorization scheme that is used in part to establish, communicate and support adherence to information life cycle requirements, such as the retention requirements for various types of information. While the ELFS demonstrate that the Department has had some focus on establishing a common information architecture for its legacy IM platforms, it is recognized that these platforms have not collectively been designed with appropriate attention towards the data collection, management, storage and sharing expectations of the current Treasury Board Directive on Service and Digital.

Recognizing these limitations, the IM/IT bureau has identified information architecture as a foundational element of focus and 2019-2020 priority within its Digital Experience Program implementation of the Microsoft 365 suite of products. This multi-year change program, which is at an early stage of development, is focused on enabling a modern digital workplace characterized by:

Improved and streamlined collaboration tools;
Anytime, anywhere access to information and data, including access via mobile devices; and
Integration with a GC standard enterprise records management system (i.e. GCDOCS).

As well, the IM/IT bureau has begun to focus on broad enterprise and information architecture considerations including identifying the development of enterprise architectures for business, information, applications and technology as a strategic action in the IT Plan 2019-2021. This action has not yet been articulated in a detailed manner but is planned to include development of reference architectures for new technology offerings (e.g. cloud services, modern networks), update of existing enterprise architectures, and development of transitional architectures to guide the migration away from legacy investments to a well-understood and functioning enterprise model.

Recommendation 3: The CIO should fully articulate a plan for addressing the enterprise and information architecture strategic actions identified in the departmental IT Plan and ensure that planned architectures align with associated requirements of the Policy on Service and Digital.

2.3 IM support for implementation of the new policy

The Policy on Service and Digital establishes departmental responsibilities and various requirements to support open and strategic management of information and data. These requirements include ensuring that information and data are managed to enable data interoperability, reuse and sharing to the greatest extent possible within and with other departments across the government to avoid duplication and maximize utility, while respecting security and privacy requirements.

The Department’s current capacity to support this objective is limited by challenges in its existing IM infrastructure (as already outlined above) as well as its IM support capacity, which is fundamentally important to implementing the new Policy.

Current IM Support Model

Operating within the limitations of the current IM infrastructure, the Department maintains an IM support model that is comprised of the following key elements:

An IM support network, including:
- A centralized IM Support and Services unit, consisting of IM Portfolio Leads and IM Support Officers, that supports the adoption of IM processes, tools and systems throughout the Department;
- A decentralized network of Information Management Advisors (IMAs) who are embedded in departmental organizations (i.e. missions, regional offices, and divisions and branches at headquarters) and who hold the role of IMA in addition to their normal job responsibilities;
Establishment of executive IM responsibilities that are articulated in a guide and to be included in executive performance management agreements;
Establishment of IM oversight processes for departmental organizations, which include the completion of bi-annual IM self-assessments and development of annual IM Improvement Plans;
Establishment of IM committees, one for each executive’s organization (whether at headquarters, or in a regional office or mission);
Mandatory on-line training on the Fundamentals of IM to be completed by all departmental employees; and
IM support guidance (e.g. guidance on how to categorize information) that has been developed and made available to all employees on the Department’s Modus intranet platform.

In relation to this IM support model, the Department has established basic processes to ensure that organizational IM capacity and capability needs are appropriately defined and managed; however, an opportunity exists to improve the consistency of IM practices across the Department. Specifically, there is inconsistency in the adoption of common IM oversight practices within branches/missions, including the nomination of local IMAs, establishment and operation of local IM committees, and the thorough completion of periodic IM self-assessments and IM improvement plans. Consistent adoption of common IM oversight practices is dependent on the degree to which each executive considers IM a priority.

An opportunity also exists to better support open and strategic management of information and data. That is, the role of the IM Portfolio Lead is focused on monitoring compliance with basic IM oversight process requirements and supporting departmental organizations’ ad hoc training requests. The role is less focused on actively supporting departmental organizations in identifying and responding to their strategic IM needs, challenges and opportunities.

Looking toward the future, the Department has initiated a Digital Experience Program which is expected to enable a modern digital workplace (e.g. improved collaboration tools; anytime, anywhere access to information and data including access via mobile devices). This multi-year program will have significant change implications for the IM support model including the required competencies of IM support resources. As this initiative is at an early stage, the Department has not yet fully assessed and addressed the changes that will be required in IM support to respond to a digital workplace.

Data Management Support Network

In January 2019, the Department initiated a comprehensive five-year Data Strategy to enable departmental employees to collect, access, analyze and use high quality data to inform decision-making and better communicate results to Canadians. This Strategy includes five areas of focus (also referred to as action pillars) including Data Governance and Management. As part of this pillar, a Data Governance and Stewardship Framework was developed to clarify data roles and accountabilities, and is in the early stages of implementation.

A key element of the Framework is the establishment of Data Stewards (e.g. Director/Executive Director level staff who are embedded in program areas), essentially a distributed network of resources who are accountable for program data, overseeing the management of data collected, acquired and produced. Of the Data Stewards’ responsibilities, those related to security and privacy, access and sharing, and archiving and disposition are similar to and potentially overlap with the expectations of IM Portfolio Leads and decentralized IMAs. Interviews indicated that the alignment of these two models has not yet been established.

IT Support Network

In addition to the IM support network and the data management support network, the Department has established a decentralized network of IT Professionals (ITPs) that support mission IT needs. While the role description of ITPs includes reference to combined IM/IT responsibilities, this IM support role is typically limited to technical support for IM infrastructure and not broader IM process considerations. The alignment of the ITP network in relation to the network of IM Portfolio Leads and IMAs has not been clearly established.

Overall, the Department has established some management processes to ensure that organizational IM capacity and capability needs are appropriately defined and managed; however, opportunities exist to update current IM support processes and tools to better reflect the new and broader policy focus, and to improve the alignment between the currently discrete IM, data management and IT support networks that assist employees.

Recommendation 4: The CIO should, in consultation with impacted departmental stakeholders,

Review the discrete IM, data management and IT support networks to ensure clarity in roles and responsibilities, satisfaction of client service needs, and operational efficiency.
Update current IM support processes and IM planning/assessment tools to ensure that these processes and tools reflect and respond to the new and broader focus of the Policy on Service and Digital.

2.4 IM performance measurement processes and practices

A key element of the new Policyrelated to IM is the direction that information and data be managed as a strategic asset. In relation to this expectation, the Department has identified basic performance indicators that provide a basis for year-over-year comparison, in addition to implementing a suite of performance measurement tools and reporting capabilities to support assessment of IM practices.

Key elements of the current IM performance measurement approach include the implementation of an IM self-assessment template and standard IM Improvement Plan. They are expected to be completed on a semi-annual and annual basis, respectively, by each division at headquarters, regional office and mission. The complementary tools are designed to establish and improve the current state of each organizational unit’s IM governance, IM learning and IM practices and processes.

The results of the IM self-assessments are summarized and tracked by the IM Support and Services unit. Individual scorecards are communicated to organizational units on a quarterly basis. Comparative results were communicated, primarily for information purposes, to the IM/IT Strategy Committee.

Based on a review of comparative results of all divisions, regional offices and missions for 2018-2019, there is wide variance in the relative measured IM performance across the organizational units. Typical gaps included not having an IM committee, or not having completed at least two information clean-up activities.

While these measurement tools and reporting provide basic insight into the IM approaches across the Department, they do not provide broader insight into the type of performance considerations contemplated under the new Policy, such as:

User satisfaction with the methods, mechanisms and tools used to support information and data life cycle management; or
Assessment of the degree to which information and data are managed as a strategic asset to support service delivery, analysis and decision-making.

Overall, the Department has established performance measurement processes and practices to encourage consistency and quality in IM across the Department; however, opportunities exist to improve current IM performance measurement tools and reporting to incorporate a broader focus to, for example, enable assessment of the degree to which information and data are managed as a strategic asset within the Department.

Recommendation 5: The CIO should refine the current IM performance measurement tools and reporting approach to address the broader and strategic IM considerations of the Policy on Service and Digital.

3. Conclusion

The audit concluded that the Department has made progress in preparing to implement the Policy on Service and Digital with respect to information management. However, opportunities exist to identify and formalize the Department’s approach to address the full requirements of the new Policy in a more coordinated and integrated manner, including departmental governance and planning process considerations. Furthermore, opportunities for improvement exist to clarify the roles of the Department’s IM, data management and IT support networks, to mature enterprise and information architecture, and to refine IM performance measurement tools to address the broader and strategic IM considerations of the Policy on Service and Digital.

Appendix A: Management response and action plan

Recommendation	Management Response	Management Action Plan	Date	Accountability
1. The Department should: Develop a formal plan to address the requirements articulated in the Policy on Service and Digital, including designation of an official responsible for leading the service management function. Review the recent changes to departmental governance committees to ensure alignment with the requirements of the Policy on Service and Digital.	The Department agrees with the recommendation and will address the requirements of the Policy on Service and Digital by developing a formal plan, ensuring that key areas are addressed through the departmental governance structure, and designating a senior official responsible for the service management function.	1-A1. The Department will clarify roles and responsibilities of the various functions including designating a senior official responsible for leading the departmental service management function. Consult with other departments to identify governance options in implementing the Policy; Consult with implicated GAC officials – CIO, Chief Data Officer, Security Officer – regarding governance options including roles and responsibilities; Designate the appropriate official responsible for leading the service management function.	December 2020	Deputy Head
		1-A2. Develop an annual forward-looking three-year departmental plan for the integrated management of service, information, data, IT and cyber security, which aligns with the CIO of Canada’s enterprise-wide integrated plan.	June 2021	CIO, in collaboration with other designated officials.
		1-B. Determine the appropriate senior level committees to provide integrated departmental oversight to the management of service, information, data, IT, and cyber security. Update the appropriate Terms of References, as needed, to reflect changes to committee mandates.	January 2021	Deputy Head
2. In coordination with recommendation 1, the CIO should develop a supporting departmental Information Management Plan to ensure appropriate and coordinated focus on the scope of change to be undertaken in relation to IM policy, governance, strategy, people, processes, and systems.	Management agrees with the recommendation. Management recognizes the importance of a sound Information Management Plan that positions GAC to implement the Policy on Service and Digital. The CIO and Information Management unit will develop a three-year IM Plan, which will be integrated into the Department’s Digital plan.	1. Develop a 3 year IM Plan aligned with Government of Canada policy requirements and departmental priorities, in consultation with the IM-IT Strategy Committee.	January 2021	ADM Corporate Planning, Finance and Information Technology (Chief Information Officer) DG, IM-IT Bureau (SID)
		2. Table the new IM Plan to Corporate Management Committee for Approval.	March 2021
		3. Post the new IM Plan on the departmental intranet, supported by communication and outreach.	April 2021
		4. Monitor and report progress to IM-IT Strategy Committee.	June 2021
3. The CIO should fully articulate a plan for addressing the enterprise and information architecture strategic actions identified in the departmental IT Plan and ensure that planned architectures align with associated requirements of the Policy on Service and Digital.	Management agrees with the recommendation. The IM-IT Bureau will assign leads for Business, Information, Application, Technology and Security (BIATS) Architecture. These leads and the Enterprise Architecture lead will prepare the required plans.	Review IM-IT architecture strategic actions as part of GAC’s digital initiative planning and delivery.	January 2021	ADM Corporate Planning, Finance and Information Technology (Chief Information Officer) DG, IM-IT Bureau (SID)
		Assess and endorse planned architectures, via the Departmental Architecture Review Board (DARB), to ensure alignment with associated requirements of the Policy on Service and Digital.	March 2021
4. The CIO should, in consultation with impacted departmental stakeholders: Review the discrete IM, data management and IT support networks to ensure clarity in roles and responsibilities, satisfaction of client service needs, and operational efficiency. Update current IM support processes and IM planning/assessment tools to ensure that these processes and tools reflect and respond to the new and broader focus of the Policy on Service and Digital.	Management agrees with the recommendation. The IM-IT Bureau will review the IM-IT support networks, ensuring clarity in roles and responsibilities and implementing metrics to ensure effectiveness and efficiency.	1. Review the work description for an IM/RM officer to better align client support services related to information management, records management and data management.	July 2020	ADM Corporate Planning, Finance and Information Technology (Chief Financial Officer) DG IM-IT Bureau (SID)
		2. Review and update IM and IT support network roles and responsibilities.	January 2021
		3. Review the IM roles and responsibilities within bureaus and missions.	March 2021
		4. Review and update current IM support processes and IM planning/assessment tools.	March 2021
		5. Table the revised support model and organization change management plan to the IM-IT Strategic Committee for approval and implementation.	March 2021
5. The CIO should refine the current information management performance measurement reporting approach and tools to address the broader and strategic information management considerations of the Policy on Service and Digital.	Management agrees with the recommendation. As part of the new IM Plan, a revised information management performance measurement and reporting approach and tools will be established.	1. Define the updated IM performance measurement and reporting approach as part of the new IM Plan.	March 2021	ADM Corporate Planning, Finance and Information Technology (Chief Financial Officer) DG IM-IT Bureau
		2. Implement required tools and processes.	April 2021

Appendix B: About the audit

Objective

The objective of this audit was to assess Global Affairs Canada’s state of readiness to implement the Policy on Service and Digital with respect to information management.

Scope and Methodology

The scope of the audit included the Department’s IM activities conducted during fiscal year 2018-2019 and 2019-2020 up to and including November 2019.

The scope did not include examination of IT activities (e.g. global implementation of GCDOCS) or IM activities undertaken by other government department employees located in Canadian missions.

The audit methodology included, but was not limited to, the following:

Identification and review of relevant regulations, policies, directives and guidelines on information management governance and requirements;
Review of relevant documentation (e.g. review of meeting materials and decisions) related to information management governance and coordination bodies;
Review of available documentation related to the Policy on Service and Digital to assess the implications on the departmental IM governance, planning and monitoring processes;
Interviews with key departmental stakeholders and staff;
Detailed analysis of the centralized (Information Services Division) and decentralized (IM Advisor) departmental IM organization, resources and current resource management processes;
Detailed analysis of available IM performance monitoring frameworks, processes, tools and reporting; and
Application other relevant methods as deemed necessary by the audit team.

Criteria

The criteria were developed following the completion of a detailed risk assessment and considered the Audit Criteria related to the Management Accountability Framework developed by the Office of Comptroller General of the Treasury Board Secretariat. The audit criteria were discussed and agreed upon with the auditees. The detailed criteria are presented as follows.

Audit Criteria are reasonable and attainable expectations against which compliance, the adequacy of controls and overall performance are assessed. These audit criteria are based on acts and regulations, policy, guidelines, generally recognized industry norms, results of previous audits or other criteria developed in consultation with Program management. The following criteria were assessed during this audit and form the basis for developing audit observations and recommendations.

Criteria 1

The Department has adequately determined the information management implications related to the adoption of the Policy on Service and Digital.

1.1 The Department has developed appropriate plans and mitigation approaches to address the governance implications, including roles and responsibilities, related to the Policy on Service and Digital.

1.2 The Department has developed appropriate plans and mitigation approaches to address the departmental planning implications related to the Policy on Service and Digital.

Criteria 2

The Department has developed comprehensive plans for establishing its enterprise information architecture.

Criteria 3

The Department has established effective management processes to ensure that organizational IM capacity and capability needs are appropriately defined and managed to support implementation of the Policy on Service and Digital.

Criteria 4

The Department has established effective performance measurement processes and practices to ensure consistency and quality in IM across the Department.

Report a problem or mistake on this page

Date Modified:: 2021-04-01

Language selection

Search and menus

Search