AUDIT OF INFORMATION MANAGEMENT PROJECT AU1202

EXECUTIVE SUMMARY

INTRODUCTION

In accordance with the Government of Canada Policy on Information Management and related policy instruments, Natural Resources Canada (NRCan) is required to manage information throughout its life cycle in a way that supports sound and timely decision making while maintaining compliance with legislative requirements. In 2010 NRCan implemented the “NRCan Policy on Information Management” to further complement and extend the Treasury Board Secretariat IM Policy and Directives by fostering a culture of information sharing. The primary objective of the departmental policy is to make information resources accessible, shareable and useful in order to advance science, policy, program delivery and management priorities, while respecting information privacy and security requirements.

Following previous challenges encountered with retrieval of information and various compliance issues, senior management expressed concerns with departmental practices and electronic software tools used to manage information at all stages of its life cycle, including information classification, retention, retrieval and disposal.

The audit was conducted from August 2011 to May 2012.

AUDIT OBJECTIVE

The objective of the audit is to provide reasonable assurance that the governance, capacity, information architecture, electronic tools and service delivery over information management (IM) are in place to provide readily accessible information which meets program and policy requirements and supports decision making across the Department.

SCOPE

The scope of this audit included the governance, policy, IM practices and electronic software tools at headquarters and in the regions. The audit focused on all stages of the “information life cycle” to assess the continuous management of information at NRCan. The department has conducted two previous audits on this topic, the Audit of Information Management (2006) and a Follow-up Audit of Information Management (2009).

STRENGTHS

Since the 2009 audit, IM functional specialists have provided training and awareness sessions and promoted an IM Awareness wiki site which contains on-line training resources. After the approval of the departmental IM Policy in April 2010 the unit initiated a calendar of events which included presentations, training and showcases. The wiki also includes such topics as Web 2.0, Knowledge Search, NRCan Sharepoint Orientation, Welcome to wiki, NRCan IM Policy, Information Classification Structure, and “To Keep or Not to Keep”.

Within the Department, administrative files are handled within appropriate maintenance schedules using a departmental computer system. The headquarters records offices have coordinated processes for storage and disposition of records based on approved processes known as Multi-Institutional Disposition Authorities. The audit also noted several initiatives undertaken by the Sectors which included the conduct of internal workshops to help staff manage their workloads for such things as “unstructured data” (i.e. email); and a project within the Canadian Forest Service sector to digitize paper-based information holdings.

There is currently an initiative underway at NRCan which involves Library and Archives Canada referred to as the Recordkeeping and Disposition Authority Project. A Memorandum of Understanding with Library and Archives Canada exists to describe the deliverables for the project. This initiative will lead to the issuance from LAC to NRCan of authorization to dispose of departmental information resources. This ultimately gives the Department greater oversight of its own information resources.

AREAS FOR IMPROVEMENT

Audit results indicate that opportunities exist in the governance of IM to enhance the policy framework within the Department by updating the policy and related guidance in order to address emerging trends in “e-discovery”, “cloud computing” and the growing usage of social media. A significant opportunity exists to strengthen staff awareness of IM requirements by introducing a formal training requirement for all staff in order to reinforce staff understanding of their responsibilities for the oversight of the information handled daily.

Using the previous two audits in this area as a baseline, the current audit also considered upcoming IM requirements driven by the more recent Directive on Recordkeeping. In order to position NRCan in a ready state to meet the requirements of the Directive by 2014, the IM Program needs to proactively engage the sectors to establish performance metrics and a monitoring regime for IM, a regime which will need to incorporate some elements of compliance assessment.

The planned implementation of a new document and records management system at NRCan during 2012 – 2013 will present opportunities to implement technology which facilitates improved information handling compliance and has stronger integration with daily business processes. Early indications are that some focus by management will be needed to deal with cultural acceptance and “buy in” from areas which have had no formal IM training and limited exposure to the requirements of information handling and IM performance measurement. Therefore, the audit recommends, in concert with the deployment of a new application for document and records management at NRCan, that a training strategy be developed which includes the identification of IM training needs for staff and that management explore the option of making IM training mandatory.

Moving forward, the audit also identified some sectors which may be able to take a lead as “early adopters” of the new records management system by sharing internal sector dashboards on performance measures already in use and by communicating local sector IM initiatives underway to the rest of NRCan.

AUDIT CONCLUSION AND OPINION

The Department has made significant progress since the 2009 audit in the establishment of an Information Classification System for use by Sectors and in providing on-line access to tools for staff. With respect to service delivery for IM by functional specialists, the audit found that service delivery is established, provides assistance to sectors and has established processes for the handling of administrative records.

These positive accomplishments must be placed in the context that a number of issues require management attention, in synchronization with the deployment of a new records management system, in order to optimize usage of the system. Therefore, the audit cannot provide reasonable assurance that the governance, capacity, information architecture, and electronic tools are operating in a sufficiently integrated and comprehensive manner to support all decision making across the Department. Audit Branch considers that the Management Action Plan presented for this audit adequately addresses the issues identified.

STATEMENT OF ASSURANCE

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined.

Christian Asselin, CA, CMA, CFE
Chief Audit Executive

INTRODUCTION

In accordance with the Government of Canada Policy on IM and related policy instruments, NRCan is required to manage information throughout its life cycle in a way that supports sound and timely decision making while maintaining compliance with legislative requirements. In 2010 NRCan implemented the “NRCan Policy on IM” to further complement and extend the Treasury Board Secretariat IM Policy and Directives by fostering a culture of information sharing. The primary objective of the departmental policy is to make information resources accessible, shareable and useful in order to advance science, policy, program delivery and management priorities, while respecting information privacy and security requirements.

Following previous challenges encountered with retrieval of information and various compliance issues, senior management expressed concerns with departmental practices and electronic software tools used to manage information at all stages of its life cycle, including information classification, retention, retrieval and disposal.

The audit was conducted from August 2011 to May 2012.

AUDIT OBJECTIVE

The objective of the audit is to provide reasonable assurance that the governance, capacity, information architecture, electronic tools and service delivery over IM are in place to provide readily accessible information which meets program and policy requirements and supports decision making across the Department.

DEPARTMENTAL RISKS

The management of information at NRCan impacts all lines of business and is a key component of departmental service delivery. In addition to legacy information currently held in all departments, new information is being created at an unprecedented rate. Without the ability to effectively manage this information, NRCan may be at risk of losing its ability to identify and retrieve information needed for decision making in an organized and timely fashion. This could also result in an inability to meet information requests from Canadians and to fully support statutory and other mandated requirements for the handling and safeguarding of information required in the conduct of departmental operations.

SCOPE AND METHODOLOGY

The audit methodology was based on Treasury Board guidelines on internal auditing and standards defined by the Institute of Internal Auditors.

These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives were achieved. The audit included various activities, as considered necessary, to provide such assurance. These included regional office and headquarters interviews, a tour and review of processes at the Headquarters Records Office and Executive Records Office, documentation review, examination of departmental operations and processes for the management of information with various Sectors.

The scope of the audit included the governance, policy, IM practices and tools at headquarters and in the regions. The audit focused on the information “life cycle” to assess the continuous and effective management of information. The audit did not include library operations, but did include that component of library activities which deals with functional guidance to NRCan personnel on the disposition and retention of bibliographic materials. The audit also included a review of the Memorandum of Understanding with Library and Archives Canada along with associated progress reports for an initiative underway related to recordkeeping and the retention of corporate information repositories.

The audit did not assess the operations of the Access to Information and Privacy Secretariat. However, the audit scope includes Access to Information from the perspective of departmental capabilities to respond to requests for information pursuant to the act.

The scope of the audit considered the 2011 Audit of IM in Large departments and Agencies under the auspices of the Office of the Comptroller General. The Office of the Comptroller General audit did not consider paper based information holdings nor scientific repositories of materials, which in NRCan are extensive. In order to provide a departmental context for IM the NRCan audit included both electronic and paper based information resources provided in the Treasury Board Secretariat Policy on Information Management and the Treasury Board Secretariat Directive on IM Roles and Responsibilities.

By definition information resources include: “Any documentary material produced in published and unpublished form regardless of communications source, information format, production mode or recording medium. Information resources include textual records (memos, reports, invoices, contracts, etc.), electronic records (e-mails, databases, internet, intranet, data etc), new communication media (instant messages, wikis, blogs, podcasts, etc.), publications (reports, books, magazines), films, sound recordings, photographs, documentary art, graphics, maps, and artefacts.”

Scope Exclusions:

  • web content management solutions
  • management of classified documents
  • structured data (i.e. PeopleSoft, SAP financial information, etc.)

The audit included the following Sectors: Corporate Management and Services, Innovation and Energy Technology, Public Affairs and Portfolio Management, Earth Sciences, Minerals and Metals, Canadian Forest Service, Energy, the Major Projects Management Office, Science and Policy Integration, the Atomic Energy of Canada Limited Restructuring; and various regions (Atlantic, Great Lakes, Central, and Pacific).

CRITERIA

Please refer to Appendix A for the detailed audit criteria. The lines of enquiry and criteria were developed from relevant policies, procedures and directives and from related audits including those conducted in 2006 and 2009. The lines of enquiry guided the audit fieldwork and formed the basis for the overall audit conclusion.

FINDINGS AND RECOMMENDATIONS

COMPLIANCE WITH POLICIES AND DIRECTIVES

Summary Finding

In 2009 NRCan conducted the Follow-up Audit of IM. The audit recommended the implementation of monitoring to ensure NRCan complies with IM policy. Since then, NRCan has launched an IM awareness campaign; however, no performance monitoring of IM practices has yet been initiated. In the absence of performance monitoring, it is not possible to ensure that the department is complying with IM policy and to confirm that the departmental roles and responsibilities in this regard are being met. The current audit also identified that the departmental IM policy needs to be updated. The Departmental IM Policy applies to information processing on a government network. However, “cloud computing”, an area of interest to sectors, and specifically the processing or storage of NRCan information on a non-government infrastructure, is not addressed in the policy; therefore, a gap exists.

Supporting Findings

Performance Monitoring

In 2009 it was noted that apart from Management Accountability Framework[1] assessments, full implementation of the audit recommendation had not yet been achieved because a monitoring framework and IM awareness campaign had not yet been established. Since 2009, the department has launched an IM awareness campaign; however, at the time of the current audit no performance monitoring of IM practices had been initiated.

In order to position NRCan in a ready state to meet the requirements of the Directive on Recordkeeping by 2014, the IM Program needs to proactively engage the sectors to establish performance metrics and a monitoring regime for IM, a regime which will need to incorporate some elements of compliance assessment.

There are several indications that some sectors may be able to take a lead as “early adopters” of IM performance metrics by sharing some internal senior management dashboards on performance that are already in use. Samples were obtained and shared with key IM stakeholders during the close out briefings for the audit.

Cloud Computing

During the audit, several sectors identified an interest in using Cloud Computing to meet their IM processing requirements. The NRCan Policy on IM applies to personnel and information stores being held, processed, or transferred on a "government network". Currently, the specific usage of Cloud Computing (on a non-government infrastructure) is not addressed in the departmental Policy on IM.

The National Institute of Standards and Technology defines Cloud Computing as: “a model for enabling convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In lay terms, Cloud Computing refers essentially to services that are available online, through the Internet.

The introduction of Cloud Computing as a potential IM solution for NRCan data storage and/or processing creates a risk that departmental policy cannot be applied to personnel using this mechanism. The corporate IM policy applies to personnel and information stores being held, processed, or transferred on a "government network". Any usage of external cloud service providers (i.e. non-Government of Canada) circumvents the applicability of the departmental policy because the data is, by definition, not stored on the NRCan network or on any Government of Canada computer network.

When talking about the “cloud” it is important to note that a physical infrastructure exists to support these online services. Data stored “online” is on physical servers of the cloud service provider, and these servers are located in various geographical locations. These comments refer to any acquired services from outside the Government of Canada.

The Directive on Recordkeeping[2] requires that information resources of business value are protected by identifying and documenting the risk profile of information resources, taking into consideration legal and regulatory risks, access to information, security of information and the protection of personal information and responding to and mitigating documented risks to the protection of information resources.

With cloud computing, there are several well known risks; namely:

1) Contractual Risk: The Terms of Service with Cloud providers are typically standard agreements, and non-negotiable. These Terms of Service may be changed or even outsourced to other 3rd parties without users being notified. Under these circumstances, NRCan information could be in the control of any outside organization without the knowledge of the original NRCan stakeholders.

2) Ownership of Data: Most Terms of Service for cloud providers are unclear in what they will do with the data and their rights generally include the right for the provider to reproduce data, distribute it to third parties and publish it.

3) Location: Generally there is a distinction between storage of data (i.e. content) and storage of users' personal information, which may also be collected and stored by cloud providers. Some cloud providers indicate in their privacy policies where users' personal information will be located, but do not specify where data is actually located. In the above instance, if an NRCan sector planned on storing personal or client information with American cloud providers, the United States Patriot Act would apply, thus allowing full review and storage by non-Canadian government authorities.

4) Security and Data Recovery: Data stored on behalf of NRCan with cloud providers may not be adequately safeguarded. In a review of six service providers’ standard agreements conducted by the Department of Justice and provided to NRCan, most cloud providers disclaimed any liability and gave no warranties with respect to their services.

There are some stated benefits of Cloud Computing in costs, performance, and delivery of Information Technology services; therefore with continuing budgetary pressures, it is expected that interest by sectors will continue. Where Cloud Computing is being considered, a robust oversight role by the Chief Information Officer should be in place which would entail such things as:

  • Ensuring that services are authorized through a Certification and Accreditation process;
  • Ensuring that entry into an agreement for cloud usage has met NRCan IT requirements for approval and has included consultation with Legal Services;
  • Consideration that the Terms of Service agreement clauses allow cost-effective sharing of services across NRCan;
  • Ensuring that incident reporting, forensics, disaster recovery and business continuity planning are addressed in the service agreements with the providers;
  • Ensuring that where information on individuals is to be maintained (i.e. Grants and Contribution Programs) procedures for access to protected information will be required; and
  • That the life cycle (i.e. classification, retention, retrieval and disposal) for information stored in the cloud will adhere to departmental and Government of Canada IM requirements.

One additional consideration could include identifying a preferred cloud service provider after having conducted an evaluation of the vendor and of their Terms of Service for confirmation that they meet departmental requirements.

RISK AND IMPACT

Without an established program of performance monitoring in operation there is a moderate risk that assessments of departmental compliance with IM policy may be inaccurate or incomplete. Without specific guidance to sectors on the use of cloud computing, there is a moderate risk that key aspects of policies related to storage of corporate data on government networks may be circumvented. This would impede the ability of NRCan to meet various policy requirements and could introduce potential vulnerabilities to these same corporate information repositories.

RECOMMENDATIONS

1. The Chief Information Officer consult with sectors to define and establish appropriate metrics for inclusion in the IM Performance Monitoring regime and establish timelines for the start up of monitoring.

2. The Chief Information Officer review the NRCan IM policy and incorporate requirements to address Cloud Computing.

MANAGEMENT ACTION PLAN

Management accepts the recommendations of the audit and also recognizes that some fundamental changes are required in how NRCan delivers and measures performance of its Information Management Technology (IMT) services, with particular respect to how they are governed. Significant transformational changes need to take place in the corporate IM landscape that are defined against business needs and are aligned to strategic outcomes that take us from a paper based organization to a digital organization. This transition will be done over a few years and will require careful planning that will be captured in the IMT Strategic Plan. The confluence of new technologies combined with the need to define and develop necessary technical, operational and service-level expertise and partnerships will require a multi-faceted IMT Strategic Plan that reflects a collaborative approach that is adapted to an evolving set of corporate and user needs.

The Business Transformation Committee is currently leading the review of the departmental IMT Strategic Plan and IMT Governance and will be making recommendations for change back to the Department’s Executive Committee by the Fall of 2012. In formulating its recommendations for change, the findings and recommendations of this audit will be fully addressed. In support of the Management Action Plan, a detailed work plan will be developed and monitored by the ADM CMSS. The work plan will include key GCDOCS milestones as monitored by the Business Transformation Committee.

TIME FRAME

Completion by March 2013

Recommendation One

The Chief Information Officer Branch will consult with all Sectors to ensure the IMT performance measuring framework and metrics are appropriate for use in the department. Implementing the performance measuring framework will be phased-in, such that some metrics are enabled earlier while others will be aligned with the final rollout of the GCDOCS solution. Chief Information Officer Branch management will set and communicate performance indicators for regular reporting and monitoring with the sectors.

TIME FRAME

METRICS: Start in April 2013
End in April 2014 with GCDOCS rollout completion to all employees

Recommendation Two

NRCan IM Policy includes requirements for both managers and employees to create, classify and store information on departmental supported systems. The Chief Information Officer Branch will develop the appropriate policy instrument that extends these policy statements (Directives and/or Guidelines) to govern employee use of external cloud based systems and other types of external repositories. An engagement process will then be initiated to ensure broad awareness across the department of the new policy instruments.

It should be noted that NRCan is an early user within the Government of Canada of cloud computing; our expertise and initiative will serve to address and capture the issues at play for NRCan and the Government of Canada and we will work in close consultation with Justice Canada and Treasury Board Secretariat.

TIME FRAME

CLOUD COMPUTING: Start in October 2012
Completion by December 2012

ELECTRONIC TOOLS TO SUPPORT INFORMATION MANAGEMENT

Summary Finding

Electronic tools are available uniformly across sectors; however, usage is inconsistent and does not focus on IM policy requirements.

Supporting Findings

The audit assessed whether IM tools and applications are employed throughout NRCan which respect proper controls and are used in a manner consistent with the departmental information architecture. This includes such things as having increased policy compliance through deployment of compliant tools and applications.[3] The audit assessed usage of electronic tools to support staff distributed across Canada.

Use of IM Tools

The results of the audit interviews indicate that NRCan staff in different sectors and regions have their own information repositories and software tools. During the audit, issues with electronic tools were identified and include the following:

  • NRCan library staff indicated that there are electronic inventories of scientific collections; but there is no overarching inventory that can search these collections;
  • Each collection may employ different software which is not necessarily consistent nor compatible across the department;
  • Some of the electronic tools are nearing the end of their useful life cycle as they have been in place for over 15 years;
  • Minerals and Metals Sector maintains 10 years of records on paper and there are no limits on the volume of paper that may be retained; and
  • At a basic level, some sectors have encountered problems in retrieving and reviewing documents originally created in Word Perfect.

Disposal and Retention and Public Access

With respect to retention and disposal of materials, current guidelines and processes are being drafted in collaboration with Library and Archives Canada for the identification, retention and disposition of records of business and enduring value.

At the time of the audit, the audit team could not provide any assurance that materials are being handled for appropriate adherence to retention and disposition cycles of departmental records.

MANAGEMENT INITIATIVE

Digitization of Paper to Electronic Format: The Canadian Forest Service Sector has an initiative with a budget of $400,000 to complete the digitization of assets of national value, and a number of other smaller digitization activities related to specific project work. These activities include scanning pictures, slides, maps and research records, most of which are stored in the regions or in their own information repositories. This initiative includes collections that date as far back as 1912.

RISK AND IMPACT

There is a moderate operational risk that the inconsistent usage of electronic tools may impede the efficient achievement of the objectives of the IMT Strategic Plan. Electronic tools should facilitate the governance framework by helping employees meet the more prescriptive elements required for the management of IM. If a record cannot be found, it cannot be used or preserved; if an information resource is hard to find, it costs more to retrieve; if an information resource is kept beyond its useful life, storing it is an unnecessary expense. If information is not readily accessible, this can contribute to an increase in requests from the public for access through Access to Information processing. In summary, a governance framework is not very useful without the tools to implement the desired model.

RECOMMENDATION

The Chief Information Officer, as part of the requirements definition for the new IM system, verify that features exist to facilitate compliance with IM policies and incorporate, where possible, embedded retention and disposition requirements.

MANAGEMENT ACTION PLAN

Library and Archives Canada aims to provide NRCan with its disposition authorities this year, following our two year joint project. The Chief Information Officer Branch, working with the GCDOCS Implementation Project Team, will ensure that NRCan’s implementation of the system will embed retention and disposition requirements to ensure compliance with the Directive on Recordkeeping (2015) and other existing Government of Canada and NRCan policies. The resulting requirements will be reviewed with Business Transformation Committee to ensure alignment with NRCan business requirements and Government of Canada and NRCan policies.

The GCDOCS project will have a targeted communication plan and engagement strategy. The Chief Information Officer Branch will ensure that these initiatives are aligned to the IM requirements of the NRCan IM policy.

TIME FRAME

TOOLS: Completion by April 2014 with the rollout of GCDOCS to employees

E-DISCOVERY

Summary Finding

New legal standards are emerging for the search for, retrieval and disclosure of electronically stored information in the litigation process. NRCan is not well equipped to respond to an e-discovery request as it cannot automate the search for relevant electronically stored information nor can it efficiently validate the completeness and accuracy of the materials produced. Materials generated for social media are particularly problematic because of the vast array of different databases that must be identified and searched.

Supporting Findings

NRCan is not well positioned to respond to a legal e-discovery in a cost effective manner because the department does not have an efficient e-discovery mechanism. Currently, there is no way to validate whether the process has captured the entire set of documents required by the legal process. Without an efficient retrieval mechanism, employee time and costs associated with the retrieval of information can become excessive. It is possible that, even after a rigorous manual search, a court order could demand additional information, the cost of the additional retrieval not having been budgeted for. This issue is significant because of the cost implications associated with each request and the information retrieval process.

The key references that are linked to e-discovery are derived from the Policy on IM which mandates that “All information is managed to ensure the relevance, authenticity, quality & cost-effectiveness of the information for as long as it is required to meet operational needs and accountabilities.” In addition, the Directive on Recordkeeping mandates the “Documentation of record keeping practices within the department that, among other things, address…legal requirements.”

Risk Drivers and Issues

The risks identified and current constraints on e-discovery at NRCan include the following issues:

  • There is a great dispersion of databases at NRCan, and attempting to conduct searches on all databases to respond to a request is a very time- and resource-intensive process.
  • The volume of e-discovery activities is difficult to predict, and can impact budgets significantly. Based on Department of Justice research, the cost of discovery ranges from $30 to $50 per page for final disclosure. A typical large e-discovery can generate the need to retrieve 100,000 pages of documents which could cost between $3 million and $5 million per request. Based on current volumes, NRCan has approximately two large e-discovery requests per year.
  • If a court finds that NRCan’s conduct of an e-discovery was insufficient, then the court will order NRCan to repeat the e-discovery more rigorously. This would increase NRCan’s litigation costs.
  • If courts find that some departments’ conduct of an e-discovery is insufficient, then courts may feel obliged to increase the legal standards for conducting e-discoveries. This would entail an increase in litigation costs for the entire government because the law would require more resource-intensive e-discoveries.
  • From an Access to Information perspective, there is a legal risk of not disclosing the proper information in accordance with the terms of the Access to Information request. Furthermore, the department may be unable to meet disclosure deadlines.
  • There is a legal risk of modification of documents. There is a concern with the constant updating (or “ever greening”) of documents through tools such as the wiki. This impacts litigation when a document is altered from the point in time of notification of litigation. At the time a legal hold is placed on a file, the related documents must not be altered. Without a process to “lock” files, there may be no guarantee that the hold conditions are not violated.
  • Untimely or unreliable document disclosure creates the risk that litigation strategies will need to be subsequently reconsidered, hampering NRCan’s legal position and causing increased legal costs.

Social Media

During the e-discovery process, it is becoming more common practice to ask for instant messages and social media posts. E-mail and electronic documents are no longer the primary source of information to address an e-discovery request. An emerging trend in e-discovery is that instant messages and social media are part of the new e-discovery diligence. The graphic below illustrates the complexity of information search and retrieval within NRCan at the time of the audit where an e-discovery request involves multiple layers of the information stores depicted below:

Figure 1

For the department, without a formal approach to addressing social media, it will be difficult to know where and when relevant information flows that could serve an e-discovery request.

RISK AND IMPACT

There are moderate operational risks associated with the effective and efficient use of resources for search and retrieval of materials included in the scope of an e-discovery request. Equally important, however, are the risks associated with failure to comply with the applicable laws, regulations, and policies inherent to any litigation process.

RECOMMENDATION

The Chief Information Officer in consultation with Legal Services incorporate changes to NRCan Policy on IM to address social media usage in order to enhance departmental capacity to efficiently respond to these requests.

MANAGEMENT ACTION PLAN

The Chief Information Officer Branch working in concert with Legal Services will develop/enhance the appropriate policy instruments with respect to preservation and discoverability of all official records and communications created and captured on social media.

The existing Treasury Board Secretariat Guideline for External Use of Web 2.0 (2011), and the NRCan Guidelines for the responsible use of Social Media, will be the starting point for policy review and renewal. Involvement of other Government of Canada stakeholders in the consultation (e.g. Privacy Commissioner, Justice Canada, and Treasury Board Secretariat) will help ensure that the new policy instruments align with Government of Canada direction. Once completed the new/enhanced policy instruments will be communicated to NRCan staff through an active engagement process.

TIME FRAME

E-Discovery: Start in October 2012
Completion by December 2012

TRAINING AND AWARENESS

Summary Finding

NRCan personnel do not have a common understanding of IM policy requirements. There are few common processes used by staff for the management of information (classification, retention, retrieval and disposition of information).

Supporting Findings

One key line of enquiry for the audit included an assessment of the training of staff to ensure usage of a common body of knowledge and utilizing the right tools for the handling of information, both paper-based and electronic.

All Government of Canada employees are responsible for managing their own information. These responsibilities include (among other things) documenting decisions, storing, protecting and preserving information, and, at the end of the useful life cycle of that information, following approved processes for the disposal of information.

At the time of our audit, training in IM was not mandatory for personnel at NRCan. Staff interviewed during the audit from the following sectors (Earth Sciences Sector, Strategic Partnership Initiative, Innovation and Energy Technology Sector and Energy Sector) indicated that they had received no training on the IM requirements of their positions and were unaware of any centrally driven training having been conducted in their respective sectors.

The audit results indicate that apart from IM specialists, staff are not able to differentiate records of business[4] value versus those of transitory[5] value. In the absence of understanding what to keep and what can be discarded, the audit identified sectors where practices range from saving everything to those maintaining only the most recent version of a document with deletion of all previous versions. In the latter case, this could have a negative impact on the ability of NRCan to comply fully with Access to Information requirements or where documents are required for litigation. In the former instance, saving all records adds to the cost of storage and makes searches of materials more difficult and costly where an Access to Information request is being actioned.

The results of the audit indicate that staff do not have a common understanding of IM policy requirements. The audit team was advised that the headquarters group responsible for IM have provided some 300 training and awareness sessions over the past two years and established an IM Awareness wiki site with on-line training resources. Despite this proactive approach, these on-line resources are used on an “as time permits” basis by staff and as such have only reached between 10% and 15% of the departmental workforce.

As identified previously, employees have a responsibility to execute various aspects of IM in support of achieving departmental outcomes. The audit did identify two sectors which have integrated the usage of an Information Classification System into operations. In addition, within the Department, administrative files are handled within appropriate maintenance schedules using a departmental computer system. The headquarters records offices have coordinated processes for storage, and disposition of records based on approved processes known as Multi-Institutional Disposition Authorities. However, an opportunity exists to focus on specific topics for inclusion in training prior to the implementation of a new departmental records management application.

MANAGEMENT INITIATIVE

One area of strength identified during the audit is in the Minerals and Metals Sector, which has conducted internal workshops for its staff that address the management of unstructured data for internal approval processes for projects by managers, policy advice, studies, and bulletins.

RISK AND IMPACT

There is a moderate risk related to strategic objectives, the efficient use of operational resources and compliance with policies. Without a common understanding of IM principles and practices as promoted through departmental training, there could be an adverse impact on the ability of NRCan to meet its policy requirements for IM, to comply with central Government of Canada mandates such as Access to Information and Privacy, and to meet the requirements of the Directive on Recordkeeping.

RECOMMENDATION

The Assistant Deputy Minister - Corporate Management and Services Sector in collaboration with the Chief Information Officer develop training initiatives that identify IM training needs, address staff IM accountabilities and policy requirements and explore the option of making training mandatory in advance of monitoring against the Directive on Recordkeeping.

MANAGEMENT ACTION PLAN

The Chief Information Officer will review and revise existing IM training materials and tools and will work closely with the GCDOCS Implementation Project Team to ensure that a targeted training strategy is delivered, and that appropriate tools and resources are made available to employees across NRCan. The Chief Information Officer with the Assistant Deputy Minister Corporate Management Services Sector will determine how best to align the training on the new policy requirements with the option of making IM training a mandatory requirement. Sectors will be fully engaged in this training as they bring in new employees to NRCan. If mandatory IM training is recommended, the Chief Information Officer will ensure targeted performance metrics are defined against the Management Accountability Framework.

TIME FRAME

TRAINING: Start in December 2012
Completion by December 2013, before the rollout of GCDOCS to employees

APPENDIX A – AUDIT CRITERIA

The audit criteria are presented below, by audit Line of Enquiry.

Line of Enquiry Criteria
1. Policy & Governance
NRCan has governance structures in place to effectively support an IM strategy and IM outcomes.
1.1 Monitoring and reporting processes are in place for IM.
1.2 NRCan participates in and complies with government-wide direction for information and recordkeeping.
2. People & Capacity
NRCan is developing highly-skilled workforces to ensure that capacity exists to deliver IM outcomes.
2.1 The department has a common body of knowledge, learning and assessment tools.
2.2 The departmental personnel have a common understanding of common policy instruments and assessment tools.
3. Enterprise Information Architecture
NRCan is developing information architecture and processes that respect their IM risks and controls, and operational requirements.
3.1 Information and records are identified and managed as valuable assets to support the outcomes of programs and services, as well as operational needs and accountabilities.
3.2 Government/NRCan programs and services provide convenient access to relevant, reliable, comprehensive and timely information.
3.3 Units/sectors within NRCan which play a central role in IM are assisting NRCan to ensure information is shared within and across the department to the greatest extent possible.
4. IM Tools & Applications
IM tools are developed and implemented that respect appropriate control requirements of the department and of the business users, and are compliant with the information architecture within and across NRCan.
4.1 NRCan provides common and enterprise-wide tools and applications used across sectors.
5. IM Service Delivery
Recordkeeping practices ensure that information is timely, accurate, and accessible in the delivery of programs and services.
5.1 All information is managed to ensure the relevance, authenticity, quality, and cost-effectiveness of the information for as long as it is required to meet operational needs and accountabilities.
5.2 Records disposition authorities pursuant to section 12 of the Library and Archives of Canada Act enable NRCan departments to carry out its records retention and disposition plans.
5.3 Departmental programs and services integrate IM requirements into development, implementation, evaluation, and reporting activities.
6. Directive on Recordkeeping
NRCan’s Recordkeeping practices adhere to Treasury Board Secretariat Policies, Directives, Standards, Guidelines and Procedures, and enable the Department to create, acquire, capture, manage and protect the integrity of information resources of business value.
6.1.1 Information resources of business value are identified, based on an analysis of departmental functions and activities, carried out by a department to enable or support its legislated mandate.
6.1.2 Information resources of business value are protected by identifying and documenting the risk profile of information resources, taking into consideration legal and regulatory risks, access to information, security of information and the protection of personal information and responding to and mitigating documented risks to the protection of information resources.
6.1.3 Key methodologies, mechanisms and tools to support the departmental recordkeeping requirements throughout the information life cycle include the following:
  • Identifying, establishing, implementing and maintaining repositories in which information resources of business value are stored or preserved in a physical or electronic storage space;
  • Establishing, using and maintaining taxonomies or classification structures to facilitate storage, search, and retrieval of information resources of business value in all formats;
  • Establishing, implementing and maintaining retention periods for information resources of business value, as appropriate, according to format;
  • Developing and implementing a documented disposition process for all information resources; and
  • Performing regular disposition activities for all information resources.
6.1.4 Documentation of Departmental recordkeeping practices is in place, is aligned with business activities, and addresses accountability, stewardship, performance measurement, reporting and legal requirements.
6.1.5 There is (ongoing) communication with, and engagement of, departmental managers and employees on the risks associated with poor recordkeeping and their responsibilities for recordkeeping within the Department and the Government of Canada.
6.2.1 Monitoring and reporting requirements have been established and implemented to ensure that the Deputy Minister is made aware of any significant difficulties, gaps in performance, or adherence issues, developing proposals to address them.

APPENDIX B – STANDARD AUDIT RISK RATING

Standard Risk Types

The standard risk types are classified based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO[6]) Internal Control-Integrated Framework as follows:

Strategy – High-level goals, aligned with and supporting the Department's mission.

Operations – Effective and efficient use of resources.

Monitoring – Accurate assessments or evaluation of activities.

Reporting – Reliability of operational and financial reporting.

Compliance – Compliance with applicable laws, regulations, policies and procedures.

Standard Audit Risk Ratings

Audit findings are rated as follows:

Major: A key control does not exist, is poorly designed or is not operating as intended and the related risk is potentially significant. The objective to which the control relates is unlikely to be achieved. Corrective action is needed to ensure controls are cost effective and/or objectives are achieved.

Moderate: A key control does not exist, is poorly designed or is not operating as intended and the related risk is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.

Minor: A weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely to be impacted. Corrective action is suggested to ensure controls are cost effective.

APPENDIX C – GOVERNANCE STRUCTURE

The following are the high-level roles and responsibilities as defined by the policies and directives identified in Authorities and References:

  • Deputy Minister - The Deputy Minister is accountable for effective and well co-ordinated IM throughout his or her department.
  • Assistant Deputy Ministers are responsible for ensuring the appropriate management direction, processes and tools are in place to efficiently manage information under the control of the department to support the department's business and to retain the quality of information throughout the information life cycle.
  • The Chief Information Officer is responsible for developing supporting policy instruments that integrate Government of Canada and departmental requirements for IM and give detailed guidance and measurable direction to employees and managers; developing an IM Policy implementation plan that provides employees and managers with achievable, measurable and understandable milestones; designing, developing and providing IM awareness and training to assist managers and employees in meeting their requirements under the IM Policy, and monitoring and reporting on compliance with the Government of Canada and NRCan IM Policies and related policy instruments.
  • Access to Information and Privacy Coordinator - The Access to Information and Privacy Coordinator establishes effective processes and systems to respond to access requests as well as documenting deliberations and decisions made concerning each request.
  • Program Managers - Program Managers have the role of managing resources, tools and processes in order to achieve assigned deliverables and outcomes. Managers, in relation to information classification shall:
    • Foster a culture of information and knowledge sharing and promote contribution to and use of the integrated knowledge base
    • Ensure that new tools such as SharePoint, project management tools and scientific databases incorporate department-wide information classification structures
  • Employees shall:
    • Store data, information and knowledge they create or receive on behalf of the department in shared departmental repositories such as SharePoint, NRCan Wiki and database tools, where permissible
    • Apply common department-wide information classification terms to all information resources
    • Ensure that information resources created on external and partnership sites on behalf of the department are captured in shared departmental repositories to ensure accessibility and searchability

1 The Management Accountability Framework (MAF) is “a key performance management tool that the federal government uses to support the management accountability of deputy heads and to improve management practices across departments and agencies”. (Treasury Board Secretariat: http://www.tbs-sct.gc.ca/maf-crg/index-eng.asp )

2 Section 6.1.2

3 http://www.tbs-sct.gc.ca/im-gi/ims-sgi/tools-outils-eng.asp

4 Business Value: “information resources of business value…enable decision making and the delivery of programs, services and ongoing operations, and support departmental reporting, performance and accountability requirements.” Directive on Recordkeeping, Section 3.3, 2009

5 Transitory Records: “…Required only for a limited time to ensure the completion of a routine action or the preparation of a subsequent record.” Library and Archives Canada, Multi-Institutional Disposition Authorities, www.collectionscanada.gc.ca

6 COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Source: http://www.coso.org/resources.htm