Audit of Information Technology Governance (Project AU1601)

TABLE OF CONTENTS

• EXECUTIVE SUMMARY
  • Introduction
  • Strengths
  • Areas for Improvement
  • Audit Conclusion and Opinion
  • Statement of Conformance

• INTRODUCTION
  • Audit Objective
  • Audit Considerations
  • Scope and Methodology
  • Criteria

• FINDINGS AND RECOMMENDATIONS
  • IT Governance and Strategic IT Planning
  • Identification of IT-Enabled Projects
  • Communication Between Committees
  • CIO Organization Evolution

• APPENDIX A – AUDIT CRITERIA

EXECUTIVE SUMMARY

INTRODUCTION

Information Technology (IT) Governance “is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives”^{Footnote 1}. The primary goal of a sound IT governance framework is to ensure that the investments in Information Management and Technology generate business value, and to mitigate the risks that are associated with IT such as cyber security threats and misalignment of IT and business priorities.

In delivering its mandate to enhance the responsible development and use of Canada’s natural resources and the competitiveness of Canada’s natural resources products, Natural Resources Canada (NRCan) is heavily reliant on various IT systems and processes. In addition, the creation of Shared Services Canada (SSC), in August of 2011, inherently created challenges in the area of IT Governance, as SSC became responsible to manage, maintain, and protect NRCan’s networks, data centers, and email infrastructure.

Considering the importance of IT to NRCan’s mandate, the complexities related to its decentralized IT model, and its dependency on SSC networks, IT Governance has been consistently identified as a core risk for NRCan’s ability to achieve its organizational objectives. Within this context, the Audit of IT Governance was included in the Department’s Risk-Based Audit Plan, and approved by the Deputy Minister on March 12, 2015. This audit provides a baseline for further work described in the Departmental Risk-Based Audit Plan over the next three years.

The objective of the audit was to provide reasonable assurance that NRCan has an adequate IT governance structure in place to support the management of IT across the Department. 

STRENGTHS

The Department has an IT governance structure in place, where IT stakeholders throughout the Department meet on a regular basis through numerous committee structures to discuss IT-related matters. In addition, the Department was noted as a contributor to the Government of Canada’s IT direction through its active implementation of central IT initiatives, and the Department has regular meetings with SSC to monitor performance and suggest areas for improvement.  

AREAS FOR IMPROVEMENT

The following opportunities for improvement were identified during the audit:

• Develop an IT vision and strategic priorities to guide IT planning efforts;
• Develop a performance measurement framework and IT risk management process to support IT planning efforts;
• Aligning IT investments to agreed-upon departmental business priorities and standards;
• Align processes through which IT activities, projects and investments are identified;
• Develop criteria to prioritize projects;
• Ensure a more efficient exchange of information between existing IT committees; and
• Align the structure of the CIO organization with evolving requirements for business enablement.

SSC plays a significant role in managing NRCan’s IT infrastructure. We encourage NRCan management to consider how SSC can support NRCan’s IT Governance structure and efforts to address the identified areas for improvement.

AUDIT CONCLUSION AND OPINION

Although key elements of a governance structure are in place, including IT committees at the Departmental and Sector level, overall, the Audit Branch concludes that NRCan’s IT governance structure is inadequate to fully support the effective management of IT. Management attention is required to ensure the department has an integrated approach to IT management to enable the resolution of issues identified in a timely manner.

STATEMENT OF CONFORMANCE

In my professional judgement as Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive
March 10, 2016

ACKNOWLEDGEMENTS

The audit team would like to thank those individuals who contributed to this project and particularly employees who provided insights and comments as part of this audit.

INTRODUCTION

IT Governance “is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives”^{Footnote 2}. The primary goal of a sound IT governance framework is to ensure that the investments in Information Management and Technology generate business value, and to mitigate the risks that are associated with IT such as cyber security threats and misalignment of IT and business priorities.

IT governance should be viewed as how IT creates value as part of the overall Corporate Governance Strategy of the organization, and not be seen as a discipline on its own. In taking this approach, all stakeholders would be required to participate in the decision making process. This creates a shared acceptance of responsibility for critical systems and ensures that IT-related decisions are made to effectively achieve the needs of the organization. As IT Governance forms an integral part of enterprise-wide governance, it should be viewed as the shared responsibility between the organization’s executive management; business leaders throughout the department; and the IT function.

In delivering its mandate to enhance the responsible development and use of Canada’s natural resources and the competitiveness of Canada’s natural resources products, Natural Resources Canada (NRCan) is heavily reliant on various IT systems and processes. These systems enable the Department to conduct innovative science across natural resource sectors in 18 major satellite Science and Technology Centers, laboratories, and facilities across Canada. With many regional offices and laboratories across the country, NRCan has primarily managed its IT activities using a decentralized approach.

In addition, the creation of Shared Services Canada (SSC), in August of 2011, inherently created challenges in the area of IT Governance as it relates to NRCan. As part of their mandate to consolidate, standardize, and streamline the delivery of email, data centres, and network services in the Government of Canada, the responsibility for NRCan’s IT Infrastructure was transferred to SSC along with that of 42 other departments. As a result of these changes, SSC became responsible to manage and maintain the network infrastructure, which includes, among other things, computer hardware, telecommunications (i.e., voice and data), system backups as well as IT security components such as firewalls, Intrusion Detection Systems and routers.

Considering the importance of IT to NRCan’s mandate, the complexities related to its decentralized IT model, and its dependency on SSC networks, a series of consultations were undertaken in the fall of 2014 related to IT within the Department. These consultations were led by the Audit Branch as part of the annual audit planning exercise and included discussions with senior management across all Sectors as well as the Chief Information Officer (CIO). As a result of this exercise, IT Governance was consistently identified as a core risk for NRCan’s ability to achieve its organizational objectives.

As such, the Audit of IT Governance was included in the Department’s Risk-Based Audit Plan, and approved by the Deputy Minister on March 12, 2015. This audit may also provide a baseline for further work described in the Departmental Risk Based Audit Plan over the next three years.

BACKGROUND

• IT Governance at NRCan is delivered mainly through the following committees:
  
   
• Executive Committee (EXCom): This DM-chaired committee, which includes all Sector ADMs, sets the Department’s strategic directions, priorities and oversees coordination with portfolio agencies. Other senior level executive committees responsible for specific functions, such as Business Transformation, Human Resources Renewal or Emergency Management support EXCom.
   
• Business Transformation Committee (BTC): the mandate of BTC is to transform internal business processes that enhance the utilization of human, financial, IM/IT, asset and real property resources, and improve the resilience and responsiveness of NRCan. The Committee is chaired by the Associate Deputy Minister.
   
• Information Management and Technology Project and Architecture Review Board (IMT-PARB): the mandate of IMT-PARB is to provide oversight and direction to IMT services and practices to ensure effective and efficient delivery in support of the Department’s mandate and in achieving its strategic outcomes as stated in the NRCan Program Activity Architecture. This Director-General (DG) level Committee is co-chaired by the CIO and Director General Minerals and Metals Sectors, and reports to BTC.
   
• IMT-PARB Sub-committees: this includes the Architecture Review Board (ARB), the Information Management Working Group (IMWG), the Web Governance Committee, and the Science Computing Working Group (SCWG).
   
• Sector-Specific IT Committees: some Sectors within NRCan have their own IT-related governance committees, including the Canadian Forest Service (CFS), the Earth Sciences Sector (ESS), and the Minerals and Metals Sector (MMS).
   
• Other committees, such the Planning and Reporting Committee (PRC - which reviews projects including IT-enabled projects), and the Investment Review Board (which reviews investments including IT investments).

An additional ADM level IT Committee was created in September 2015 to support IMT-PARB in its role to develop a more integrated and comprehensive IT Plan. This committee is made up of four ADMs and the co-chairs of IMT-PARB.

The CIO is the functional authority for IT within the department, and is the Director General of CIOSB, reporting to the Assistant Deputy Minister of the Corporate Management and Services Sector (CMSS). In 2013-14, NRCan spent approximately $43.4 Million^{Footnote 3} on IT and employed 215 employees in the CS (Computer Science) category, out of a total workforce of 3,832 employees. Out of the 215 CS employees, 126 employees are within the Chief Information Officer and Security Branch (CIOSB), while 89 work in various NRCan Sectors. 

AUDIT OBJECTIVE

The objective of the audit was to provide reasonable assurance that NRCan has an adequate IT governance structure in place to support the management of IT across the Department.

Specifically, the audit assessed whether:

• An adequate IT governance framework is in place which supports transparent, risk-based decision making related to IT activities;
• The IT strategy is aligned with the departmental business strategy and investment plan;
• The IT strategy is effectively delivered through clear resource allocation decisions, clear expectations, and performance measurement and monitoring; and
• The IT strategy adequately considers and is consistent with whole-of-government IT direction and policy requirements.

The audit criteria are presented in Appendix A.

AUDIT CONSIDERATIONS

A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement. A summary of the potential key areas of risk taken into consideration includes:

• The current IT governance structure may not enable NRCan to identify synergies and manage department-wide IT risks and issues, including cyber security, and liaising with Shared Services Canada.
   
• A decentralized IT governance structure may increase the risk of inconsistencies at the regional level with corporate IT policies, directives, and practices, thus potentially exposing the department to various cyber security risks, in addition to the risk of non-compliance with government policies.
   
• IT planning may not be well-integrated and aligned with the business planning and investment planning processes of the organization as a whole.
   
• IT-enabled projects (both new requirements and maintenance requirements) may not be prioritized effectively to ensure IT resources are allocated in clear alignment with the broader goals of the organization.
   
• There may be a lack of clarity between the roles, responsibilities, and accountabilities for IT governance between Sectors and the Chief Information Officer and Security Branch (CIOSB).
   
• Projects and investment decisions (e.g. TB submissions) may not integrate IT considerations (e.g. impact on current infrastructure, cost to maintain, and alignment with departmental policies, architectures and standards) in a timely manner.
   
• IT risk management may not be fully integrated with the organization’s broader risk management processes.
   
• Formal and meaningful IT performance measures related to outcomes and alignment to NRCan’s strategy and priorities may not have been developed, thereby limiting the ability of management to monitor the effectiveness of IT, and take corrective action as necessary.
   
• IT may not measure the full costs of IT-enabled projects, resulting in imprecise cost-benefits analyses, and limiting the ability of IT management to make effective IT investment decisions.

SCOPE AND METHODOLOGY

The scope of the audit included a review of the IT strategic and operational plans, IT governance structures, IT-enabled project oversight, alignment with business and investment planning, and governance mechanisms. The audit focused on relevant activities from April 1, 2014 to September 30, 2015.

The information management (IM) activities were not assessed during this audit. A separate audit of NRCan’s IM management will be performed in 2015-16.

The audit included liaison and communications between SSC and NRCan related to IT governance processes, but excluded a direct review of SSC operations. 

The audit methodology was based on Treasury Board (TB) Policy on Internal Audit and Government of Canada Internal Audit Standards and included:

• Interviews with key personnel with respect to the Department’s IT activities and related governance models;
• Review of key documents including the IT plans, committee structures, meeting minutes, relevant policies and directives; 
• A detailed examination of information and planning documentation, monitoring, performance, and reporting of IT-related activities; and
• Reporting the results and findings.

CRITERIA

The audit criteria were primarily developed using the Information Systems Audit and Control Association (ISACA)’s Control Objectives for Information and Related Technology (COBIT) framework as well as relevant associated Treasury Board and NRCan policies, procedures, and directives. Please refer to Appendix A for the detailed audit criteria.

FINDINGS AND RECOMMENDATIONS

IT Governance and Strategic IT Planning

Summary Finding

The current IT governance model is decentralized, which has impacted the effectiveness of IT investment decision making; IT security; and maintenance costs. The department lacks an agreed upon departmental IT vision and strategic priorities that align with departmental business priorities; common standards and an enterprise-wide architecture. IMT-PARB, a senior level executive committee co-chaired by the CIO, has focused its efforts on more technical issues and has lacked consistent attendance by Sector representatives at the appropriate level that are empowered to represent their Sectors. NRCan Management should also consider formally involving SSC in IMT-PARB as an observer. This reflects a broader challenge due to a lack of a service-level agreement between NRCan and SSC, an issue which has been identified in a previous internal audit at NRCan.

With regards to the current IT Plan, it is not comprehensive and continues to lack key elements required and expected of a robust IT Plan. These include, prioritizing projects and activities based on departmental priorities; identifying the number of IT resources required to support identified projects and activities; adequate costing for IT projects and activities; and a performance measurement framework and an IT risk management process.

Supporting Observations

IT Governance

The current IT governance model is decentralized, as IT-enabled business priorities and investments are mostly set within the Sectors. A decentralized model is inherently more responsive to user needs, yet is more prone to inconsistencies and less effective at leveraging synergies than a more centralized IT governance model inherently could.

Within that context, the current IT governance structure appears to be reflective of the broader governance structures of the department. In order to allow the department to leverage the advantages of its decentralized model; however, it should work towards reducing the inherent limitations of the model. 

Specifically, addressing the inconsistent application of IT investment decisions that lead to an IT infrastructure that is decentralized; non-standardized, complex, costly to support and evolve; and protect from cyber security threats. In addition, the Government of Canada IT Policy instruments require a departmental authority responsible for IT governance, IT planning, and IT strategies. 

A departmental strategy is required to ensure the most effective use of IT resources. While IT investment decisions may rest within Sectors and are not the sole authority of the departmental CIO, decisions should be made within a framework that ensures IT resources are used effectively. Specifically, resources should be allocated in a manner that minimizes duplication and creates synergies; that reflect decisions that are aligned with common standards; and result in an enterprise architecture that will allow synergies within the departmental IT infrastructure to better protect the Department against cyber security threats. There are currently no such IT policies or standards in place.

CIOSB is currently working on a framework to classify systems as Corporate, Business or Innovation systems. The intent of the framework is to set gradual control expectations. Systems used for innovation would retain a level of flexibility required, yet be segregated from other systems on the shared IT infrastructure to limit the exploitation of their more limited controls to compromise business and corporate systems that need to be available and secured for business reasons. Once implemented, the framework should provide NRCan with the appropriate balance of flexibility and control.

Interviewees acknowledged and understood that IMT-PARB, as a Director General (DG) level Committee co-chaired by the CIO, could be the appropriate committee through which Departmental IT governance and IT planning is exercised. This has been a challenge to date; however, as a significant portion of the discussions at IMT-PARB over the past couple of years have focused on implementing government-wide initiatives, such as the Email Transformation Initiative, GCDOCS information management system, and the consolidation of data centres. Although IMT-PARB is a senior level executive committee, its focus has been primarily on technical issues and initiatives, impacting its ability to set the IT vision and strategic objectives for the department, including more coordinated and comprehensive IT planning and IT investment decision making. This has been compounded by the fact participants at IMT-PARB meetings have not consistently been that the DG level and are limited in their ability to make decisions on behalf of their Sectors.

As many government-wide initiatives have recently been implemented, IMT-PARB can begin focusing more of its efforts on developing a more strategic IT vision and setting strategic objectives for the Department. An interim ADM level committee has recently been established to provide support to IMT-PARB in this role. This audit found that the existence of an ADM level committee to support IMT-PARB could be beneficial as a significant number of interviewees, many of which were IMT-PARB members, expressed a lack of clarity regarding roles, responsibilities and accountabilities related to IT Governance. With that said, as the ADM level IT committee was only recently created, its role was unclear to the audit team.

NRCan has a significant dependency on SSC as the service organization managing the IT Infrastructure. Achieving an established IT vision and strategic objectives will require the full involvement and collaboration of SSC. Consequently, it is strongly encouraged that NRCan management formally involve SSC in its IT Governance structure. For example, this could be achieved through an observer role on IMT-PARB, or other means through which SSC can more fully gain an appreciation for NRCan’s IT vision, strategic objectives, and planned IT investments, and better align its planning activities based on the potential impacts to the IT Infrastructure.

As a result of NRCan’s dependency on SSC, a critical component of the department’s IT governance structure requires clarity surrounding the services it can expect to receive from SSC, which should be defined through a formal service level agreement (SLA). The audit found that there continues to be no formal SLA that provides detailed service standards relating to the services SSC provides NRCan. This was previously identified as an issue in the 2014 NRCan Internal Audit on Disaster Recovery Controls for Mission Critical Applications. Specifically, the 2014 audit noted that an SLA was necessary to ensure an adequate governance structure was in place to support IT continuity, particularly for mission critical applications in the event of an unforeseen disaster. Although a recommendation was made by the audit at that time to address this issue, NRCan’s senior management has advised us that SSC was reluctant to sign a formal SLA.

Strategic IT Planning

In 2012, NRCan developed a document entitled ‘IMT Strategic Plan’ for 2013-2018. While the five-year period covered by the plan had not expired, it did not adequately reflect the IMT needs of the entire department; and it was clear from audit interviews performed that it was no longer considered relevant by NRCan IT stakeholders. Specifically, the focus of the 2013-2018 IMT Strategic Plan was on the priorities of the Chief Information Officer (CIO) organization, as opposed to the IMT priorities of the department as a whole. For example, while “Sector needs” were identified as a priority, actual Sector needs and IT priorities in alignment with business strategies were not identified or discussed.

This limitation in the scope of the 2013-2018 IMT Strategic Plan is reflective of the state of IT governance and planning within the department which is decentralized and short term; and focused on discrete IT initiatives. When reviewing the minutes of IMT-PARB and other IT Governance-related committees, for example, it was observed that discussions are focused on providing updates, and meetings are a forum to discuss risks and issues of specific corporate IT initiatives, such as the implementation of GCDOCS (an electronic document and record management system), the email transformation initiative, and other SSC IT initiatives. Strategic discussions at IMT-PARB regarding long-term IT priorities and planning were not common and ad hoc.

Early in 2015, the Treasury Board Secretariat (TBS) requested that departments provide a list of key IT initiatives to help plan and prioritize activities government-wide and also allow departments to leverage the list of IT initiatives towards initiating their respective IT planning exercises. In addition to the TBS request, various internal and external pressures have been driving the need for a more comprehensive department-wide IT plan. For example, the Department’s IT infrastructure is now managed by SSC, which requires liaison with a centralized entity and process. Similarly, cyber security threats to both private and public sector organizations are serious risks which need to be mitigated. Furthermore, the weaknesses of a decentralized and non-standardized IT infrastructure further exposes the Department to these types of threats as a result of the lack of central oversight and control. 

In response to the TBS request, NRCan has recently drafted a new 2015-2018 IT Plan. The draft 2015-18 IT Plan contains a list of approximately 50 IT initiatives/projects that vary considerably in yearly budget (from $5k to $6.9M), in type (transformation vs maintenance activities) and in level of completion. Specifically, these IT initiatives/projects include technology solutions to support departmental business initiatives and programs; improve security measures; website related initiatives; and support/updates related to back office activities.

A shortcoming of draft 2015-18 IT Plan is that the IT initiatives are not prioritized, not fully costed, and its list of IT initiatives may not be comprehensive as IT activities are often an afterthought for new programs and/or projects. The absence of a more robust plan, also impedes the department’s ability to determine whether NRCan has sufficient IT capacity and resources to meet NRCan’s IT objectives and business requirements, as well as how to best allocate limited IT resources based on departmental priorities.

The current planning approach (while aligned to responding to the TBS request for a comprehensive list of IT initiatives) is mostly bottom up in trying to inventory IT activities and IT resources throughout the Department. A more strategic approach that focuses on “IT business enablement” by translating the department’s business priorities into an IT vision and strategic priorities that would lead to a more robust and effective IT Plan. Specifically, the IT vision and strategic priorities could serve as a guide/criteria to:

• Establish agreed upon criteria to enable the prioritization of IT activities from a “business value” perspective;
• Consider the risks and impact of not achieving the identified objectives, based on departmental priorities;
• Consider how best to allocate IT resources, both corporate and within the Sectors, based on departmental priorities;
• Develop a set of strategic business capabilities and supporting IT architecture; and
• Develop measures and targets to assess performance in reaching the objectives defined in the plan; and to implement required corrective actions in a timely manner.

Considering the strategic importance of the task, it would be appropriate for IMT-PARB to fully engage BTC and Senior Management in defining the IT vision and strategic priorities for the department. This would provide significant direction and authority for IMT-PARB to develop a more robust IT plan based on a clear vision and strategic objectives.

Prioritization of IT-Enabled Projects

As previously mentioned, there are currently no criteria to prioritize IT-enabled projects in the 2015-18 draft IT Plan. The Architecture Review Committee Working Group (ARC), an IMT-PARB sub-committee, has been recently tasked with developing criteria to prioritize IT activities. Establishing such criteria is important to align IT investments to business objectives in a manner that is more consistent, objective and supportable; and allow for the allocation of resources to IT activities based on business needs/priorities. Once established, approved and applied, the criteria should enable more consistent and objective discussions regarding project prioritizations and resource allocation in a manner that effectively addresses the organization’s business needs.

RISK AND IMPACT

An unclear IT vision and strategic priorities increases the risk that IT investments throughout the department are not aligned with the business objectives of the department, and considering the significant reliance on IT, misalignment could significantly reduce the Department’s ability to meet its priorities that require IT enablement.

Furthermore, the absence of formal criteria to prioritize IT activities, there is a risk that IT resources may not be allocated based on business needs, resulting in a misalignment with strategic priorities. This also increases the risk that IT investment decisions will not be aligned, and may not allow the department to leverage synergies, manage IT support and maintenance costs, and effectively protect against cyber security threats.

RECOMMENDATIONS

1. The Business Transformation Committee, co-chaired by the Associate Deputy Minister and Assistant Deputy Minister-Corporate Management and Services Sector (ADM-CMSS), should define the vision, strategy and direction for a coherent management of Information Technology (IT) across the Department, including setting strategic business capabilities and supporting IT architecture.
    
2. The Information Management and Technology Project and Architecture Review Board (IMT-PARB) Committee, in collaboration with the Business Transformation Committee, should ensure alignment of IT investment decisions made throughout the department with departmental priorities, common standards and an enterprise-wide architecture.  
    
3. Sector ADMs should ensure that representatives identified for IMT-PARB attend regularly, are empowered to represent their Sectors and are consistently at the Director General (or equivalent) Level.
    
4. The Executive Committee should ensure a more comprehensive IT Plan is developed that includes missing key elements.
    
5. The IMT-PARB Committee should ensure that criteria are developed to prioritize projects based on their relative business value.
    
6. The ADM-CMSS in consultation with the Chief Information Officer should request a formal arrangement with Shared Services Canada (SSC) to establish operating protocols, including service delivery commitments (from SSC to NRCan).

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

Management agrees. In response to recommendation 1, a 2016-17 IT operational plan will be developed and will incorporate a high-level IT vision, direction and strategy aligned with business priorities, and identifies required business capabilities: May 31, 2016

A 2017-20 IMT Strategy will also be developed, including a review of Government of Canada IM and IT strategies: October 31, 2016

Position Responsible: Co-chairs of IMT-PARB will work with the committee to develop an IT Operational Plan and IMT Strategy, including review and approval by the Executive Committee and Business Transformation Committee, respectively.

Management agrees. In response to recommendation 2, to ensure better alignment of IT investment decisions with departmental priorities:

Chief Information Officer and Security Branch (CIOSB) representatives will be included on Sector IMT Governance Committees: June 30, 2016

Sectors will develop IT operational plans to be signed off by their ADMs to ensure alignment with Departmental priorities: December 31, 2016

The Architecture Review Committee will develop common standards and enterprise wide architecture: March 31, 2017

Position Responsible: Co-Chairs IMT-PARB

Management agrees. In response to recommendation 3, IMT-PARB membership will be confirmed and the roles and responsibilities of the IMT-PARB committee and its members, will be reviewed in relation other committees, namely the Architecture Review Committee and the Business Transformation Committee as well as with responsibilities of Shared Services Canada. IMT-PARB will reiterate its invitation to Shared Services Canada to participate in IMT-PARB meetings in order to secure regular attendance: June 30, 2016

Position Responsible: Co-chairs IMT-PARB, Sector ADMs

Management agrees. In response to recommendation 4, a more comprehensive IT plan will be developed by:

Establishing a Project Management Framework which defines the IT project intake process, role of IMT-PARB and CIOSB in approving projects and monitoring status as well as project resource allocation / capacity: September 30, 2016

Developing an IT costing model which takes into consideration full costs, including SSC and NRCan salary costs: October 31, 2016

Ensuring an IT operational plan is developed and updated annually, incorporating an approved Departmental 3 year IT vision, strategy, and direction, aligned with business priorities, and a plan to ensure the availability of required business capabilities. The IT operational plan will be approved by the Executive Committee: March 31, 2017

Position Responsible: Co-Chairs IMT-PARB

Management agrees. In response to recommendation 5, criteria for prioritizing IT projects have been developed and have been used by IMT-PARB members to prioritize projects at their 2^nd IT workshop on November 24^th.

Position Responsible: Co-Chairs IMT-PARB

Timing: Completed

Management agrees. In response to recommendation 6, the Assistant Deputy Minister (CMSS) and the Chief Information Officer will engage SSC to define and establish operating protocols and service delivery commitments.

Position Responsible: ADM-CMSS, Chief Information Officer

Timing: March 31, 2017

Identification of IT-Enabled Projects

Summary Finding

IT activities, projects and investments throughout the department are currently being compiled for the purposes of the departmental IT plan. These activities, however, are not always clearly aligned with similar information gathering activities related to project reporting, investment planning, and TB submission preparation purposes. In addition, the audit found an opportunity to clarify and strengthen the role of the CIOSB in reviewing TB submissions from the current role as functional reviewer.

Supporting Observations

Identification of IT-Enabled Projects

Project management and oversight processes at NRCan have been evolving constantly in recent years. While some oversight mechanisms have been added, project management remains largely decentralized in the department, with the accountability for the governance and successful delivery of projects remaining with the Sector/Branch that is leading the project.

Projects, including IT-enabled projects, requiring a Treasury Board Submission must go through a defined process led by the NRCan Treasury Board (TB) Centre of Expertise. The process involves internal consultations with numerous functional reviewers throughout NRCan, including CIOSB. The role of functional reviewer consists of providing input on the submission, but does not require a formal sign-off like that required of the Chief Financial Officer (CFO) provided through the mandatory CFO attestation of all TB Submissions. If CIOSB is not involved at the onset of this process, TB Submissions for IT-enabled projects may not appropriately reflect IT requirements, costs and resources required. Some interviewees described instances of this occurring, resulting in a request for funding that was not comprehensive and lower than actually required.

Coordination of Project Management

The NRCan Project Management Office (PMO) is currently finalizing changes to the NRCan Project Management Framework (PMF). The changes involve clarifying the projects that require reporting to departmental oversight committees based on their classification of their size and risk/complexity/visibility, and aligning corporate processes with this new approach. Based on their classification, projects need to report quarterly, biannually, or annually to the NRCan Planning and Reporting Committee (PRC), a Director General level Planning Committee. Twenty-two projects have so far been identified through this process, some of which include IT-enabled projects. 

The NRCan Investment Planning Office (IPO) also develops a list of Reportable Investments (typically for investments over $1M), some of which may be IT investments. This reflects requirements of the Treasury Board Secretariat (TBS) Policy on Investment Planning – Assets and Acquired Services.

There is no clear alignment; however, between the PMO, IPO and/or TB Submission processes and list of IT activities/investments being compiled for the purposes of the 2015-18 IT Plan. Similarly, there does not appear to be any check points in the PMO, IPO and/or TB Submission processes to help ensure IMT-PARB is aware of projects or investments which may also require IT-enablement.

RISK AND IMPACT

If the list of IT activities, projects and investments prepared for the IT plan and IMT PARB oversight is not aligned with related processes for Project Management Reporting, Investment Planning, and TB Submission preparations, there is an increased risk that projects do not properly identify IT-related requirements and resources; and that planning efforts are duplicated.

RECOMMENDATIONS

7. The Information Management and Technology Project and Architecture Review Board (IMT-PARB) and the Planning and Reporting Committees should ensure their respective committees integrate the list of IT activities, projects and investments prepared for the IT plan with related Project Management and Investment Planning processes in the department.
    
8. Sector ADMs in collaboration with the Chief Financial Officer, should engage Chief Information Officer and Security Branch (CIOSB) at the onset of all Sector activities (e.g. development of Treasury Board Submissions, Memoranda to Cabinet, etc.) to help identify whether they require IT enablement and/or support, so that IT requirements and resources, including support required from IT service providers, are duly identified and planned for.

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

Management agrees. In response to recommendation 7, the list of IT activities, projects and investments to be considered in the IT plan will be presented to the Planning and Reporting Committee to maximize integration with other Natural Resources Canada planning activities, especially the Integrated Business Plan, the investment plan and project reporting. Major IT projects subject to Treasury Board Secretariat reporting are already included in the Department Quarterly Project Reporting products: February 28, 2017

Position Responsible: Co-Chairs IMT-PARB; Co-Chairs Planning and Reporting Committee

Management agrees. In response to recommendation 8, through the development of an annual IT Operational Plan, the CIO will be aware of the Departmental IT needs. For the development of new programs the CIO will be engaged to ensure appropriate costs are identified. In addition, CIOSB representative are to be included on Sector IMT Governance Committees: March 31, 2016

Position Responsible: Sector Assistant Deputy Ministers and Chief Financial Officer  

Communication Between Committees

Summary Finding

There are numerous committees that contribute to IT governance within the Department, which has challenged the systematic exchange of information, recommendations and decisions between committees. In addition, Sector IT governance committees exist in three of five Sectors that depend highly on IT enablement; and, CIOSB representatives do not regularly participate at such meetings.

Furthermore, there are no formal terms of reference for the Science Computing Working Group within the Department to ensure clarity of roles and responsibilities and sustainable service delivery. This is particularly critical considering the importance of Science Computing to effectively deliver key departmental priorities.    

Supporting Observations

As detailed in the background section, there are numerous committees throughout the department that are involved in IT Governance. IMT-PARB is the senior-level committee dedicated to IMT issues. IMT-PARB has a number of sub-committees that discuss specific topics related to Information Management, Enterprise Architecture, Web and Science Computing. In reviewing the minutes of IMT-PARB and its sub-committees, it was observed that there is no systematic process in place to help ensure an effective exchange of information, recommendations and decisions between IMT-PARB and its sub-committees. Specifically, discussions and recommendations occurring at sub-committees are not regularly presented to IMT-PARB and vice versa, and minutes of meetings are not shared or otherwise made available to committee members to help ensure alignment of the various committees.

Within that context, one of the sub-committees of IMT-PARB, the Science Computing Working Group (SCWG) was formed to help NRCan better understand its science computing needs and how to effectively respond to those needs internally and through Shared Service Canada. The SCWG has been recognized as an important element in helping the Department identify IT requirements to support the mandate of the Department, and has been meeting since the fall of 2014. A formal terms of reference for the committee; however, has not yet been developed, and the governance structure for the SCWG has not been finalized, including any requirements to communicate activities and progress back to IMT-PARB.

In addition, some Sectors have IT-related governance committees. Specifically, the Minerals and Metals Sector, the Earth Sciences Sector and Canada Forest Service all have Sector IT Committees. This is considered to be a good practice for all Sectors that depend heavily on IT as an enabler of their business. The audit found opportunities to establish such committees within the Innovation and Energy Technology Sector and Energy Sector as well.  

Regarding existing Sector IT Committees, the audit noted that CIOSB, the functional authority for IT within the Department, attendance at these committees has been irregular and/or non-existent. CIOSB participation in these committees, perhaps even as co-chairs, through a senior representative; however, would better ensure improved communications with the Sectors regarding their respective business priorities and challenges. A better understanding would help enable these priorities through IT insights and otherwise discussing how IT resources can be used effectively and in alignment with departmental and Government of Canada direction.

RISK AND IMPACT

If information, recommendations and decisions are not shared between IT Governance-related committees on a regular basis, there is an increased risk that the committees may not be effectively sharing pertinent information. Similarly, if a senior CIOSB representative does not regularly attend and participate at sector IT governance-related committees, there is an increased risk of misaligning sector and departmental IT activities. Lastly, if the mandate for the SCWG is not formalized, there is a risk that the working groups may not be effective in meeting their intended objectives.

RECOMMENDATIONS

9. Assistant Deputy Minister Innovation and Energy Technology Sector (ADM IETS), ADM Public Affairs and Portfolio Management Sector (PAPMS) and ADM Energy Sector (ES)should ensure IT committees are established within their Sector to facilitate discussions and coordination of IT activities across the Department.
    
10. The chairs of sector IT-related committees, in collaboration with the Chief Information Officer (CIO), should establish common processes that ensure:
    1. a systematic exchange of information between IT governance-related committees;
    2. Senior Chief Information Officer and Security Branch (CIOSB) representative attends Sector IT governance meetings; and
    3. the terms of reference for Sector IT committees are formalized for alignment with corporate strategic agendas and plans.

11. The co-chairs of the Science Computing Working Group (SCWG), in collaboration with other committee members, should formalize the SCWG’s Terms of Reference.

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

Management agrees. In response to recommendation 9, ES, IETS and PAPMS will add IT planning as a regular standing item to their Senior Management Committee meetings once every two months. CIOSB will attend the meetings to facilitate improved communication with CIOSB and contribute to coordination of IT activities across the Department: March 31, 2016

Positions responsible:

• Director General (DG) Energy, Safety and Security, Energy Sector
• DG Canmet Energy, Innovation and Energy Technology Sector
• DG Public Affairs, Public Affairs and Portfolio Management Sector
• Chief Information Officer Corporate Management and Services Sector

Management agrees. In response to recommendation 10, common processes will be established and reflected in the Terms of Reference for sector IT-related committees: October 31, 2016

Position Responsible: Relevant Information Management and Technology Project and Architecture Review Board (IMT-PARB) members or Chairs of Sector IT-related committees and CIO

Management agrees. In response to recommendation 11, Terms of Reference for SCWG will be formalized and will include a formal reporting relationship to IMT-PARB: June 30, 2016

Position Responsible: Chair SCWG

CIO Organization Evolution

Summary Finding

CIO organizations throughout the federal government are facing a paradigm shift to transform themselves from technical leaders to strategic business enablers. Considering that the large government-wide initiatives such as GCDOCS, Voice Over IP Phones, and Email Transformation have concluded, there is an opportunity to review the structure of NRCan’s CIO organization to further enable that shift to strategic business enabler and partner.

Supporting Observations

The role of the CIO within the federal government is at a turning point. TBS executives have described it as a paradigm shift of the CIO to a strategic business enabler; from technical specialist to digital leader and business partner. The shift was accelerated with the creation of SSC, in August 2011, which allows CIOs to focus less on technical leadership and more on business enablement.

CIOs across all departments have being required to deliver central technical solutions to allow the government to move to enterprise solutions, such as the Email Transformation Initiative, GCDOCS, and the consolidation of data centres. Such initiatives have consumed significant time and energy, and have limited the ability of organization’s to implement changes in this paradigm shift.

As these central initiatives are being finalized, it is an opportune time for organizations to revisit the role of their CIO organizations and re-structure them, as appropriate, to respond to new business enablement requirements. The Government of Canada’s CIO has stated that the successful CIO organization of the future will focus less on application development skills, and more on strong analysis, architecture, systems integration, testing, and project management skills. It will leverage private-sector services that are cost-effective and can adapt to an ever-changing environment in an agile manner. As such, there will be smaller CIO organizations, with more senior-level personnel, as governments move toward the strategic sourcing of off-the-shelf applications and services to drive business performance. The focus of these smaller CIO organizations will shift from application development to business analytics and relationship management, and their skill sets will also need to change to effectively support chief information officers in their new roles.

NRCan’s CIOSB has indicated that they are currently reviewing the organizational structure of CIOSB. While a full organizational review was beyond the scope of this audit, it can be noted that, under the current organization structure, there is no function dedicated to departmental IT planning; and the shift away from application development skills to analysis, architecture and integration of Sector needs has not yet occurred within CIOSB.  

RISK AND IMPACT

If the organizational structure of CIOSB at NRCan is not reviewed and expectations of the function are not clearly established by senior management, there is a risk that it may not evolve from a technical leader to a business enabler and partner that fully contributes to the achievement of departmental strategic objectives.

RECOMMENDATION

12. The Deputy Minister, in collaboration with the Executive Committee should review NRCan’s expectations of Chief Information Officer and Security Branch (CIOSB) and adjust the structure accordingly.

MANAGEMENT RESPONSE, ACTION PLAN AND TIME FRAME

 

Management agrees. In response to recommendation 12, the Deputy Minister and the Assistant Deputy Minister Corporate Management and Services Sector (ADM CMSS) will complete a review of the role of CIOSB and introduce necessary adjustments to optimize its role as a strategic business enabler: March 31, 2017

Position Responsible: ADM CMSS

APPENDIX A – AUDIT CRITERIA

The objective of the audit is to provide reasonable assurance that NRCan has an adequate IT Governance structure in place to support the management of information technology across the Department.

The table below provides the sub-objectives for the audit and the audit criteria mapped to the five IT Governance processes (referred to as Evaluate, Direct and Monitor (EDM) processes) from the COBIT 5 Framework (www.isaca.org):

• EDM01 – Ensure Governance Framework Setting and Maintenance
• EDM02 – Ensure Benefits Delivery
• EDM03 – Ensure Risk Optimization
• EDM04 – Ensure Resource Optimization
• EDM05 – Ensure Stakeholder Transparency

Audit Sub-objectives	Audit Criteria
1. There is an adequate governance structure in place which supports transparent risk-based decision making related to IT activities.	Governance 1.1 An adequate governance framework and oversight bodies for IT have been established and implemented that allows synergies to be leveraged and the management of corporate IT risks like cyber security to be coordinated effectively. 1.2 Roles and responsibilities related to, IT, SSC liaison, and science computing are clearly defined and communicated. 1.3 The organizational structure and HR capacity and capabilities are appropriate and conducive to meet NRCan’s IT objectives and business requirements.
2. The IT strategy is aligned with the NRCan business strategy and investment plan.	IT Planning 2.1 The IT requirements in the business plan have been established through consultations from relevant stakeholders within NRCan. 2.2 An IT Plan/Strategy has been developed in alignment with the business plan, and is being implemented, monitored and reported to senior management committees in a timely manner. IT Investments and Budgets 2.3 A process has been established to ensure IT investment decisions (IT specific or IT-enabled) are appropriately approved, prioritized, and coordinated. 2.4 An IT Budget is formally approved and implemented that reflects the priorities of IT investments across the Department and includes the ongoing costs of operating and maintaining the IT infrastructure.
3. The IT strategy is effectively delivered through clear resource allocation decisions; clear expectations; and performance measurement and monitoring.	Project Oversight and Resourcing 3.1 A project oversight framework for IT-enabled projects is established that helps ensure the correct prioritization, oversight and co-ordination of all projects (both new requirements and maintenance projects). 3.2 IT initiatives and related resources are prioritized and maintained in alignment with the business and IT strategies, and appropriately consider costs, benefits, dependencies and alternatives. Performance Measurement 3.3 Appropriate IT performance measures and targets have been defined and approved. 3.4 An IT performance monitoring process is in place to evaluate IT performance, and monitor IT’s contribution to the business.
4. The IT strategy adequately considers and is consistent with whole-of-government IT direction and policy requirements.	Policy Requirements 4.1 NRCan’s IT strategy adequately considers whole-of-government IT direction. 4.2 NRCan’s IT strategy meets policy requirements.