Internal Audit of Cost Management of Information Technology - Final Report

December 16, 2010

Executive summary

Objective

The objective of this audit was to assess the management of Information Technology Services Directorate’s (ITSD) costs at the Public Service Commission (PSC) for efficiency and effectiveness.

Conclusion

The audit has shown that ITSD has made inroads to address the recommendations in the Manicom Consulting Ltd. study (Governance and Planning for IT, October 2007), the Gartner Group study (PSC IT Executive Benchmark Report, October 2009), as well as in the previous audit on Information Technology Planning (May 2004).

A governance structure based on a partnership of ITSD and business lines has been established. ITSD management recognized the need for more integrated business and IT planning. Over the past few years, ITSD has put in place a more disciplined long-term approach. Specifically, ITSD developed a strategic IT plan, an evergreen plan and a systems rationalization exercise, in line with the work on the enterprise architecture program. ITSD has also recently taken steps to improve the resource allocation and investment prioritization processes and to increase the transparency of IT operations to more effectively convey IT business value.

Some work in governance and management remains to be done. The auditors found that IT processes and the roles and responsibilities of stakeholders with respect to oversight and governance were not always clearly defined or understood. This has impacted ITSD’s ability to align IT and business priorities and cost-effectively deliver on IT strategy. Moreover, weaknesses in the investment management processes and lack of attention to the value, cost and performance of IT-enabled investments and services have led to uncertainty about the costs and progress of some IT investments and activities.

Positive results are already beginning to emerge as ITSD has implemented changes to its management processes and governance structures. Sustained attention is required, however, to ensure that the efforts under way are continued, and new, necessary processes are put in place.

Next steps

Internal Audit has proposed some recommendations that will permit management to refocus its efforts and support initiatives under way to build on a stronger framework for IT cost efficiency, effectiveness and accountability. Management has responded with an action plan that satisfactorily addresses the areas needing attention.

1. Introduction and rationale

The Corporate Management Branch (CMB) had requested an audit of the Information Technology Services Directorate (ITSD) functions to assess and report on the efficiency and cost effectiveness of IT management. The planning phase for this audit commenced in January 2010.

The rapid changes in the Public Service Commission’s risk environment and financial challenges attributed to salary pressures, significant ongoing non-salary obligations, anticipated budget constraints and the complexity of funding arrangements stemming from the Public Service Resourcing System and cost recovery have brought value-for-money considerations to the forefront. These factors affect ITSD more than many other areas of CMB.

2. Background

The Corporate Management Branch’s (CMB) objective is to protect and promote the Public Service Commission’s (PSC) interests through management of corporate policies and provision of central services and systems in support of all PSC programs. The Information Technology Services Directorate (ITSD) plays a significant role in enabling the PSC to achieve its vision by providing and supporting IT and services.

ITSD’s original budget for 2009-2010 was $7.88M; however, expenditures were $10.71M at year-end. The increase to the budget resulted from the PSC’s strategy to reallocate in-year funding surpluses to support PSC IT initiatives (primarily infrastructure evergreening) that would not have otherwise been funded.

As part of its efforts to improve the cost-effectiveness of IT operations, ITSD had commissioned two significant studies:

  • Manicom Consulting Ltd’s study on Governance and Planning for IT (2007); and
  • Gartner Group study on PSC IT Executive Benchmark Report (2009).

These studies recognized business challenges and made recommendations for PSC IT operations, technical and business planning, investment management, application and infrastructure management and performance management.

Rapid changes in the PSC’s risk environment, which include Public Service Staffing Modernization Project funding, cost recovery, proposed relocation and anticipated, government-wide budget restrictions, have brought value-for-money considerations to the forefront. These factors affect ITSD more than many other areas of CMB, particularly in light of ITSD’s challenging major projects: the Enterprise Data Warehouse, the transfer of Publiservice to the PSC and the redesign of Post-Secondary Recruitment. Thus, CMB requested an audit to examine the efficiency and cost-effectiveness of IT management.

3. Risks

A key purpose of an audit is the identification, assessment and ranking of risks. Following approval of the audit’s Terms of Reference (ToR), Internal Audit conducted the preliminary risk analysis which led to the identification of potential audit issues reflected in our listing of preliminary audit criteria. The analysis also validated the audit objectives originally set out in the ToR.

The Gartner Group and Manicom Consulting Ltd. studies noted challenges for the Public Service Commission (PSC) in the strategy and planning areas. They called for a strengthened joint technical and business planning function to ensure that systems meet future business needs and to reduce overall complexity and operational costs. Weaknesses in the investment management and governance processes were also raised in the Manicom study, specifically with respect to the quality of investment proposals and the inadequate checking for value and alignment of Information Technology (IT) and business priorities.

IT planning is impacted by rapidly evolving technologies and the need to respond to changing business and government environments. Our early interviews and documentation review indicated that the ability to meet these evolving business needs and to fund future IT obligations were at risk. The Information Technology Services Directorate (ITSD) is particularly concerned about the lack of sustainable funding. For past years, ITSD depended on the PSC’s late in-year funding surpluses to support some IT initiatives, particularly those that are not separately managed. This funding approach and the lack of a multi-year investment plan reduce ITSD’s ability to effectively plan and manage technology changes. Furthermore, there is an increased risk of a widening funding gap for future years, which could lead to obsolete or unsupported IT equipment. PSC-wide budget tightening increases the risk of a funding gap.

ITSD management was concerned that IT services were being perceived as “free goods”, since ITSD was responsible for securing most of its own funding. The full range of costs was not apparent to users or being justified by users on a basis of priority or volume. While the demand and costs for infrastructure maintenance and support increase, ITSD’s capacity to effectively manage and fund systems throughout their life cycle is reduced.

By the time audit examinations were under way, ITSD management was already working to improve planning and management processes.

4. Objectives

The objective of the audit is to assess the management of Information Technology Services Directorate’s (ITSD) costs for efficiency and effectiveness at the Public Service Commission, more specifically to provide assurance on whether:

  • ITSD has in place the IT governance, management and operational controls to ensure that its services are provided with due regard for cost-effectiveness; and
  • ITSD operational functions, processes and practices help achieve efficiency.

5. Scope

The review included:

  • Information Technology Services Directorate (ITSD) investment management processes, with emphasis on planning, priority setting for investments and decision-making and governance structures;
  • ITSD service delivery, support and management functions;
  • The follow-up to recommendations provided in the Manicom Consulting Ltd. study (Governance and Planning for IT, October 2007) and the Gartner Group study (PSC IT Executive Benchmark Report, October 2009).

The review did not include:

  • Technical controls and functional IT security requirements, including compliance with the Management of Information Technology Security standard or any subsequent security policies or standards;
  • Funding and program activities relating to separately managed projects, such as the Public Service Staffing Modernization Project; and
  • Information Management activities of the Information Management/Information Technology Committee.

6. Methodology

The audit was conducted according to applicable Institute of Internal Auditors and Public Service Commission (PSC) standards. Methodologies included: interviews with management and staff; reviews and analysis of documents, including systems-generated reports and financial data; walk-through of key processes and testing of transactions and records. A preliminary risk assessment was conducted to identify lines of inquiry. Internal Audit developed draft criteria using the Office of the Comptroller General’s Core Management Controls Guide, the Control Objectives for Information and Related Technology (CobiT), the Treasury Board Policy on Management of Information Technology and the Directive on Management of Information Technology.

The PSC Standard Audit process includes three principal phases: the Preliminary Survey Phase, the Detailed Examination Phase and the Reporting Phase. At the completion of the Preliminary Survey Phase, a decision is made whether or not to proceed with the Detailed Examination Phase.

The audit was completed using internal resources of the Internal Audit Directorate. All deliverables were reviewed and signed off by the Director, Internal Audit. Briefings and validations of observations were ongoing during the course of the audit with the Vice-President of the Corporate Management Branch (CMB) and Information Technology Services Directorate representatives as part of the audit process. CMB provided requested documents and access to employees in a timely manner.

The Terms of Reference were sent to the auditee on January 22, 2010. The analysis was completed in September 2010, using information covering 2009-2010 and early 2010-2011.

7. Statement of Assurance

The internal audit was conducted in accordance with Public Service Commission (PSC) standards, based on the Institute of Internal Auditors standards and the Treasury Board policy. The PSC's Internal Audit Directorate is working toward full compliance with all applicable standards. We have examined sufficient evidence and collected the information necessary to arrive at the conclusions made. In some cases, the evidence sought was not available, resulting in an observation to this effect.

8. Observations and recommendations

Control Objective No. 1 - Effective bodies and processes are established to ensure that the Information Technology (IT) strategy is aligned with the business strategy and that the organization cost-effectively delivers against the IT strategy.

A. Governance committees adhere to a clearly defined mandate

To achieve effective oversight, the IT governance committee’s mandate and processes must be clearly communicated, understood and executed in order to effectively align the IT strategy with the overall business strategy.

The audit found that a formal governance structure exists as documented in the Information Management/Information Technology Committee (IM/ITC) Terms of Reference (ToR) (see Annex B). The Information Technology Services Directorate (ITSD) is formally accountable to the Vice-President (VP), Corporate Management Branch; key strategic decisions are the responsibility of the Executive Management Committee (EMC). IM/ITC is expected to help the VP discharge his role vis-à-vis IM/IT management by providing advice to both the VP and the Director General, ITSD. IM/ITC members did not, however, have a consensus on their committee’s mandate or oversight role in the IT project approval/implementation process. Our interviews indicated that the IM/ITC mainly provided a forum to discuss ongoing concerns with IT services and corporate initiatives, to review new IT application development projects and to inform business lines of ITSD-led initiatives. (Large IT-enabled projects such as the Public Service Resourcing System, the Business Intelligence/Enterprise Data Warehouse or PeopleSoft have governance and steering committees separate from IM/ITC, so ITSD staff manages the coordination.)

The role of EMC is to approve corporate budgets, special funding requests and strategic plans and direction. It also reviews corporate expenditure reports and performance highlights. In turn, it relies on IM/ITC for more detailed reviews. IM/ITC’s allocation/prioritization advisory activities have focused on new minor applications but did not include assessment of infrastructure projects, prior-year projects, IT maintenance costs or service levels - all activities envisaged by the IM/ITC’s ToR. The IM/ITC project prioritization process that was carried out in 2010-2011 included information on the alignment with high level business priorities.

IM/ITC’s oversight of management of smaller IT projects was not consistent in practice. In a sample of projects ranging from 116 to 318 days of effort, we found weaknesses in the availability, completeness and quality of project-critical information such as the business case, project charter, project plan, schedule/cost baseline, tracking changes and explaining variances. Full costs and investment benefits were not quantified. This is similar to findings and recommendations of the Manicom study. Although lighter oversight is expected for smaller projects, certain structure was still expected.

ITSD has enhanced its application development monitoring. The ITSD Project Review Committee (PRC) had been set up to review, track, report and document all projects with respect to potential risks, security issues, performance and compliance with IM/IT policies, standards and guidelines. Although the PRC reviewed timelines, actual results were not compared against plans and information on risks and underperforming projects was not systematically conveyed to the IM/ITC. For example, the actual number of days used for one project’s application development (approximately 1 500 days over 5 years) exceeded estimates of effort required by 70% as requirements were added over time. Effort for application development is now being monitored through EZ-Time and a progress report is included in the “dashboards”. Progress is reviewed monthly at ITSD/Management Committee and will be presented quarterly at IM/ITC.

Overall, governance structures have been established to oversee and advise on ITSD activities. Additional opportunities exist to use and more fully integrate these into ITSD management practices.

Recommendation I: To strengthen IM/ITC effectiveness and to facilitate accountability, IM/ITC and the VP-CMB should clarify the committee’s roles and responsibilities. IM/ITC membership and its link with other IM/IT committees should be reviewed.

Management response:

The VP-CMB, in collaboration with the IM/ITC chair, is working to clarify the IM/IT committee’s roles and responsibilities and adjust IM/ITC’s work plan. The result will be presented to EMC for approval.

Completion date: Q4 of 2010-2011

Recommendation II: ITSD should strengthen the PRC’s function to provide oversight of IT projects through standard procedures for all major project-related actions and decisions to be tracked and reported throughout the project’s life cycle.

Management response:

PRC will put in place procedures to follow progress on all IT-related projects that are presented to them to ensure that proper project management practices are followed and reported accordingly. PRC will monitor projects throughout their life cycle by using dashboards.

A new Treasury Board policy on project management will come into force on April 1, 2011. To meet the new policy requirements, ITSD will strengthen its project management, applications development and oversight processes. Starting December 2010, ITSD will begin documentation and analysis of existing processes and will fill identified gaps. Current ITSD staff resources will be realigned to sustain these processes on an ongoing basis. The level of process formality adopted for each project will be appropriate to the project size.

Completion date: Q3 of 2010-2011

Control Objective No. 2 - The organization has clearly defined and communicated strategic directions and operational objectives

B. Governance review and support of decision-making with policies, directives and standards

Having set its strategic direction, the organization must ensure that it is understood and transmitted to operational level staff.

The 2008-2011 IT Strategic Plan was presented to the IM/ITC in November 2008 and was subsequently reviewed at EMC. The IT plan was not updated for FY 2009-2010. Also, the risks, risk mitigation strategies and potential impacts associated with the funding gap were not documented in the IT plan, nor was the strategic direction for IT priorities formally cascaded down or documented in operational work plans for most IT activities.

The draft 2011-2014 IT strategic plan follows TBS’s IT strategy framework. This new Strategic Plan includes investment in new projects/systems and maintenance/enhancements to existing systems, spending on ongoing IT operations, as well as the funding approach, expected results and risk mitigation strategies. Through project management and planning functions, ITSD will implement a process to ensure IT objectives and measures in the IT Strategic Plan cascade to IT management and staff performance expectations and work plans.

A visible integration between the strategic planning and Public Service Commission (PSC) IT architecture planning is key to more cost-effective investment decisions. We found that the Enterprise Architecture function, tasked with creating a strategic system plan describing the desired future state for PSC systems, is at a basic stage of documenting the architecture.

The overall IT strategy and architecture plans for 2008-2011 included key systems initiatives of the business lines. Developments over this period included:

  • The Public Service Staffing Modernization Project drove some of the architecture work and helped create a potential vision;
  • ITSD developed a high level plan for the Enterprise Architecture Program;
  • ITSD put in place an Architecture Working Group, comprised of IT and business subject matter experts to document the current architecture and the vision; and
  • ITSD initiated an applications rationalization project in order to simplify the architecture, optimize the investment and maintenance resource planning and reduce ongoing costs associated with systems.

ITSD management was strengthening its investment planning. Investment opportunities had often been assessed on a piecemeal basis without consideration for the PSC IT vision, IT plan or the strategic context. This is consistent with the Manicom study findings regarding the need for a more integrated IT planning approach linking IT and business goals. For early 2011-2012, ITSD management is putting in place a process to use project charters for new initiatives. These will outline roles, scope, deliverables and resources. The level of formality will be commensurate with project size. Given that the PSC’s directorate budgets are in place by the start of the fiscal year, we expected that managers would receive early notification of their budgets from the directorate’s administration. The auditors found that ITSD managers played limited roles in determining their budget requirements and not all managers with budget authority were aware of their approved resources at the start of 2009-2010.

Management has made progress in putting IT-related plans into operational terms. For example, the IT strategic plan objectives were linked to the achievement of business goals and the Program Activity Architecture (PAA), although not always clearly. We also expected to find a costing model, in line with Management Accountability Framework area of management 13.3, to guide IT investment decisions and support cost efficiency. Reviewing 2009-2010 evidence, we found that the existing model captured costs for IT services at an aggregate level.

ITSD is taking steps to link strategic, investment, budget and operational planning. ITSD has identified IM/ITC, representing the branches, and the Finance and Accounting Directorate (FAD) as its key partners in developing annual plans. This will facilitate improved progress reporting and stronger investment planning practices.

Recommendation III: ITSD should implement a process to annually report the progress against the IT Strategic Plan to the appropriate governance bodies.

Management response:

ITSD will report, on a quarterly basis, the progress against the IT Strategic Plan to the IM/ITC and annually to EMC; and

EMC approved the 2011-2014 IM/IT Strategic Plan September 7, 2010. Project progress reports, which are updated monthly, are available to business owners at all times through the Records/Document/Information Management System.

Completion date: Q3 of 2010-2011

Recommendation IV: ITSD, in consultation with business stakeholders, should develop a realistic and more comprehensive work plan in support of the Enterprise Architecture Planning Program (EAP).

Management response:

To better support EAP, ITSD will use a two-phased approach that responds to the maturity level of current processes. Phase one, which will be implemented immediately, will be more tactical. Phase two will follow, as EAP acquires an acceptable level of maturity within the PSC.

Completion date for phase 1: Q2 of 2011-2012

ITSD has limited resources. To facilitate the tracking and reporting on projects and plans on a sustained basis, ITSD estimates needing an additional 0.25 full-time equivalent (FTE) at the CS-3 level (to be funded through reallocation within ITSD).

C. Governance bodies are provided with the information required to make informed decisions

Timely and accurate information is required to support proper resource allocation and to provide understanding of funding sources, risks, risk mitigation strategies, expected results and long-term organizational impacts. ITSD could meaningfully contribute to decision-making on providing IT-enabled business solutions.

The TBS Directive on Management of Information Technology (DMIT), effective April 1, 2009, requires the IT investment plan resource allocation targets be organized into four portfolio classes:

  • mandatory (legal/regulatory compliance);
  • maintenance (operations to maintain service levels);
  • business opportunities (for business benefit); and
  • innovations (for business transformation or competitive advantage).

The 2008-2011 IT Plan and 2009-2010 financial information reviewed did not use the DMIT categories to help frame funding and risk-management decisions. ITSD indicated that the investment plan was developed in 2010-2011 as part of its Strategic Plan. DMIT categories are now being used in the IT Plan and in the financial review and variance analysis processes.

The IT strategic and architecture planning activities are maturing. Structures such as the 2008-2011 IT Strategic Plan provided some direction, but without covering the IT investment management process. The information presented was inadequate to score or compare proposals, funding risks were not documented in the IT plan or Zero-Based Budget (ZBB) templates and full costs and investment benefits were not quantified. The Manicom study had similar findings regarding the business proposal development process needed to address value for money, total system life cycle costs, priority alignment and risks. ITSD’s dependence on late in-year funding surpluses to support some IT initiatives has further reduced its flexibility to plan and manage technology changes. With this in mind, the 2010-2011 ITSD spending forecast in the IT Strategic Plan 2011-2014 has been categorized into the four TBS DMIT portfolio classes, with business opportunities and innovation categories combined. The plan also linked IT priorities and outcomes to the PAA and business goals in expressing objectives in results-oriented terms.

Management response:

Even though the TBS DMIT became effective on April 1, 2009, and TBS gave departments and agencies until March 31, 2012 to fully implement it, ITSD developed a new prioritization process that was introduced to IM/ITC in 2010-2011. The process assesses initiatives based on elements such as strategic alignment, business value, risks, timing and technical alignment. In addition to this new process, ITSD plans to develop a new Project Management Framework (PMF) to support project implementation from the initiation phase to the completion and post-implementation phases. The PMF will not only help the PSC comply with the DMIT but will also ensure that the PSC will meet the new government policy on management of projects.

Completion date: Q4 of 2010-2011

Control Objective No. 3 - The activities, schedules and resources needed to achieve objectives have been integrated into the budget and are in line with IT strategy and investment plans.

D. IT projects and initiatives are assessed and prioritized

We examined whether the annual IT plan and resourcing processes are conducted with input from stakeholders, particularly business lines and financial authorities.

The IM/ITC has traditionally played a limited role in helping set the strategic direction and prioritization of IT resources with business priorities. IM/ITC’s project prioritization process took place after the budgeting exercise and included alignment with high-level business priorities but not infrastructure-related activities. IM/ITC’s roles are now being clarified.

For 2010-2011, ITSD made significant progress in establishing an independent challenge function to ensure assumptions, costing practices and resource allocations are used in budgeting and decisions are documented. The previous IT plan did not clearly distinguish between the IT investments in new projects or systems, maintenance and spending on ongoing IT operations. We noted that ITSD primarily relied on historical data and resource availability to establish resource requirements and set allocations. For instance, IT application development resource allocations were based on resources available rather than cost-benefit analyses and business priorities. Resource requirements are more consistently challenged and prioritized; some budgets and resources were realigned to priorities.

The challenge/review was not carried out in advance of the ZBB process and across the full spectrum of resource needs, thus limiting the potential effectiveness of the ZBB process. ITSD has approval for additional time during the ZBB process to respond to and incorporate Branch IT requirements. (In the future, ZBB will be known as the Integrated Resource Planning and Budgeting Exercise (IRPB).)

Recommendation V: ITSD should establish an integrated process to identify and prioritize all resource requirements as part of the IRPB exercise (previously known as ZBB), with investments and ongoing resource requirements allocated by the four DMIT categories and linked to initiatives and expected results in the IT plan.

Management response:

ITSD will establish a process to identify all resource requirements in advance of the IRPB budget exercise. Investments and ongoing resources will be allocated by the four DMIT categories. ITSD will integrate all Branches’ needs in its IRPB template.

Completion date: Q3 of 2010-2011

For FY 2011-2012, ITSD developed new templates for the business lines to report their IT needs. ITSD also requested additional time to submit its IRPB document in order to allow adequate time to analyze branch IT requests and plan accordingly. This approach will allow for better alignment between ITSD plans and the needs of PSC branches.

In addition, ITSD conducted an audit of all its systems and tools as requested by TBS/Chief Information Officer Branch. The data gathered will provide information for managing licenses and tools.

Control Objective No. 4 - An effective framework is in place for developing an understanding of IT costs, reducing cost inefficiencies and recovering costs of IT.

E. IT resources are efficiently allocated to meet the strategy

The auditors also examined whether annual operational plans and budgets were closely aligned with the IT Strategic Plan.

ITSD services are primarily funded through a set appropriations base, approved by EMC. A portion of ITSD costs are also recovered through Staffing and Assessment Services Branch (SASB) vote-netting revenues, the corporate reserve, project funds, and, to a lesser extent, interdepartmental recoveries. ITSD started the 2009-2010 fiscal year with a funding gap. This was because their funding model includes some fund transfers throughout the year from other PSC Branches to support IT initiatives. The 2009-2010 ITSD budget increase resulted mainly from PSC in-year funding surpluses being reallocated. These contingent funds are allocated to ITSD for specific projects and any funds that are not used for their identified purpose must be returned. Therefore, proper accountability necessitates tracking the fund transfers and the associated costs with a project code or a similar mechanism.

For 2009-2010, some funds were not spent as anticipated and returns to the reserve were not easy to make. This illustrates the need to closely monitor such funding - an issue ITSD addressed in 2010-2011.

The use of contingent funding can limit ITSD’s ability to plan effectively and can contribute to some delays. For example, the back-up software for the server migration could not be obtained late in the year, due to contracting delays. As a result, migration was postponed and $200K was returned to the corporate reserve for carry-forward to the next fiscal year. As well, some planned items subject to funding risk or with unsecured funding were not specifically identified in the planning and budgeting processes.

The more robust planning and monitoring processes now in place in ITSD reduce the risks associated with contingent funding. Previously, the projected IT expenditures in the Strategic Plan diverged significantly from the budget allocated, such as for 2009-2010 and 2010-2011, and actual expenditures for the 2009-2010 fiscal year. Unanticipated business needs caused some of these variances.

The auditors assessed whether the current funding model encouraged accountable and economical use of IT resources. ITSD faces considerable work in establishing and stabilizing its new management regime outlined in other parts of this report. Additional financial leverage from business clients could, however, increase business integration, accountability and effectiveness. Various funding options are available: inter-branch charging, creation of an investment fund within the PSC, internal budget reallocation from client branches for system development or acquisition of assets. ITSD and FAD are jointly exploring mechanisms to fund investments and ongoing expenditures.

In 2007, consultants developed a corporate cost model to support the corporate costs included in the established SASB fee structure; a fixed percentage of revenues has been used since to recover corporate costs, including IT. We found that the assumptions in the cost recovery model and the linkages between costs and value drivers were not clear or transparent to users and, as such, would not support an accountable and economical use of IT resources. ITSD is consulting with SASB on how to better reflect IT costs in its cost recovery model.

ITSD is identifying low value and high cost activities, projects and applications in order to improve cost efficiency, in line with the 2009 Gartner Benchmark Study recommendations. The Study showed that the personnel utilization for certain PSC IT functions was generally comparable to similar organizations, often at a lower cost per staff. Cost data for most PSC activities is limited so some conclusions cannot be made. Detail is lacking on the cost baseline or cost drivers needed for optimizing decisions.

An application assessment exercise was initiated to simplify the systems landscape and reduce ongoing associated systems costs. By the end of 2010, ITSD expects to have complete cost estimates for its applications and services. These two initiatives promise to enable ITSD to deliver more cost-effective services.

Overall, ITSD has reinforced its resource allocation process significantly and demonstrated good cost performance for some functions compared to other organizations. Full visibility of costs would contribute to more effective resource allocation.

Recommendation VI: ITSD, in collaboration with FAD, should establish a costing model for IT services and enhanced cost reporting capabilities to support decision-making and continuous improvement.

Management response:

ITSD, in collaboration with FAD, will establish a costing model for IT services and enhance cost reporting capabilities to support decision-making and continuous improvement, where appropriate. To facilitate expenditure tracking, ITSD will make better use of project codes.

Completion Date: Q1 of 2011-2012

To implement and manage an effective cost management process, ITSD will need to strengthen its planning function and will require a half FTE at the CS-3 level (to be funded through reallocation within ITSD).

As ITSD is moving toward the implementation of the government generic organizational model, resources will be reallocated to strengthen the planning function within the directorate.

Control Objective No. 5 - Management monitors, controls and reports on the cost effective use of IT resources and uses the information to improve efficiency and provide accountability.

F. Performance monitoring and reporting

The auditors expected that budgets, goals and performance metrics would be agreed to, consistently measured, reported on and used to improve efficiency and provide accountability.

DMIT requires the organization to annually report on progress against plans and make recommendations for the next planning cycle. An annual update must be provided until the plan expires. The annual progress against the IT Plan was not formally reported to the IM/ITC for 2009-2010. However, EMC reviews budget and performance highlights monthly, including for ITSD.

The role of ITSD’s managers with budget authority in monitoring actual and budgeted expenditures and taking appropriate remedial action is being clarified. We found that for 2009-2010, ITSD directors reviewed financial reports but did not provide input to the monthly variance analysis. The evidence suggests that variances were not well understood and that timely remedial actions were not taken to manage the projected deficit and to keep expenditure forecasts accurate. Transitional management measures are in place for 2010-2011.

Budget and cost detail in the financial systems to support monitoring, analysis of variances and decision-making has improved over time. ITSD has good mechanisms in place to monitor salary costs. It used time reporting for application development and maintenance and, more recently, for project-driven infrastructure work. In 2009-2010, ITSD also developed a spreadsheet to support budget submissions for maintenance and IT infrastructure. Infrastructure spending could then be tracked against plans.

In 2010-2011, ITSD made notable progress in putting in place control and budget management practices. These address weaknesses identified in the 2009-2010 monthly financial reviews, track project funds and permit more timely corrective actions. ITSD implemented a bi-weekly financial review and variance analysis process, which includes Director and Director General (DG) sign-off. This includes monitoring of infrastructure spending and project performance against plans, including separately funded projects. A spreadsheet is used to update expenditures, commitments and projections and reconcile these against the budget on a monthly basis. Changes to project plans are being monitored to avoid overruns and ensure new project charters are developed and reviewed by IM/ITC if significant enhancements from original plans are identified. For 2010-2011, to ensure the new controls are understood and work effectively, all expenditures must be approved by the Director General. After the new process becomes more entrenched, it is intended that regular spending delegation will resume in 2011-2012.

We also reviewed the reporting and use of performance goals and metrics to improve performance of IT operations. For 2009-2010, a number of IT objectives and key performance indicators were identified in the IT Strategic Plan. However, indicators were not expressed in specific results-oriented terms permitting measurement, nor were performance baselines and service levels established or reported. The performance metrics for 2010-2011 are now agreed to and consistently monitored, using proper performance targets.

To provide a value focus, the auditors looked for integrated performance metrics and reporting that demonstrated progress versus planned activities. ITSD linked the key initiatives in the IT Strategic Plan to expected results in the PSC quarterly progress report. The performance data in the report was very high level, being limited to ‘on track’, ‘delayed’ and ‘cancelled’ as senior management requested for this exercise. More detailed periodic progress reporting to stakeholders was not in place.

ITSD has put more structured monitoring mechanisms in place in key areas. Of note, in line with various recommendations from the Gartner study, ITSD is now monitoring Central Processing Unit utilization and has expanded the PSC virtualization infrastructure to new servers. ITSD has also reviewed hardware refresh practices in line with industry practices and will incorporate these into the evergreen plan for 2010-2011. We found that recent measures such as network monitoring to ensure user compliance with IT bandwidth use policy and the reporting of high bandwidth users have led to significant reductions in usage. ITSD has also reviewed license requirements in order to reduce ongoing costs.

The auditors did not assess performance metrics related to cost implications of policies in place, but did note that certain policies were outdated and due to be reassessed.

Recommendation VII: ITSD should implement a more formal communication process to routinely inform stakeholders of performance against key objectives and expected results. This may include a dashboard format to communicate project status, including financial performance.

Management response:

In addition to using existing mechanisms such as open houses, awareness sessions and presentations to IM/ITC, ITSD has introduced dashboards and a blog as a means to better communicate results. ITSD’s implementation of TBS’s Generic Organizational Model will strengthen communication processes.

Completion date: Q2 of 2010-2011

9. Conclusion

The audit has shown that ITSD has made inroads to address the recommendations in the Manicom Consulting Ltd. study (Governance and Planning for IT, October 2007), the Gartner Group study (PSC IT Executive Benchmark Report, October 2009), as well as in the previous audit on Information Technology Planning (May 2004).

A governance structure based on a partnership of ITSD and business lines has been established. ITSD management recognized the need for more integrated business and IT planning. Over the past few years, ITSD has put in place a more disciplined long-term approach. Specifically, ITSD developed a strategic IT plan, an evergreen plan and a systems rationalization exercise, in line with the work on the enterprise architecture program. ITSD has also recently taken steps to improve the resource allocation and investment prioritization processes and to increase the transparency of IT operations to more effectively convey IT business value.

Some work in governance and management remains to be done. The auditors found that IT processes and the roles and responsibilities of stakeholders with respect to oversight and governance were not always clearly defined or understood. This has impacted ITSD’s ability to align IT and business priorities and cost-effectively deliver on IT strategy. Moreover, weaknesses in the investment management processes and lack of attention to the value, cost and performance of IT-enabled investments and services have led to uncertainty about the costs and progress of some IT investments and activities.

Positive results are already beginning to emerge as ITSD has implemented changes to its management processes and governance structures. Sustained attention is required, however, to ensure that the efforts under way are continued, and new, necessary processes are put in place.

Management response:

ITSD is in the process of implementing the Treasury Board Secretariat/Chief Information Officer Branch IT Community Generic Organizational Model in order to strengthen all IT streams. Some streams, such as planning and project management, which are considered essential to a successful IT organization, do not currently exist within ITSD. The PSC needs to address these gaps by staffing a manager for the planning and project management stream (CS-4). This will position the PSC well with respect to any future IT enabling projects requiring TBS approval. The position will be funded through reallocation within ITSD.

Next Steps

Internal Audit has proposed some recommendations that will permit management to refocus its efforts and support initiatives under way to build on a stronger framework for IT cost efficiency, effectiveness and accountability. Management has responded with an action plan that satisfactorily addresses the areas needing attention.

Annex A – Preliminary audit criteria

Control Objective Audit criteria
Control Objective No. 1

Effective bodies and processes are established to ensure that Information Technology (IT) strategy is aligned with business strategy and that the IT organization cost-effectively delivers against the IT strategy
  • 1.1 The oversight body’s mandate (in the form of a charter or other documentation) exists and clearly communicates its roles in helping ensure effective alignment of the IT strategy with business strategy and alignment of IT operations with the IT strategy.
  • 1.2 IT resources are allocated based upon clearly articulated business priorities, with linkage to the overall PSC mandate.
  • 1.3 IT-related investments are assessed and recommended by the oversight body (bodies) and responsive to achieving organizational objectives with due regard for cost effectiveness.
  • 1.4 IT priorities and resource allocation decisions are guided by sound selection and prioritization criteria.
  • 1.5 There is a consistent and robust approach to preparing and submitting business cases that fully address value for money, total system life cycle costs, alignment and risks.
  • 1.6 Accountability is assigned and benefits are tracked over the IT project life cycle.
  • 1.7 IT performance, including the investment portfolio, is reviewed against the IT strategy to identify progress against plans, costs and risks of all significant investments and to recommend action on potentially underperforming or under-resourced projects.
  • 1.8 ITSD annually reports on resource allocation, schedule changes, progress against plans and recommendations for the next planning cycle.
Control Objective No. 2

The organization has clearly defined and communicated strategic direction and operational objectives
  • 2.1 The IT strategic direction and objectives are established and communicated through formal strategic plans, with consideration for government priorities, identified risks and client needs.
  • 2.2 The IT Plan outlines the organization’s priorities and planned investments/acquired services for the upcoming five year period for: new IT projects, systems, services or large enhancements to existing projects, systems and services; planned maintenance of or enhancements to existing IT systems or services and IT operations.
  • 2.3 The IT Plan is reviewed annually and updated, as required, at the time of the review.
  • 2.4 Operational plans and objectives for all key activities, aimed at achieving strategic objectives and priorities, have been defined and communicated.
  • 2.5 IT strategic and operational plans and objectives are linked to achievement of business goals and expressed in specific results-oriented terms related to business requirements that permit measurement and evaluation.
  • 2.6 A Strategic Systems Plan describing the desired future state for the PSC was created/updated and is linked to the IT Strategic Plan.
Control Objective No. 3

The activities, schedules and resources needed to achieve objectives have been integrated into the budget and are in line with the IT strategy and investment plans
  • 3.1 An integrated IT budget and investment plan is approved and integrated within the overall PSC financial/business plan.
  • 3.2 Budget submissions accurately reflect the funding requirements for IT-planned discretionary and non-discretionary costs of mandatory and maintenance activities, investments in business opportunities and innovations.
  • 3.3 The line items of the IT budget and priorities in the investment plan can be clearly linked to IT plans and objectives.
  • 3.4 Resource allocation targets are organized into four portfolio classes: mandatory (legal/regulatory compliance), maintenance costs (operations to maintain service levels), investments in business opportunities (for business benefit) and innovations (for business transformation or competitive advantage).
  • 3.5 Budget submissions for IT are properly supported by information and underlying assumptions/risks on forecasted demand, service levels and other relevant information.
  • 3.6 Assumptions and related resource allocations and costing practices used to prepare the budget are challenged independently and decisions from this challenge process are documented.
  • 3.7 The approved budget is established and communicated to ITSD managers in advance of the operating period or shortly thereafter.
Control Objective No. 4

Budgets and costs are appropriately managed with due regard for cost-effectiveness, in line with approved IT budget plans and objectives
  • 4.1 Management with budget authority regularly monitors actual expenditures, reviews projections against plans, reviews monthly variances and takes appropriate remedial action.
  • 4.2 Budget and costs for each activity or project are sufficiently detailed to support monitoring, analysis of variances and decision-making.
  • 4.3 Funds are spent throughout the year on planned items or defined purposes linked to plans/objectives.
Control Objective No. 5

An effective framework is in place for developing an understanding of IT costs, reducing cost inefficiencies and recovering costs of IT
  • 5.1 To ensure transparency and understanding, costs are appropriately and systematically attributed to activities or services provided.
  • 5.2 Costs for services rendered are systematically allocated to users to encourage accountable and economical use of IT resources.
  • 5.3 A cost model has been created/updated to appropriately support the established fee structure for the portion of ITSD costs recovered through the Staffing and Assessment Services Branch vote-netting revenues.
  • 5.4 IT policies effectively support a well-informed and efficient use of IT services.
  • 5.5 Value for money of key activities and deliverables is periodically reviewed.
    • 5.5.1 Low value activities have been identified and eliminated and processes are cost effective.
    • 5.5.2 The organization has defined and implemented a plan to rationalize existing application systems and eliminate or replace older technologies.
    • 5.5.3 Applications/projects with higher costs have been reviewed with actions taken to improve cost efficiency.
    • 5.5.4 Hardware refresh policy and vendor maintenance agreements are aligned with industry practices to ensure optimal value for money.
Control Objective No. 6

Management monitors, controls and reports on the cost-effective use of IT resources and uses the information to improve efficiency and provide accountability
  • 6.1 Valid and reliable information metrics on efficiency and effectiveness of key operational activities are produced.
  • 6.2 Valid and reliable information on efficiency is used to monitor, maintain and improve utilization of resource capacity.
    • 6.2.1 Capacity is planned in line with demand forecasts and resource utilization and performance data is reviewed on a periodic basis to ensure efficient usage of resources.
    • 6.2.2 Server Central Processing Unit utilization has been reviewed to optimize use of hardware and virtualization efforts are expanded to reduce the number of servers.
  • 6.3 Quality and level of service are monitored and compared to Service Level Agreements and Operational Level Agreements to ensure reasonable performance.

Annex B - Accountability structure for Information Technology

Annex C – Glossary

BMC
Branch Management Committee
CIOB
Chief Information Officer Branch
DG
Director General
DMIT
Directive on Management of Information Technology
EAP
Enterprise Architecture Program
EMC
Executive Management Committee
FAD
Finance and Administration Directorate
FTE
Full-time equivalent
IA
Internal Audit
IAC
Internal Audit Committee
IAD
Internal Audit Directorate
IM/ITC
Information Management/Information Technology Committee
IRPB
Integrated Resource Planning and Budgeting Exercise
MITS
Management of Information Technology Security
OCG
Office of the Comptroller General
PAA
Program Activity Architecture
PMF
Project Management Framework
PMIT
Policy on Management of Information Technology
PRC
Project Review Committee
PSRS
Public Service Recruitment System
PSSMP
Public Service Staffing Modernization Project
SASB
Staffing and Assessment Services Branch
TBS
Treasury Board of Canada Secretariat
TOR
Terms of Reference
ZBB
Zero-Based Budget
