Audit of the Canadian Heritage Funding Portal (Onboarding and Transition)
Office of the Chief Audit Executive
April 25, 2024
On this page
- List of figures
- List of tables
- List of acronyms and abbreviations
- Executive summary
- Audit opinion and conclusion
- Statement of conformance
- 1.0 Background
- 2.0 About the audit
- 3.0 Findings and recommendations
- 4.0 Conclusion
- Glossary
- Appendix A – Assessment scale and results summary
- Appendix B – Management action plan
- Appendix C – Sample of 37 Controls reviewed during the audit
List of figures
- Figure 1: Reporting structures and governance decision model
- Figure 2: CEB reporting structure
- Figure 3: Online Funding Application Process at PCH
List of tables
List of acronyms and abbreviations
- ADM: Assistant Deputy Minister
- ATIP: Access to Information and Privacy
- BPI: Business Process Innovation
- CCCS: Canadian Centre for Cyber Security
- CEB: Client Experience Branch
- CFOB: Chief Financial Officer Branch
- CHFP: Canadian Heritage Funding Portal
- CIO: Chief Information Officer
- CIOB: Chief Information Officer Branch
- CoE: Centre of Excellence
- CRM: Client Relationship Management
- CSP: Cloud Service Provider
- DAC: Departmental Audit Committee
- DG: Director General
- DSD: Digital Services Delivery
- EDI: Equity, Diversity and Inclusion
- EXCOM: Executive Committee
- GC: Government of Canada
- GCIMS: Grants and Contributions Information Management System
- GCMAP: Grants and Contributions Modernization Action Plan
- GCMI: Grants and Contributions Modernization Initiative
- GCMP: Grants and Contributions Modernization Project
- Gs&Cs: Grants and Contributions
- HR: Human Resource
- HTML: HyperText Markup Language
- HTTPS: Hypertext Transfer Protocol Secure
- OCAE: Office of the Chief Audit Executive
- OLHR: Official Languages, Heritage, and Regions
- PCH: Department of Canadian Heritage
- PDF: Portable document format
- PIA: Privacy Impact Assessment
- PoAM: Plan of Actions and Milestones
- PBMM: Protected B / Medium integrity / Medium availability
- POs: Program Officers
- POC: Project Oversight Committee
- QA: Quality Assurance
- RBAP: Risk Based Audit Plan
- SAP: Systems Applications and Products
- SOS: Statement of Sensitivity
- SPPCA: Strategic Policy, Planning and Corporate Affairs
- SSC: Shared Services Canada
- TB: Treasury Board
- UAT: User Acceptance Testing
Executive summary
In December 2019, PCH introduced the project known as My PCH Online with a defined mission to increase digital access to services for clients; simplify processes and tools for employees and clients; and enable quality data gathering for improved service, reporting and decision-making. My PCH Online resulted in the creation of a client-facing portal named the Canadian Heritage Funding Portal (CHFP). This solution is an online channel that allows Canadians to submit funding applications for PCH Gs&Cs programs and track the progress of their application. The portal was launched for the first time in May 2021 and has facilitated the intake of 19 high-volume program subcomponents with approximately 9500 online applications received through the portal to this day. The primary activities in the delivery and management of CHFP consist of onboarding and relaunching PCH programs in the portal. The long-term departmental vision for CHFP is to continue onboarding new program components while maintaining the existing ones.
During My PCH Online development and implementation, the project team was assembled from the former Modernization Branch and the Business Process Innovation (BPI) group at PCH, working in collaboration with resources from Centre of Excellence (CoE), Finance, and the Chief Information Officer Branch (CIOB). An external delivery vendor called Eperformance was contracted by the Department to develop the solution and focus on other technical aspects of the project. My PCH Online was closed-out on March 31st, 2023.
With the formal close-out of My PCH Online, all activities related to CHFP were transitioned from a project state to on-going operations involving new assigned roles and responsibilities, a new operational budget and a defined change management approach. Throughout this transition phase, a new branch called Client Experience Branch (CEB) was formed under the leadership of the Assistant Deputy Minister of Official Languages, Heritage, and Regions (OLHR). The CEB was created from a merger between the former Modernization Branch and the BPI group with the aim to build on the results of My PCH Online and further the client service aspect. One of the top priorities of this new branch is to ensure that PCH programs that have already been onboarded in CHFP, continue to be maintained. This is intended to enable an accessible, responsive, consistent client experience.
Audit opinion and conclusion
Based on the audit findings, it is my opinion that the Department of Canadian Heritage (PCH) defined and applied a well-structured transition process to move all key activities related to the implementation of CHFP from a project state to an operational state. Throughout this transition phase, close collaboration and consistent engagement occurred between the key parties involved in the delivery of CHFP operations, and knowledge was transferred from the project resources to the new limited internal resources responsible for ongoing operations. While key activities required to deliver CHFP mandate such as programs’ engagement, onboarding, relaunch and support, continue to be maintained post-transition, the current operational state is not sustainable to achieve the long-term departmental vision for CHFP. To address the current challenges found during this audit, the following opportunities for improvements were highlighted for management’s consideration:
- The current capacity (both Human Resource (HR) and financial) to manage and deliver CHFP operations should be reviewed to ensure departmental objectives and vision related to CHFP can be achieved.
- The control environment established for CHFP should be fully assessed to enhance the protection and security of the cloud-based service, and obtain/maintain full authorization to operate.
- The roles, responsibilities and accountabilities for the management and delivery of CHFP operations, particularly those related to data management, should be clearly established.
Statement of conformance
In my professional judgment as Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Policy and Directive on Internal Audit of the Government of Canada, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed with management and are only applicable to the entity examined and for the scope and period covered by the audit.
Original signed by
Bimal Sandhu
Chief Audit Executive
Department of Canadian Heritage
Audit Team members
- Dylan Edgar, Director of Internal Audit
- Houssein Ndiaye, A/Team Lead
- Trisha Laul, Senior Auditor
- Erick Martel, Auditor
With the support of external resources
1.0 Background
The Department of Canadian Heritage (PCH or the Department) provides a myriad of grants and contributions (Gs&Cs) funding opportunities for individuals and organizations representing a mix of sectors including the arts, sport, culture, heritage, official languages, etc. PCH provides approximately $1.2 billion in Gs&Cs funding support to approximately 10,000 clients annually across Canada. To continually improve the delivery of its services to Canadians, a Gs&Cs modernization journey has been underway in the Department since 2010. Three main phases occurred throughout this transformational journey with an evolution from the Grants and Contributions Modernization Initiative (GCMI), through the Grants and Contributions Modernization Action Plan (GCMAP), to the Grants and Contributions Modernization Project (GCMP). From the outset of this modernization journey, the overall vision to transform/simplify processes, modernize client interactions and implement an integrated end-to-end solution for Gs&Cs delivery across the Department, remained consistent.
In late 2019, the Department revisited the scope of the third phase, resulting in a reset and rebranding of GCMP. In December 2019, PCH introduced the project known as My PCH Online with a defined mission to increase digital access to services for clients; simplify processes and tools for employees and clients; and enable quality data gathering for improved service, reporting and decision-making. This solution is an online channel that allows Canadians to submit funding applications for PCH Gs&Cs programs and track the progress of their application. The portal was launched for the first time in May 2021 and has facilitated the intake of 19 high-volume program subcomponents with approximately 9500 online applications received through the portal to this day. The primary activities in the delivery and management of CHFP consist of onboarding and relaunching PCH programs in the portal. The long-term departmental vision for CHFP is to continue onboarding new program components while maintaining the existing ones.
During My PCH Online development and implementation, the project team was assembled from the former Modernization Branch and the Business Process Innovation (BPI) group at PCH, working in collaboration with resources from Centre of Excellence (CoE), Finance, and the Chief Information Officer Branch (CIOB). An external delivery vendor called Eperformance was contracted by the Department to develop the solution and focus on other technical aspects of the project. My PCH Online was closed-out on March 31st, 2023.
For several months preceding the formal close-out of My PCH Online, a plan to transition from the project state to on-going operations was defined and rolled-out by the Project Management teams responsible for the implementation of CHFP. All activities related to CHFP were transitioned from a project state to on-going operations involving new assigned roles and responsibilities, a new operational budget and a defined change management approach. Throughout this transition phase, the Department adopted a client-centric service delivery model intended to establish a sustainable and improved client experience, and to better align with the Policy on Service and Digital, the Policy on Transfer Payments and the Policy on Results. A new branch called Client Experience Branch (CEB) was formed under the leadership of the Assistant Deputy Minister of Official Languages, Heritage, and Regions (OLHR). The CEB was created from a merger between the former Modernization Branch and the BPI group with the aim to build on the results of My PCH Online and further the client service aspect. One of the top priorities of this new branch is to ensure that PCH programs that have already been onboarded in CHFP, continue to be maintained. This is intended to enable an accessible, responsive, consistent client experience.
2.0 About the audit
2.1 Project authority
The authority for this audit was derived from the 2022-2024 Risk Based Audit Plan (RBAP), which was recommended by the Departmental Audit Committee and approved by the Deputy Minister.
2.2 Objective and scope
The objective of the audit was to provide assurance on the effectiveness and sustainability of the new Canadian Heritage Funding Portal as a service delivery channel; and assess the effectiveness of its transition to operations including governance, planning, control environment and management of operations.
The scope of the engagement focused on CHFP operations and planned activities to deliver a client-centric service with continuous improvement; as well as the organizational structures, processes and controls adopted for the implementation and management of CHFP.
2.3 Approach and methodology
The audit was conducted in accordance with the Treasury Board Policy on Internal Audit, its affiliated Directive on Internal Audit, and the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.
The audit methodology included the following key activities:
- review of relevant documentation related to CHFP on-going operations;
- review of relevant documentation related to the previous project My PCH Online;
- collection of information through interviews and survey questionnaires;
- walkthroughs of key CHFP processes and the relevant systems involved;
- review and testing sessions of key controls related to CHFP (e.g., security, accesses, etc.);
- analytics on financial, human resources and operational data;
- review of relevant laws, regulations, policies, procedures, and guidance; and
- work from previous OCAE projects, such as My PCH Online Controls Mapping.
3.0 Findings and recommendations
Findings are based on the evidence gathered through the audit methodologies applied for each audit criterion. Appendix A — Assessment Scale and Results Summary provides a summary of conclusions for each of the criteria assessed during this audit. Findings of lesser materiality, risk or impact have been communicated with the auditee either verbally or in management letters.
3.1 Governance, accountabilities, roles & responsibilities
Governance
A governance decision model was established during the project My PCH Online and continues to be applied for CHFP on-going operations. Oversight functions are being fulfilled during periodic meetings at the executive levels. The current process for changes and decision requests has a unique critical path involving the reporting structure from CEB to the Assistant Deputy Minister (ADM) of OLHR.
Sound governance of business operations helps promote transparency, accountability, efficiency, risk management, stakeholder engagement, compliance, and long-term sustainability. The Treasury Board Policy on Service and Digital assigns Deputy Heads responsibility for establishing governance to ensure the integrated management of service, information, data, IT, and cyber security within their department. At PCH, the establishment of a strong governance framework for the Canadian Heritage Funding Portal is essential to ensure an appropriate oversight function is in place to review and monitor day-to-day operations and overall business delivery. The audit team expected to find governance bodies in place to ensure the integrated management of operations/activities related to CHFP; satisfying the requirements of the Policy on Service and Digital.
During the project My PCH Online, a governance “Decision Model” was defined with the Project Oversight Committee (POC) identified as the departmental committee (level 2) responsible to oversee the full delivery and effective management of the project. Following the transition from My PCH Online project to CHFP ongoing operations, this decision model continued to be applied with a slight difference in the oversight role. The team observed that POC was no longer the defined oversight body for on-going operations. Instead, oversight functions are being fulfilled during periodic meetings at executive levels (i.e. Directors, DGs, or ADMs). In fact, a CHFP Executive team has been created, meeting every three weeks, made up of executives from CEB, CIOB and the CoE. Although there is no specifically defined oversight body, operations or business delivery actions/items that should be discussed at the governance level, are presented and/or escalated to the appropriate level within the reporting structures illustrated below:
Despite having two reporting structures involved in the management and oversight functions of CHFP operations, the audit team noted that the current decision-making process for changes and decision requests has a unique critical path going from CEB to the ADM of OLHR, and in rare cases to the Deputy Head. In addition, the formal organization chart signed-off by the ADM on May 10th 2023 indicates two separate reporting relationships within CEB. In fact, the management team includes a Director General and a Senior Director, both reporting directly and separately to the ADM.
Findings regarding the lack of clarity around roles and responsibilities are presented in the next section, and key stakeholders that should be consulted during the change process are presented in section 3.3 of this report (Change Management).
Accountabilities, roles and responsibilities
Roles and responsibilities pertaining to CHFP operations are not formally defined, documented, and communicated. Rather, ad hoc roles and responsibilities are understood by most stakeholders involved in the delivery and management of CHFP. Currently, there is no defined accountability for the data/information residing in CHFP.
Having clear roles and responsibilities helps organizations boost their operational efficiency in several ways. It allows organizational resources to be aware of expectations and complete deliverables while avoiding confusion or gaps in their work. It can also enhance collaboration, communication, and coordination among team members while fostering a culture of trust, accountability, and feedback. With well-defined roles and responsibilities, each group or team involved in the delivery and management of CHFP operations can focus on their respective assigned tasks and work in collaboration towards the achievement of defined objectives. This will increase motivation, engagement, and satisfaction by providing each team member with a sense of purpose, ownership, and recognition. The audit team expected to find that roles, responsibilities, and accountabilities for the management and delivery of CHFP operations, are clearly defined, documented, communicated, and understood.
Throughout this engagement planning phase and fieldwork, the team inquired about the definition of formal roles and responsibilities following the transition from My PCH Online to CHFP on-going operations. Interviews with management and staff in CEB, CIOB, CoE revealed that roles and responsibilities are generally understood by most stakeholders involved in the delivery and management of CHFP. The Client Experience Branch is recognized as the owner of the portal, managing the delivery of its activities. A new team in CIOB inherited all technical functions related to the development, licensing, maintenance, and security of the portal. The CoE (responsible for ensuring transparent and accountable management of grants and contributions, benefiting both recipients and the Government of Canada) plays a role of support and training for CHFP. Although these ad hoc roles and responsibilities were verbally explained to the audit team, it was observed that they are not formally defined nor communicated. The absence of documented roles and responsibilities has resulted in a lack of clarity, leading to confusion and ambiguity on who has ownership/responsibility for certain duties. For instance, the team observed confusion on the part of program staff concerning the roles and responsibilities of CEB in comparison to those of the CoE, and overlap in duties leading to operational inefficiencies and duplication of efforts related to the creation of working groups and forums. Inconsistencies in synchronization activities were also noted where some recurring tasks are undertaken by program staff and in some cases by the CoE (refer to section 3.5 for details regarding the Client Synchronization Task). Ownership of the Gs&Cs business process with respect to the operation of the CHFP is unclear. 
While this role is attributed to the Centre of Excellence for the management of all Gs&Cs within the Department, the fact that CEB owns this portal and leads its operation creates ambiguity and confusion regarding the role of business owner. Furthermore, the Senior Director in CEB who has separate and distinct responsibilities from the DG, was identified as the head of program engagement and represents programs’ business needs in terms of governance and oversight. Consequently, there is overlap in business ownership/delivery responsibilities and a need to clearly identify responsibilities that fall under the Director General of CEB, the Senior Director of CEB and those attributed to the CoE for this portal.
Identifying roles, responsibilities, and accountabilities for the management of information residing in CHFP was a challenge throughout this audit. All relevant stakeholders were consulted, and the engagement was completed without being able to confirm who in the Department is accountable for the data residing in CHFP. Throughout the review of relevant documentation, the audit team could not find any assigned responsibilities for the management of the portal data. All 16 program components that were first onboarded in CHFP indicated during interviews that they are not responsible/accountable for the data remaining in the portal after its transfer to PCH internal systems. The team received conflicting responses to questions about roles and responsibilities concerning who the data lead is [information manager]. Programs believe that the CHFP and CIOB teams are addressing retention and disposition of information in the portal, while CEB and CIOB placed the responsibility on programs. Currently, there is no defined accountability for the data/information residing in CHFP.
Recommendation:
- The Director General of the Client Experience Branch, in collaboration with the Chief Information Officer and the Chief Financial Officer, should ensure that roles, responsibilities and accountabilities for the management and delivery of CHFP operations are clearly and formally defined, documented, and communicated.
3.2 Business delivery
Transition to operations
The departmental project My PCH Online resulted in the creation of CHFP, and was closed-out in March 2023. A plan to transition from the project state to on-going operations was defined, well documented and rolled-out by the Project Management teams responsible for the implementation of CHFP. The transition phase involved a restructuring of departmental organizations, a reallocation of funds and resources, and a transfer of functional roles.
Organizational projects focus on a time-based, outcome-oriented goal. Once a project reaches that goal and is completed, it transitions to operations. Project sponsors need to focus on this transition phase during the design and implementation of the project and build the necessary transitory steps and documentation that will ensure an effective alignment with existing business processes and proper transfer of knowledge, skills, and expertise to the new teams responsible for operations. Once the project My PCH Online was completed and formally closed-out, the audit team expected to observe an effective transition from the implementation phase to on-going operations of CHFP as a sustainable solution that supports program delivery activities.
The project My PCH Online was introduced in December 2019 and resulted in the creation of a client-facing portal named the Canadian Heritage Funding Portal. This online channel was built with the intent to provide an improved digital experience to Canadians. The application portal allows PCH clients to create a user profile, apply for funding, and track the progress of their application as illustrated in the following figure:
To access the Canadian Heritage Funding Portal for the first time, any new user must go through the initial registration by signing-up either with a GCKey (see definition in Glossary) or a sign-in partner such as banking institutions. Once the Terms and Conditions of the GCKey are accepted and a user profile is created with a unique username and password, the user can log into CHFP. Prior to the submission of any funding application, applicants must create an organizational profile including the name, address, phone number, email, legal status and authorized representatives for the organization. After the creation of the organization, applicants can submit their funding applications which are automatically received in a Client Relationship Management (CRM) platform (see definition in Glossary). PCH employees use this CRM tool to access all application and organizational information provided by the applicant through the portal. Program Officers (POs) do not work directly in CHFP, rather the information is transferred from the CRM to the internal Grants and Contributions Information Management System (GCIMS). GCIMS is the Department's official repository, and it houses all client and project information, including funding decisions. GCIMS is also supported by an integrated technology (.net) named GC Links which is used to capture the application assessment and post-award monitoring details. This process of transferring data and documents from CRM to GCIMS is explained in the last section of this report (3.5 Information Management).
Prior to the initial deployment of the Canadian Heritage Funding Portal online, an accessibility assessment was conducted by the Department to ensure services offered through the portal are accessible to everyone. This assessment resulted in a final report indicating that the portal webpage is in compliance with accessibility requirements. The primary format for applications is in HTML forms which are accessible, including to people using assistive technologies. While the portal offers a digital method to apply, non-digital methods remain available to the public for Gs&Cs application submission (e.g. via paper, help offered by phone, in person visits to PCH offices, etc.). A message is posted on the initial portal webpage providing details to users that require assistance using the portal and information on how to seek help to apply offline. In terms of Equity, Diversity and Inclusion (EDI), it was observed that portal applicants are required to indicate their organization’s primary activity, audience, client group, or beneficiary (i.e. general public, men, women, persons with disabilities, indigenous peoples, members of ethnocultural communities, etc.). While PCH collects this data from applicants, there is currently a gap and a lack of consistency in how EDI information is being collected by programs. CEB and CoE indicated during interviews that the portal is at an early stage of maturity for EDI collection, but a working group was created, and consultations are on-going with programs to provide more direction, guidance and consistency on the collection of EDI data.
CHFP is also intended to enable the submission of follow-up documents by applicants to report on the use of the funds provided by PCH, communicate the results achieved and demonstrate compliance to the terms and conditions in the funding agreement. This reporting functionality has not been fully implemented for all program components in the portal today, but it has been made available for implementation to program components that request the addition of this feature.
For several months preceding the formal close-out of My PCH Online on March 31st 2023, a plan to transition from the project state to on-going operations was defined and rolled-out by the Project Management teams responsible for the implementation of CHFP. By reviewing the relevant documentation, the audit team found that this plan was well documented and provided a staged approach to move all key activities of the project into regular internal operations, particularly activities related to the onboarding and relaunch of programs (explained in the Onboarding and Relaunch section below), and all technical functions that were previously performed by the external vendor Eperformance. Throughout this transition phase, the Department adopted a client-centric service delivery model intended to establish a sustainable and improved client experience by focusing on three main priorities:
- Improve service delivery channels by enhancing the client-facing capabilities of the portal; onboarding additional programs; and providing better tools for client enquiry and public support.
- Improve service levels and client/staff experience by working on the interaction between the portal and internal systems; upgrading existing business processes; and supporting program officers with additional guidance and training.
- Establish a client service program focused on close collaboration with key stakeholders; feedback collection and data-gathering methods to support decision-making, results measurement and reporting.
By adopting this client-centric direction, the Department aims for a better alignment with the Treasury Board (TB) Policy on Service and Digital, the TB Policy on Transfer Payments and the TB Policy on Results.
The transition of CHFP from a project to on-going operations involved a restructuring of departmental organizations, a reallocation of funds and resources, and a transfer of select roles and responsibilities. In line with the client-centric vision explained above, the new Client Experience Branch was created from a merger between the former Modernization Branch and the BPI group with the aim to build on the results of My PCH Online and further the client service aspect. CEB was made accountable for capturing and documenting the requirements related to new programs being onboarded as well as the maintenance and relaunch of programs previously onboarded to CHFP. As it relates to the technical services and technology aspects of the portal, all functions were transitioned to the new development team created in CIOB through the roll-out of a three-phased transition strategy. It was found that this phased approach ensured that knowledge was transferred from the external solution developer Eperformance to the internal team in CIOB, and continuous learning occurred. During audit walkthroughs focused on CHFP technical development and maintenance steps, the CIOB team demonstrated knowledge of technical business requirements for onboarding, relaunching and bug fixing. Ad hoc roles and responsibilities attributed to CEB and the development team in CIOB are explained in the previous section of this report (3.1 Roles and Responsibilities).
Onboarding and relaunch
The long-term departmental vision for CHFP is to continue onboarding new program components while maintaining the existing ones. The level of effort and complexity for the relaunch was similar to an initial onboarding due to major changes being required and a lack of data standardization. With the current situation (i.e. CHFP design, program business requirements, current capacity, etc.), the vision of onboarding additional programs while maintaining existing ones, is at risk of not being sustainable.
As mentioned above, the transition of My PCH Online involved moving to an operational state any project activities that are required to ensure the project desired outcomes continue to be achieved. As CHFP continues to operate, the audit team expected to find that key activities are maintained beyond the life of the project and continue to be delivered in a sustainable manner. The team also expected to find that capacity needs to support CHFP operations were assessed, developed and maintained; and funding needs were secured.
The primary activities in the delivery and management of CHFP operations consist of onboarding and relaunching PCH programs in the portal. The onboarding process comprises all activities that lead to the initial implementation and addition of a new program or program component in the portal whereas relaunching is the process of reintroducing a program component that had already been onboarded. These two core activities are considered top priorities for CEB and CIOB who are both responsible for their delivery. CEB manages the planning and engagement of all stakeholders involved in the onboarding/relaunch process along with the schedule, communication strategy, required consultations, testing sessions and approvals. CIOB handles the technical development of the application form that will be uploaded in the portal and the fixing of bugs. During the engagement fieldwork, key resources from CEB and CIOB provided detailed walkthroughs of the onboarding process. The table below presents a summary of the specific steps involved in the process and activities managed by each respective branch:
Activities managed by | Steps |
---|---|
CEB | Step 1: The onboarding process starts with the definition of a schedule based on the estimated date that the program should go live in the portal. This schedule is communicated to the program in the early stages of onboarding and is continuously updated throughout the onboarding process. |
CEB | Step 2: Rounds of communication occur between CEB and the program, including a formal kick-off meeting during which the roles of multiple parties involved are explained. Programs are asked to identify their business requirements for the development of the application form. This step includes consultations with CoE and Access to Information and Privacy (ATIP) to ensure the form will be in conformance with the Policy on Transfer Payments and the Policy on Privacy Protection. |
CEB | Step 3: Program business requirements are transformed into user stories (see definition in Glossary) which are reviewed during refinement sessions to ensure their defined acceptance criteria are met. Once user stories are refined and finalized, they are uploaded in a backlog and categorized within three levels of priority. |
CIOB | Step 4: The technical development team in CIOB picks up user stories in the backlog and starts working on their implementation based on their level of priority. This work is set to be completed in defined periods of three weeks called sprints (see definition in Glossary). The team develops new features and delivers business value at the end of each sprint. |
CIOB | Step 5: Once development work is done, the completed user stories are deployed in a Quality Assurance (QA) environment for review by a QA testing team in CIOB. Any technical issues identified are turned into bugs which are created in the backlog and categorized to be addressed subsequently based on their level of priority. Following the QA review, sprint items that are marked as complete are deployed in a User Acceptance Testing (UAT) environment. |
CEB | Step 6: Series of business validation testing are performed first by the CEB testing team. Then a testing exercise is conducted in the UAT environment by staff members from the program to verify the implementation of their business requirements. User stories are validated, potential issues/bugs are raised and a UAT Report is generated. Once issues/bugs are addressed, CEB offers a final presentation of the application form to the program for approval (see additional details in section 3.3). The final stage is the deployment to the Production environment and Training environment for users. |
When PCH programs are onboarded in CHFP, the application form will remain online during their annual intake periods (see definition in Glossary). Once that period is closed, the form is no longer available to the public until the next intake for the following year. Consequently, the program must be reintroduced to the portal on an annual basis. While onboarding a new program in the portal comes with a certain level of complexity and extensive workload, the level of effort for relaunching can be lower depending on changes required by the program. In fact, relaunching a program component can be as simple as re-uploading the application form from the previous year without any changes.
However, for most program components relaunched in CHFP during the fiscal year 2023-24, it was observed that the level of complexity and effort was similar to an initial onboarding. A total of 12 components were scheduled and prioritized for relaunch. While this schedule is currently on track, significant challenges occurred due to major changes (both program business requirements and portal improvements) being required, the complexity of incorporating those changes, and a lack of data standardization. From the initial design and implementation of CHFP, the approach has been to onboard program components individually from end-to-end. As a result, the onboarding exercise is tailored to each program and their respective business requirements. It was observed that this tailored approach has caused the annual relaunch exercise to be more complex than expected. Furthermore, changes brought to the application form are hard-coded directly in the system. As a result, substantial work was needed from both CEB and CIOB to deliver this priority and ensure all components were brought back to the portal for their respective intake periods.
During interviews, programs that were relaunched reported that their application form was back online in time for the intake period. However, most of them indicated that the relaunching schedule was tight, and a number of needed changes could not be made. Program staff expressed the need for additional time to identify all changes required on the application form prior to its relaunch.
The fact that CHFP is still in its early stages of evolution explains why major changes are still being requested by programs that were already onboarded, resulting in a relaunch exercise as demanding as the initial onboarding. As CHFP gains maturity, programs’ annual relaunch exercise is expected to be less demanding and time-consuming. In addition, the CHFP team’s intention to change the current onboarding strategy was noted. Instead of onboarding programs individually from end-to-end, CEB is working in collaboration with CIOB and CoE to build onboarding modules that will enable data standardization and facilitate future onboardings and relaunches. This approach is expected to increase capacity efficiency and create better standardization across programs.
The long-term departmental vision for CHFP is to continue onboarding new program components while maintaining the existing ones. Throughout the transition from My PCH Online to on-going operations, each of the key branches (CEB, CIOB and CoE) involved in the delivery of activities conducted a capacity assessment exercise to determine the resources (HR and Financial) required for regular operations. Three options of business continuance were presented to PCH governance including funding needs and capacity estimates. An annual funding of $2.8 million was secured and is distributed between CEB (approximately $1.2M), CIOB (approximately $1M) and CoE (approximately $600K). Internal reallocations occurred in each branch and all new functions related to the portal were assigned to existing resources. The audit team found that the current capacity (both financial and HR) is at risk of being insufficient if it is required to keep up with the substantial workload resulting from the annual relaunch of program components while bringing in (onboarding) new programs to the portal. Throughout the engagement, it was observed that planned activities for CHFP are being delivered by a small number of people, and staff at the operational level is currently functioning at full capacity in each of the respective branches. The impact of this heavy workload was continuously reported to the team and is taking a toll on the limited resources who have gone, and continue to go, above and beyond to deliver the CHFP mandate. With the current situation (i.e. CHFP design, onboarding strategy, annual relaunch, program business requirements, lack of data standardization, current capacity, etc.), the vision of onboarding additional programs in CHFP while maintaining existing ones should be revisited as it is at risk of not being sustainable.
Recommendation:
- The Assistant Deputy Minister of Official Languages, Heritage and Regions, in collaboration with the Assistant Deputy Minister of Strategic Policy, Planning and Corporate Affairs should:
  - revisit the long-term departmental vision to confirm or revise expectations for CHFP, vis-à-vis available resources.
  - secure the resources (HR and financial) required to deliver the mandate defined for CHFP.
Support and maintenance
A well-structured four-level support model is in place to receive, address and respond to incidents raised by external users. PCH internal users turn to several other mediums to seek support. While these methods are effective to report issues, solutions, instructions and guidance are not centralized. Continuous maintenance activities are occurring to keep the portal updated and available to users.
Support services and maintenance activities are essential for any technology introduced to organizational users or made available to external clients. Support refers to actions taken on behalf of users to keep them functional or to help facilitate the use of the system while maintenance refers to actions taken to improve or upgrade the system itself. Following the implementation of CHFP, the audit team expected to find that an effective support model was established for both external and internal users; and maintenance activities are performed in a timely manner to keep the portal operational and up to date.
As mentioned earlier in this report, all technical services related to CHFP were transitioned to CIOB. While solution design and development services from the external vendor ended with the project My PCH Online, CIOB contracted on-going support services from Eperformance as part of the operational support model defined for CHFP during the transition phase. This model includes four distinct support levels based on the type and complexity of issues or enquiries as explained below:
- In level 1, external clients (applicants) experiencing issues with the portal can seek support primarily from the Client Service & Public Support Centre located in Winnipeg (1-866-Line). This Centre is intended for PCH external enquiries and receives all types of requests from the public, including external users of CHFP. In these cases, a Line Officer creates/logs the issue in a tracker and uses CIOB Digital Workspace to escalate the issue/enquiry to the proper channel for resolution in the next levels.
- In level 2, Program Officers (POs) and CIOB provide the necessary support depending on the request. If the issue is related to the program (application file), POs will attempt to resolve the issue. If the request is technical in nature, it is assigned to the CIOB Digital Services Delivery (DSD) Application Support for resolution.
- In level 3, program related issues that could not be resolved in level 2 are escalated to the Centre of Excellence (CoE) or the GC Systems Helpdesk. Similarly, technical issues that could not be resolved by the CIOB Application Support group are escalated to the CIOB Cloud Operations group.
- In level 4, issues that could not be resolved internally by CoE or CIOB are escalated to external vendors (Eperformance and Microsoft) or PCH partners (Systems Applications and Products (SAP) and Shared Services Canada (SSC)) for support and resolution. All support requests to external vendors are coordinated by CIOB who owns and manages their service contracts.
The support model defined for CHFP operations is well structured to address and respond to incidents or enquiries raised by external users of the portal. While this 4-level model is working as intended, it was designed with a primary focus on external users. PCH internal users (e.g. program staff) experiencing issues with the portal turn to several other mediums to seek support when needed. In fact, a number of mechanisms (i.e. forums, channels, surveys, etc.) were put in place by CEB to allow internal users to raise potential issues, bugs or errors encountered. In addition, the CIOB Digital Workspace remains available to PCH staff experiencing technical issues with CHFP. In a survey conducted by the audit team, 19 out of 27 program officers (70%) indicated that they submit a ticket to the Digital Workspace when seeking support for CHFP, and 6 out of 27 indicated they contact the CoE directly. It was found that when it comes to reporting issues to CEB, CIOB or CoE, these current methods for internal support are effective and may lead to a subsequent resolution on a case-by-case basis. However, instructions, guidance or solutions are often scattered across these different mediums, which can create confusion or challenges when users are searching for answers or trying to self-help. The team could not find standard operating procedures detailing how to deal with incidents/scenarios or a unique repository of instructions/guidance that internal users can refer to for answers. In section 3.3 of this report (Change Management), additional details are provided regarding the mechanisms implemented by CEB for feedback collection and the internal survey conducted by the audit team during the engagement.
As it relates to system maintenance, the team obtained evidence of continuous maintenance activities ensuring that CHFP services are enhanced and remain available to internal and external users. In addition to the relaunch process, programs have several mechanisms (explained below in section 3.3) to report portal bugs to CEB or raise system errors that should be addressed through maintenance. Each maintenance period is followed by a new system release including release notes that document all changes (repairs, updates, upgrades, add-ins, etc.) brought to the system during the maintenance phase. During maintenance periods, a standard message is communicated to all CHFP users to inform them that the portal is temporarily unavailable.
Recommendation:
- The Director General of the Client Experience Branch, in collaboration with the Director of Centre of Excellence, should ensure a unique repository is created and easily accessible for internal users of CHFP/CRM in order to provide centralized guidance and instructions facilitating the use of the portal.
3.3 Change management
Client-centric service and continuous improvements
CHFP was designed and continues to evolve based on the client/user perspective. Changes and improvements brought to the portal and CRM result from the identification of business requirements, the implementation of user stories and responses to bugs or feedback provided by internal users. One of CEB’s priorities is to facilitate and improve internal users’ experience.
Client-centric is a business strategy that focuses on creating the best experience for the client, and by doing so enhances user satisfaction. A client-centric service is designed to improve the delivery of said service by putting the client/user at the center of business decisions and operations in order to meet their needs and provide a positive experience throughout their journey. In the case of a new online system such as CHFP, a client-centric approach enables the Department to provide a digital experience to external organizations while focusing on the improvement of program delivery from an internal user perspective. The audit team expected to find that user experience, needs and expectations are collected and used for the continuous improvement of services delivered through CHFP operations.
One of the main objectives of the new Canadian Heritage Funding Portal is to provide an accessible, responsive, consistent experience to clients (i.e. Canadians, external organizations, etc.). In order to achieve this goal, the portal team continues to prioritize the yearly relaunch of all program components that were already onboarded in CHFP, and to promote the onboarding of new programs. As explained above in Table 1, the onboarding and relaunch process is based on the identification of business requirements at the program level and the implementation of user stories during sprint sessions. It was found that most changes and improvements brought to the portal result from programs’ requirements, expectations and feedback collected by CEB. Once these requirements are implemented in the portal through the user stories, program staff is engaged in testing the completion of their business requirements during the User Acceptance Testing (UAT) phase. The program will then validate completion or raise potential issues as bugs that should be addressed by the portal team prior to the deployment of the application form online. Once the prioritized bugs are addressed, a final demo of the application form is presented to the program including details on outstanding items that could not be implemented. The audit team obtained evidence that all changes and improvements brought to the application form are tracked, approved and signed-off by the Director of the program and the Senior Director of CEB. In addition, a change process was established by CEB to ensure any changes brought by or for CHFP are endorsed by other stakeholders that could be impacted. During this process, the key stakeholders involved are asked to review how the upcoming change will impact their business. While this process has been followed since My PCH Online, the team noted a gap in obtaining CoE’s endorsement in the recent change processes.
As mentioned in Step 2 of Table 1, the Policy and Advisory group in CoE is consulted during the development of the application form. However, since the transition to on-going operations, the final rounds of approval did not include CoE’s endorsement. This gap has been identified by CEB and will be addressed/corrected in future change processes.
While close consultation occurs and engagement is consistent with the program during the onboarding/relaunch process, the portal was developed with a focus on the client-facing lens. Therefore, the implementation of the portal was mainly focused on providing a better experience to external clients. From the initial deployment of the portal in 2021, feedback was being collected from external users with a portal experience satisfaction question included at the end of each application submitted. In the close-out report of My PCH Online project, it was reported that more than 82% of applicants were either satisfied or very satisfied with their experience using the portal. In order to gain direct insight from the perspective of internal users, the audit team conducted an internal survey targeting CHFP users at the program level. The survey was distributed to the personnel from all 16 program components that were onboarded in the portal as of June 2023. From a total population of 132 program officers, 48 responded to the survey which generated a participation rate of 37% (note that some respondents did not answer all questions in the survey). When asked about their overall level of satisfaction with CHFP, 39% of respondents (18 out of 46) indicated that they were very satisfied or somewhat satisfied while 45% of respondents (21 out of 46) were somewhat or very dissatisfied. Also, respondents were asked to describe their new way of working with CHFP in comparison to the old ways of working before CHFP, and 20% of respondents (10 out of 48) indicated that CHFP brought a very positive or somewhat positive impact on their work while 50% of respondents (24 out of 48) indicated that CHFP brought a somewhat to very negative impact on their work. Several comments were gathered during the survey in which most program officers indicated their dissatisfaction stems from the Client Synchronization Task (refer to section 3.5).
It should be noted that this audit started around the same time that the new Client Experience Branch was created. From initial discussions, CEB had already recognized the need to focus more on improving the internal user experience and this was identified as a priority in the close-out report of My PCH Online. It was observed throughout the audit that several challenges raised by program staff were already being addressed by CEB in collaboration with CIOB and the Centre of Excellence. In fact, in order to identify and address the on-going issues and other potential concerns, the Client Experience Branch set up a number of mechanisms allowing PCH users to share their experience and provide feedback. The audit team noted that CEB created a Support Forum where all programs are invited and encouraged to share their experience or raise potential concerns in their use of the portal and CRM. The Forum meetings, which include CIOB and CoE, are held on a weekly basis or more often upon request. Similarly, CEB distributes a Biannual CHFP Internal Client Survey with the goal to collect and analyze feedback from multiple internal users (i.e. programs, CIOB, CFOB, Client Enquiry Centre and Resource Management Directorate). This survey was launched for the first time on March 20th 2023, and the second edition was launched on December 13th 2023. It was observed that feedback provided by internal users through all these mechanisms is logged into the portal backlog and is being addressed based on three levels of priority. In the audit survey, 62% of respondents indicated that when they raise issues or provide feedback, the matter is completely or partially addressed by those responsible for the management of CHFP.
Overall, it was found that the Client Experience Branch has adopted a client-centric service delivery model focused on listening closely to the portal/CRM users and applying continuous improvements based on the user experience and feedback collected. While efforts are being deployed by CEB to enhance internal user satisfaction, program staff continues to navigate the learning curve to adapt and get more familiar with the use of this new client interface tool.
Recommendation:
- The Director General of the Client Experience Branch should ensure that business process related changes brought in CHFP are endorsed by the Centre of Excellence to ensure full compliance with the Policy on Transfer Payments.
Communication and stakeholder engagement
Through multiple channels, networks, and committees, CEB informs, consults and/or engages with the key parties (CIOB, CoE and Programs). Other relevant stakeholders involved in CHFP operations are also continuously consulted. While various groups and forums are being updated, the communication of important changes, updates and on-going activities was not Department-wide.
Communication and awareness are key components that enable the achievement of desired outcomes and better results for any organizational project, activities and/or operations. Effective and collaborative communication is important because it increases employee morale, engagement, productivity, and satisfaction. Through internal and external communication, relevant information can be relayed to the right people and every person involved better understands his or her role. With the introduction of the new online channel CHFP and its recent transition from a project state to on-going operations, the audit team expected to find that defined communication plans were applied and are being followed to ensure relevant stakeholders are engaged, and that internal/external users of the portal and the rest of PCH personnel are kept informed of important changes, updates and departmental decisions/activities related to CHFP.
From the development phase of CHFP to the current phase of on-going operations, the teams responsible for the management of the portal have adopted and continue to apply an agile approach for the management and delivery of operations. As part of this agile environment, communication and engagement strategies were rolled out and followed by CEB with the targeted goal to not only consult, but also continuously update various groups, management teams, and departmental forums on CHFP activities, resolution of issues, progress on improvements and changes implemented. A list of stakeholders was clearly defined by CEB and includes G&C applicants (external users), PCH Programs (internal users), CoE, CIOB, CFOB, Departmental Forums (Program Managers, Directors and DGs), Departmental Committees (POC, CCC, EXCOM, DAC), Change Ambassador Network, Accessibility Office, etc. Most stakeholders and internal users of the portal/CRM who were met during interviews indicated that they are regularly consulted and/or informed of portal activities that could have an impact on their work. In fact, the team found multiple channels and forums used to convey relevant information to internal users and collect their feedback as well. As mentioned in the previous section, the Support Forum is a consistent platform where regular and collaborative communication occurs between CEB, CIOB, CoE and Programs. Multiple MS Teams channels such as an Announcement Channel, an Alert Channel, a ‘Help me!’ Channel and a Client Sync Channel (to support and update programs on client synchronization issues specifically) were created, all for the purpose of providing close communications, collecting user feedback and improving the internal user experience. In addition, every time a new program component is onboarded to the portal, CEB organizes a formal retrospective session where the new program and all other programs (previously onboarded) are invited.
During these retrospective sessions, programs and other stakeholders included (such as CIOB, CoE, Communications, etc.) are asked to share their feedback and lessons learned (successes vs challenges) on the entire process of onboarding. The comments and items raised in these sessions feed into future improvements of the portal. Once the application form is deployed online, changes suggested by stakeholders can only be implemented in the next annual relaunch of the program.
Although most stakeholders are continuously engaged, it was observed that the PCH Information Management advisory group (under CIOB) was consulted during the development of CHFP and has not been involved since the transition to on-going operations.
While multiple mechanisms are in place to formally consult and engage with the key stakeholders, group and/or management forums, the audit team found that communication of important changes, updates and on-going activities was not Department-wide. For instance, the creation of the new Client Experience Branch, its objectives, vision and responsibilities were not formally communicated across the Department during the audit fieldwork. Individuals who are directly impacted by the introduction of the portal receive communication through direct contact with members of the CHFP team or by means of their participation in associated committees and networks. Presentations are tabled at departmental committees to inform PCH Senior Management on CEB’s vision and activities including CHFP, but consistent communication and updates could not be found in the Intranet or in PCH News. The absence of broader, department-wide communication of this part of the modernization journey would restrict the level of department-wide understanding of and support for the value and needs of the initiative. During the reporting phase of the engagement, the team was informed that a CEB intranet page had just been launched and a SharePoint site was also being made available to the whole Department. These internal webpages will be used to communicate the objectives of the branch and all activities including those related to CHFP.
Recommendation:
- The Director General of the Client Experience Branch should ensure that organizational changes, updates and activities related to CHFP are formally communicated across the Department (e.g. intranet page, PCH News, SharePoint site, etc.).
Training
Training is available and continues to be provided to all CHFP users.
Training is another key component that helps provide a positive and better experience for the users of any new system. By providing the necessary training for CHFP, departmental staff using the portal for Gs&Cs processing or staff responsible for the development, maintenance and support of CHFP can gain the knowledge and skills needed to accomplish their jobs. The audit team expected to find that relevant and appropriate training was made available and provided in a timely manner to the different groups of CHFP users.
The use of CHFP includes a range of different groups of users depending on their role or function within the Department. By reviewing the documentation provided by CEB, the team identified two types of internal users that needed training the most. The primary internal user of CHFP is program staff and the other type of user includes departmental staff responsible for providing support and improving the portal (e.g. support staff in CIOB or CoE). It was found that relevant and appropriate training is available and continues to be provided to the different groups of CHFP users. Training for program staff is provided by CoE; training for the technical development team (CIOB) is provided by the external vendor Eperformance; and instructions are provided to the Call Centre by CEB. Since the implementation of CHFP, the training material and instructions on how to use the portal/CRM were made available to program staff. Prior to granting any new accesses to the portal, mandatory training sessions are delivered to program officers during the onboarding phase and refresher sessions are available post-onboarding or during the relaunch phase upon request. In the audit survey conducted during the engagement, program officers were asked if they received formal training on how to use CHFP and 82% of respondents (41 out of 50) said ‘Yes’. In addition, 82% of respondents indicated that the training received was moderately or very useful, 70% of respondents indicated that the training provided was moderately or very timely, and 67% of respondents indicated that overall, they are very or somewhat satisfied with the training received.
As it relates to departmental staff responsible for providing support and improving the portal, the audit team obtained evidence that continuous training is being provided to these resources to equip them with the knowledge and skillset required to fulfill their respective functions. As explained in section 3.2 of this report, the new development team in CIOB continues to learn from the external vendor Eperformance. The learning sessions provided by the vendor were recorded and remain available for future use. The Client Service and Public Support Centre located in Winnipeg received instructions on how to create and close a ticket for external client enquiries. Instructions are provided to external users (applicants) on how to sign up or login to the portal, how to recover their accounts or how to seek help when needed.
3.4 Control environment
Controls implementation, assessment and monitoring
A set of baseline security controls was selected to be implemented for CHFP operations. A security assessment was conducted by PCH IT Security in 2021 to verify the implementation of these controls. The evidence supporting the implementation and assessment of controls was not consistently documented, and the operating effectiveness of the controls has not been verified.
By leveraging cloud-based IT services, the Government of Canada (GC) relinquishes direct control over many aspects of security and privacy and confers a level of trust onto the cloud service provider (CSP). At the same time, GC departments and agencies using cloud-based information systems remain accountable for the information hosted by the CSP and are required to manage IT security risks by selecting the appropriate set of security controls that should be implemented, assessed and continuously monitored. This security exercise is intended to ensure the protection of the cloud-based GC service, and to grant/maintain authorization to operate. As it relates to the implementation of the CHFP cloud-based service, PCH has the responsibility to ensure these security requirements are satisfied. The audit team expected to observe that security and privacy controls for CHFP operations were implemented, assessed (including testing), documented and monitored.
The Canadian Heritage Funding Portal is a cloud-based service hosted by the cloud service provider Microsoft. The contracting service between PCH and Microsoft was established under the GC Cloud Framework Agreements brokered by Shared Services Canada (SSC). Due to the shared nature of cloud computing, each party (PCH and Microsoft) inherited responsibilities for the implementation and maintenance of security controls that would procure a safe and suitable cloud environment for the operations and activities of CHFP. During this audit, the overall control environment established and managed by PCH was reviewed. It should be noted that security measures handled by Microsoft were not included in this review.
A set of baseline security controls were selected from the GC Cloud PBMM Security Control Profile recommended by the Canadian Centre for Cyber Security (CCCS) and a subset of controls were derived from GC Cloud Guardrails. The task of implementing these controls was handled by the portal development team during the My PCH Online project. In order to evaluate the implementation of these controls, a security assessment was conducted by PCH IT Security in 2021 which resulted in a recommendation to grant an Interim Authority to Operate CHFP. The Microsoft platform called Azure DevOps was used by the CHFP team to document the security controls applicable to the portal and CRM, along with evidence of the assessment of each control to ensure they are effectively implemented.
The audit team reviewed the security assessment and found that the evidence supporting the implementation and assessment of controls was not consistently documented. Therefore, the audit team requested live sessions from CIOB in order to obtain a demonstration of the controls’ implementation. From a total population of 180 controls, a judgemental sampling technique was used to select 37 controls (20% of the population) related to identification & authentication, access restrictions, backup & audit-trail, cybersecurity, maintenance and information management. During the live sessions, the settings and configuration parameters for 29 controls (79% of the sample) were demonstrated with supporting evidence and confirmed in place. Six controls (16% of the sample) related to security monitoring were confirmed as not implemented and the remaining two (5% of the sample) could not be verified because they are mainly handled through the established agreement between Microsoft and SSC. Audit procedures were not performed for controls handled by external parties (considered out of scope).
The table presented at the end of this report in Appendix C provides the exhaustive list of 37 controls that were included in the sample with additional details regarding the audit review.
The security assessment that was conducted by PCH IT Security was limited to verifying the presence of controls and did not include controls testing. Consequently, the operating effectiveness of the controls has not been verified. It should be noted that the security assessment was completed with a Plan of Actions and Milestones (PoAM) which included a recommendation to conduct security testing with an initial estimated target date of April 2022. It was also recommended that the portal continue to operate with an interim authority until all items included in the PoAM are completed. To this day, the portal is still operating with the interim authority as security testing has not been fully performed. The testing of privacy and security controls would provide increased confidence that they’ve been effectively implemented for the protection of CHFP operations. In addition, clear documentation of this testing exercise would serve as supporting evidence that the controls are working as intended, and also facilitate continuous monitoring and improvements where required.
As part of an agile approach, the audit team consulted with PCH IT Security throughout the engagement and raised the gaps related to the testing and documentation of controls. Following these discussions, it was noted that actions are underway to fully perform security testing and improve the assessment/documentation of controls implemented. In fact, CIOB staff is currently working on providing additional information in DevOps for the controls implemented and a security consultant was recently engaged to conduct penetration testing on security controls.
It was reported that security monitoring by PCH does not include actions to automatically detect potential attacks or unauthorized use of CHFP cloud components (portal and CRM Dynamics). However, audit logs are automatically collected to monitor user activity and capture security events. While these logs are kept for a period of 90 days, the team was informed by CIOB that they are only reviewed when incidents are reported internally. This event-triggered review method may result in a lag in detecting potential malicious actions or unauthorized use of the portal. A regular and scheduled review of audit logs would enhance security monitoring and regulatory compliance.
Recommendation:
- The Chief Information Officer should ensure that required security testing is fully performed to verify the operating effectiveness of controls implemented for CHFP.
- The Chief Information Officer should ensure that the assessment of security controls (including any testing exercise) is consistently documented; and audit logs are periodically monitored.
3.5 Information management
Security and privacy of information
The level of classification for the information uploaded in the portal was defined up to Protected B. Privacy assessments were performed in consultation with the ATIP branch to ensure the proper use of personal information collected. A privacy notice informs applicants that their information will be retained for a period of 6 years, but retention and disposition procedures are not yet established, nor documented.
GC Departments are required to assign a security category and determine the criticality/sensitivity of all information received from Canadian citizens or organizations (including transitory records), and used to support government programs, services and activities. In addition, personal information under the control of government institutions should be effectively managed and protected through identifying, assessing, monitoring and mitigating privacy risks. As such, the collection, use, disclosure, retention and disposal of personal information in CHFP must be done in accordance with the Privacy Act, the Policy on Privacy Protection, and the Policy on Government Security. The audit team expected to find that security and privacy requirements for the information residing in the portal, are established and followed.
The Canadian Heritage Funding Portal was designed as a transitory channel intended for the submission of Gs&Cs application files from external organizations to the Department. Once applications are submitted through the portal, the information is first stored in the Client Relationship Management platform and then transferred to GCIMS which is the authoritative repository of Gs&Cs application files at PCH. During the development phase of the portal, a Statement of Sensitivity (SOS) review exercise was performed and the level of classification for the information uploaded in the portal was defined at Protected B considering some types of information that applications may contain (e.g. financial information, legal records, medical records, individual characteristics, etc.). In parallel, a Privacy Impact Assessment (PIA) was conducted during the development phase, resulting in a PIA Action Plan and responses from management to address a few privacy risks around privacy notices, safeguards, use and disclosure of personal information, etc. The audit team observed consistent involvement and consultation with the ATIP branch, being the departmental official with delegated responsibilities for PIAs as required in the Directive on Privacy Impact Assessment (sections 6.2 and 6.3). For each program onboarding in CHFP, there are rounds of consultations between ATIP and the program to map the types of information that will be collected through the portal, review the conditions of use or disclosure of personal information and complete a privacy risk checklist. The PIA that was performed for CHFP included the establishment of a formal privacy notice indicating that the collection and use of personal information is authorized by the Department of Canadian Heritage Act and in accordance with the Privacy Act.
This privacy notice is displayed on the client-facing webpage of the portal and informs applicants that their information will be shared to the branch responsible for the program applied to, and will be retained for a period of 6 years after its last use. While this retention period is being communicated to funding applicants, evidence of documented retention and disposition procedures could not be found.
By reviewing the relevant documentation related to the PIA and SOS, the team found that both exercises were endorsed and approved by the key stakeholders responsible for the management of the portal. Even though information collected via the portal (i.e. funding applications and supporting documentation) is used in the program area, program staff met during the audit indicated that they are mainly relying on the portal team to have put in place the required controls for the privacy and security of information (as explained above in section 3.1). The audit review exercise for the sample of 37 controls included privacy and security controls that were demonstrated in two control categories (Cybersecurity and Information Management - refer to Appendix C for additional details).
Data management
There is a lack of automatic data integration between CRM and GCIMS. Most of the transfer of client/application information is done manually which results in significant challenges. The defined accountability model for CHFP allows multiple duplications in the system which increases the quality assurance workload during the Client Synchronization Task.
Interoperability refers to the degree to which software, devices, applications or other organizational systems can interconnect and share information in real time, in a coordinated and integrated manner, with minimal human intervention. From a data management perspective, data interoperability allows organizations to accurately collect information and ensure its efficient flow without redundancy. At PCH, the processing of a grant or contribution funding request involves various systems that need to talk to each other, including CHFP/CRM. The audit team expected to see that CHFP data is managed to enable interoperability, reduce redundancy and avoid duplication.
Currently, PCH has multiple records for the same client in various Gs&Cs systems, making it burdensome to understand and report on a complete client funding history. As one of these systems, CHFP was implemented with a defined accountability model consisting of granting data verification and quality assurance responsibilities to program staff from within the authoritative repository GCIMS. A departmental decision was made during the project My PCH Online in which PCH decided that there would be no validation of clients and application information from within the portal. Rather, the task of verifying the accuracy and validity of information submitted by applicants is performed during and after the data transfer process from CRM to GCIMS. This process involves an exercise called the ‘Client Synchronization Task’ during which all of the information related to the application and the external client is transferred from the CRM to GCIMS by program staff with the support of CoE. Responsibility for carrying out the syncing procedure had been initially assigned to the CoE and was subsequently dispersed to programs. Throughout the audit, this task was reported as one of the main challenges of CHFP due to its complexity, the lack of automatic data integration and the extensive workload required. Program staff from 16 sub-components reported that they continue to struggle with this syncing exercise. To this day, it remains an ongoing challenge both from a technical perspective as well as having a limited number of resources who are sufficiently capable of managing the synchronization – especially in regional offices. The audit team obtained a detailed walkthrough of the client synchronization process and found that data interoperability between CHFP/CRM and GCIMS was limited.
In fact, most of the transfer of client/application information requires a manual process in which program staff has to download all documents attached to the application and upload them in GCIMS and/or proceed with manual data entry in GCIMS. In addition, program staff must perform a comparative analysis between the portal information and GCIMS database prior to any transfer in order to verify whether the applicant is already an existing Gs&Cs PCH client. In cases where the applicant is new to PCH (no existing match in GCIMS database), the CoE must create the new client in GCIMS prior to the application transfer. In cases where the applicant is a recurring client to PCH (exact match or similar found in GCIMS database and CHFP), then the application is automatically transferred to GCIMS. However, in this last scenario, program staff is still required to download PDF documents or other attachments and manually upload them in GCIMS.
Additional issues were found due to the absence of verification and validation of any information from within the portal. For instance, it was reported that duplicate accounts are an ongoing problem caused by applicants forgetting their password or not being able to locate their previous account. With the defined accountability model, users can create multiple accounts for any given organization and no process is in place to manage duplicate accounts in the portal. One organization can have multiple primary contacts and authorized representatives acting on behalf of the organization. Furthermore, the portal is being used to generate reports on clients’ data or the number of applications received. The fact that no verification is performed within the portal causes uncertainty around the reliability, integrity and accuracy of the data residing in the portal. The challenges stemming from the data within the portal (i.e. synchronization, duplications, manual reconciliations, etc.) result in a domino effect on internal capacity, support to external clients, accurate reporting on portal applications, and external/internal user satisfaction. This is compounded by the lack of data integration across programs explained in section 3.2 above (onboarding/relaunch).
It is important to recognize that from its initial conception, CHFP was designed and implemented as a transitory system mainly intended for information flow. Therefore, the information submitted in the portal was never meant to be managed to avoid duplications or verify the authenticity of applicants within the portal. The audit team found that the Client Experience Branch is aware of the challenges related to the information residing in the portal, and continues to provide support and instructions to users in order to reduce the on-going challenges. For instance, the portal team continues to encourage applicants to create one account and recover their accounts if needed instead of creating multiple ones. Instructions were provided to returning applicants on how to recover their GCKey or CHFP account. With the help of CoE, clear back-end processes were developed to illustrate the different scenarios and every step required in the data transfer from CRM to GCIMS. Training, instructions, and support are continuously provided to program staff to facilitate the ‘Client Synchronization Task’. Recently, CEB has started working with the programs and is in the early stages of developing a data model that should ensure a consistent approach of data-gathering across programs. This is intended to simplify the onboarding/relaunch process, improve the quality of client profile data, and reduce the amount of manual reconciliation required between CRM and GCIMS.
Recommendation:
- The Assistant Deputy Minister of Official Languages, Heritage and Regions, in consultation with the Chief Data Officer, should formally assign the role of data stewardship to the appropriate entity that would be responsible/accountable for the management of information held in the CHFP/CRM.
- This role should include the responsibility to establish and implement retention and disposition procedures.
- This role should include full responsibility and accountability for the transfer of data from CRM to GCIMS (Client Synchronization Task).
- This role should include the responsibility to define and implement a clear process to support the management of duplicate records.
4.0 Conclusion
Based on the audit findings, it is my opinion that the Department of Canadian Heritage (PCH) defined and applied a well-structured transition process to move all key activities related to the implementation of CHFP from a project state to an operational state. Throughout this transition phase, close collaboration and consistent engagement occurred between the key parties involved in the delivery of CHFP operations, and knowledge was transferred from the project resources to the new limited resources responsible for on-going operations internally. While key activities required to deliver CHFP mandate such as programs’ engagement, onboarding, relaunch and support, continue to be maintained post-transition, the current operational state is not sustainable to achieve the long-term departmental vision for CHFP.
The current challenges involved in the management and delivery of CHFP were reported to the relevant departmental branches who have initiated a number of actions to address them. Executive meetings are taking place to address the issue of limited capacity; security controls are being documented and tested to increase security assurance of the cloud-based service; roles and responsibilities are being formally documented.
Glossary
- Accountability model
- Refers to organizational decisions in allocating defined and specific responsibilities to different individuals or groups within the organization; and creating a layered approach on how business should be delivered. The model for CHFP defined at what stage client and application information should be assessed.
- Agile approach
- Agile methodology takes an iterative and customer-focused approach to software development. Its goal is to deliver completed functional units of code as frequently as possible.
- Azure DevOps
- A software as a service (SaaS) platform from Microsoft designed to provide a comprehensive set of programming tools that is used to perform a complex software development task or to create a software product.
- Backlog
- Backlog is used to manage the high-level priorities of the project and provides progress tracking. It is a method of not only managing priorities but also requirements traceability, and completion of work. The Backlog includes user stories and bugs and items are sequenced every Friday with the Business based on priorities.
- Bugs
- In agile software development, a bug is an unexpected behavior identified after a user story has been completed and accepted by the Product Owner. It is caused by coding errors. A bug is a particular malfunction of an application, a specific way in which a specific feature performs incorrectly given some precondition. Bugs will typically be picked up by users or via an automated regression test.
- Client synchronization
- Client synchronization is the ongoing process of synchronizing client organizational data between two or more systems [CHFP/CRM and GCIMS] and updating changes between them to maintain consistency within systems.
- CRM
- Customer Relationship Management is a technology that enables organizations to manage their relationships and interactions with clients and potential clients. In PCH, CRM is also used to describe the database and database interface that stores client G&C application information.
- Data Stewardship
- Data stewardship is an approach to the management of data, particularly data that can identify individuals. It is described as the accountability and responsibility for data and processes that ensure effective management and use of data assets. Data stewardship involves managing and overseeing all aspects of the data lifecycle from creation, collection, preparation, and usage to data storage and deletion. It is a collection of practices that ensure an organization’s data is accessible, usable, safe, and trusted.
- GC Cloud Guardrails
- A preliminary set of baseline cyber security controls to ensure that the cloud service environment has a minimum set of configurations. Departments must implement, validate and report on compliance with the guardrails in the first 30 business days of getting access to their cloud account.
- GC Cloud PBMM Security Control Profile
- This document identifies the baseline security controls that must be implemented by CSPs and GC departments and agencies in order to appropriately protect cloud-based GC services and related information having a security category of Protected B, medium integrity, and medium availability. It also documents the context in which these security controls are expected to be implemented.
- GCKey
- A standards-based authentication service provided by the Government of Canada. It provides Canadians with secure access to online information and government services and assists Canadian federal government departments in managing and controlling access to their on-line programs through the provisioning of standardized registration and authentication processes.
- HTTPS
- Hypertext Transfer Protocol Secure is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website.
- Intake period
- An intake period refers to a pre-defined time frame during which organizations or applicants can submit proposals or applications for a specific Gs&Cs program.
- Scrum
- Scrum is an agile framework that helps teams structure their work into short development cycles called sprints.
- Sprint
- A sprint is a short, time-boxed period when a scrum team works to complete a set amount of work.
- TLS
- Transport Layer Security is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet.
- TDE
- Transparent Data Encryption is a technology employed by Microsoft, IBM and Oracle to encrypt database files. TDE offers encryption at file level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media. It does not protect data in transit nor data in use.
- User stories
- A user story is the smallest unit of work in an agile framework. It’s an end goal, not a feature, expressed from the software user’s perspective. A user story is an informal, general explanation of a software feature written from the perspective of the end user or customer.
Appendix A – Assessment scale and results summary
Conclusion | Definition |
---|---|
Well controlled | Well managed and effective. No material weaknesses noted. |
Controlled | Managed and effective. Minor improvements are needed. |
Moderate issues | Requires management focus (at least one of the following criteria are met): |
Significant improvements required | Requires immediate management focus (at least one of the following three criteria are met): |
Criterion | Audit criteria | Conclusion |
---|---|---|
| | 1.1 Governance bodies are in place to ensure the integrated management of operations/activities related to CHFP; and provide an oversight function on the service, information, data, IT, and cyber security. | Controlled |
| | 1.2 Roles, responsibilities, and accountabilities for the management and delivery of operations/activities related to CHFP, are clearly defined, documented, communicated and understood. | Moderate issues |
| | 2.1 A transition plan is developed and applied to support the transition from My PCH Online project to CHFP operations, ensuring the delivery of planned activities; alignment with the needs of program delivery; availability of online services; and required support for users. | Controlled |
| | 2.2 PCH’s capacity to manage and deliver operations/activities related to CHFP is developed and maintained; sources of funds are confirmed and approved to meet operational requirements within existing reference levels; and information is available to support planning, budgeting and accounting for allocating resources. | Moderate issues |
| | 3.1 A client-centric service is delivered through the operations/activities of CHFP; user expectations, needs, challenges and feedback are collected to inform continuous improvement of services; and changes required for CHFP are tracked, prioritized and formally approved. | Well controlled |
| | 3.2 Departmental decisions, activities and updates related to CHFP are effectively communicated; key parties/stakeholders are consulted or involved in the planning/delivery of operations; and training is provided to acquire the necessary knowledge, experience and skills for the management/use of CHFP. | Controlled |
| | 4.1 Processes and controls are in place to protect the security of information residing in CHFP/CRM; limit access where necessary; identify, detect and respond to potential cybersecurity incidents; and monitor user identity/activity to implement corrective action where required. | Moderate issues |
| | 5.1 Information collected and residing in CHFP/CRM is managed to enable data interoperability, reduce redundancy and avoid duplication; data security and privacy requirements are followed and respected; retention periods and disposition procedures are established, maintained and documented. | Moderate issues |
Appendix B – Management action plan
Recommendations | Management assessment and actions | Responsibility | Target date |
---|---|---|---|
| | The Director General of CEB and the Director of CFOB (CoE) agree with the recommendation. | Director of CoE with assistance from the DG of CEB and the CIO. | Sept 2024-2025 |
| | The ADM of OLHR and the ADM of SPPCA agree with the recommendation and accept the risk that HR and financial resources are scarce and must be shared across multiple departmental priorities. | ADM of OLHR with help from the ADM of SPPCA and the CFO. | Completed |
| | The Director General of CEB agrees with the recommendation. | DG of CEB | June 2024-2025 |
| | The Director General of CEB agrees with the recommendation. | DG of CEB | Completed |
| | The Director General of CEB agrees with the recommendation. | DG of CEB | June 2024-2025 |
| | The CIO agreed with the recommendation. | Chief Information Officer (CIO) | June 2024-2025 |
| | The CIO agreed with the recommendation. | Chief Information Officer (CIO) | Completed - Monitoring activities ongoing |
| | The ADM of OLHR, the Chief Data Officer and the Director of CFOB (CoE) agree with the recommendation. | Director of CoE with assistance from DG of CEB and CIO | Sept 2024-2025 (determination and assignment of role) |
Appendix C – Sample of 37 Controls reviewed during the audit
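Control category | Control description | In place (YES/NO) |
---|---|---|
Identification & authentication | | Yes |
Identification & authentication | | Yes |
Identification & authentication | | Yes |
Identification & authentication | | Yes |
Identification & authentication | | Yes |
Identification & authentication | | Yes |
Identification & authentication | | Yes |
Access restrictions | | Yes |
Access restrictions | | Yes |
Access restrictions | | Yes |
Access restrictions | | Yes |
Backup & audit-trail | | Yes |
Backup & audit-trail | | No |
Backup & audit-trail | | Yes |
Backup & audit-trail | | Yes |
Backup & audit-trail | | Yes |
Backup & audit-trail | | Yes |
Backup & audit-trail | | No |
Backup & audit-trail | | Could not be verified |
Backup & audit-trail | | Yes |
Cybersecurity | | Yes |
Cybersecurity | | Could not be verified |
Cybersecurity | | Yes |
Cybersecurity | | Yes |
Cybersecurity | | Yes |
Cybersecurity | | No |
Cybersecurity | | Yes |
Cybersecurity | | Yes |
Cybersecurity | | No |
Cybersecurity | | No |
Cybersecurity | | No |
Maintenance | | Yes |
Maintenance | | Yes |
Information management | | Yes |
Information management | | Yes |
Information management | | Yes |
Information management | | Yes |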
©His Majesty the King in Right of Canada, as represented by the Minister of Canadian Heritage, 2024
Catalogue Number: CH6-67/2024E-PDF
ISBN: 978-0-660-71774-6