Audit of information management / information technology governance, 2020
Internal Audit Sector
July 27, 2020
Acronyms & Abbreviations
- CIO: Chief Information Officer
- CIOB: Chief Information Officer Branch - Treasury Board Secretariat
- CSC: Correctional Services Canada
- DGCOM: Director General Committee
- EXCOM: Executive Committee
- IM/IT: Information Management / Information Technology
- IMS: Information Management Services
- IMTAB: Information Management Technology Architecture Board
- MCOM: IM/IT Management Committee
- NIPC: National Investment Prioritization Committee
- OMS: Offender Management System
- RACI: Responsibility Assignment Matrix
- RBAP: Risk Based Audit Plan
- SSC: Shared Services Canada
- TBS: Treasury Board Secretariat
- TCOM: Information Management / Information Technology Transformation Committee
Introduction
Background
The Audit of Information Management / Information Technology (IM/IT) Governance was conducted as part of the Correctional Service of Canada’s (CSC) 2018-2020 Risk-Based Audit Plan (RBAP). This audit links to CSC’s priorities of “efficient and effective management practices that reflect values-based leadership in a changing environment” and to the corporate risk that CSC “will not be able to respond to the complex and diverse profile of the offender population”.
IM/IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IM/IT function sustains and extends the organization’s strategies and objectives (Footnote 2). The primary goal of a sound IM/IT governance framework is to ensure that investments in IM/IT enable projects to generate business value, and to mitigate the risks that are associated with IM/IT such as the misalignment of IM/IT and business priorities.
IM/IT governance should be viewed as how IM/IT creates value as part of the overall Corporate Governance Strategy of the organization, and not as a discrete and siloed discipline (Footnote 3). In taking this approach, all stakeholders, from programs, services and IM/IT, are required to participate in the decision-making process. This creates a shared acceptance of responsibility for critical systems and ensures that IM/IT related decisions are made to effectively achieve the mandate and priorities of the organization. As IM/IT governance forms an integral part of enterprise-wide governance, it should be viewed as the shared responsibility of an organization’s executive management and the IM/IT function.
CSC engaged the professional services of the firm Samson to carry out the audit from January to August 2019.
Legislative and Policy Framework
Legislation
While there is no legislation that directly impacts the governance of IM/IT at CSC, the following Acts influence the delivery of IM/IT services within the Federal Government: the Financial Administration Act, the Access to Information Act, and the Privacy Act.
Treasury Board Policies and Directives
The following policies guide IM/IT governance within the Canadian federal government: Treasury Board Secretariat (TBS) Policy on Information Management; TBS Policy on the Management of IT; TBS Policy on the Planning and Management of Investments; and the Directive on the Management of IT Enabled Projects.
It should be noted that the TBS Office of the Chief Information Officer is in the final stages of a policy renewal initiative that will see the Policy on the Management of IT, the Policy on Information Management, and the Policy on Service being merged into the draft Policy on Service and Digital, which lays out the foundation for the Government’s digital transformation. The Policy on Government Security has also recently been renewed, which includes the management of IT security.
CSC Directives, Strategies and Procedures
Relevant CSC Directives, strategies and procedures most notably include the CSC Corporate Business Plan, CSC Corporate Risk Profile, CSC Data Strategy, the Commissioner’s Directive on Information Technology Security, IMS Strategic Plan, and other IM/IT-related directives.
CSC Organization
Overview of Information Management Services (IMS)
The CSC landscape has become ever reliant on IM/IT services to support and improve the way the organization delivers programs, interventions and services that ultimately assist offenders to become law-abiding, contributing members of society.
For example, the CSC 2017-18 Departmental Performance Report lists six corporate priorities including:
- Safe management of eligible offenders during their transition from the institution to the community, and while on supervision.
- Effective and timely interventions in addressing mental health needs of offenders.
- Efficient and effective management practices that reflect values-based leadership in a changing environment.
IMS plays a critical role in providing technological and information support for all six priorities, including those listed above, by supplying the vital program information required to achieve them and by maintaining and improving the information technology and information management tools that streamline the way CSC resources perform their everyday duties.
IMS’ reach across the organization is broad. It supports some 18,000 CSC and 500 Parole Board of Canada (PBC) staff of which 80 percent are located at operational field sites. It provides technical support for over 23,000 computer workstations of which roughly 60 percent are used to support offenders as part of training and rehabilitation efforts. Over 80 percent of the organization’s mandate is focused on ‘Run’ activities - the day-to-day expenses of keeping the existing IT infrastructure running. IMS supports the IT infrastructure that allows CSC to operate. In 2017-18 the IM/IT operational spend across CSC was $73 million of which $68 million was spent directly by IMS. IM/IT capital expenditures were an additional $18 million. As of January 2019, there were 626 staff working in IMS of which 49 percent were in the regions.
IMS supports the implementation and management of a myriad of applications and services for CSC. These range from data and network infrastructure (on behalf of SSC) and case management systems to the Offender Management System (OMS), its core mission-critical system for managing daily correctional operations. They also include tools that enable offenders’ access to doctors and family, Point of Sale (POS) capabilities to support sales through canteens, and a large information-sharing network with dozens of public safety organizations and Criminal Justice partners.
From an IM perspective, CSC’s focus is on the advancement of a robust Enterprise Information Management (EIM) Program to manage information assets that will support investments in data and analytics to improve business outcomes.
CSC IM/IT Governance
CSC is led by a Commissioner who is responsible for managing CSC’s business and operations. The Commissioner is supported by EXCOM, CSC’s most senior decision-making body, whose membership is composed of senior executives from across the Service. National Headquarters, located in Ottawa, is responsible for overall policy development, while each of the five regional headquarters leads the implementation of all policies and initiatives at regional and operational levels. Sectors at National Headquarters are responsible for national coordination and oversight of institutional and community operations, health services, women offenders, strategic policy, planning, performance measurements, internal services, and facilities management.
EXCOM has six sub-committees that provide strategic analysis, horizontal advice, and recommendations to Sector Heads and to EXCOM on issues aligned with CSC’s corporate priorities. Each of these six committees is also responsible for identifying key components of their theme as well as analyzing trends, challenges, gaps and best practices.
In 2016, a review of the existing IM/IT governance framework was undertaken. At that time, the oversight of IM/IT projects was being done by the Information Management Technology Architecture Board (IMTAB). This committee was largely informational and although it provided updates on IM/IT projects, it was not a decision-making body and it had poor attendance from key members.
The review led to a proposal for a new governance structure that included the creation of a new IM/IT Transformation Committee with assistant deputy minister level membership and strategic oversight and new governance committees at the DG and Manager levels that would be responsible for making gating decisions to more strongly influence which IM/IT projects were initiated and progressed through the complete lifecycle. The committee structure is broken down as follows:
IM/IT Transformation Committee
IM/IT governance at CSC is primarily delivered through the IM/IT Transformation Committee (TCOM). The committee is a subcommittee of EXCOM providing strategic advice and governance regarding IM/IT. The committee recommends for approval, prioritizes, and directs IM/IT initiatives to ensure that CSC expectations for IM/IT solutions are met, IM/IT risks are mitigated, best value is secured to meet demand and that the IM/IT architecture can execute the corporate strategy. TCOM is chaired by the Senior Deputy Commissioner and the Assistant Commissioner Corporate Services (Chief Financial Officer). The Assistant Commissioner Correctional Operations and Program Sector serves as alternate chair if either of the two chairs cannot attend.
DG Committee
The TCOM is supported by a DG Committee (DGCOM) that is chaired by the Chief Information Officer. It provides governance functions for items delegated by the TCOM. The DGCOM additionally provides a DG-level forum for reviewing, discussing and endorsing items affecting the IM/IT domain. The committee is responsible for determining when an item or issue from the IM/IT domain is appropriate for escalation to TCOM. For deliberations on enterprise architecture matters, DGCOM acts as the Enterprise Architecture Review Board for CSC.
IM/IT Management Committee
The IM/IT Management Committee (MCOM) represents the Chief Information Officer (CIO) and IMS Director-level governance and decision-making body for the IM/IT Domain. It is also responsible for the development, delivery and support of IM/IT products and services provided by IMS. It also provides governance and decision-making for operating and capital investments that have been delegated from TCOM or DGCOM.
These committees are in turn supported by sub-committees including Project Architecture Review Committee / Cost Estimation Working Group, Architecture Working Group and Data Governance Working Group.
Refer to Appendix B for a graphical depiction of the governance committee structure.
Risk Assessment
This audit was identified as an audit priority and an area of high risk to CSC in the RBAP 2018-2020. Reasons for this included:
- Governance is a foundational element from which resource allocation decisions stem. It has a downstream impact on IM/IT activities.
- Related risks include SSC dependency, governance and prioritization, intake and business analysis, operational funding, and performance measurement.
- A new governance committee, the Information Management / Information Technology Transformation Committee (TCOM), and a project gating process were put in place in early 2018.
- Impact of the ongoing TBS Office of the Chief Information Officer (CIOB) policy reset and opportunities for CSC to mature in the emerging areas highlighted by CIOB, such as cloud and digital.
In addition, in the fall of 2018 the Internal Audit Sector completed an IM/IT risk assessment in order to identify the major IM/IT risks facing the organization. Based on the results of this risk assessment, several audits were identified as being necessary for CSC to meet its objectives. One of the audits identified was an Audit of IM/IT Governance, which was assigned a high priority.
Objective and Scope
Audit Objective
The objective of this audit was to assess the adequacy and effectiveness of IM/IT governance processes in place to identify, prioritize, monitor and measure IM/IT resource allocation decisions and ensure alignment with departmental priorities, and that these processes effectively support the achievement of CSC’s mandate.
Specific criteria are included in Annex A.
Audit Scope
The scope of the audit included a review of the IM/IT strategic and operational plans, IM/IT governance structures, IM/IT-enabled project oversight, alignment with business and investment planning, and governance mechanisms. More specifically, the audit reviewed processes related to IM/IT strategic planning, operational planning and funding, project portfolio oversight and prioritization, risk management, performance management and Shared Services Canada coordination.
The audit focused on relevant activities from April 1, 2018 to March 29, 2019. The audit focused on NHQ but assessed how regional perspectives were incorporated into the governance structures.
The National Parole Board is included in the membership of the various governance structures; however, it was excluded from the audit scope.
Conclusion
Overall, audit results demonstrated that there are elements of an IM/IT governance framework in place to identify, prioritize, and monitor IM/IT-enabled investments and capital resources and ensure alignment with departmental priorities.
The audit found that elements of an IM/IT governance framework are in place with committees and roles and responsibilities, and support transparent, risk-based decision-making related to IM/IT investments and activities. However, the audit did note that:
- Although a proposal to put in place a new governance structure was put forward and discussed in October 2017, it was not until August 2018 that the discussion on the new governance structure was formally initiated with draft Terms of Reference being reintroduced. This has delayed the maturing and effectiveness of the new committees.
- Although the mandates of both TCOM and DGCOM state that they will provide strategic advice and governance for the IM/IT Domain, there have been no discussions on the ongoing monitoring of progress being made against the planned strategic objectives of the IMS Strategic Plan 2017-2020 and the IM/IT Business Plan. Without those discussions, it is not possible to ascertain that CSC is using IM/IT resources effectively and that it is effectively supporting the achievement of CSC’s mandate.
The audit found that IM/IT strategic planning considers input from stakeholders, identifies risks, is aligned with the departmental business strategy and investment plan, and aligns with central agency guidance. In addition, the implementation of the IMS Strategic Plan is being monitored and performance measurement processes are being implemented. However, the audit did note that:
- During the development of the IMS Strategic Plan 2017-2020 there were significant interactions with, and feedback sought from, IMS staff; however, the analysis does not mention whether there were interactions with senior CSC stakeholders outside of IMS or how their views were incorporated. The resulting plan is very much focused on IMS and not the broader IM/IT needs of the department.
- The expected outcomes and outputs are identified for only 19 of the 28 initiatives in the IMS Strategic Plan, and only qualitative performance measures are identified for the 28 initiatives. Secondly, although there is an IMS Program Office responsible for the ongoing monitoring of progress, no overall summary report showing that progress is being prepared. Without performance measures and overall progress reports, it will be hard to track performance and to see whether the planned benefits are being realized or whether corrective action needs to be taken.
The audit found that prioritization of IM/IT-enabled projects is done in line with CSC strategic priorities, enhances business value, and is within capital resource availability. However, the audit did note that:
- Although there are similarities between the Technical Services & Facilities and IMS prioritization criteria in the annual planning and prioritization of capital investments, CSC does not have a common base against which to assess all projects requiring capital funding. Furthermore, the capital project templates do not include a section on the ongoing run costs, so it is not possible to get the complete lifecycle costs for the projects being proposed. Lastly, although IMS had to have its prioritized list of IM/IT projects by late November 2018, it was still in prioritization discussion for its projects in February 2019 when its capital funding was approved at $22.5M. When the IMS capital plan was finally submitted to EXCOM in April 2019, it was $7.2M higher.
About the Audit
Approach and Methodology
Audit evidence was gathered using several methods, including the following:
Interviews
Interviews were conducted with senior management and key staff at NHQ, and regional representatives that were members of the main IM/IT governance bodies.
Review of documentation
Relevant documentation was reviewed including the following: TBS and CSC Policies, guidelines, and corporate documents such as EXCOM, IMTTC and DGCOM terms of reference, agendas and records of decision, presentations; strategic and operational plans; risk assessments; and monitoring and reporting information.
Testing
Document reviews were performed to provide assurance that systems, processes and governance bodies were functioning as described and understood.
Sampling
Since the IM/IT main governance bodies have been in place for less than one year, all minutes and records of decision were reviewed.
A sample of nine initiatives from a total population of 20 was selected on a judgemental basis. The initiatives were selected based on their direct relationship to the five priorities set in the IMS Strategic Plan 2017-2020.
Statement of Conformance
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the area examined.
The audit conforms to the Internal Auditing Standards for Government of Canada, as supported by the results of the quality assurance and improvement program. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.
Christian D’Auray, CPA, CA
Chief Audit Executive
Annex A: Audit Criteria
The following table outlines the audit criteria developed to meet the stated audit objective and audit scope:
Objective | Audit Criteria | Met / Met with Exceptions / Partially Met / Not Met
---|---|---
1. Assess the adequacy and effectiveness of IM/IT governance processes in place to identify, prioritize, monitor and measure IM/IT resource allocation decisions and ensure alignment with departmental priorities, and that these processes effectively support the achievement of CSC's mandate. | 1.1 - Governance Framework | Met, with Exceptions
 | 1.2 - IM/IT Alignment | Partially Met
 | 1.3 - IM/IT Strategic Planning | Partially Met
 | 1.4 - Planning and Prioritization of IM/IT-Enabled Projects | Partially Met
Annex B: IM/IT-related Committee Structure
The picture below describes the IM/IT-related Committee Structure. At the top, EXCOM, the Executive Committee chaired by the Commissioner, and the committee members are all CSC Senior management. Under EXCOM, there is the TCOM, the IM/IT Transformation Committee co-chaired by the SDC and CFO, and the committee members are a subset of EXCOM members. Under the TCOM, there is the DGCOM, the IM/IT Director General Committee chaired by the CIO, and the committee members are DGs from across CSC. Finally, under the DGCOM, there is the MCOM, the IM/IT Management Committee chaired by the CIO, and the committee members are IMS Management.