Audit of information management / information technology governance, 2020

Acronyms & Abbreviations

CIO: Chief Information Officer
CIOB: Chief Information Officer Branch - Treasury Board Secretariat
CSC: Correctional Services Canada
DGCOM: Director General Committee
EXCOM: Executive Committee
IM/IT: Information Management / Information Technology
IMS: Information Management Services
IMTAB: Information Management Technology Architecture Board
MCOM: IM/IT Management Committee
NIPC: National Investment Prioritization Committee
OMS: Offender Management System
RACI: Responsibility Assignment Matrix
RBAP: Risk Based Audit Plan
SSC: Shared Services Canada
TBS: Treasury Board Secretariat
TCOM: Information Management / Information Technology Transformation Committee

Introduction

Background

The Audit of Information Management / Information Technology (IM/IT) Governance was conducted as part of the Correctional Service of Canada’s (CSC) 2018-2020 Risk-Based Audit Plan (RBAP). This audit links to CSC’s priorities of “efficient and effective management practices that reflect values-based leadership in a changing environment” and to the corporate risk that CSC “will not be able to respond to the complex and diverse profile of the offender population”.

IM/IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IM/IT function sustains and extends the organization’s strategies and objectives [footnote 2]. The primary goal of a sound IM/IT governance framework is to ensure that investments in IM/IT enable projects to generate business value, and to mitigate the risks that are associated with IM/IT, such as the misalignment of IM/IT and business priorities.

IM/IT governance should be viewed as the way IM/IT creates value as part of the organization’s overall Corporate Governance Strategy, not as a discrete and siloed discipline [footnote 3]. Under this approach, all stakeholders, from programs, services and IM/IT, are required to participate in the decision-making process. This creates a shared acceptance of responsibility for critical systems and ensures that IM/IT-related decisions are made to effectively achieve the mandate and priorities of the organization. As IM/IT governance forms an integral part of enterprise-wide governance, it should be viewed as the shared responsibility of an organization’s executive management and the IM/IT function.

CSC engaged the professional services of the firm Samson to carry out the audit from January to August 2019.

Legislative and Policy Framework

Legislation

While there is no legislation that directly governs IM/IT at CSC, the following Acts influence the delivery of IM/IT services within the Federal Government: the Financial Administration Act, the Access to Information Act, and the Privacy Act.

Treasury Board Policies and Directives

The following policies guide IM/IT governance within the Canadian federal government: Treasury Board Secretariat (TBS) Policy on Information Management; TBS Policy on the Management of IT; TBS Policy on the Planning and Management of Investments; and the Directive on the Management of IT Enabled Projects.

It should be noted that the TBS Office of the Chief Information Officer is in the final stages of a policy renewal initiative that will see the Policy on the Management of IT, the Policy on Information Management, and the Policy on Service being merged into the draft Policy on Service and Digital, which lays out the foundation for the Government’s digital transformation. The Policy on Government Security has also recently been renewed, which includes the management of IT security.

CSC Directives, Strategies and Procedures

Relevant CSC Directives, strategies and procedures most notably include the CSC Corporate Business Plan, CSC Corporate Risk Profile, CSC Data Strategy, the Commissioner’s Directive on Information Technology Security, IMS Strategic Plan, and other IM/IT-related directives.

CSC Organization

Overview of Information Management Services (IMS)

CSC has become increasingly reliant on IM/IT services to support and improve the way the organization delivers the programs, interventions and services that ultimately assist offenders to become law-abiding, contributing members of society.

For example, the CSC 2017-18 Departmental Performance Report lists six corporate priorities including:

IMS plays a critical role in providing technological and information support for all six priorities, both through the vital program information required to achieve them and by maintaining and improving the information technology and information management tools that streamline the way CSC staff perform their everyday duties.

IMS’ reach across the organization is broad. It supports some 18,000 CSC and 500 Parole Board of Canada (PBC) staff, of which 80 percent are located at operational field sites. It provides technical support for over 23,000 computer workstations, of which roughly 60 percent are used to support offenders as part of training and rehabilitation efforts. Over 80 percent of the organization’s mandate is focused on ‘Run’ activities, the day-to-day expenses of keeping the existing IT infrastructure running. IMS supports the IT infrastructure that allows CSC to operate. In 2017-18 the IM/IT operational spend across CSC was $73 million, of which $68 million was spent directly by IMS. IM/IT capital expenditures were an additional $18 million. As of January 2019, there were 626 staff working in IMS, of which 49 percent were in the regions.

IMS supports the implementation and management of a myriad of applications and services for CSC. These range from data and network infrastructure (on behalf of SSC) and case management systems to the Offender Management System (OMS), CSC’s core mission-critical system for managing its daily correctional operations. They also include tools that enable offenders’ access to doctors and family, Point of Sale (POS) capabilities to support sales through canteens, and a large information-sharing network with dozens of public safety organizations and Criminal Justice partners.

From an IM perspective, CSC’s focus is on the advancement of a robust Enterprise Information Management (EIM) Program to manage information assets that will support investments in data and analytics to improve business outcomes.

CSC IM/IT Governance

CSC is led by a Commissioner who is responsible for managing CSC’s business and operations. The Commissioner is supported by EXCOM, CSC’s most senior decision-making body, whose membership is composed of senior executives from across the Service. National Headquarters, located in Ottawa, is responsible for overall policy development, while each of the five regional headquarters leads the implementation of all policies and initiatives at regional and operational levels. Sectors at National Headquarters are responsible for national coordination and oversight of institutional and community operations, health services, women offenders, strategic policy, planning, performance measurements, internal services, and facilities management.

EXCOM has six sub-committees that provide strategic analysis, horizontal advice, and recommendations to Sector Heads and to EXCOM on issues aligned with CSC’s corporate priorities. Each of these six committees is also responsible for identifying key components of their theme as well as analyzing trends, challenges, gaps and best practices.

In 2016, a review of the existing IM/IT governance framework was undertaken. At that time, the oversight of IM/IT projects was being done by the Information Management Technology Architecture Board (IMTAB). This committee was largely informational and although it provided updates on IM/IT projects, it was not a decision-making body and it had poor attendance from key members.

The review led to a proposal for a new governance structure. It included the creation of a new IM/IT Transformation Committee, with assistant deputy minister level membership and strategic oversight, and new governance committees at the DG and Manager levels responsible for making gating decisions, so as to more strongly influence which IM/IT projects were initiated and how they progressed through the complete lifecycle. The committee structure is broken down as follows:

IM/IT Transformation Committee

IM/IT governance at CSC is primarily delivered through the IM/IT Transformation Committee (TCOM). The committee is a subcommittee of EXCOM providing strategic advice and governance regarding IM/IT. The committee recommends for approval, prioritizes, and directs IM/IT initiatives to ensure that CSC expectations for IM/IT solutions are met, IM/IT risks are mitigated, best value is secured to meet demand and that the IM/IT architecture can execute the corporate strategy. TCOM is chaired by the Senior Deputy Commissioner and the Assistant Commissioner Corporate Services (Chief Financial Officer). The Assistant Commissioner Correctional Operations and Program Sector serves as alternate chair if either of the two chairs cannot attend.

DG Committee

The TCOM is supported by a DG Committee (DGCOM) that is chaired by the Chief Information Officer. It provides governance functions for items delegated by the TCOM. The DGCOM additionally provides a DG-level forum for reviewing, discussing and endorsing items affecting the IM/IT domain. The committee is responsible for determining when an item or issue from the IM/IT domain is appropriate for escalation to TCOM. For deliberations on enterprise architecture matters, DGCOM acts as the Enterprise Architecture Review Board for CSC.

IM/IT Management Committee

The IM/IT Management Committee (MCOM) is the Chief Information Officer (CIO) and IMS Director-level governance and decision-making body for the IM/IT domain. It is responsible for the development, delivery and support of the IM/IT products and services provided by IMS, and it provides governance and decision-making for operating and capital investments that have been delegated from TCOM or DGCOM.

These committees are in turn supported by sub-committees including Project Architecture Review Committee / Cost Estimation Working Group, Architecture Working Group and Data Governance Working Group.

Refer to Annex B for a graphical depiction of the governance committee structure.

Risk Assessment

This audit was identified as an audit priority and an area of high risk to CSC in the RBAP 2018-2020. Reasons for this included:

In addition, in the fall of 2018 the Internal Audit Sector completed an IM/IT risk assessment in order to identify the major IM/IT risks facing the organization. Based on the results of this risk assessment, several audits were identified as being necessary for CSC to meet its objectives. One of the audits identified was an Audit of IM/IT Governance, which was assigned a high priority.

Objective and Scope

Audit Objective

The objective of this audit was to assess the adequacy and effectiveness of IM/IT governance processes in place to identify, prioritize, monitor and measure IM/IT resource allocation decisions and ensure alignment with departmental priorities, and that these processes effectively support the achievement of CSC’s mandate.

Specific criteria are included in Annex A.

Audit Scope

The scope of the audit included a review of the IM/IT strategic and operational plans, IM/IT governance structures, IM/IT-enabled project oversight, alignment with business and investment planning, and governance mechanisms. More specifically, the audit reviewed processes related to IM/IT strategic planning, operational planning and funding, project portfolio oversight and prioritization, risk management, performance management and Shared Services Canada coordination.

The audit covered relevant activities from April 1, 2018 to March 29, 2019. It focused on NHQ but assessed how regional perspectives were incorporated into the governance structures.

The National Parole Board is included in the membership of the various governance structures; however, it was excluded from the audit scope.

Conclusion

Overall, audit results demonstrated that there are elements of an IM/IT governance framework in place to identify, prioritize, and monitor IM/IT-enabled investments and capital resources and ensure alignment with departmental priorities.

The audit found that elements of an IM/IT governance framework are in place with committees and roles and responsibilities, and support transparent, risk-based decision-making related to IM/IT investments and activities. However, the audit did note that:

The audit found that IM/IT strategic planning considers input from stakeholders, identifies risks, is aligned with the departmental business strategy and investment plan, and aligns with central agency guidance. In addition, the implementation of the IMS Strategic Plan is being monitored and performance measurement processes are being implemented. However, the audit did note that:

The audit found that prioritization of IM/IT-enabled projects is done in line with CSC strategic priorities, enhances business value, and is within capital resource availability. However, the audit did note that:

About the Audit

Approach and Methodology

Audit evidence was gathered using several methods, including the following:

Interviews

Interviews were conducted with senior management and key staff at NHQ, and with regional representatives who were members of the main IM/IT governance bodies.

Review of documentation

Relevant documentation was reviewed, including: TBS and CSC policies, guidelines and corporate documents, such as EXCOM, IMTTC and DGCOM terms of reference, agendas, records of decision and presentations; strategic and operational plans; risk assessments; and monitoring and reporting information.

Testing

Document reviews were performed to provide assurance that systems, processes and governance bodies were functioning as described and understood.

Sampling

Since the IM/IT main governance bodies have been in place for less than one year, all minutes and records of decision were reviewed.

A sample of nine initiatives from a total population of 20 was selected on a judgemental basis. The initiatives were selected based on their direct relationship to the five priorities set in the IMS Strategic Plan 2017-2020.

Statement of Conformance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the area examined.

The audit conforms to the Internal Auditing Standards for Government of Canada, as supported by the results of the quality assurance and improvement program. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

Christian D’Auray, CPA, CA
Chief Audit Executive

Annex A: Audit Criteria

The following table outlines the audit criteria developed to meet the stated audit objective and audit scope:

Columns: Objective; Audit Criteria; Assessment (Met / Met with Exceptions / Partially Met / Not Met)

Objective 1. Assess the adequacy and effectiveness of IM/IT governance processes in place to identify, prioritize, monitor and measure IM/IT resource allocation decisions and ensure alignment with departmental priorities, and that these processes effectively support the achievement of CSC's mandate.

1.1 - Governance Framework

  • An adequate IM/IT governance framework is in place through effective committees and clear roles and responsibilities, and supports transparent, risk-based decision making related to IM/IT investments and activities.

Assessment: Met, with Exceptions

1.2 - IM/IT Alignment

  • IM/IT strategic planning considers input from all stakeholders, identifies risks, is aligned with the departmental business strategy and investment plan, and aligns with central agency guidance.

Assessment: Partially Met

1.3 - IM/IT Strategic Planning

  • IM/IT strategic planning is effectively implemented through clear resource allocation decisions, SSC coordination, and performance measurement and monitoring.

Assessment: Partially Met

1.4 - Planning and Prioritization of IM/IT-Enabled Projects

  • Prioritization of IM/IT-enabled projects is done in line with IMS and CSC strategic priorities, enhances business value, is within resource availability, and considers run costs.

Assessment: Partially Met

Annex B: IM/IT-related Committee Structure

The figure below depicts the IM/IT-related committee structure. At the top is EXCOM, the Executive Committee chaired by the Commissioner, whose members are CSC senior management. Under EXCOM is TCOM, the IM/IT Transformation Committee co-chaired by the SDC and CFO, whose members are a subset of EXCOM members. Under TCOM is DGCOM, the IM/IT Director General Committee chaired by the CIO, whose members are DGs from across CSC. Finally, under DGCOM is MCOM, the IM/IT Management Committee chaired by the CIO, whose members are IMS management.
