Audit of the Governance Framework over Information Management

Appendix A: Audit Criteria

Audit Criteria 1: Planning
(TBS Information Lifecycle Category: Planning)

1.1 Governance, Risk Management

Governance structures, mechanisms and resources are in place to ensure the continuous and effective management of information. This includes the following structures, mechanisms, and resources:

  • CIC’s IM program and plans meet the needs of CIC’s strategic and business objectives, programs and services.
  • CIC has established IM committees that meet regularly to discuss IM, including:
    • Issues and risks
    • Opportunities
    • Legislation, policies, directives and their implications on CIC
  • IM risks are identified and documented, as are the risk responses and mitigation strategies.
  • IM projects and activities are prioritized, at a minimum, annually.

Audit Criteria 2: Gathering
(TBS Information Lifecycle Category: Collection, Creation, Receipt, Capture)

2.1 Controls

Information gathering at CIC ensures compliance with the following:

  • TBS Policy on Information Management (6.1.5): Electronic systems are the preferred means of creating, using, and managing information.
  • TBS Directive on Recordkeeping (6.1.3): Identifying, establishing, implementing, and maintaining repositories in which information resources of business value are stored or preserved in a physical or electronic storage space.
  • TBS Directive on Recordkeeping (6.1.3): Establishment and implementation of key methodologies, mechanisms, and tools to support CIC recordkeeping requirements throughout the information lifecycle.

Audit Criteria 3: Management
(TBS Information Lifecycle Category: Organization, Protection and Preservation, Maintenance, Evaluation)

3.1 Controls

CIC information is managed to ensure compliance with the following:

  • TBS Policy on Information Management (6.1.2): Decisions and decision-making processes are documented to account for and support the continuity of departmental operations, permit the reconstruction of the evolution of policies and programs, and allow for independent evaluation, audit, and review.
  • TBS Policy on Information Management (6.1.4): Information is managed to ensure the relevance, authenticity, quality, and cost-effectiveness of the information for as long as it is required to meet operational needs and accountabilities.
  • TBS Policy on Information Management (6.1.5): Electronic systems are the preferred means of creating, using, and managing information.
  • TBS Policy on Information Management (6.1.8): Establishing, measuring, and reporting on a departmental program or strategy for the improvement of the management of information.
  • TBS Directive on Recordkeeping (6.1.2): Protection of information resources of business value by identifying and documenting the risk profile of information resources and responding to and mitigating documented risks to the protection of information resources.
  • TBS Directive on Recordkeeping (6.1.3): Establishment and implementation of key methodologies, mechanisms, and tools to support CIC recordkeeping requirements throughout the information lifecycle.

3.2 Governance

CIC employees at the senior executive, management, operational and IM-specialist levels perform their delegated information management roles and responsibilities effectively, as outlined in sections 6.1 to 6.4of the TBS Directive on Information Management Roles and Responsibilities. Structured and documented authorities and accountabilities for IM decisions and lifecycle activities are supported by a strong and continuous corporate culture.

Audit Criteria 4: Disseminate
(TBS Information Lifecycle Category: Dissemination)

4.1 Controls

The dissemination of CIC information complies with the following:

  • Access to Information Act (7): Within 30 days after the request is received, give written notice to the person who made the request as to whether or not access will be given. If access is to be given, give the person access to the record, or part thereof. Access is subject to the following:
    • Access to Information Act (19-1): Head of a government institution shall refuse to disclose any record under this Act that contains personal information as defined in section 3 of the Privacy Act.
    • Access to Information Act (19-2): Head of government institution may disclose any record requested under this Act that contains personal information if the individual to whom it relates provides consent (section 8 of the Privacy Act).
  • TBS Policy on Information Management (6.1.3): Information is shared within and across departments to the greatest extent possible, while respecting security and privacy requirements.
  • TBS Directive on Recordkeeping (6.1.3): Establishment and implementation of key methodologies, mechanisms, and tools to support departmental recordkeeping requirements throughout the information lifecycle.

Audit Criteria 5: Leverage
(TBS Information Lifecycle Category: Use)

5.1 Controls

CIC information and records from internal and external sources are managed to ensure comparability between systems.

5.2 Controls

CIC information and records from internal and external sources are managed to support collaboration and permit usability within the appropriate context.

5.3 Controls

Leverage and collaboration of information ensures compliance with the following:

  • TBS Policy on Information Management (6.1.3): Information is shared within and across departments to the greatest extent possible, while respecting security and privacy requirements.
  • TBS Policy on Information Management (6.1.5): Electronic systems are the preferred means of creating, using, and managing information.
  • TBS Policy on Information Management (6.1.5): Electronic systems are the preferred means of creating, using, and managing information.
  • TBS Directive on Recordkeeping (6.1.3): Establishment and implementation of key methodologies, mechanisms, and tools to support CIC recordkeeping requirements throughout the information lifecycle.

Audit Criteria 6: Disposing
(TBS Information Lifecycle Category: Disposition)

6.1 Controls

CIC information is disposed to ensure compliance with the following:

  • Library and Archives of Canada Act (12-1): No government or ministerial record, whether or not it is surplus property of a government institution, shall be disposed of, including by being destroyed, without the written consent of the Librarian and Archivist or of a person to whom the Librarian and Archivist has, in writing, delegated the power to give such consents.
  • TBS Directive on Recordkeeping (6.1.3): Establishment and implementation of key methodologies, mechanisms, and tools to support CIC recordkeeping requirements throughout the information lifecycle.
Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: