Audit of the Governance Framework over Information Management

1.0 Introduction

Information—and how it is planned, gathered, managed, disseminated, leveraged, and disposed of—is at the core of each of Citizenship and Immigration Canada (CIC)’s departmental programs. Effective governance over information management (IM) is key to accomplishing the Department’s objectives.

The Internal Audit and Accountability Branch (IAAB) 2010-2011 Risk-Based Audit Plan identified the need for an audit of the governance framework over IM. The IAAB engaged the Centre for Public Management (CPM) to conduct this audit.

1.1 Background

1.1.1 The IM Lifecycle

The IM industry defines the information lifecycle in reference to the planning, gathering, managing, disseminating, leveraging and disposing of all information assets used by an organization.

Figure 1: Information Lifecycle

Information Lifecycle: sequence going from Plan to Gather, Manage, Disseminate, and Leverage to Dispose.

Table 1 presents both the industry standard and the Treasury Board Secretariat (TBS) categorizations of the information lifecycle, as both categorizations were taken into account in this audit.

Table 1: Information Lifecycle—Industry vs. TBS Categorization
| Industry Categorization | TBS Categorization |
|---|---|
| Plan | Plan |
| Gather | Collect, Create, Receive, Capture |
| Manage | Organize, Protect and Preserve, Maintain, Evaluate |
| Disseminate | Disseminate |
| Leverage | Use |
| Dispose of | Dispose of |

The industry categorization of the information lifecycle was mapped onto the TBS categorization for the purposes of setting the criteria for this audit (see Appendix A).

1.1.2 Contextual IM Environment

IM Governance Structure

CIC’s Information Management Directorate (IMD) is part of the Information Management and Technologies Branch (IMTB). The Director, Information Management, reports directly to the Chief Information Officer (CIO). The CIO is also the designated senior official for IM and is responsible for ensuring that management direction, processes and tools are in place to manage IM efficiently, and for maintaining the quality of information throughout its lifecycle. For further details on the CIC IM governance structure, see Section 3.1 Governance.

1.2 Audit Risk Assessment

Observations and assessments were drawn against audit criteria developed as part of a risk-based audit planning process, which cross-referenced the information lifecycle elements and the criteria for effective/quality information (see Appendix A for audit criteria). The risk-identification process assessed the three core objectives of this audit—the effectiveness of the following:

  • The IM governance structure
  • IM risk management processes
  • Management and operational controls that support IM

The CPM approach is based on the following:

  • Preliminary survey interviews
  • Background documentation review
  • Legislation, policy, and directive reviews

The seven risks listed below were identified as significant.

CIC IM Risk Assessment

There is a risk to CIC that…

  1. The IM governance tools and mechanisms do not support a strong IM corporate culture.
  2. IM awareness (including accountabilities and roles and responsibilities) at CIC is not sufficient to meet IM objectives.
  3. Information is not managed continuously among CIC’s internal and external stakeholders.
  4. IM does not enable the collaboration of internal and external stakeholders.
  5. IM processes do not enable compliance with CIC National Headquarters operational and administrative requirements.
  6. The IM of paper records does not meet CIC’s information needs.
  7. IM in the Department does not comply with the following:
    • Access to Information Act
    • Library and Archives of Canada Act
    • Privacy Act
    • TBS Policy on Information Management
    • TBS Directive on Information Management Roles and Responsibilities
    • TBS Directive on Recordkeeping

1.3 Audit Objectives

The objectives of this audit were to determine the effectiveness of the following:

  • IM governance structure
  • IM risk management processes
  • Management and operational controls that support IM

This audit report is organized around these three objectives. The criteria used to assess whether these objectives are being met are based on the categorizations of the information lifecycle described in Section 1.1.1 and are detailed in Appendix A.

1.4 Audit Scope

The audit covers all IM governance activities at CIC in 2010. The audit assessed primarily the adequacy of the IM governance structure in place at the IMTB and the relevant executive committees. The audit considered best practices where applicable.

In its purest definition, the IM governance framework would include the committees and other governance structures that are tasked with ensuring that IM helps CIC meet its objectives. However, in order to assess the effectiveness of this governance framework, various operational activities were examined that encompass the planning, gathering, managing, disseminating, leveraging and disposing of information.

1.5 Audit Approach and Methodology

As part of the audit execution phase, the auditors did the following:

  • Reviewed and analyzed relevant IM-related documentation;
  • Conducted interviews with senior management and selected staff (see Appendix B for interviewees);
  • Developed and completed a detailed audit program; and
  • Assessed overall findings to highlight pertinent findings.

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
