Audit of the Governance Framework over Information Management

Executive Summary

Information—and how it is planned, gathered, managed, disseminated, leveraged, and disposed of—is at the core of each of Citizenship and Immigration Canada (CIC)’s departmental programs. Effective governance over information management (IM) is key to accomplishing the Department’s objectives.

Based on an analysis of departmental risk factors and consultation with senior management, the CIC Internal Audit and Accountability Branch (IAAB) 2010-2011 Risk-Based Audit Plan identified the need for an audit of the governance framework over IM. The audit was carried out from July to December 2010, with the examination phase occurring from October to November 2010. The IAAB engaged the services of the Centre for Public Management (CPM) to conduct this audit.

The objectives of this audit were to assess the following:

  • IM governance structure;
  • IM risk management processes; and
  • Management and operational controls that support IM.

IM Governance Structure

Overall, the governance structure, mechanisms, and resources are in place at CIC to support the management of information throughout its lifecycle. The IM Strategic Plan 2010-2013 has been approved by the Management Accountability Committee (MAC). The document includes key IM elements (for example, goals and objectives, and strategic drivers); however, it could be improved by adding components that would more effectively define CIC’s strategic direction for IM. Also, consultations and input from key stakeholders could be incorporated into the decision-making process.

Recommendations:

Information Management and Technologies Branch (IMTB) should:

  • Enhance the current IM Strategic Plan by developing IM standards, an IM performance measurement strategy and an IM human resource plan.
  • Ensure that the IM Strategic Plan is presented to the Department’s Executive Committee for their review and approval. This would generate organization-wide visibility and would serve as a mechanism to enlist the support of senior managers in communicating and promoting IM-aware behaviours.

IM Risk Management Processes

The IM Strategic Plan 2010-2013 includes a risk assessment; however, risk mitigation strategies could be improved. In addition, the IM Directorate does not currently sign off on information management/information technology (IM/IT) project charters to ensure that IM risks and implications have been adequately considered. Further strengthening IM risk management will ensure that senior management has all the risk-related information it needs to shift priorities and allocate resources appropriately.

Recommendations:

IMTB should:

  • Enhance the current IM Strategic Plan by developing a detailed risk mitigation plan; and
  • Ensure that the Project Charter approval process for all IM/IT initiatives includes sign-off from the Director, Information Management.

Management and Operational Controls

Although control elements are in place and roles and responsibilities are clearly defined, the management control framework for IM could be improved in certain areas. A continued focus on the adoption of RDIMS in lieu of branch-specific IM tools, the management of secret and classified information, and the establishment of record disposition authorities will strengthen the overall control framework and mitigate IM and operational risks.

Recommendations:

IMTB should:

  • Investigate the root causes of the lack of RDIMS adoption in order to develop and implement a remediation plan;
  • Investigate options for central storage and tracking of documents that are not stored in RDIMS because of their security classification;
  • Ensure that the requirements of MOUs that govern information sharing align with CIC’s IM policies and procedures, and implement measures to ensure that information sharing partners adhere to CIC’s policies under those MOUs; and
  • Continue with the development of the disposition and retention schedules to ensure compliance with LAC requirements, as well as ensure that compliance with R&D schedules is tracked.

Conclusion

Overall, CIC is making progress to ensure that governance structure, risk management, and management and operational controls in the area of IM provide effective support throughout the information lifecycle. This audit has identified opportunities for enhancing CIC’s IM governance framework. See Appendix C for the resulting management action plan.
