Follow-up Audit of Information and Records Management
January 2013
For readers interested in the PDF version, the document is available for downloading or viewing:
Table of Contents
Executive summary
The follow-up audit of recommendations from the 2009 Audit of Information and Records Management was carried out as part of the Public Health Agency of Canada’s (the Agency’s) Risk-Based Audit Plan for 2012-13. The objective of the follow-up audit was to determine whether implementation of the management action plan had been effective in addressing the recommendations made in the Audit of Information and Records Management tabled in December 2009.
An assessment of the actions taken by management was performed to address the recommendations outlined in the 2009 audit report. The follow-up audit was conducted from May to November 2012.
The main objectives of the 2009 Audit of Information and Records Management were to assess:
- the operational effectiveness of information and records management practices in the Agency; and
- the extent to which the Agency’s information and records management practices comply with Treasury Board policies and the requirements of the Library and Archives of Canada Act.
As part of the business transformation agenda resulting from the federal Budget 2012, the Agency’s and Health Canada’s information management and information technology directorates have consolidated the delivery of their services by creating a single shared services partnership.
The follow-up audit concludes that the implementation of the management action plan has been effective in addressing most of the recommendations made in the 2009 Audit of Information and Records Management. Nine of the eleven recommendations (82%) have been substantially or fully implemented. The remaining recommendations have an associated action that is past the implementation target date.
Improvements have been noted in the development of an information management (IM) framework, policy instruments, operational plan and related risk assessment, core competency profile for IM specialists, and a strategy to implement an electronic document and records management system.
Further progress is required to implement standard operating procedures and to monitor the compliance of IM operations.
A. Introduction
1. Background
As part of the Public Health Agency of Canada’s (the Agency’s) Risk-Based Audit Plan for 2012-13, the Portfolio Audit and Accountability Bureau undertook the follow-up audit of the management action plan commitments as outlined in the 2009 Audit of Information and Records Management.
The 2009 audit concluded that the Agency’s information management function is in a nascent state and it requires significant improvement in order to ensure operational effectiveness of information and records management practices in the Agency as well as full compliance with Treasury Board policies and directives.
As part of the business transformation agenda resulting from the federal Budget 2012, the Agency’s and Health Canada’s information management and information technology directorates have consolidated the delivery of their services by creating a single shared services partnership.
2. Audit objective
The objective of the follow-up audit was to determine whether implementation of the management action plan had been effective in addressing the recommendations made in the Audit of Information and Records Management tabled in December 2009.
3. Audit scope
The scope of the follow-up audit focused on the management action plan commitments contained in the 2009 Audit of Information and Records Management. The follow-up was conducted from May to July 2012.
4. Audit approach
For each recommendation, the progress achieved against action plan commitments were assessed. The follow-up methodology included interviews and the analysis of supporting documentation.
5. Statement of assurance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the follow-up audit conclusion. The follow-up audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.
B. Findings recommendations and management responses
1.1. Progress made on 2009 audit recommendations
Audit criterion: Management’s actions have been effective in addressing the recommendations identified in the audit tabled in 2009.
| Implementation rating level | Number of recommendations | Percentage |
|---|---|---|
| No progress - insignificant progress | 0 | 0% |
| Planning stage | 0 | 0% |
| Preparation for implementation | 2 | 18% |
| Substantial implementation | 3 | 27% |
| Full implementation | 6 | 55% |
|
Total
|
11 |
Please refer to Appendix A for the assessment rating guide and to Appendix B for the detailed assessments.
The follow-up audit concludes that the implementation of the management action plan has been effective in addressing most of the recommendations made in the 2009 Audit of Information and Records Management. Nine of the eleven recommendations (82%) have been substantially or fully implemented. The remaining recommendations have an associated action that is past the implementation target date.
Improvements have been noted in the development of an information management (IM) framework, policy instruments, operational plan and related risk assessment, core competency profile for IM specialists and a strategy to implement an electronic document and records management system.
Further progress is required to implement standard operating procedures and to monitor compliance of IM operations.
Scorecard
The table below summarizes the status of each audit recommendation.
| Recommendations | Rating | Conclusion | Current Target Date |
|---|---|---|---|
|
|||
| 1 - Approve the information management (IM) framework and policies | FI | Completed. | |
| 2 - IM policy should state that all IM specialists should be accountable and/or report functionally to the Chief Information Officer | FI | Completed. | |
| 3 - Develop and implement a comprehensive operational plan | SI | Harmonization and implementation required. | March 2014 |
| 4 - Develop and implement an Agency-wide procedure manual | PI | Harmonization, approval and implementation required. | March 2015 |
| 5 - Ensure that monitoring activities take place to assess the compliance of IM operations | PI | Harmonization, implementation and monitoring required. | December 2014 |
| 6 - Determine a core competency profile for the IM community and Agency-wide mandatory IM training plan | SI | Approval and implementation required. | March 2013 |
| 7 - Prepare for Executive Committee (EC) approval of strategy to fully implement an electronic document and records management system (EDRMS) | FI | Completed. | |
| 8 - Develop and deliver mandatory IM awareness and training sessions to all Agency staff as part of the EDRMS implementation plan | FI | Completed. | |
| 9 - Prepare a comprehensive risk assessment | FI | Completed. | |
| 10 - Determine the IM resources required for the Agency to support the success of the IM Strategy | FI | Completed. | |
| 11 - Ensure that appropriate financial and human resources are provided to support the success of the IM function | SI | Request funding for new harmonized IM strategy. | March 2014 |
Appendix A - Lines of enquiry and audit criteria
| Criteria Title | Audit Criteria |
|---|---|
| Line of Enquiry 1: Progress made on the 2009 Audit Recommendations | |
| 1.1 Progress made on 2009 recommendations | Management's actions have been effective in addressing the recommendations identified in the audit tabled in 2009. |
1. No progress or insignificant progress
No action taken by management or insignificant progress. Actions such as striking a new committee, having meetings and generating informal plans are insignificant progress.
2. Planning stage
Formal plans for organizational changes have been created and approved by the appropriate level of management (at a sufficiently senior level, usually at the Executive Committee level or equivalent) with appropriate resources and a reasonable timetable.
3. Preparation for implementation
The entity has begun necessary preparation for implementation, such as hiring or training staff, or developing or acquiring the necessary resources to implement the recommendation.
4. Substantial implementation
Structures and processes are in place and integrated in some parts of the organization, and some achieved results have been identified. The entity has a short-term plan and timetable for full implementation.
5. Full implementation
Structures and processes are operating as intended and are implemented fully in all intended areas of the organization.
6. Obsolete
Audit recommendations that are deemed to be obsolete or have been superseded by another recommendation.
Appendix B – Assessment of recommendation implementation
| Recommendation 1 | |||
|---|---|---|---|
| The Executive Committee should review and approve the information management framework and policies. | |||
| Overall Assessment | Full implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. The draft Agency Information Management (IM) Policy, Directive on IM Accountability and Responsibility as well as IM Framework documents will be circulated through the normal approval channels. |
January 2010 |
The Draft Public Health Agency of Canada (the Agency) IM Policy, Directive on IM Accountability and Responsibility as well as IM Framework documents have been circulated through the normal approval channels. |
Full implementation |
A2. Office of the Chief Information Officer (OCIO) will seek the Agency Executive Committee (EC) approval of IM Policy instruments. |
June 2010 |
The IM Framework, Policy on IM, the Directive on IM Accountability and Responsibility, the Directive on Email Management as well as the Guideline on Email Management have been reviewed and approved by EC, and can be found on the Agency’s Intranet site. |
Full implementation |
| Recommendation 2 | |||
|---|---|---|---|
| The Information Management Policy developed by the Chief Information Officer should state that all information management specialists should either be accountable and/or report functionally to the Chief Information Officer. | |||
| Overall Assessment | Full implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. The current draft Agency Directive on IM Accountability and Responsibility has been revised to incorporate this functional reporting requirement. |
June 2010 |
The Directive on IM Accountability and Responsibility has been revised in order to state that IM specialists take functional direction from the Information Management Senior Officer (IMSO) reporting to the CIO and assist in carrying out the responsibilities of the IMSO. |
Full implementation |
| Recommendation 3 | |||
|---|---|---|---|
| The Chief Information Officer should develop and implement a comprehensive operational plan for information management inclusive of reporting relationships, resourcing ratios, service delivery and projects required to support the Information Management and Information Technology Strategy. | |||
| Overall Assessment | Substantial implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. Using standard Government of Canada (GoC) risk management tools (as per recommendation 9); a comprehensive operational plan for the IM function will be developed. The Operational Plan will detail the various initiatives and outline necessary resource investments to address issues relating to service ratios, service delivery, oversight and governance, organizational reporting, capacity building, electronic records and legacy management. |
June 2010 |
The IM Operational Plan 2012-15 describing resource requirements, resourcing ratios, service delivery and project requirements to support the IM Strategy has been developed and approved by EC in February 2012. |
Full implementation |
A2. Implementation of the various components of the Operational Plan is directly contingent on the Agency EC endorsement and resourcing to sustain activities. |
Starting Nov. 2010 |
As part of the IM Operational Plan 2012-15, IM has launched 22 projects to address components contained within the Plan. Many of these projects have been completed, however, some remain outstanding. We were advised that the residual projects of the Agency’s IM Operational Plan 2012-15 will be addressed within the context of the shared services partnership (SSP). A harmonized Health Canada/Agency IM strategy and supporting key initiatives are scheduled for presentation to the Portfolio Executive Committee (PEC) in December 2012. Revised date: March 2014 |
Substantial implementation |
| Recommendation 4 | |||
|---|---|---|---|
| The Chief Information Officer should develop and implement an Agency-wide procedure manual to standardize the information management operational activities across the Agency. | |||
| Overall Assessment | Preparation for implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. Given the distributed environment and varied business activities of the Agency, one standard model may not be effective nor address individual business needs. General standards can be developed with some flexibility to customize for specific business areas such as a laboratory setting. An Agency “Records Procedures Manual” and supporting annexes outlining customized processes will be developed in concert with the IM community. |
June 2011 |
A draft records management procedure manual and supporting annexes outlining customized processes have been developed. As part of the SSP, we were advised that a review and harmonization of existing policies, directives and procedures is underway. This would include a review of and harmonization of both organizations’ records procedures manual. Revised documents will be presented to PEC for approval. Revised date: March 2014 |
Substantial implementation |
A2. The standard operating procedures will be implemented by the IM Directorate in concert with the IM community. |
The draft Records Management Procedure Manual and supporting annexes outlining customized processes have been developed in concert with the IM community but have yet to be approved by the CIO and disseminated to IM specialists across the Agency. As part of the SSP, we were advised that a review and harmonization of existing policies, directives and procedures is underway. This would include a review of and harmonization of both organizations’ records procedures manual. Revised documents will be presented to PEC for approval. Revised date: March 2015 |
Preparation for implementation |
|
| Recommendation 5 | |||
|---|---|---|---|
| The Chief Information Officer should ensure that monitoring activities take place to assess the compliance of information management operations in the entire Agency. | |||
| Overall Assessment | Preparation for implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. Leveraging standard GoC assessment criteria and recordkeeping program elements, report cards will be established to monitor compliance to IM operations. |
Starting Nov. 2010 |
A draft recordkeeping directive compliance report card has been created to monitor IM operations within the Agency. However, monitoring activities have yet to take place. We were advised that under the SSP, this activity will be harmonized and integrated with Health Canada’s Performance Measurement Framework and reporting cycles. This recommendation will remain outstanding until such time as the harmonized report card is implemented to monitor compliance of IM operations. Revised date: December 2014 |
Preparation for implementation |
| Recommendation 6 | |||
|---|---|---|---|
| The Chief Information Officer should leverage work done by the Treasury Board and the Government of Canada on core competencies and information management certification to determine a core competency profile for the information management community and prepare and support an Agency-wide mandatory information management training plan based on current competencies. | |||
| Overall Assessment | Substantial implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. The OCIO will develop a standard competency profile as well as a learning ‘curriculum’ for IM specialists. The curriculum will build on GoC IM mandatory training at Canada School of Public Service and include training on the Agency IM standards and tools. |
Dec. 2010 |
A set of behavioural functional competencies as well as an Agency IM learning roadmap have been developed for entry, development, proficient and managerial level positions. We were advised that the competency profile, learning curriculum and training material will be harmonized as part of the SSP. Revised date: March 2013 |
Substantial implementation |
A2. The OCIO will seek the Agency EC endorsement of mandatory competencies and training plan. |
Feb. 2011 |
A fully harmonized set of competencies, learning curriculum and training material is to be presented to PEC for endorsement in March 2013. Revised date: March 2013 |
No progress or insignificant progress |
A3. Implementation of the competency profile and plan is contingent on the Agency EC endorsement. |
April 2011 |
Implementation of the harmonized competencies, learning curriculum and training material is scheduled for March 2013. Revised date: March 2013 |
No progress or insignificant progress |
| Recommendation 7 | |||
|---|---|---|---|
| The Office of the Chief Information Officer should prepare for Executive Committee approval a strategy to fully implement an electronic document and records management system. | |||
| Overall Assessment | Full implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. As a compendium document to the IM Capacity Business Case prepared in January 2008 an EDRMS implementation strategy will be prepared and presented to the Agency executive management. |
June 2010 |
The Agency’s Records, Document, IM System (RDIMS) 2012-14 Implementation Plan inclusive of the Implementation Strategy was approved by EC in February 2012. |
Full implementation |
| Recommendation 8 | |||
|---|---|---|---|
| The Chief Information Officer should develop and deliver mandatory information management awareness and training sessions to all Agency staff as an integral part of the approved Electronic Document and Records Management System Implementation Plan. | |||
| Overall Assessment | Full implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. The EDRMS Deployment Strategy includes mandatory training for all employees. The purpose is to educate employees on IM requirements and demonstrate how technology can assist in meeting policy requirements. Individual one-on-one desktop coaching also follows to further ensure that employees understand IM concepts and how to use the tool effectively. |
Aug. 2010 |
As part of the EDRMS deployment, information management/information technology (IM/IT) provides mandatory training on IM awareness, functional classification awareness, business rules for RDIMS and RDIMS user training to Agency staff. |
Full implementation |
A2. Delivery of the mandatory training is contingent upon the Agency EC endorsement and funding. |
Starting Sept. 2010 |
The Agency RDIMS 2012-14 Implementation Plan, inclusive of the training requirement, was approved by EC in February 2012. |
Full implementation |
| Recommendation 9 | |||
|---|---|---|---|
| The Chief Information Officer should prepare a comprehensive risk assessment that would highlight information management risks, impacts and benefits and potential mitigation strategies. This risk assessment would be used as a precursor to the development of a detailed information management operational plan. | |||
| Overall Assessment | Full implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. Leveraging existing GoC tools, a comprehensive risk assessment will be conducted on the Agency IM function. Risks, impacts, mitigation strategies and benefits will be prepared and incorporated into the Operational Plan. |
March 2010 |
A risk assessment on the Agency IM function including impacts and benefits was incorporated into the IM Operational Plan leveraging from existing risk assessment standards and methodologies, risk assessment initiatives and lessons learned, in order to identify critical risks. |
Full implementation |
| Recommendation 10 | |||
|---|---|---|---|
| The Chief Information Officer should determine for Executive Committee approval the information management resources required for the Agency to support the success of the Information Management Strategy. | |||
| Overall Assessment | Full implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. The IM Strategy and IM Operational Plan (see recommendation 3) will outline operational resource requirements to support the success of the IM Strategy. Allocation of resources for the various initiatives supporting the IM Strategy and Operational Plan is contingent on the Agency EC endorsement. |
June 2010 |
As indicated in recommendation 3, the IM Operational Plan 2012-15 describing resource requirements has been developed and was approved by EC in February. |
Full implementation |
| Recommendation 11 | |||
|---|---|---|---|
| The Executive Committee should ensure that appropriate financial and human resources are provided to support the success of the information management function and the implementation of the Information Management Strategy. | |||
| Overall Assessment | Substantial implementation | ||
| Planned Actions | Target Date | Progress to date | Status of action item |
A1. EC will provide the financial and human resources to the CIO to support the success of the IM function and the implementation of the IM Strategy in line with the Agency priorities and dependent on the availability of resources and subject to receiving and approving a costed plan for implementation. |
June 2010 |
As indicated in recommendations 3 and 10, the IM Operational Plan 2012-15 describing resource requirements to support the success of the IM function and the implementation of the IM Strategy has been developed and was presented to EC for approval in February 2012. EC approved the Plan with the understanding that implementation will be subject to a review of available funding and that this item was to be tabled at the Resource Planning and Management Committee for additional consideration relative to other Agency priorities once the full impact of Budget 2012 on the Agency’s available funding will be known. We would also note that as part of the business transformation agenda resulting from the federal Budget 2012, the Agency’s and Health Canada’s IM/IT directorates have consolidated the delivery of their services by creating a single share services partnership. We were advised that funding to support the harmonized IM Strategy and key initiatives that are scheduled for presentation to PEC in December 2012 will be acquired through the annual integrated operating planning processes as well as investment planning processes. Revised date: March 2014 |
Substantial implementation |
Page details
- Date modified: