Audit of the Shared Services Canada’s Project Management and Delivery Operating Guide
June 12, 2018
Office of Audit and Evaluation
Shared Services Canada
Shared Services Canada’s (SSC) Project Management and Delivery Branch is responsible for supporting the Department’s Information Technology (IT) project and portfolio management functions and serves as a critical resource for project managers and key stakeholders. In the spring of 2017, SSC implemented the Project Management and Delivery Operating Guide (the Operating Guide).
The Operating Guide offers standardized processes, practices and tools across the Department and is mandatory for all IT projects, both SSC and client-led. It is a key guidance tool for project management within SSC, as it provides context on the project life cycle such as project management and deliverables required at the gating process, from idea creation to project closure and review.
What we examined
The audit assessed whether IT projects follow the Project Governance Framework, whether the Project Management and Delivery Operating Guide is aligned with the framework, and whether the Operating Guide has been communicated effectively to stakeholders.
Why it is important
The success of SSC’s modernization of information technology hinges on the successful delivery of IT projects related to large IT programs.
This audit was requested by Project Management and Delivery Branch within six (6) months of implementation of the new Operating Guide. Management wanted to get an indication of the effectiveness of the implementation of the framework at an early stage.
What we found
SSC’s Project Management and Delivery Branch was successful in developing, communicating and implementing a comprehensive Project Governance Framework and Operating Guide within a six (6) month time frame. The processes described in the materials were found to be generally consistent and aligned with the Project Governance Framework. They were well communicated to staff, and staff were aware of their responsibilities with respect to project management.
The project gating approvals for Gates 3 through 6 conferred by the Project Management Board were well executed; however, there was ambiguity and less compliance with the Operating Guide approval requirements at the early gates (Gates 1 and 2). These issues are critical as these gates provide the initial approval and funding for IT projects and investments.
The Operating Guide outlines the role of Project Review Officers, who are tasked to provide a key second line of defence in management oversight of projects by reviewing key project artefacts. In the audit it was noted that the role of the Project Review Officers was not fully implemented. This management oversight review is critical for key project artefacts to ensure quality and comprehensiveness of reporting.
Financial management forms and templates outlined in the Operating Guide were being used; however, key authorizations of financial forms were missing. Ensuring that all areas of SSC are aware of and approve the financial aspects of projects is key to sound project management.
Earned Value reporting, a tool to assess project performance and progress, had been implemented at the project level; however, at the time of the audit, Earned Value Reporting forms were not being validated by a financial management advisor, nor were the required quarterly reviews being completed. Fully implementing this important process will add significant strength to the project management process.
Overall, the Project Management and Delivery Branch has developed the necessary corporate and management practices to deliver IT projects. The Operating Guide is a useful document to guide the implementation of SSC IT projects. The Operating Guide defines the governance requirements and procedures needed to lead IT projects from idea creation to closeout and review. Once these processes are fully implemented, they will provide a sound and robust project management framework at SSC.
Acting, Chief Audit and Evaluation Executive
1. Background and rationale for the audit
In 2016, SSC created a Project Management and Delivery Branch tasked with implementing more robust project governance, strengthening and improving IT project management practices and consolidating project management responsibilities. To institutionalize this change, the Operating Guide was implemented in May 2017 for all SSC projects.
The Project Governance Framework, included in the Operating Guide, outlines the approvals required for projects to progress through each of the six (6) project gates. For all IT projects an investment proposal must first be recommended by the Enterprise Standards and Architecture Review Board. IT projects must then have approval for Gates 1 and 2 from the Service, Project and Procurement Review Board. Projects passing through Gates 3 to 6 require recommendation and approval from the Project Management Board. To ensure consistency and due diligence, project managers must complete and document the gate artefacts and use the project gating templates when making presentations to governance committees.
As SSC is a matrix organisation, the Project Management and Delivery Branch shares accountability with the service lines to deliver IT projects. The Project Management and Delivery Branch also has responsibility for project delivery through its project managers and exercises oversight, providing a second line of defence, through the review function of the Project Management Centre of Excellence.
1.2 Rationale for the audit
This audit was requested by SSC’s senior management shortly after the implementation of the new Project Management and Delivery Operating Guide to get an early indication of the effectiveness of the initial implementation.
1.3 Audit authority
This audit was approved in SSC’s 2017-2021 Risk Based Audit Plan.
2. Objective, scope and methodology
2.1 Objective of the audit
The objectives of this audit are to provide assurance that:
- The Project Management and Delivery Operating Guide is aligned with the Project Governance Framework; that the guide has been communicated effectively to stakeholders within SSC; and
- That SSC projects are following the Project Management and Delivery Operating Guide and Project Governance Framework.
Annex A provides details of the audit criteria that support these objectives and guided the audit work.
The scope of this audit included relevant processes and controls pertaining to the Project Management and Delivery Operating Guide implemented in May 2017.
The examination phase of this audit included transactions from October 1st, 2017, to December 15th, 2017.
The audit methodology consisted of: interviews, detailed assessments of relevant documents and controls testing.
A sample of IT projects that were underway from April 1, 2017 to October 1, 2017 was assessed. Only projects that had cleared a gate during the examination scope period were selected. During the scope period, five (5) projects cleared Gate 1, five (5) projects cleared Gate 3, and two (2) projects cleared Gate 4, for a total of twelve (12) projects (see Annex A for details). The following IT projects were reviewed according to the audit criteria:
- Criterion 1 – Project Governance: consisted of a sample population of twelve (12) projects
- Criterion 2 – Alignment of the Guide and Framework: did not include project sampling;
- Criterion 3 – Financial Management:
- Task and Financial Authorization had a sample population of nine (9) projects
- Earned Value reports had a sample population of four (4) projects; and
- Criterion 4 – Guide Communication: did not include project sampling
2.4 Statement of conformance
This audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. A practice inspection has been done.
Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion were based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. The findings and conclusion are only applicable to the entity examined and for the scope and time period covered by the audit.
B. Findings and recommendations
1. Project governance
Audit Criterion: Project management governance committees and oversight processes are operating in alignment with the Project Management and Delivery Operating Guide.
We expected to find that the project management governance committees and oversight processes complied with SSC’s Project Governance Framework gating processes; that required project artefacts were available for reviews and that approvals throughout the lifecycle (initiation, planning, execution, monitoring, closeout) of a project were performed.
The Project Governance Framework is a structure within which IT projects are initiated, planned, executed, monitored and closed. To support project interdependencies, the Project Governance Framework is also aligned to enabling functions such as the Service Life Cycle Management Model, security, procurement management and architecture standards. The Project Governance Framework ensures oversight is commensurate with the size and complexity of any IT project (based on the project’s Project Complexity Risk Assessment rating) and it defines the governance and requirements that must be met to allow IT projects to progress from one (1) gate to the next.
To assess the effectiveness of the Project Governance Framework, twelve (12) projects which had passed a gate between October 1, 2017 and December 15, 2017 were identified. The audit team conducted several audit tests to determine if IT projects followed the directives included in the Operating Guide, that projects were added to the draft Investment Plan, that artefacts were appropriately completed and signed, and that project deliverables were reviewed by a Project Review Officer from the Project Management Centre of Excellence.
Finding: Governance and oversight mechanisms outlined in the Project Governance Framework were not well implemented at Gates 1 and 2.
The audit team examined if IT projects obtained recommendations for approval from the indicated governance bodies and if they were included in the draft Investment Plan. During the period under review, twelve (12) IT projects were gate approved (five (5) at Gate 1, five (5) at Gate 3, and two (2) at Gate 4).
The processes for Gate 1 approval were unclear. Five (5) IT projects were presented in a “list format” for Gate 1 approval at the Service Project and Procurement Review Board in May 2017. It was found that the same IT projects were presented to the Project Management Board for Gate 3 approval in August 2017; they received only conditional approval. The conditions included further presentations at the Enterprise Standards and Architecture Review Board and another review by the Service, Project and Procurement Review Board to confirm the investment component. These presentations were scheduled between the end of August and October 2017.
The remaining seven (7) IT projects in the sample were presented at Gates 3 and 4 to the Project Management Board and met the governance criteria established by the Project Governance Framework. A further review indicated that all IT projects were added to the draft Investment Plan.
The Project Management Board ensured proper approval post Gate 2; however, the review of data for Gate 1 approval and interviews conducted with service line and project management staff indicated some ambiguity surrounding the Project Governance Framework. The requirement to obtain formal approval from the Enterprise Standards and Architecture Review Board for the IT investment, followed by a presentation to the Service, Project and Procurement Review Board to confirm the investment component, was often seen as unclear or unnecessary. This may be due to the initial implementation challenges faced by Project Management and Delivery Branch (PMDB) staff when the Operating Guide and the Project Governance Framework were introduced in May 2017. Furthermore, the Project Management Board approved some projects where all gating requirements and approvals were not met, and some projects received conditional approvals from the Project Management Board but were not monitored until the completion of all conditions.
The Senior Assistant Deputy Minister, Project Management and Delivery Branch, should ensure that:
- The requirements for presentations of IT projects at Gates 1 and 2 are clarified in the Project Governance Framework; and
- Projects receiving conditional approvals, or with missing artefacts, are documented as exceptions and are monitored.
Agree with the findings. Since the 1st edition of the guide was published, Enterprise Strategy and Architecture Review Board review has become operational and the Finance and Investment Management Board has been established to perform investment review and is operational. Changes to these processes are still taking place. Project Management and Delivery will include the Finance and Investment Management Board in the Project Management and Delivery Operating Guide, and include additional changes as they become available. Establishment of the Finance and Investment Management Board: Co-chaired by the Senior Assistant Deputy Minister Strategy, and Chief Financial Officer with accountability to ensure that financial management and investment decisions are based on effective planning, stewardship and governance.
Process Design & Supporting Artefacts to Address Gate 1 & Gate 2 Gaps: Facilitated sessions were held with key stakeholders including Analytics, Benchmarking and Transformation Program Office, Project Management Centre of Excellence, Enterprise Architecture, Chief Information Officer, Service Management Transformation and Finance (Deputy Chief Financial Officer & Director General Financial Costing & Strategies) to develop clear process maps, supporting standardized templates for Gate 1 and Gate 2; checkpoints to ensure stakeholders are engaged; and alignment to governance bodies such as the Enterprise Strategy and Architecture Review Board and Government of Canada Enterprise Architecture Review Board (if investment is greater than $5 million).
Finding: Required project artefacts for the gating processes were not consistently reviewed by Project Review Officers.
The Operating Guide specifies the project artefacts required to obtain governance committee approval at gating presentations. Prior to submission for gate approval, project artefacts should be reviewed by a Project Review Officer from the Project Management Centre of Excellence to verify completeness. This provides an important second line of defense, ensuring that project artefacts are reviewed and challenged by a management oversight review.
Twelve (12) IT projects were examined to validate that Project Review Officers were exercising their challenge function, and to ensure that project artefacts were available and appropriately reviewed. The early audit evidence indicated that while the majority of artefacts existed, the Project Review Officers performed their challenge function in only half of the cases, and over one-third of the project artefacts remained unsigned or incomplete.
- Only 50% (6 out of 12) of the IT projects reviewed had full or partial reviews conducted by a Project Review Officer prior to submission for gate approval;
- For the 12 IT projects under review, 43 IT project artefacts were required. While the majority of the artefacts existed, 16 artefacts (or 37%) were incomplete; and
- Important artefacts that were incomplete or unsigned included: Business Requirements Document, Concepts of Operations, Task and Financial Authorization, Project Complexity Risk Assessment, and the Security Plan of Action and Milestone.
While it is recognized that it may take time to fully ingrain new processes that were implemented in the early days of the new Operating Guide, the role of the Project Review Officer is a key management oversight function. Specifically, when artefacts are not fully vetted and approved, decisions could be made based on inaccurate or incomplete information potentially affecting the outcome of the project.
The Senior Assistant Deputy Minister, Project Management and Delivery Branch, should document the review and challenge function of the Project Review Officers to ensure that all IT project artefacts are assessed prior to gate presentations to ensure the gate checklist/artefacts are complete, accurate and approved.
Agree with the findings with the understanding that the Operating Guide was approved in May 2017. The projects reviewed as part of the audit had started prior to this date, were in a transition period and were being processed under older practices. The review and challenge function of the Project Review Oversight officer will be documented to ensure that all IT project artefacts are assessed prior to gate presentations, to verify that the gate checklist/artefacts are complete, accurate and approved.
2. Alignment of key project management guidance
Audit Criterion: The Project Management and Delivery Operating Guide is aligned to the Project Governance Framework.
We expected to find that the Project Management and Delivery Operating Guide supports and operationalizes the Project Governance Framework; that governance and oversight committees are consistently described between the Operating Guide and the Framework; and that project artefact requirements are identical across all the reference materials.
Project managers gain approval for their projects by making gate presentations, submitting the required project artefacts, and being subject to challenge and oversight by board members. Internal Audit identified and examined key supporting reference materials included in the Project Management and Delivery Operating Guide, used by project managers to identify the required deliverables to compile before any gates.
Finding: The Project Governance Framework and the Operating Guide were generally aligned.
The following four (4) supporting reference materials were assessed to ensure alignment: the Project Management and Delivery Operating Guide; the Project Governance Framework document (included within Operating Guide); the Gating checklist (included as an annex within the Operating Guide); Project gating presentation templates (referenced in the Operating Guide with a link to the Project Management Centre of Excellence GCpedia).
To ensure consistency among reference materials, the audit team identified the presentation templates and the deliverables required for gate approval and compared them against other reference material from the Operating Guide. Some minor differences were noted and these were shared with the Project Management and Delivery Branch during the audit.
Overall, no key misalignments were identified regarding the governance committee requirements between the Project Governance Framework and the Operating Guide.
The Operating Guide includes the Responsible, Accountable, Consulted and Informed Chart (RACI) on project management roles and responsibilities. Forty-eight (48) roles included in the Chart were tested. The results indicate that relevant stakeholders are aware of, and generally compliant with the RACI roles and responsibilities.
Finding: Areas of inconsistencies were the result of additional or duplicative requirements and the need for greater clarity.
The discrepancies noted resulted either from certain reference materials requiring more documentation than the Project Governance Framework or the Operating Guide, or from the need for greater clarity in certain documents.
- Gate 1: the Operating Guide requires both a Business Requirements Document and a Project Proposal. The Project Governance Framework requires either, not both;
- Gate 2: the Operating Guide is unclear when a business case is required, whereas the presentation template identifies that a business case is required for Project Complexity Risk Assessment Level 2 or above;
- Gate 2: the Operating Guide does not distinguish between Project Complexity Risk Assessment Level 4 or Operational Project Management Capacity Assessment authority for Treasury Board Submission, Treasury Board Project Brief, and Independent Review;
- Gate 3: the Operating Guide requires an Independent Review for every project, whereas the Project Governance Framework only requires an Independent Review for Project Complexity Risk Assessment Level 4 projects; and
- Gate 4: The Operating Guide requires an Independent Review be completed and a Security Plan of Action Milestones prepared for Project Complexity Risk Assessment Level 4 projects. The presentation template has both deliverables required, regardless of the level.
There are multiple reference documents and sources of information, which outline the Project Governance Framework gate deliverables; however, some reference documents contain discrepancies. Ensuring consistencies between documents and project artefacts should minimize the level of effort required for gate presentations.
The examination of the alignment between the Operating Guide and the Project Governance Framework highlighted inconsistencies between the artefacts requirements, the gating process and the Operating Guide. While these were not gaps in the control framework, they could lead to inefficiencies and duplication of work in certain areas.
The Senior Assistant Deputy Minister, Project Management and Delivery Branch, should update the Operating Guide and its included references to ensure consistency of project artefacts and templates used for gating presentations.
Agreed with the findings that there were inconsistencies between the Operating Guide and other reference materials. The Operating Guide and other reference documents will be reviewed for consistency and updated accordingly.
3. Financial management
Audit Criterion: Projects are following budgeting, monitoring and reporting processes in accordance with the Project Management and Delivery Operating Guide.
We expected to find that IT projects were following the financial management requirements in accordance with the Operating Guide requirements. Financial management responsibilities include: completed financial forecasts; required funding has been identified; Cost Management Advisor approval has been obtained; budgetary forecasts and project costs were reported; and change requests were approved.
The Operating Guide identifies all project financial management requirements necessary to support project managers in implementing IT projects. SSC introduced Task and Financial Authorization and Earned Value reporting during the spring of 2017, and these are key financial controls to manage complex and often sensitive IT projects.
To ensure that all financial management requirements were followed, nine (9) IT projects were selected for review. The audit results indicate that most projects were compliant with the financial requirements by:
- identifying the required funding
- ensuring baseline cost approval and reporting were completed; and
- obtaining appropriate approval of change requests
Because project management is a relatively new function at SSC, it would have been difficult to achieve 100% compliance to these financial requirements in such a short period of time. During the period reviewed, the audit team noted progress in budgetary forecasts and project costs reporting.
Finding: Task and Financial Authorization was implemented but not duly authorized.
The Task and Financial Authorization is a key financial internal control which reflects the level of effort to plan a project and includes the input of contributing service lines and functional areas to identify project resource requirements. For the nine (9) projects tested, the Task and Financial Authorizations were assessed for their completeness, accuracy and approval. The audit results indicated the following:
- All projects tested utilized the required Task and Financial Authorization template; project managers identified resources and cost transfer requirements from contributing functional areas;
- Most of the projects had their Task and Financial Authorization registered with the Project Management Centre of Excellence; and
- Only one (1) project received formal approval from the Service Line Director General, and no project had the Task and Financial Authorization approved by the Project Management and Delivery project manager, Director General and the Financial Management Advisor.
These results show good implementation of the Task and Financial Authorization form; however, not having the form fully vetted and approved by the service lines, the project manager and finance undermines the effectiveness of this document. For example, the lack of formal commitment from key stakeholders may increase misunderstandings between service lines and Project Management Branch senior management, or could lead to misallocation of funding. The lack of challenge from the Financial Management Advisor may result in variances in project schedule and costs. It will be essential to ensure proper approval and review of this key financial control.
The Senior Assistant Deputy Minister, Project Management and Delivery Branch, should ensure that Task and Financial Authorizations presented to Project Management Board are properly reviewed and approved by Service Line managers and Financial Management Advisors before proceeding to the next gate.
Agreed with the findings that most projects were compliant with Task and Financial Authorization requirements, but that many Task and Financial Authorizations were not signed. Project Management and Delivery will ensure that the Task and Financial Authorizations are reviewed and signed by the appropriate parties before proceeding to the next gate.
Finding: Earned Value reporting is in place and will benefit from implementation of quarterly reporting.
Monitoring and reporting is a significant area of focus of the Project Management and Delivery Operating Guide. Earned Value reporting is a key financial internal control to monitor the health of SSC IT projects. Earned Value management is a methodology that combines scope, schedule, and resource measurements to assess project performance and progress. The metric can help assess the performance of the project and provide a project health status to SSC’s senior management.
To ensure compliance to the Earned Value reporting requirements, four (4) IT projects that had passed Gate 3 delivery were selected for assessment. The audit results indicated the following:
- Since implementing the Earned Value monthly reporting in spring 2017, significant progress had been made and the four (4) IT projects tested had an adoption rate of 100% for the months of August and September 2017. The audit team could not, however, locate any Earned Value reports in 2017 for the months of April, May, and July, while partial Earned Value reports were provided for June; and
- A consolidated Earned Value quarterly report was reviewed for the second quarter of 2017, which included the four (4) sample projects. The audit team noted that the validation of the Earned Value quarterly report from a Financial Management Advisor could not be provided and the quarterly report was not presented to Project Management Board.
Progress was noted over the audit period in the implementation of Earned Value reporting. Moving forward, however, it will be necessary to ensure that Earned Value reports are submitted monthly, consolidated quarterly, appropriately validated by Finance and presented to the Project Management Board for review.
The Senior Assistant Deputy Minister, Project Management and Delivery Branch, should ensure that the Earned Value reporting process is implemented and that reports meet the requirements of the Project Management and Delivery Operating Guide.
Agreed with the findings that the monthly Earned Value reports made significant progress over the first few months of implementation, but that the quarterly report to Project Management Board, validated by Finance, was not implemented. Project Management and Delivery Branch will create a quarterly Earned Value report that will be validated by Finance and presented formally to the Project Management Board.
4. Operating guide communication
Audit Criterion: The Project Management and Delivery Operating Guide was communicated effectively to relevant stakeholders.
We expected to find that the Operating Guide was communicated effectively to relevant stakeholders, including Project Management and Delivery staff, project managers, financial officers, service delivery managers and SSC service lines.
The audit team reviewed the communication plan to ensure that the Operating Guide was distributed and communicated effectively to SSC staff involved in project management. The audit team also assessed a sample of roles and responsibilities to ensure the Operating Guide was not only communicated, but also understood by staff.
Finding: The communication plan was effective to reach relevant stakeholders who generally understood their role and responsibilities.
The Operating Guide was communicated to Project Management and Delivery Branch staff during “all staff” meetings in May 2017 and October 2017. Project management staff were instructed to review the Operating Guide and were shown its digital location; the meetings specifically targeted project managers as primary users of the Operating Guide. A further review of the communication plan indicated that it was provided to senior management via e-mail distribution list, formal presentations and training. All Director Generals were informed during discussions held at each senior management table. We also found that classroom training and WebEx sessions were made available to further understand the Operating Guide tools and project management changes. Finally, the Operating Guide was published online by the Communication and Organizational Effectiveness Office.
The audit team also wanted to ensure that the Operating Guide was understood and applied by stakeholders. To confirm this, they examined the RACI roles and the consistency with which the Operating Guide was practiced. A sample of nine (9) RACI activities over six (6) IT projects was tested. The results indicated that project management stakeholders were aware of RACI roles and responsibilities, and their function was consistent with the roles and responsibilities established in the Operating Guide.
SSC was mandated to modernize the information technology infrastructure for the Government of Canada. Through its Infrastructure Plan, SSC carries out a significant number of large-scale and complex IT projects to meet the Government of Canada modernization agenda. To deliver on its mandate, SSC created the Project Management and Delivery Branch and developed the Project Management and Delivery Operating Guide to better manage its large portfolio of IT projects. The purpose of the Operating Guide is to provide sound and effective project management at Shared Services Canada. To achieve success, the Operating Guide needed to be communicated effectively to all SSC stakeholders.
This audit was requested by Project Management and Delivery Branch within six (6) months of implementation of the new Operating Guide. Management wanted to get an early indication of the effectiveness of the implementation of the framework.
Overall SSC’s Project Management and Delivery Branch was able to develop, communicate and implement a comprehensive Project Governance Framework and Operating Guide within a six (6) month time frame. The processes described in the materials were found to be generally consistent and well aligned with the Project Governance Framework. They were well communicated to staff, and staff were aware of their responsibilities with respect to project management.
In conclusion, the Project Governance Framework provides a solid foundation for project management at SSC. Although the audit took place at an early stage of the Project Governance Framework implementation, there was evidence of clear progression in terms of compliance over the examination period. The findings indicate that when processes were not followed it was due to lack of monitoring and clarity in accountability of these new processes.
Annex A – Audit criteria, project sample and acronyms
|Audit criteria||Criteria description|
|1 - Project Governance||Project management governance committees and oversight processes are operating in alignment with the Project Management and Delivery Operating Guide.|
|2 - Alignment of the Guide and Framework||The Project Management and Delivery Operating Guide is aligned to the Project Governance Framework.|
|3 - Financial Management||Projects are following budgeting, monitoring and reporting processes in accordance with the Project Management and Delivery Operating Guide.|
|4 - Guide Communication||The Project Management and Delivery Operating Guide was communicated effectively to relevant stakeholders.|
|Last gate approved||Project complexity and risk assessment level||Sampled IT projects – total of 12|
|Gate 1||Pending||Migration of Statistics Canada at Tunney's Pasture|
|Gate 1||3||Network Device Authentication|
|Gate 1||3||Secure Remote Access Migration|
|Gate 1||2||Centralized Management Network|
|Gate 1||3||Security Information and Event Management|
|Gate 2||N/A||No IT project cleared Gate 2 during the period under review|
|Gate 3||3||Workplace Communication Services|
|Gate 3||3||Enterprise Mobile Device Management|
|Gate 3||2||Hosted Contact Centre Services Transformation|
|Gate 3||3||Enterprise Data Centre Borden Relocation Project|
|Gate 3||3||High Performance Computing Renewal|
|Gate 5||N/A||No IT project cleared Gate 5 during the period under review|
|Gate 6||N/A||No IT project cleared Gate 6 during the period under review|
|Acronym||Name in full|
|SSC||Shared Services Canada|
Annex B – Audit recommendations prioritization
Internal engagement recommendations are assigned a rating by SSC’s Office of Audit and Evaluation in terms of recommended priority for management to address. The rating reflects the risk exposure attributed to the audit observation(s) and underlying condition(s) covered by the recommendation along with organizational context.
Priority: high
- Should be addressed as priority for management within the next 6-12 months
- Controls are inadequate. Important issues are identified that could negatively impact the achievement of organizational objectives
- Could result in significant risk exposure (for example, reputation, financial control or ability to achieve Departmental objectives)
- Provide significant improvement to the overall business processes
Priority: medium
- Should be addressed over the next year or reasonable timeframe
- Controls are in place but are not being sufficiently complied with. Issues are identified that could negatively impact the efficiency and effectiveness of operations
- Observations could result in risk exposure (for example, reputation, financial control or ability of achieving branch objectives) or inefficiency
- Provide improvement to the overall business processes
Priority: low
- Changes are desirable within a reasonable timeframe
- Controls are in place but the level of compliance varies
- Observations identify areas of improvement to mitigate risk or improve controls within a specific area
- Provide minor improvement to the overall business processes