Audit of Shared Services Canada’s Information Technology Asset Management

Audit Report

Office of Audit and Evaluation
June 2017

Period of Examination from September 1, 2014, to September 30, 2015

Executive Summary

What we examined

The objective of the audit was to provide assurance on the adequacy of information technology (IT) asset management at Shared Services Canada (SSC) and to ensure compliance with government policies and SSC procedures.

The scope of the audit included SSC’s IT asset management (ITAM) processes, tools and controls including the application of these processes, tools and controls from September 1, 2014, to September 30, 2015.

Why it is important

IT lifecycle management is the effective and efficient management of IT assets from the identification of requirements to the disposal of the asset. IT assets include software, hardware, major projects and acquired services. ITAM depends on robust processes with tools to automate manual processes.

The Treasury Board (TB) Policy Framework for the Management of Assets and Acquired Services set the tone for the management of assets and to help ensure that the conduct of these activities provided value for money and demonstrated sound stewardship in program delivery. The complexity, speed, scale and concurrency of key transformation initiatives could lead to unforeseen implementation and operational obstacles that could affect overall success of the transformation and ongoing service delivery which further emphasizes the importance of having well established ITAM processes and controls.

What we found

We found that SSC developed a draft Framework for SSC Material “Inventory and Disposal” Management (Framework) and that the draft Framework and instruments were in line with applicable requirements as set out in the TB Policy Framework for the Management of Assets and Acquired Services and the TB Policy on Management of Materiel. The Framework and its instruments had not been approved or communicated.  

In the absence of an approved and communicated materiel management framework, we found insufficient communication regarding roles and responsibilities and the centralization of the ITAM function.

We identified several issues with the processes and controls that impacted SSC’s ability to provide assurance that all enterprise assets (hardware and software) were being adequately managed.

We found gaps in the accuracy and sufficiency of the information available to support and monitor the management of IT assets. There were inconsistencies in the identification of what information was required for the lifecycle management of IT assets and the controls in place to ensure the required information was captured in the appropriate tracking tool.

We found no systematic monitoring taking place in relation to the overall management of IT assets at SSC.

Patrice Prud’homme
Chief Audit and Evaluation Executive

Background

1. Shared Services Canada (SSC) was established on August 4, 2011, to modernize how the federal government manages its information technology (IT) infrastructure in order to better support the delivery of programs and services to Canadians. The IT infrastructure supporting government programs and services was aging, vulnerable to security risks and inefficient.
2. The Treasury Board (TB) Policy Framework for the Management of Assets and Acquired Services set the tone for the management of assets and helped ensure that the conduct of these activities provided value for money and demonstrated sound stewardship in program delivery. The complexity, speed, scale and concurrency of key transformation initiatives could lead to unforeseen implementation and operational obstacles that could affect overall success of the transformation and ongoing service delivery which further emphasizes the importance of having well established IT asset management (ITAM) processes and controls.
3. This audit was approved by the President of SSC after being recommended by the Departmental Audit and Evaluation Committee as part of the 2014–2017 Risk-based Audit and 2014–2019 Evaluation Plan. SSC’s senior management also identified concerns around the lack of documented and communicated roles and responsibilities for ITAM, the risks associated with the transfer of legacy assets and not having timely, sufficient and accurate information on all of SSC’s IT assets.
4. IT lifecycle management is the effective and efficient management of IT assets from the identification of requirements to the disposal of the asset. IT assets include software, hardware, major projects and acquired services. ITAM depends on robust processes with tools to automate manual processes.
5. Legacy refers to equipment or assets procured and owned by another government organization before they were transferred to SSC in 2011, and enterprise refers to new assets and equipment that were procured with SSC funds since SSC was created.
6. A new organizational structure for SSC was adopted on April 1, 2015, entitled SSC Way Forward, to reflect SSC’s focus on the migration from legacy to new enterprise IT infrastructure. The new structure made branches responsible for the entire lifecycle of services they provided. This realignment was part of SSC’s natural evolution and had an impact on several groups including the Service Asset and Configuration Management (SACM) directorate which was responsible for a large part of the ITAM function at SSC and gained more responsibility after the realignment.
7. Prior to April 1, 2015, there were no standardized ITAM processes and tools in place for the lifecycle management of IT assets. Since the reorganization, the ITAM function became centralized under the SACM directorate.

Objective

8. The objective of the audit was to provide assurance on the adequacy of ITAM at SSC and to ensure compliance with government policies and SSC procedures.

Scope

9. The scope of the audit included SSC’s ITAM processes, tools and controls including the application of these processes, tools and controls from September 1, 2014, to September 30, 2015. This included the management of:
   • All SSC IT assets, including hardware and software; and
   • Both legacy and end-state assets. Consideration was given to the added value of addressing issues and risk related to legacy assets

Methodology

10. During the conduct of the audit, we:
    • Interviewed relevant directors, managers and technical experts
    • Conducted file and system walkthroughs and reviews
    • Reviewed relevant documents, such as TB and SSC policies, draft Framework for SSC Materiel “Inventory and Disposal” Management, and SSC processes and procedures documentation; and
    • Performed data analysis based on extracts provided from two systems used
11. Field work for this audit was substantially completed by October 2015.

Statement of Assurance

12. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion were based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. This engagement was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. A practice inspection has not been conducted.

Detailed Findings and Recommendations

Shared Services Canada’s Information Technology Asset Management Governance Structure

13. We expected SSC to have a governance structure in place to ensure that IT assets were managed appropriately and in compliance with Government of Canada and SSC policies. Furthermore, we expected that there would be a documented, approved and communicated materiel management framework in place.
14. We found that SSC developed a draft Framework for SSC Material “Inventory and Disposal” Management (Framework). The Framework included the following instruments:
    • Draft Directive for SSC Materiel “Inventory and Disposal” Management
    • Draft Standard for SSC Materiel Inventory Control
    • Draft Standard for SSC Materiel Stocktaking
    • Draft Standard for SSC Materiel Transfer, Loan and Donation
    • Draft Standard for SSC Materiel Disposal; and
    • Materiel Management Governance Structure
15. We found that the draft Framework and instruments were in line with applicable requirements as set out in the TB Policy Framework for the Management of Assets and Acquired Services and the TB Policy on Management of Materiel.
16. We expected that the roles and responsibilities for the management of IT assets would be documented and communicated. We found the roles and responsibilities for the management of IT assets were documented in the draft Framework and the accompanying Directive, Standards and Materiel Management Governance Structure. However, at the time of this audit the Framework had not yet been approved. Once approved, the intention was to communicate the Framework organization-wide on the SSC website. At the time of the audit, no communication plan had been developed.
17. We found that stakeholders were consulted and improvements were made to the Framework to reflect the comments received throughout the consultation process.
18. We found delays in the submission and presentation of the Framework for approval to the Corporate Management Board which was in most part due to the reorganization and consultations with various stakeholders.
19. The TB Policy on Management of Materiel stated that Deputy Heads were responsible for ensuring that a materiel management framework was in place to ensure that materiel was managed by departments in a sustainable and financially responsible manner. Further delays in the approval, communication and implementation of the Framework would result in non-compliance with TB requirements. Furthermore, the absence of a documented and communicated governance structure for ITAM could impact the Department’s operational ability to manage the lifecycle of its IT assets and damage its reputation as a responsible steward of crown property.

Processes for the Lifecycle Management of Information Technology Assets

20. We expected that SSC would have processes in place for the lifecycle management of IT assets which met the applicable policies and directives. We found that since the reorganization on April 1, 2015, SSC centralized its ITAM function under the responsibility of SACM.
21. We found that SSC had some documented processes and controls for the purchasing, receiving, tagging, recording and disposing of IT assets. However, these processes were mainly designed for use within SACM and were only communicated to the group internally. Although the SACM directorate was using their documented processes, updates were required to reflect organizational changes and general updates. For example, the disposal processes required updates to reflect additional types of disposal that had not been previously documented and the user guide for the Enterprise Control Desk (ECD) tracking tool also required updates to align with the latest version of the software that was in use.
22. In the absence of an approved and communicated materiel management framework, we found there had been insufficient communication regarding the centralization of the ITAM function. There were no controls in place to enforce SACM’s involvement in the ITAM function. Therefore, SSC employees may not be aware of the requirement to contact ITAM at different points in the lifecycle.
23. Prior to the centralization of the ITAM function, there were no standard processes or tracking tools which resulted in a lack of visibility of all IT assets that were transferred to SSC when the Department was established. As a result, we found that SSC could not provide assurance that all of SSC’s legacy IT assets were adequately managed.
24. There was no integration between the financial system (SIGMA) and the IT asset tracking tools (ECD and HP Asset Manager). SACM had documented a manual process to monitor SIGMA for new IT asset purchases because there was no assurance that SACM was notified when new IT assets were purchased. Due to the manual nature of this process and the reliance on proper financial coding, there was a risk that all newly purchased IT assets may not be identified through this process.
25. We found that SSC’s process for tracking infrastructure software (the server and network software found in data centres) was in the development stage and SSC was not able to report on the infrastructure software currently deployed, including the status of the licenses purchased or issued. In addition, although there was a project underway to identify and address the gaps for certain desktop software, there was no control in place to prevent SSC from issuing more desktop software licenses than were purchased. Overall, SSC was unable to provide assurance that the lifecycle of all software assets was appropriately managed.
26. Without awareness of all the assets that the Department owns (legacy and enterprise), SSC is not able to ensure that it is effectively managing the lifecycle of all of its IT assets.

Information to Support the Lifecycle Management of Information Technology Assets

27. We expected SSC to have accurate and sufficient information to support the management of IT assets throughout their lifecycle. However, we found problems in the accuracy and sufficiency of the information available to support the management of IT assets.
28. SSC used two different software systems for the lifecycle management of IT assets (i.e. ECD and HP Asset Manager). ECD was used to track enterprise assets which consisted namely of: infrastructure hardware, servers, networks, switches, etc. HP Asset Manager was used for legacy hardware, as well as for desktops, laptops, software and other end-user assets.
29. SACM identified and documented, through business rules, which fields and information were required to track and manage the lifecycle of IT assets. Reports were generated from the ECD and HP Asset Manager databases containing all SSC assets up to June 30, 2015, were reviewed as part of the audit. We compared this data to the information identified as required by SACM.
30. We found some controls in place to help ensure the required information collected was accurate and sufficient. However, there were several weaknesses identified in the controls that impacted the accuracy and sufficiency of the information captured in both tools:
    • The business rules were very general and did not specify which specific field(s) in either system should be populated (e.g. the business rules state “Location” is required, but there are multiple fields in the systems that contain location-type information)
    • There was additional information identified as important by SACM that was not captured in the business rules; and
    • There were automated, system enforced controls for the collection of some required information, but not all
31. In addition, we identified weaknesses with some of the automated controls in the tools:
    • Generic options were available in system enforced drop-down fields, such as “Please Select a Value” or “Unknown”; and
    • Certain required fields allowed a blank entry
32. We found that the location fields (i.e. codes, descriptions, tower, floor and room) were not enforced in ECD and although some location fields were enforced in HP Asset Manager, there were cases where the combined information populated in the location fields in both systems did not provide accurate or sufficient information to locate some assets.
33. After finding the above inconsistencies with location fields in ECD, we conducted an inventory validation exercise at one SSC location. We found that:
    • Of the assets that were visible (i.e. in hallways and boardrooms), there were 60 assets that were required to be tagged and tracked in the system
    • 35 of 60 (58%) assets should have had asset tags but either did not or they were not visible
    • Of the 25 asset tags we identified, 18 were SSC tags and 6 were Public Works and Government Services Canada tags; and
    • Only one asset was found in ECD and none in HP Asset Manager
34. These observations could have been due to a combination of timing and lack of a centralized ITAM function when SSC was created. SSC did not have its own asset tags at the outset which resulted in assets being tagged with other department tags (even if they were considered SSC assets). In addition, there were no centralized processes, tools or controls in place to track any assets that were tagged even after SSC received their own asset tags.
35. The lack of visibility of all IT assets combined with the process and control weaknesses resulted in SSC’s inability to provide accurate and sufficient information to monitor the management of all IT assets throughout their lifecycle.

Monitoring of the Management of Information Technology Assets

36. We expected that SSC would have mechanisms in place for monitoring and reporting on the management of IT assets. TB Policy Framework for the Management of Assets and Acquired Services required Deputy Heads to ensure that practices were in place for asset management within the department and that monitoring and reporting on the management of materiel occurred.
37. We found that SSC’s draft Framework stated that the Chief Information Officer (CIO) was responsible for developing, maintaining, implementing measurement indicators and data collection tools for the Framework and for reporting on them. However, we found no systematic monitoring was taking place in relation to the overall management of IT assets at SSC; the CIO planned to develop metrics once the Framework was approved.
38. A delay in the approval of the Framework was impeding the development of metrics, indicators and the reporting of these indicators affecting the ability of the Deputy Head to monitor and report on the management of materiel at SSC and results in non-compliance with TB requirements. 

Conclusion

39. The objective of the audit was to provide assurance on the adequacy of ITAM at SSC and to ensure compliance with government policies and SSC procedures.
40. We found that SSC developed a draft Framework for SSC Material “Inventory and Disposal” Management and that the Framework and instruments were in line with applicable requirements as set out in the TB Policy Framework for the Management of Assets and Acquired Services and the TB Policy on Management of Materiel. However, it was neither approved nor communicated.
41. We found that stakeholders were consulted and improvements were made to the Framework to reflect the comments received throughout the consultation process. However, there had been insufficient communication regarding roles and responsibilities and the centralization of the ITAM function.
42. We identified several issues with the processes and controls that impacted SSC’s ability to provide assurance that all enterprise assets (hardware and software) were being adequately managed. Without awareness of all the assets that the Department owns (legacy and enterprise), SSC is not able to ensure that it is effectively managing the lifecycle of all of its assets.  
43. We found deficiencies in the accuracy and sufficiency of the information available to support and monitor the management of IT assets. There were inconsistencies in the identification of what information was required for the lifecycle management of IT assets and the controls in place to ensure the required information was captured in the appropriate tracking tool.
44. We found that there was no systematic monitoring taking place in relation to the overall management of IT assets at SSC; the CIO planned to develop metrics once the Framework was approved.

Management Response

Overall Management Response

Management agrees with all the findings, conclusions, and recommendations. Actions will be taken to ensure compliance with the TB Policy Framework for the Management of Assets and Acquired Services and the TB Policy on Management of Materiel.

Clear roles and responsibilities will be communicated in parallel to the implementation of the Material Management Internal Policy Instruments (Directive and Standards) associated with inventory control, stocktaking, transfer, loan, donation and disposal.

While there are existing processes and controls in place, SSC’s ITAM processes for all IT assets will be developed and a communication plan will be implemented to inform SSC employees outside of SACM of their roles and responsibilities pertaining to ITAM.

Annex A: Audit Criteria

The following audit criteria were used in the conduct of this audit:

1. SSC has a governance structure in place to ensure that IT assets are managed appropriately and in compliance with Government of Canada and SSC policies.
2. SSC has processes in place for the lifecycle management of IT assets which meet the applicable policies and directives.
3. SSC tracks its IT assets throughout their lifecycle and has access to accurate and sufficient information.

Annex B: Acronyms

Free PDF download

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet:

• Adobe Reader
• Foxit Reader
• Xpdf
• eXPert PDFReader