Audit of Shared Services Canada’s Governance Framework

 

Audit Report


Executive Summary

What we examined

The objective of the audit was to provide assurance regarding the adequacy and effectiveness of Shared Service Canada’s (SSC) corporate governance (structure, processes, controls and information for decision making) with a view to supporting efficiency, accountability and achievement of SSC’s mandate.

The scope of the audit included SSC’s governance structure, processes, tools and controls including the application of these processes, tools and controls from August 1, 2013 to September 30, 2014.

Why it is important

According to the 2013–2014 Integrated Business Plan, SSC’s senior management committee structure was a reflection of the Department’s ongoing commitment to establishing and maintaining collaborative working relationships with partner organizations. The governance structure was streamlined, with a view to supporting efficiency, accountability and the achievement of results.

Effective governance is essential for enabling an organization to inform, direct, manage, and monitor its activities toward the achievement of its objectives. In the public sector, governance also ensures the entity’s credibility, establishes equitable provision of services, and assures appropriate behaviour of government officials — reducing the risk of public corruption.

What we found

All executive committees included in this audit had documented and communicated their roles and responsibilities in their respective terms of reference (ToR). We found inconsistencies between the decision-making authorities listed in the ToRs for some committees and what was expected of them according to SSC’s Project Governance Framework.

There was no documented decision-making process for how decisions were made in the committees. However, we found that all decisions we reviewed were made at the appropriate committee, were within the committees’ mandate and were recorded in the meetings’ records of decisions (RoD).

We found tools in place to support effective decision making, such as the creation of meeting agendas, corresponding RoDs and action trackers. However, we found issues regarding attendance, agenda management and action tracking.

We found that the Departmental Vacancy Management Committee was not addressing its strategic objectives, had incomplete record keeping and did not meet as required in the ToRs.

Information provided to the senior committees was generally sufficient, accurate and timely.

Mechanisms were in place to monitor the efficiency of SSC’s governance structure on an ongoing basis. Work was also being done to assess the effectiveness of the structure, and the committees themselves were noted to be monitoring their own effectiveness.



Yves Genest
Chief Audit and Evaluation Executive



Background

  1. Shared Services Canada (SSC) was established on August 4, 2011, to modernize how the federal government manages its information technology (IT) infrastructure in order to better support the delivery of programs and services to Canadians. SSC was created by transferring IT and internal services employees from 43 federal organizations. The Department brought together people, IT resources and assets to improve the efficiency, reliability and security of the government’s IT infrastructure. SSC was a relatively new department with a new structure and maturing culture, the environment was changing and evolving.

  2. This audit was approved by the President of SSC after being recommended by the Departmental Audit and Evaluation Committee (DAEC) as part of SSC’s 2013–2016 Risk-based Audit and 2013–2018 Evaluation Plan. SSC’s senior management identified governance as a high risk; unclear roles and responsibilities and the risk of objectives not being met in a timely fashion were specific areas of concern.

  3. The Organization for Economic Co-operation and Development described corporate governance as “a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives (i.e. strategy) of the company are set, and the means of obtaining those objectives and monitoring performance are determined.”

  4. ISACA stated that “governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”

  5. In addition, the Institute of Internal Auditors defined public sector governance as: “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the organization’s activities toward the achievement of its objectives. In the public sector, governance relates to the means by which goals are established and accomplished. It also includes activities that ensure a public sector entity’s credibility, establish equitable provision of services, and assure appropriate behavior of government officials — reducing the risk of public corruption.”

  6. According to the 2013–2014 Integrated Business Plan, SSC’s senior management committee structure was a reflection of the Department’s ongoing commitment to establishing and maintaining collaborative working relationships with partner organizations. The governance structure was streamlined, with a view to supporting efficiency, accountability and the achievement of results.

  7. SSC’s corporate governance committee structure included 11 committees (see Annex B). Five of these committees were external advisory bodies that provided venues for developing working relationships with partner departments that support the achievement of common goals. The remaining six committees were internal governance bodies that supported the day-to-day management of the organization and the fulfilment of its mandate to deliver modern and efficient IT infrastructure services within the Government of Canada.

Objective

  1. The objective of this audit was to assess the adequacy and effectiveness of SSC’s corporate governance (structure, processes, controls and information for decision making) with a view to supporting efficiency, accountability and achievement of SSC’s mandate.

Scope

  1. The scope of the audit included SSC’s governance structure, processes, tools and controls including the application of these processes, tools and controls from August 1, 2013 to September 30, 2014. This included:
    • The six internal executive committees at the Assistant Deputy Minister (ADM) level and above which support the day-to-day management of the Department and the fulfilment of its mandate, including:
      • The Senior Management Board (SMB);
      • The Corporate Management Committee (CMC);
      • The Operations Committee (OC);
      • The Business Transformation Committee (BTC);
      • The Operations Security Review Committee (OSRC); and
      • The Senior Project and Procurement Oversight Committee (SPPOC).
    • The Departmental Vacancy Management Committee (DVMC) based on its membership being composed of SSC senior management and due to the fact that it was identified as a risk during audit planning.
    • The following Director General (DG)-level committees with membership internal to SSC and targeting significant initiatives aligned with SSC’s mandate:
      • The DG Enterprise Project Execution Review and Oversight Committee;
      • The Government Enterprise Network Services DG Steering Committee; and
      • The Service Review Board (SRB).
    • Any documentation pertaining to governance at SSC during this timeframe.
  2. External committees were not included in the scope for the following reasons:
    • They were advisory bodies, rather than decision-making bodies;
    • They were comprised primarily of external members; and
    • No concerns were raised regarding the external committees in our planning interviews.
  3. In addition to consisting of external members, SSC’s DAEC was excluded from the audit scope due to potential conflict of interest posed by the Office of Audit and Evaluation auditing its own committee.

Methodology

  1. During the conduct of the audit, we:
    • Interviewed members of SSC senior management and governance committee stakeholders;
    • Attended governance committee meetings;
    • Analyzed committee documents such as terms of reference (ToR), records of decisions (RoD) and agendas;
    • Reviewed a sample of 25 agenda items from the SMB, CMC, SPPOC and BTC; and
    • Reviewed relevant documents such as previous audits, results of internal governance review activities and industry literature on governance.
  2. Field work for this audit was substantially completed by December 2014.

Statement of assurance

  1. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion were based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. This engagement was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. A practice inspection has not been conducted.

Detailed Findings and Recommendations

Roles, Responsibilities and Procedures for Effective Decision Making

  1. We expected SSC to have documented and communicated the roles and responsibilities for effective decision making as found in the Treasury Board of Canada Secretariat Management Accountability Framework (MAF).

  2. We found that all executive and DG-level committees included in this audit had documented and communicated their roles and responsibilities in their respective ToRs. The executive committee ToRs were available to employees via SSC’s Extranet. We found the approval of ToRs was inconsistent, both in who approved them and how they were documented. ToRs were approved by either the delegating committee or the committee itself. There was also no clear expectation as to how changes to the ToRs were to be approved. We also noted that ToRs were neither dated nor had version tracking. As a result, it could be unclear to stakeholders as to whether the up-to-date ToRs were being consulted which could impact employees who were using them in their work.

Recommendation 1

The Senior Assistant Deputy Minister, Corporate Services and Chief Financial Officer should ensure that committee terms of reference (ToR) are approved by the decision-making authority delegating the authority to the committee and that the ToRs include dates and versioning information.

Management response:

Management agrees with the recommendation. ToRs for internal executive committees will be circulated by the Executive Committees group periodically to committee chairs for review by each committee and then to the President of SSC for final approval.

  1. We found inconsistencies between the decision-making authorities listed in the ToRs for some committees and what was expected of them according to SSC’s Project Governance Framework (PGoF). The PGoF required the involvement of the SMB, SPPOC and BTC as part of its documented approval process. The ToRs for these committees did not contain these responsibilities which may lead to inadequate or inappropriate decision making.

Recommendation 2

The Senior Assistant Deputy Minister, Corporate Services and Chief Financial Officer should ensure consistency with the decision-making authorities stated in SSC’s Project Governance Framework.

Management response:

Management agrees with the recommendation. ToRs for internal executive committees will be updated to include the gate approval requirements for each Project Complexity and Risk Assessment level, as stated in version 2.0 of SSC’s PGoF, dated May 2014.

Decision-Making Process

  1. We expected to find a documented decision-making process for decisions made in the committees. However, we found no documented decision-making process for the executive committees. None of the executive committees’ ToRs stated whether decisions were by majority vote, consensus or decisions were to be made by the committee chair alone. Not having a documented and communicated decision-making process could lead to confusion and unclear committee accountability.

  2. Only the SMB documented what constituted a quorum for holding a meeting and the DVMC documented the requirements for a quorum for decision making. Although the SRB did not have a documented decision-making process, the ToRs stipulated who must be in attendance for key presentations.

Recommendation 3

The Senior Assistant Deputy Minister, Corporate Services and Chief Financial Officer should establish and document decision-making processes for each of the executive committees, including quorum.

Management response:

Management agrees with the recommendation. ToRs for internal executive committees will be updated to include the decision-making process as well as the accountability reporting structure. Quorum will also be specified.

  1. We expected to find that decisions made were at the appropriate committee and within the committee’s mandate. We found that all decisions we reviewed were made at the appropriate committee, were within the committees’ mandate and were recorded in the meetings’ RoDs.

  2. We reviewed a list of items sent directly to the President of SSC and the Chief Operating Officer for decision to determine if they were following the appropriate approval processes and concluded that they did follow the expected governance structure.

Decision-Making Tools

  1. We expected that tools would be in place to support effective committee decision making. We found the committees used meeting agendas, corresponding RoDs and action trackers as their primary tools. However, we found several issues regarding attendance, agenda management and action tracking.

  2. We found that meeting attendance varied between committees. For example, the average attendance for each committee reviewed was as follows: We found that meeting attendance varied between committees. For example, the average attendance for each committee reviewed was as follows:
    • SMB: 90%;
    • CMC: 75%;
    • SPPOC: 95%;
    • BTC: 76%;
    • OC: 68%; and
    • OSRC: 85%.
  3. However, this did not impact the meeting frequency as replacements were sent in most instances.

  4. We also found that items were not accurately categorized in the agendas. For example, 9 of 25 agenda items were identified as being “for information” or “for discussion”, but resulted in documented decisions being made. If item owners were unclear about the purpose of their presentation in the agenda, it could result in committee members being unprepared for the meeting and create inconsistencies in overall committee record keeping. We found this to not be a significant issue and management has been advised.

  5. From our sample of agenda items, we found that not all items were recorded in the committee’s action tracker, and only one item was marked as completed during the scope of the audit. For the remaining items, we were unable to determine if the actions were taken due to missing or incomplete information in the action tracker.

Recommendation 4

The Senior Assistant Deputy Minister, Corporate Services and Chief Financial Officer should ensure that action items issued by the committees are properly documented and tracked.

Management response:

Management agrees with the recommendation. Since September 2014, the Executive Committees group has established processes and tools to support the ability to document and track executive committee business decisions.

Departmental Vacancy Management Committee

  1. We expected the DVMC to function as stipulated in its ToRs. Throughout the scope of the audit, we found that the DVMC did not address its strategic objectives, it had incomplete record keeping and it did not meet as required.

  2. Two of the DVMC’s strategic objectives were to “ensure transformation initiatives and projects (from planning to execution) are resourced in an effective and timely manner” and to “ensure that business continuity and service to Canadians is maintained”. We found only 13 of 30 (43%) expected meetings occurred during the audit scope. Due to these cancellations, there was a risk that these strategic objectives would not be met. Staffing actions were being put on hold, which created operational difficulties that directly affected the organization. We found that measures were initiated near the end of the scope of this audit to try to reduce the number of meeting cancellations due to conflicting schedules.

  3. We generated a list of 111 staffing actions based on the DVMC’s staffing action information repository (entitled “DVMC Master List”). Only 65 of 111 (59%) of the reviewed items were found on the DVMC RoDs. Some of the remaining items were scheduled to appear at committee meetings but were approved secretarially due to meeting cancellations. For 24 of 111 (22%) staffing actions, we were unable to determine whether there was a DVMC decision.

  4. A majority of staffing items (106 of 111) were in line with the requirements set out in the ToRs. There were control weaknesses noted as staffing items were accepted and approved without all of the required information, such as the verification of Gateway to Mobility or the approval of the Senior Assistant Deputy Minister. We also found that the DVMC Master List did not always accurately reflect the information provided on the DVMC Approval Request Form.

  5. DVMC’s ToRs stated that all voting members must be present for quorum to be established. We identified seven meetings where there was no quorum due to the absence of at least one member without an alternate present. During those meetings, 24 staffing items were presented and 20 were approved despite not having met the requirements for quorum. As quorum was not established, these approvals should not have been given.

Recommendation 5

The Chair of the Departmental Vacancy Management Committee should ensure that:

  • meetings take place in accordance with the terms of reference;
  • proposed staffing actions meet all requirements prior to being tabled at a meeting; and
  • decisions are appropriately recorded.

Management response:

The Chair of the DVMC agrees with the findings of the audit. SSC is reviewing its governance as part of its Way Forward, and will be replacing the current DVMC with an approach that integrates workplace management into its formal governance structure and ensures that staffing activity is planned, approved and regularly monitored.

  1. We expected that the information provided to SSC senior level committees would be sufficient, accurate and timely. From our review of the RoDs, we found all but one committee had indicated issues with the sufficiency of information. These committees noted the need for more information, clarification or granted conditional approvals due to the insufficiency of the information. However, we found this was not a significant concern as there were actions taken to address the insufficiencies and minimise the impact on the ongoing operations.

  2. We found no concerns from committee members regarding the accuracy of information presented at the SMB, CMC, SPPOC, BTC and OSRC. At the OC, there was one instance in which changes were requested due to the accuracy of reporting on three incidents (two related to the origin of the incidents, the other related to the reporting time), but this did not impact the discussion of those incidents.

  3. The Executive Committee Directives stated that documentation for internal executive committees was required to be submitted 48 hours in advance of the meetings. Interviewees were generally satisfied with the timeliness of information provided.

Monitoring the Efficiency and Effectiveness of Shared Services Canada’s Governance Structure

  1. We expected SSC’s governance structure to be monitored in a regular and timely manner to ensure its efficiency and effectiveness in accordance with the policy and programs and governance and strategic elements of the MAF. During the audit, SSC’s Corporate Secretariat was performing two reviews to assess the efficiency of SSC’s governance structure. The first was a quarterly review process, which looked at the functioning of the senior committees. These reviews were limited to processes and tools and did not touch on committee structure, decision making or committee ToRs. It was expected that the frequency of this review would be reduced to bi-annually.

  2. The second review process was at the ADM- and DG-level committees and working groups review. Through that process, 58 different committees with membership at the DG-level or above had been identified and preliminary inventories of those committees had been taken. The review was still underway at the completion of the audit work.

  3. The efficiency of SSC’s committees was also addressed by the Executive Committee Directives, which issued guidance on topics such as length of presentation decks, when materials should be submitted to committees, security measures and avoiding meeting disruptions (e.g. limiting the use of handheld devices).

  4. The ADM- and DG-level review was looking to examine issues related to the effectiveness of the governance structure (e.g. examining the linkages between the committees and mapping out how items move through the governance process). We were advised that executive committees were monitoring their own effectiveness through the committee chairs.

Conclusion

  1. The objective of this audit was to assess the adequacy and effectiveness of SSC’s corporate governance (structure, processes, controls and information for decision making) with a view to supporting efficiency, accountability and achievement of SSC’s mandate.

  2. All executive committees included in this audit had documented and communicated their roles and responsibilities in their respective ToRs. We found inconsistencies between the decision-making authorities listed in the ToRs for some committees and what was expected of them according to SSC’s PGoF.

  3. There was no documented decision-making process for how decisions were made in the committees. However, we found that all decisions reviewed were made at the appropriate committee, were within the committees’ mandate and were recorded in the meetings’ RoDs.

  4. Based on our review, we concluded that there did not appear to be a risk of items circumventing the formal governance structure.

  5. We found some tools in place to support effective decision making, such as the creation of meeting agendas, corresponding RoDs and action trackers. However, there were issues regarding attendance, agenda management and action tracking.

  6. We found that the DVMC was not functioning as intended. There were issues identified with frequent meeting cancelations, the lack of strategic direction setting and record keeping.

  7. Information provided to the senior committees was generally sufficient, accurate and timely. The committees were able to mitigate any concerns by requesting additional information, clarifications, or issuing conditional approvals.

  8. The efficiency of the governance structure was monitored on a regular basis by the Corporate Secretary’s quarterly review process. An ADM- and DG-Level Committees and Working Groups review was also taking place to assess the effectiveness of the governance structure. These mechanisms were supplemented by committee self-monitoring.

Management Response and Action Plans

Overall Management Response

Management has reviewed the summary of findings on the audit of SSC’s governance framework and agrees with the findings of the audit and the recommendations.

SSC agrees that the executive committee ToRs must be consistently reviewed and approved. Final versions must be available to stakeholders to ensure that they are fulfilling their roles as expected. SSC also agrees that it is important to monitor and track action items resulting from committee meetings. In addition, SSC is reviewing its governance as part of its Way Forward, and will be replacing the current DVMC with an approach that integrates workplace management into its formal governance structure and ensures that staffing activity is planned, approved and regularly monitored.

Recommendation 1

The Senior Assistant Deputy Minister, Corporate Services (CS) and Chief Financial Officer should ensure that committee terms of reference (ToR) are approved by the decision-making authority delegating the authority to the committee and that the ToRs include dates and versioning information.

MANAGEMENT ACTION PLAN POSITION
RESPONSIBLE
COMPLETION
DATE
ToRs for internal executive committees will be circulated by the Executive Committees group periodically to committee chairs for review by each committee, to incorporate any required changes.

Revised ToRs will then be submitted to the President of SSC for final approval. They will be dated and clearly identified as final versions. Draft versions will also be dated and clearly identified as such.

Changes to the organizational structure, as of April 1, 2015, will also be incorporated into the revised ToRs for internal executive committees.

The ToRs review and approval process will be incorporated into the Executive Committee Directives document.
Director General, Corporate Secretariat June 30, 2015

Recommendation 2

The Senior Assistant Deputy Minister, Corporate Services (CS) and Chief Financial Officer should ensure consistency with the decision-making authorities stated in SSC’s Project Governance Framework (PGoF).

MANAGEMENT ACTION PLAN POSITION
RESPONSIBLE
COMPLETION
DATE
Terms of reference (ToR) for internal executive committees will be updated to include the gate approval requirements for each Project Complexity and Risk Assessment level, as stated in version 2.0 of the SSC PGoF, dated May 2014.

ToRs will then be circulated by the Executive Committees group to committee chairs for review by each committee. Revised ToRs will then be submitted to the President of SSC for final approval.
Director General, Corporate Secretariat June 30, 2015

Recommendation 3

The Senior Assistant Deputy Minister, Corporate Services (CS) and Chief Financial Officer should establish and document decision-making processes for each of the executive committees, including quorum.

MANAGEMENT ACTION PLAN POSITION
RESPONSIBLE
COMPLETION
DATE
Terms of reference (ToR) for internal executive committees will be updated to include the decision-making process as well as the accountability reporting structure. Quorum will also be specified.

ToRs will then be circulated by the Executive Committees group to committee chairs for review by each committee. Revised ToRs will then be submitted to the President of SSC for final approval.
Director General, Corporate Secretariat June 30, 2015

Recommendation 4

The Senior Assistant Deputy Minister, Corporate Services (CS) and Chief Financial Officer should ensure that action items issued by the committees are properly documented and tracked

MANAGEMENT ACTION PLAN POSITION
RESPONSIBLE
COMPLETION
DATE
Since September 2014, the Executive Committees group has established processes and tools to support the ability to document and track executive committee business decisions.

More specifically, action trackers are used to register action items that have been agreed upon and captured in the record of decisions by respective committees. Each action item’s relevant business information, including committee lead and project manager as well as expected completion dates, is documented in the action tracker by the Executive Committees group and confirmed by each Executive Committee’s chair.

Follow-up presentations, along with their respective leads, are then scheduled and tracked through the Executive Committee Integrated Forward Agenda, which is sent to all management at the Assistant Deputy Minister level on a weekly basis.

In conjunction with project leads, the Executive Committees group documents and tracks the movement of action items and their return to committee for presentation until close-out.
Director General, Corporate Secretariat Completed

Recommendation 5

The Chair of the Departmental Vacancy Management Committee (DVMC) should ensure that:

  • meetings take place in accordance with the terms of reference;
  • proposed staffing actions meet all requirements prior to being tabled at a meeting; and
  • decisions are appropriately recorded.
MANAGEMENT ACTION PLAN POSITION
RESPONSIBLE
COMPLETION
DATE
The DVMC will be replaced with the implementation of Human Resources (HR) Plans for each Branch that will proactively identify HR priorities and requirements.

Once approved through formal governance, these plans will serve as the authority to proceed with staffing. Plans will be regularly monitored by the Corporate Management Board, and a dashboard to monitor performance and workforce growth will be developed for this purpose.
Director General, HR and Workplace September 30, 2015

Annex A: Audit Criteria

The following audit criteria were used in the conduct of this audit:

  1. SSC established roles, responsibilities and procedures for effective decision making.
  2. Information provided to oversight bodies was sufficient, timely and accurate.
  3. SSC’s governance structure was monitored in a regular and timely manner to ensure its efficiency and effectiveness.

Annex B: Shared Services Canada’s Governance Structure

SSC Governance Structure

Annex C: Acronyms

The following table provides definitions for acronyms used in this document.

Acronym Name in Full
ADM Assistant Deputy Minister
BTC Business Transformation Committee
CMC Corporate Management Committee
CS Corporate Services
DAEC Departmental Audit and Evaluation Committee
DG Director General
DVMC Departmental Vacancy Management Committee
HR Human resources
IT Information technology
MAF Management Accountability Framework
OC Operations Committee
OSRC Operations Security Review Committee
PGoF Project Governance Framework
RoD Record of decisions
SMB Senior Management Board
SPPOC Senior Project and Procurement Oversight Committee
SRB Service Review Board
SSC Shared Services Canada
ToR Terms of reference

Free PDF download

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase on the Internet:

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: