Audit of Workload Migration - 2023

Executive summary

The Workload Migration (WLM) Program was established in 2018 to move partner departmental data and applications from aging legacy data centres to enterprise data centres and/or to cloud services. It is expected that over 300 mission critical applications will be transitioned to modern and reliable Enterprise Services. The Workload Migration Program also aims to consolidate small and medium legacy data centres to Enterprise Data Centres.

Overall, the audit team found that:

• While the WLM Program governance structure was adequately defined and communicated, there were opportunities to improve record keeping, to follow-up on action items and to provide risk oversight.
• The WLM Program had adequate risk management processes except for risk integration and risk reporting to WLM governance committees. Risk management processes were implemented as designed.
• The WLM Program had adequate and effective change control management processes for identifying, approving, and tracking project changes.
• The WLM Program had effective internal stakeholder management overall, however, it was inconsistent in terms of identification. External stakeholder management was ineffective in terms of identification and engagement.
• The WLM Program projects prioritization criteria, endorsement and approval processes were defined, however, documentation for projects prioritization endorsement and approval was lacking.
• The WLM Program had adequate and effective human and financial resource management processes. Despite good practices and efforts, the WLM Program was still impacted by a scarcity of qualified resources.

Begonia Lojk, CIA
Chief Audit and Evaluation Executive, Shared Services Canada

A. Introduction

1. Background

The Workload Migration (WLM) Program supports Application Modernization, a core Shared Services Canada (SSC) 3.0 priority. Led by the Project Management and Delivery Branch (PM&D), the WLM Program was established in 2018 and is funded through to fiscal year 2023-24. The release of the Cloud First Digital Strategy in 2020 prompted a reassessment of the WLM Program's direction and priorities.

The WLM Program aims to:

• Oversee the migration of partner department data and applications from aging legacy data centres to enterprise data centres (EDCs) and/or cloud services;
• Launch enabling projects and activities related to enterprise solutions;
• Provide funding for the emergency closure of small to medium-sized legacy data centres (DC).
• Provide core enabling services to SSC/TBS to effectively migrate workloads to modern solutions.

To achieve these objectives, SSC works closely with partner departments to identify the applications most at risk and with the highest potential impact on services to Canadians. Workload migration is a complex process that requires coordination across SSC branches and SSC service lines, and collaboration with partner departments and other external stakeholders.

PM&D is responsible for overseeing the delivery of 15 WLM projects, organized into waves (see Annex B) and managed by different directorates at different stages of progress. Up to March 31, 2022, the WLM Program had received total funding of $374 million and spent $367 million of this. The delivery of WLM projects was allocated $320 million, and had spent $316 million of this allocation. The total WLM funding is $578 million, to be ending in fiscal year 2023-24. Of the 15 WLM projects, one project had been completed, and 14 were at various stages of progress at the time of the audit.

Ultimately, the WLM Program is critical for modernizing data and applications in government organizations. By consolidating and migrating mission-critical applications and data from at-risk legacy data centres to modern solutions, the program helps ensure that essential services continue to be delivered to Canadians in an efficient and effective manner.

2. Rationale for the audit

The rapid introduction of COVID-19 related projects temporarily shifted focus away from organizational priorities, including the WLM Program, causing delivery delays. Given the importance of the WLM projects in supporting the Government of Canada (GC) and SSC strategic priorities, and the risk of critical GC application failure, it was decided to include an Audit of WLM in the 2021 to 2024 Risk Based Audit Plan

3. Audit authority

The audit engagement was approved by the President in July 2021, as recommended by the Departmental Audit Committee during its review of the 2021 to 2024 Risk-Based Audit Plan.

4. Objective of the audit

The objective of this audit was to provide assurance that SSC has adequately designed and implemented processes to oversee and manage the WLM Program and projects.

5. Scope

The scope of this audit included WLM program governance, management processes and project management activities for the portfolio of active and completed WLM projects between January 1, 2018, and March 31, 2022. Key SSC WLM Program areas for review included:

Key SSC WLM Program areas for review

Area	Processes
Oversight	Program and projects oversight
Risk management	Program and project level
Program management	Project prioritization, stakeholder, and change control management
Resource management	Human and financial resource management

The DC Closures initiative and WLM Services were not included in the scope of this engagement except for the WLM Factory, which enables scaling the delivery of WLM projects by providing a supply arrangement, standardized migration delivery practices, and dedicated support. The activities under the responsibility of partner departments were also excluded.

6. Methodology

The audit was conducted by means of:

• Interviews with senior management and operational staff;
• Document review; and
• Testing of controls.

A sample of four WLM projects was selected based on project stage and gate for audit field work:

Project Name	PCRA* Rating	Stage	Gate
WLM of Public Services and Procurement Canada (PSPC) ██████████ Legacy Data Centre	2	Completed	-
WLM of Environment and Climate Change Canada (ECCC) ██████████ Legacy Data Centre	2	Execution	3
WLM of Innovation, Science and Economic Development (ISED) ██████████ Legacy Data Centres	2	Planning	2
WLM of Transport Canada (TC) ██████████ Data Centre	2	Planning	2

(*) PCRA: Project Complexity and Risk Assessment

7. Statement of conformance

This engagement was conducted in conformance with the Institute of Internal Auditors International Professional Practices Framework and the Treasury Board Policy on Internal Audit, as supported by the results of Office of Audit and Evaluation’s quality assurance and improvement program.

B. Findings, recommendations and management response

1. Governance

1.1 WLM governance structure is adequately defined and communicated

The audit team expected the WLM Program to have an adequately defined and communicated governance structure to provide oversight, direction, decision making and risk management.

The audit team assessed the governance of the WLM Program, which is concerned with the structures, systems, and practices that define decision-making authorities, oversee delivery and report on performance.

The audit team also assessed whether a governance structure was defined and communicated to stakeholders and found that the WLM Program is overseen externally by several government interdepartmental bodies (see Figure 1), including:

• the Deputy Minister Committee on Enterprise Priorities and Planning (DM CEPP),
• the Assistant Deputy Minister Committee on Enterprise Priorities and Planning (ADM CEPP),
• the Government of Canada Enterprise Architecture Review Board (GC EARB), and
• the WLM and Cloud Enablement Working Group, which is co-chaired by SSC’s Director General (DG) – Project Portfolio Management (PPM) Directorate and a representative from the Office of the Chief Information Officer (OCIO) and includes members from partner departments.

Long description for WLM Program Governance

The diagram describes the Workload Migration Program’s (WLM) governance structure starting with the Workload Migration working group up to the Treasury Board (TB) of Canada:

• The WLM working group, co-led by Shared Services Canada (SSC) and the Treasury Board Secretary – Office of the Chief Information Officer (TBS – OCIO), includes members from SSC, the Treasury Board Secretary – Office of the Chief Information Officer, Public Service and Procurement Canada (PSPC), Communication Security Establishment (CSE) and Customer Departments participating in the program. The WLM working group manages the Workload Modernization and Migration including the discovery, the planning and execution as well as prioritization funding ($110M) and project management.
  • The WLM working group seeks architectural decisions from the Government of Canada Enterprise Architecture Review Board (GC EARB), prioritization endorsement from Assistant Deputy Minister Committee on Enterprise Planning and Priorities (ADM CEPP), and reports to the Project Management Board (PMB) – composed of ADM level representatives from SSC, TBS-OCIO and Customer Departments – on project and issues management.
• GC EARB provides feedback to the WLM working group on architectural decisions, and reports to the ADM CEPP on architectural decisions and seeks approval from Government of Canada Chief Information Officer (CIO) on prioritization and funding allocation (accountable).
  • PMB reports to the SSC President, provides feedback to the WLM working group on project and issues, and reports quarterly to the ADM CEPP on project status.
• The ADM CEPP reports on its prioritization approvals to the Deputy Minister (DM) CEPP.
• The DM CEPP provides feedback to Government of Canada Chief Information Officer (CIO) on the prioritization approval and advises the Secretary of the TB on the prioritization approval.
• The GC CIO approves the prioritization and allocation of funding.
• The Secretary of the TB of Canada provides advice to the TB of Canada.

Internally, the WLM Oversight Forum (Senior Director level) and the WLM Steering Committee (DG level) were established in April 2021 to provide strategic decision-making, support ongoing progress and oversight for the WLM Program. The WLM Oversight Forum, responsible for tactical direction and oversight, is chaired by the Senior Director of the WLM Program within the PPM Directorate, and has various stakeholders as members, including representatives from the Data Centre Services Projects (DCSP) Directorate, Data Centre Services Branch (DCSB), and Networks & Security Services Branch (NSSB). The WLM Steering Committee, which oversees strategic decision-making, is chaired by the DG - PPM and includes members from other PM&D Directorates and branches, including DCSB and NSSB.

Both the WLM Oversight Forum and Steering Committee have Terms of Reference (TOR), that define their mandates, roles, responsibilities, membership, and operations. The committees' TORs were endorsed by the respective committee members. In addition, the SSC project gating process provides another layer of oversight through the Project Management Board (PMB) and the Finance, Investment, and Internal Management Board (FIIMB). The WLM Program team also provided quarterly updates to FIIMB.

The WLM governance structure was communicated to internal and external stakeholders through the endorsement and approval of WLM-related artefacts and was made available through the WLM Program and projects’ presentations. The charters of sampled projects were communicated to and endorsed by the business owner, project sponsor, PM&D DGs, project manager, and PMB through the gating process. Partner departments' representatives were invited to attend PMB meetings where their respective projects’ charters were tabled.

1.2 WLM Governance Committees meet regularly to provide timely decisions and results are communicated to relevant stakeholders

The audit team expected that the WLM Program and projects governance committees met regularly to provide timely decisions, control and oversight and their decisions were recorded and communicated to relevant stakeholders.

The audit team assessed the functioning of the WLM Program's governance committees, evaluating whether they met regularly, documented and communicated their decisions, and tracked and followed-up on action items. The team found that the WLM Steering Committee met quarterly and the WLM Oversight Forum held six meetings. While the Oversight Forum had one approved record of decisions (ROD), only one draft ROD was prepared for the five remaining meetings held. Despite the committees' TORs including risk management responsibilities, the Oversight Forum discussed risks only once and the Steering Committee did not discuss risks at all.

Causes and impacts

Shortcomings in record keeping, tracking of action items, and risk management discussions at the governance level due to a lack of maturity in the governance structure and the absence of operational requirements for risk management. This could lead to a lack of direction and accountability, and ineffective risk management for the WLM Program and impact the WLM program’s ability to deliver on its objectives.

Recommendation 1

Medium priority

The Assistant Deputy Minister, Project Management and Delivery Branch should establish and implement processes to ensure that the WLM Oversight Forum and Steering Committee maintain records of decision, follow-up on action items and provide risk management oversight.

Management response

Management agrees

WLM Secretariat Procedure has been established to further define the accountabilities/requirements related to the Program Management Office’s (PMO) management of WLM Governance committees. This includes the implementation of the WLM Integrated Governance Continuous Improvements, Risks, Actions, Issues and Decisions (CI-RAID) tool in order to effectively track/monitor risks, actions, issues and decisions; monitored on a bi-weekly basis with necessary Office of Primary Interest (OPI) follow ups completed.

In addition, PMO has completed modifications to the CI-RAID procedure now enforcing the requirement to escalate WLM risks/issues through the Program's internal governance (Director level Enablement committee, Sr. Director Oversight Forum, DG Steering Committee, ADM Review board)

Lastly, enhancements to record keeping will be established through improved information management process (WIP).

2. Risk management

2.1 WLM has defined adequate risk management processes

The audit team expected the WLM Program and projects to have defined risk management processes that included risk identification, assessment, response, assignment to owners, reporting, monitoring and integration.

The audit team evaluated the risk management processes in place for the WLM Program and projects. The WLM Program had a clear risk management framework and guidelines, which outlined the process of risk identification, assessment, response, assignment of ownership, reporting, monitoring, and closing. The Continuous Improvement – Risks Actions Issues and Decisions (CI-RAID) was used to log risks and issues encountered. At the project level, the risk management processes were identified in SSC Project Risk Management Process and included identification, assessment, response, monitoring, and control. However, the process of risk closing was not defined at the project level. The risk reporting process was documented in the risk and issue management guidelines, which defined the audience and communication tools for risk reporting. The WLM Oversight Forum was responsible for identifying, addressing and escalating risks to the WLM Steering Committee, while the WLM Steering Committee was responsible for endorsing and validating risk mitigation strategies. It was found, however, that risk reporting to the governance committees was not mandatory, but only required "as appropriate".

The audit team found that risk integration between the WLM Program and projects was not well-defined. While some risks did align in terms of their general theme (for example, funding, resourcing), there was no clear link between the project-level risks and program-level risks. This lack of integration was observed as out of 22 project risks that could impact the program, only 12 (55%) were included in the WLM Program's risk register

Causes and impacts

The lack of maturity with organizational risk management processes and the absence of a formal risk integration process led to risks identified at the project level not to be taken into consideration in the management of WLM Program risks and vice versa. Furthermore, the requirements for risk reporting to governance committees were weak leading to a lack of risk reporting.

The absence of a defined risk integration process and weak requirements for risk reporting to the governance committees could result in ineffective risk management practices. This may limit senior management’s holistic view of the program's risks, leading to poor decision-making and inefficient use of resources. The lack of risk reporting could also lead to projects not effectively addressing their risks and potentially resulting in multiple projects facing similar risks with multiple resolutions. This could cause delays, unnecessary scope changes, and increased costs for the WLM Program.

Recommendation 2

High priority

The Assistant Deputy Minister, Project Management and Delivery Branch should define and implement:

• A process for the integration of WLM program and projects’ risk management activities to ensure a holistic view of risk.
• A process for periodic risk reporting to the WLM Oversight Forum and Steering Committee.

Management response

Management agrees

Quality Assurance (QA) Program Management Office (PMO) function established to review WLM Project risks/issues report on weekly basis, and subsequently incorporated within Program CI-RAID log as required, based on overall Program impact.

In addition, monthly CI-RAID meeting participation has been extended to include DCSP/Project Support Office (post Gate 2 WLM projects) for increased Project risks/issues line of sight.

Lastly, Program and Project risks/issues are in the process of being integrated within Power BI for overall improved management and alignment.

2.2 WLM risk management processes are effectively implemented

The audit team expected the WLM Program and projects to implement the defined risk management processes effectively.

The audit team assessed the implementation of the defined risk management processes for the WLM Program and projects. The audit team reviewed the WLM Program risk register (CI-RAID log) and found that the risk and issue practices were aligned with the defined risk management process requirements such as identification, assessment, response, ownership, monitoring, updating, and reporting. The audit team confirmed that the WLM Program risk register was compliant with the defined processes.

For the WLM projects, the audit team evaluated the Risk Management Plan and the Project Management Plan and found that they were approved and met the defined requirements for risk identification, analysis, response, ownership, and reporting. A review of high-risk items for three projects (ECCC, ISED, and PSPC) showed that they all met the defined risk management requirements. Of the 23 risks in these projects, 17 (74%) met the risk reporting requirements. Additionally, the audit team assessed the inclusion of Project Complexity and Risk Assessment questions with a score of 5 in the projects' risk registers and found that 12 out of 13 (92%) were included

3. Program management

3.1 WLM has adequate and effective change control management processes

The audit team expected the WLM projects to have a clear and effective change management process in place. Change management encompasses the methods and procedures used to handle changes that may impact a project and its outcomes.

To assess the change management process, the audit team examined the documentation and procedures for change control at SSC, evaluated high-priority change requests from the sampled projects, and conducted interviews with project management teams and stakeholders.

The audit team found that:

1. The change requests (CRs) for changes in costs, scope, schedule, and expected benefits needed PMB approval in addition to FIIMB approval for any cost-related changes.
2. The Operating Guide defined the change control process, including the requirement for CRs, roles and responsibilities of stakeholders, and approval authorities. The CR template provided by SSC's Project Management Centre of Excellence had detailed procedures and instructions.
3. The four sampled projects included change control processes in their project management plan (PMP), covering updates to project artifacts and documentation, priority ranking, categories, and project managers' approval authority for CRs in accordance with the Operating Guide.
4. Other aspects of change control management were addressed in the respective project charters, including change contingencies, baseline resets, approval authorities for CRs at the governance level, managing CRs through Enterprise Portfolio System, and project managers' roles and responsibilities.
5. Project managers utilized Enterprise Portfolio System to log CRs and store related documents.

All three high-priority CRs that were reviewed had clear descriptions, rationales, benefits, costs, and impacts. Two of the three had PMB approval, while the third was conditionally approved, however, the audit team could not obtain evidence of the condition being met. The CRs were communicated to stakeholders and approved by PMB, and approved changes were reflected in updated project artifacts.

A secretarial approach was implemented to approve low-risk CRs (under 10% change) to ease the burden on the project and governance committees. Changes that do not affect the scope, schedule, or budget, including changes to tasks or resources, could be approved by the project manager, sponsor, or steering committee if they do not impact the critical path. However, some interviewees expressed concern about the time spent on CR approval, which took 6 to 8 weeks.

3.2 WLM has effective internal and external stakeholder management processes

The audit team expected the WLM projects to have stakeholder management processes in place, with clear practices for both internal and external stakeholder management and communication.

The audit team reviewed the stakeholder management plans of the sampled projects to assess whether they were approved, and complete with information pertaining to the identification of communication tools, identification, analysis, and classification of stakeholders.

The audit team found that the WLM projects had proper documentation for stakeholder management processes, as required by the Operating Guide. The Communications and Stakeholder Management Plan (CSMP) was either a standalone document or included in the PMP, and all projects had a Communication Matrix template, however, the audit team noted instances where not all stakeholders were identified. Only the PSPC project listed key external stakeholders in their Communication Matrix; while other projects only included internal stakeholders as part of their Communication Matrix. During interviews, project management teams and stakeholders did not raise any concerns regarding information sharing and project updates but identified some challenges in identifying internal stakeholders. The audit team also found that early preparation of a standalone CSMP document was a best practice as it allowed for earlier engagement with key stakeholders, however, the Operating Guide and CSMP template lacked clear guidance and best practices for stakeholder identification and communication.

Causes and impacts

The Operating Guide and the template for the Project CSMP lacked guidance on stakeholder engagement. No clear direction or best practices in terms of stakeholder identification and communication was provided to project managers. This led to inconsistent practices across the board.

The inability to identify and engage all relevant stakeholders, who are key to efficient project completion, could lead to misunderstandings between both parties, resulting in ineffective communication strategies, project delays, cost overruns, or poor stakeholder relations.

Recommendation 3

High priority

The Assistant Deputy Minister, Project Management and Delivery Branch, should define and implement the requirements and standardized tools for internal and external stakeholder management, including timeliness and engagement requirements for WLM projects, with a view to maintain consistent engagement with stakeholders.

Management response

Management agrees

To be addressed via WLM Communication strategy and plans (a work in progress), as well external stakeholder engagement and management to be improved via recently endorsed (GC CIO) WLM/App Mod renewed Governance which will include Partner representation.

3.3 WLM has an effective project prioritization process

The audit team expected the WLM Program to have an effective project prioritization process that was documented, approved, and implemented. Doing so enables efficient resource allocation and delivery of projects to meet the WLM Program’s objectives.

The audit team examined project selection criteria documentation and conducted interviews with project management teams and stakeholders to assess whether selection criteria were defined and implemented.

The audit team found that the WLM Program had a defined project prioritization process that was documented, approved, and implemented. The prioritization process was outlined in the ████████████████████ and endorsed by various government interdepartmental governance bodies, including the WLM & Cloud Enablement Working Group, GC EARB, ADM CEPP, and DM CEPP. The Government of Canada Chief Information Officer (GC CIO) was responsible for approving project prioritization and funding allocation. The projects were prioritized based on selection criteria that included factors such as data centres at-risk of failure and high business value.

The audit team also found that the list of prioritized DCs presented in the ████████████████████ The prioritized projects then changed with the ████████████████████ The audit team could not obtain the evidence of endorsement by the DM CEPP and approval by the GC CIO for the re-prioritized projects.

Causes and impacts

Information management is especially complex when the information is generated and maintained outside of SSC. There was no defined process to maintain evidence of the prioritization process and the endorsement and approval of the criteria. It is critical that official project prioritization documentation be maintained as evidence of approvals as this may be requested by internal or external stakeholders. Failing to maintain key documentation records could be considered mismanagement and could result in a loss of trust and shortcomings in accountability and stewardship.

Recommendation 4

Medium priority

The Assistant Deputy Minister, Project Management and Delivery Branch, should define and implement processes for documenting and maintaining WLM project prioritization endorsement and approval.

Management response

Management agrees

Renewed WLM and AppMod Governance recently approved by GC CIO, which will include new and simplified process for project prioritization and initiation. Implementation underway to include documented process and information management structure.

4 Resource management

4.1 WLM has adequate and effective human and financial resource management processes

The audit team expected the WLM Program to have a process for planning, organizing, directing, and controlling human and financial resources to achieve the WLM Program and projects success and objectives within schedule and budget. Project Resource Management includes processes to identify, acquire, and manage resources needed for the successful completion of the project.

The audit team examined SSC’s project management processes and relevant WLM projects documentation, and conducted interviews with project management teams and stakeholders to assess the effectiveness and adequacy of resource management activities of the WLM Program.

Financial Resources:

Up until March 31, 2022, the WLM Program received total funding of $374 million and spent $367 million. The funding is planned to continue until fiscal year 2023-24 for a total of $578 million.

WLM ████████████████████ with funding of ████████████████████ respectively.

$320 million of the $374 million received so far was assigned to the delivery of WLM projects and the rest of the WLM budget was assigned to WLM Services, DC Closures and Internal Services ($316 million of the $320 million assigned to WLM projects was spent on project delivery).

Due to the WLM Program difficulty in identifying the appropriate skills coupled with COVID-19 pandemic-related supply chain issues, SSC shifting priorities, and partners’ readiness, the WLM Program’s allocated funds were reprofiled and used in subsequent fiscal years as seen below (figures in millions):

WLM Program’s allocated funds

██████████/Year:	2019-20	2020-21	2021-22	2022-23	2023-24	2024-25
█	█	█	█	█	█	█
█	█	█	█	█	█	█

Note: Reprofiled amounts are indicated with brackets and amounts allotted to subsequent years are used without brackets.

Cost Estimating:

Cost estimating is the process of assembling and predicting costs of a project over its life cycle. It allows project and program managers to predict future expenses in order to reduce the chances of budget overrun.

The PMPs and Project Charters for all sampled projects outlined the project costing calculations and estimates, and defined cost assumptions; and Project Charters for two of the three post-Gate 2 sampled projects, and the detailed business case for the remaining post-Gate 2 project, documented cost assumptions that could impact the project and its outcomes.

The audit team found that variance between planned and actual costs were reported through Earned Value reports and discussed monthly. Additionally, the Financial Management Advisors reconciled the Blackbook and SIGMA figures and the Cost Management Advisor reviewed WLM Program financials to be presented quarterly to FIIMB.

Human Resources:

The WLM projects fulfill their human resources needs internally through the Task Financial Authorization (TFA) process and externally through supply arrangements.

TFAs are prepared following PMB Gate 2 approval, updated through PMB approved CRs and constitutes "an agreement between the PM&D and service lines to obtain resource commitment and confirm project deliverables including the associated costs and timelines".

The Operating Guide outlines the use of the TFA, specifically in terms of resources identification, assignment and TFA approval. The audit team found that the sampled projects had prepared and obtained endorsement for TFAs starting at Gate 2 and for each fiscal year thereafter.

The WLM Factory was created in 2018 to assist with limited resources issues by engaging WLM third party expert resources. The WLM Factory enabled scaling the delivery of WLM projects by providing a supply arrangement, standardized migration delivery practices, and dedicated support. However, interviews noted a difficulty in collaborating with third party resources and having their work endorsed citing a lack of skillset. As such, the WLM Program was still facing resource availability issues.

Resource Monitoring:

Resource monitoring is important to ensure that WLM Program and projects operate within allocated resource and allows preventing over-spending and resource shortages.

The audit team found that the WLM Program resource monitoring practices were aligned with the Operating Guide requirements (that is, PMB approval through a CR for 10% variance in scope, timelines, and budget). These preventative controls were set to restrict and limit allocated resources from exceeding defined thresholds.

C. Conclusion

Overall, SSC had adequately designed and implemented processes to oversee and manage the WLM Program and projects.

There were also some opportunities for improvement.

The WLM Program had adequate and effective change control and resource management processes although the WLM Program reprofiled allocated funds due to external factors. While the WLM governance structure was adequately defined and communicated, there was a lack of record keeping, follow-up on action items and risk oversight. Risk management processes were defined and implemented except for risk integration (program versus projects) and risk reporting to governance committees which were not defined.

Internal stakeholder management was effective overall; external stakeholder management was ineffective in terms of identification and engagement.

Lastly, prioritization criteria, endorsement and approval processes were defined but there was a lack of documentation regarding project prioritization endorsement and approval.

Annex A - Lines of Enquiry and Audit Criteria

Lines of Enquiry and Audit Criteria

Line of Enquiry	Audit Criteria
Line of Enquiry 1: Governance
Governance	1.1 WLM governance structure is adequately defined and communicated. 1.2 WLM Governance Committees meet regularly to provide timely decisions and results are communicated to relevant stakeholders.
Line of Enquiry 2: Risk Management
Risk management processes	2.1 WLM have defined adequate risk management processes. 2.2 WLM risk management processes are effectively implemented.
Line of Enquiry 3: Program Management
Change control management	3.1 WLM has adequate and effective change control management processes at the program and project level.
Stakeholder management	3.2 WLM has effective internal and external stakeholder management processes.
Project prioritization	3.3 WLM has an effective project prioritization process.
Line of Enquiry 4: Resource Management
Resource management processes	4.1 WLM has adequate and effective human and financial resource management processes.

Annex B – Wave 1 and 2 WLM Projects

Wave	Project name	Status
1	WLM of Public Services and Procurement Canada ██████████ Legacy Data Centre	Completed
	WLM of Environment and Climate Change Canada ██████████ Legacy Data Centre	Active
	WLM of Department of National Defense Legacy Data Centre
	Canada Revenue Agency/Canada Border Services Agency Migration
	National Resources Canada ██████████Data Centre WLM
	Migration of Statistics Canada from ██████████
2	WLM of Innovation, Science and Economic Development Canada Legacy Data Centres
	WLM of Canada Food Inspection Agency Legacy Data Centres
	WLM of Privy Council Office ██████████Data Centre
	WLM Correctional Service Canada ██████████Data Recovery Site
	WLM of Global Affairs Canada ██████████
	WLM of ██████████Data Centre
	WLM of Transport Canada ██████████Data Centre
	Financial Transactions and Reports Analysis Centre of Canada - Disaster Recovery	Planned
	WLM of Employment and Social Development Canada ██████████Data Centre

Annex C – Audit Recommendations Prioritization

Internal engagement recommendations are assigned a rating by the Office of Audit and Evaluation in terms of recommended priority for management to address. The rating reflects the risk exposure attributed to the audit observation(s) and underlying condition(s) covered by the recommendation along with organizational context.

Recommendations Legend

Rating	Explanation
High priority	Controls are inadequate. Important issues are identified that could negatively impact the achievement of organizational objectives Could result in significant risk exposure (for example, reputation, financial control or ability to achieve Departmental objectives) Provide significant improvement to the overall business processes
Medium priority	Controls are in place but are not being sufficiently complied with. Issues are identified that could negatively impact the efficiency and effectiveness of operations Observations could result in risk exposure (for example, reputation, financial or ability of achieving branch objectives) or inefficiency Provide improvement to the overall business processes
Low priority	Controls are in place, but the level of compliance varies Observations identify areas of improvement to mitigate risk or improve controls within a specific area Provide minor improvement to the overall business processes

Annex D – Acronyms

Recommendations legend

Acronym	Meaning
ADM CEPP	Assistant Deputy Minister Committee on Enterprise Priorities and Planning
CI-RAID	Continuous Improvement – Risks Actions Issues and Decisions
CR	Change Request
CSMP	Communications and Stakeholder Management Plan
DC	Data Centre
DCSB	Data Centre Services Branch
DCSP	Data Centre Services Projects Directorate
DG	Director General
DM CEPP	Deputy Minister Committee on Enterprise Priorities and Planning
ECCC	Environment and Climate Change Canada
EDC	Enterprise Data Centres
FIIMB	Finance, Investment, and Internal Management Board
GC	Government of Canada
GC CIO	Government of Canada Chief Information Officer
GC EARB	Government of Canada Enterprise Architecture Review Board
ISED	Innovation, Science and Economic Development Canada
NSSB	Networks & Security Services Branch
OCIO	Office of the Chief Information Officer
OPI	Office of Primary Interest
PCRA	Project Complexity and Risk Assessment
PMB	Project Management Board
PMO	Project Management Office
PMP	Project Management Plan
PM&D	Project Management & Delivery Branch
PPM	Project Portfolio Management
PSPC	Public Services and Procurement Canada
QA	Quality Assurance
ROD	Records of Decisions
SSC	Shared Services Canada
TB	Treasury Board
TC	Transport Canada
TFA	Task Financial Authorization
TOR	Terms of Reference
WLM	Workload Migration