Regional development agencies internal audit of information management

Final Report

October 2016

Office of the Comptroller General (OCG)

Executive summary
Conformance to professional standards
Background
Audit objective and scope
Detailed findings and recommendations
Conclusion
Management response
Appendix A: applicable policies, directives and guidance
Appendix B: lines of enquiry and audit criteria
Appendix C: recommendations by regional development agency and priority level
Footnotes

Executive summary

The objective of this audit was to determine whether governance frameworks and monitoring frameworks over information management (IM) are in place^{Footnote 1} within Regional Development Agencies (RDAs).

The scope of this audit examined the IM governance and monitoring frameworks in place as at March 31, 2015, for two selected RDAs: Canada Economic Development for Quebec Regions (CED) and the Atlantic Canada Opportunities Agency (ACOA).

Why this is important

“In the ever-accelerating information landscape, the responsibility for creating and preserving records has become a real challenge.”^{Footnote 2} Recent studies report that 4.4 billion terabytes of digital data were created over the last year, and 90 per cent of the world’s data was created in the last two years.^{Footnote 3} Information is an essential component of effective management across organizations and becomes a valuable asset when managed appropriately.^{Footnote 4} As a result, IM has evolved from traditional recordkeeping activities to include strategies (for example, business integration) that recognize information as a strategic asset and enhance support to operations with, for example, data-driven decision making, increased transparency and facilitated collaboration. IM can be defined as a discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation.^{Footnote 5} The focus of IM is the ability of organizations to capture, manage, preserve, store and deliver the right information to the right people at the right time.^{Footnote 6}

The amount of information across government is significant, and it is critical that departments and agencies manage it efficiently and effectively in order to leverage its true value in support of program and service delivery, while respecting security and privacy requirements. The availability of high-quality, authoritative information to decision makers also fosters informed decision making and facilitates accountability, transparency and collaboration. Application of sound IM practices further preserves and ensures access to information and records for the benefit of present and future generations.^{Footnote 7}

The Government of Canada (GC) vision for IM aims for information to be safeguarded as a public trust and managed as a strategic asset to maximize its value in the service of Canadians.^{Footnote 8} Integrating IM considerations into all aspects of government business enables information to be used and recognized as a valuable asset.^{Footnote 9} For example, as the GC increasingly uses information technologies, integrating IM requirements with technology planning ensures that digital information is accessible, shareable and useable over time and through technological change.^{Footnote 10}

Government priorities reflect a commitment to openness and transparency^{Footnote 11} and a strong focus on results. Open data initiatives are being accelerated and expanded in order to make government data available digitally, enabling Canadians to easily access and use it. Tracking and reporting on the progress of commitments, supported by performance measurement, ensures that clear accountability has been established and enables reporting on the results that government has achieved for Canadians. The existence of governance and monitoring frameworks over IM, government-wide and within agencies, is key to ensuring that the benefits of sound IM practices are realized across government.

The GC, including RDAs, increasingly uses information technology to integrate IM requirements and to provide decision makers across government with information that is readily available. This information helps them understand the context and consider the opportunities and risks of various options prior to making decisions so that resources can be deployed to their maximum effect. The availability of high‑quality, authoritative information to decision makers is of particular importance for RDAs, given their focus on program delivery for regional economic development, and the requirement to manage applicant and recipient information from third‑party delivery of transfer payment programs. Managing information of business value effectively throughout its life cycle provides a basis for decision making in support of RDA program and service delivery and reporting. Given the definition, focus and objectives of IM described above, sound practices across RDAs are the foundation to fulfilling these commitments and priorities for Canadians.

Key findings

Both RDAs had established plans to support the agencies’ and the GC’s IM initiatives. In addition, policy instruments that communicate specific IM responsibilities and requirements were developed and communicated within RDAs. However, some of these plans and policy instruments needed to be updated. The release of the updated government IM strategy and policies will be an opportune time for both agencies to review, align and update their IM operational plans, policies and supporting instruments to reflect current IM risks and priorities.

Monitoring control frameworks, including comprehensive performance measurement, set the foundation for organizations to assess achievement of IM objectives and overall compliance with policies. Although the monitoring control framework was found to be comprehensive at CED, current monitoring and reporting activities at ACOA, including performance measures, did not provide a comprehensive assessment of IM achievements or overall compliance. Monitoring and reporting based on comprehensive performance information is instrumental to identify areas where efforts need to be adjusted, and to develop, prioritize and allocate resources to action plans for achieving IM objectives and overall compliance with policies.

Committees supporting IM were in place within RDAs. Their mandates defined roles and responsibilities over IM, and the committees play an advisory role to senior management in support of IM decision making. However, there are opportunities to improve their operations and their role in the governance of IM activities, particularly with respect to monitoring IM performance and overall compliance. If more comprehensive performance information were to become available, it could be presented to committees and enhance their ability to govern IM activities that support achievement of IM objectives. Committee operations (for example, senior management engagement, frequency and focus of IM discussions, sound due diligence) can set the tone for a culture that recognizes the importance of IM.

Both agencies’ IM plans considered GC common systems and initiatives. The implementation of common systems such as GCDOCS supports the open information stream of the GC Open Government Initiative. IM business application systems and tools were also in place in support of the agencies’ information life cycle and information resources for business value. Both RDAs have identified their information resources of business value, which enable sound decision making in support of programs, services and ongoing operations. Further, these resources support departmental reporting, performance and accountability requirements.

In order for government programs and services to provide convenient access to relevant, reliable, comprehensive and timely information,^{Footnote 12} information needs to be recognized and managed as a valuable and strategic asset that supports outcomes, operational needs and accountabilities. In order for this to occur, it requires commitment and engagement by all employees across government and support from IM functional specialists. Although RDAs were engaged in the GC IM community, there is an opportunity to develop and implement strategies to promote and engage IM more broadly as an integral element of RDAs policies, programs, services and initiatives.

IM functional specialists support departments in implementing and achieving their IM initiatives. The audit noted that the recruitment and retention of competent and skilled resources is a challenge in RDAs. Efforts have been undertaken by both agencies in this area to enable them to meet their current and long‑term needs, and to support the implementation of IM initiatives and achievement of IM objectives.

Conclusion

Overall, IM governance and monitoring frameworks were established in both agencies reviewed. IM operational plans have been developed to implement the IM strategy of the RDAs, and specific requirements and responsibilities were addressed in policy instruments. Committees were established within agencies to discuss IM issues, and activities were undertaken to engage and promote the IM community. However, some opportunities were identified in both RDAs to update policy instruments, strengthen committee operations, and ensure that committees are provided with the information required to fulfill their role in governance. The audit noted that some work in these areas was already initiated. Both agencies’ IM plans also considered GC common systems and initiatives. The implementation of common systems^{Footnote 13} further supports the open information stream of the GC Open Government Initiative. IM business application systems and tools were in place to support the agencies’ information life cycle. Both RDAs have identified their information resources of business value, which enable and document decision making in support of programs, services and ongoing operations. Further, these support departmental reporting, performance and accountability requirements. As Agencies face challenges in elevating the priority of IM, there is an opportunity to develop and implement strategies to engage and promote IM more broadly as an integral element of RDAs’ policies, programs, services and initiatives. These improvements could renew the commitment and priority for IM across agencies and support achievement of government priorities going forward.

While Canada Economic Development for Quebec Regions has defined performance measurement, monitoring and reporting activities for the oversight of IM, Atlantic Canada Opportunities Agency’s performance measures or associated monitoring and reporting activities did not provide a comprehensive assessment of the achievement of IM objectives or overall policy compliance. Without monitoring comprehensive performance information, it is difficult to assess compliance with the Treasury Board policy requirements, whether the anticipated benefits are being realized, and where or how strategies and plans should be adjusted to achieve established IM objectives.

Conformance with professional standards

This audit engagement conforms with the Internal Auditing Standards for the GC as supported by the results of the quality assurance and improvement program.

Anthea English, CPA, CA
Assistant Comptroller General and Chief Audit Executive
Internal Audit Sector, Office of the Comptroller General

Background

With advances in technology, the amount of information (digital information in particular) continues to grow exponentially each year. It is estimated that 90 per cent of the world’s data was created in the last two years.^{Footnote 14} The digital universe was estimated to grow by 40 per cent each year into the next decade, accounting for the number of people, enterprises and devices connected to the Internet, “unleashing a new wave of opportunities for businesses and people around the world.”^{Footnote 15} Although the sheer volume of information presents significant challenges for organizations, information becomes a valuable asset when managed appropriately.^{Footnote 16}

IM can be defined as a discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation.^{Footnote 17} The focus of IM is the ability of organizations to capture, manage, preserve, store and deliver the right information to the right people at the right time.^{Footnote 18} This focus provides an important foundation to achieve government priorities and commitments to openness and transparency^{Footnote 19} and a strong focus on results.

In 2005, the Secretariat began a comprehensive transformation initiative to define and achieve an enterprise vision for IM in the GC. To better realize this vision, the Secretariat launched the GC IM Strategy in 2008, which included four strategic goals related to policy and governance, people and capacity, enterprise information architecture, and IM tools and applications.^{Footnote 20}

The GC IM policy suite was released, including the Policy on Information Management. The objectives of this policy are to achieve efficient and effective IM to support program and service delivery; foster informed decision making; facilitate accountability, transparency and collaboration; and preserve and ensure access to information and records for the benefit of present and future generations.^{Footnote 21} A description of IM policies, directives, standards, acts and guidelines is provided in Appendix A.

Since the GC IM Strategy was developed, significant changes in the strategic and operating environment have occurred, including the launch of Canada’s Action Plan on Open Government, the Email Transformation Initiative, Workplace Renewal Initiative 2.0, and the Secretariat’s Policy Reset Initiative. A number of IM-related initiatives are also underway, such as a changing governance structure and the transition to an enterprise-wide IM solution (for example, GCDOCS). In addition, the GC Enterprise IM Strategy Renewal was launched to update the IM vision and goals to account for progress made to date and to reflect current priorities, sensibilities and values of the GC and of Canadians.^{Footnote 22}

Deputy heads of RDAs play a key role with respect to IM. They are responsible for ensuring that the appropriate management direction, processes and tools are in place to efficiently manage information under the control of the agency, support the agency’s business, and retain the quality of information throughout the information life cycle.^{Footnote 23} The RDAs administer programs that advance economic opportunities in their respective regions, and a significant portion of the information they manage relates to transfer payment programs. Furthermore, all employees are responsible for managing the information they collect, create and use as a valuable asset to support the outcomes of programs and services and the agency’s operational needs and accountabilities.^{Footnote 24} Consequently, sound management of information received from program applicants and recipients is essential to ensure that information of business value is properly safeguarded and available for decision making.

During consultations regarding the development of the Office of Comptroller General’s (OCG’s) Three‑Year Risk-Based Internal Audit Plan from the 2015 to 2016 fiscal year to the 2017 to 2018 fiscal year and the RDA Multi-Year Risk-Based Internal Audit Plan for the 2015 to 2016 fiscal year to the 2018 to 2019 fiscal year, IM was identified as an area that continues to be of high inherent risk because it is fundamental to all aspects of government and to RDAs’ programs and services in that it supports informed decision making and efficient and effective service delivery, and is critical to achieving goals and the mandates of RDAs. The importance of IM, combined with government priorities and the change initiatives underway across government and within RDAs, has heightened concerns over IM risks, in particular with respect to governance and monitoring frameworks.

Audit objective and scope

The objective of this audit was to determine whether governance frameworks and monitoring frameworks over IM are in place^{Footnote 25} within RDAs.

The scope of this audit included the IM governance and monitoring frameworks in place as at March 31, 2015, for two selected RDAs: CED and ACOA. Key elements of these frameworks were expected to align with Treasury Board policy instruments, including definitions of roles and responsibilities, accountability structures, policies, plans, tools, systems, human resources planning, and monitoring and reporting. However, the audit also acknowledged initiatives and improvements that were in progress or implemented after this date, where applicable.

The scope of the audit also provided an opportunity to assess the progress on elements of IM governance that were highlighted as opportunities for improvements in the audit findings of the 2011 OCG Horizontal Internal Audit of Electronic Recordkeeping in Large Departments and Agencies and the Horizontal Internal Audit of Electronic Recordkeeping in Small Departments and Agencies.^{Footnote 26} The OCG Horizontal Internal Audit of Information Technology (IT) Security in Large and Small Departments (Phase 1),^{Footnote 27} which examines the governance frameworks over IT security in place in departments and government‑wide, was recently completed in 2016. Any overlapping risk elements with respect to IM governance frameworks were therefore removed from the scope of this audit.

The lines of enquiry and audit criteria to achieve the audit objective are provided in Appendix B.

Detailed findings and recommendations

Finding 1: strategic direction for IM

Strategic direction establishes the course of action that leads to the achievement of objectives. It can take many forms, including strategies, plans and policy instruments. The audit examined whether plans were in place within RDAs to implement government-wide and agency-specific IM objectives. Developing plans facilitates agreement on key issues and what it will take to address them, builds cooperation and commitment to implement identified priorities, and establishes the desired outcomes as a basis to oversee implementation. The audit also determined whether policy instruments were developed and communicated to support IM agency-wide. Establishing policies defines the responsibilities and requirements for agencies and employees, deemed necessary to achieve established objectives.

RDAs had developed and communicated operational plans to support government-wide and agency-specific IM objectives; however, there are opportunities for ACOA to improve elements of its plan.

Deputy heads are responsible for establishing a departmental program or strategy for the improvement of the management of information.^{Footnote 28} Operational plans outline the steps, activities and initiatives to be taken to achieve the identified broad departmental IM objectives and priorities, which should align with those of the GC IM Strategy. Both RDAs had developed IM plans that align with government-wide and agency‑specific IM objectives and priorities. Agency IM-related risks that impede the achievement of objectives were considered in their IM planning processes. IM risks were also identified in the Corporate Risk Profile of both agencies, which includes risk responses and mitigation strategies. Internal key IM stakeholders were also being consulted as part of the annual review and update of IM plans, and the plans were accessible by all staff through the intranet or collaboration sites.

RDAs had IM plans in place that included a list of IM activities and initiatives. The audit noted that CED’s IM plan included key elements of an IM plan outlined in the Secretariat’s IM guidelines,^{Footnote 29} such as who is responsible, resource allocation, performance measures, and monitoring and reporting schedules.ACOA’s IM plan could be strengthened by including performance measures along with monitoring and reporting schedules. The information in IM plans is the foundation for translating strategic direction into specific actions for which those responsible can be held accountable.

RDAs had developed and communicated policy instruments to support IM objectives; however, some of ACOA’s instruments were not updated.

Both RDAs had developed policy instruments to support their agency-specific IM program, along with a range of internal directives, manuals and guides. These were found to be aligned with the GC IM policy framework. Roles and responsibilities for those involved in the management of information have been clearly defined in the agency IM policies. The IM policy framework had been communicated through each RDA’s intranet portal and was therefore readily available to all employees. In addition, both RDAs had developed and delivered IM training programs and awareness activities to employees. Accessibility of, and training on, IM policies increases the likelihood that IM policies and directives are being consistently applied across the agency.

CED’s IM policy framework was updated to reflect the current GC IM policy framework, and was awaiting final approval. Several of ACOA’s IM guides had not been reviewed and updated in several years.

The Secretariat is currently in the process of developing its GC Enterprise IM Strategy Renewal and related IM policy instruments to reflect current GC priorities. The release of updated Treasury Board IM strategy and policies will be an opportune time for both RDAs to review, align and update their IM operational plans, policies and supporting instruments. This will ensure that government and agency‑specific IM responsibilities and requirements appropriately reflect and address changes in risks and the operating environment.

Summary of finding: strategic direction for IM

RDAs have developed IM plans and policies in consideration of government-wide and agency‑specific IM objectives. Some policies and guides were, however, not kept up to date. The upcoming GC Enterprise IM Strategy Renewal and the release of updated government IM policies will be an opportune time for both RDAs to ensure that their IM plans, policies and supporting instruments are reviewed and updated to reflect current priorities.

Recommendation: strategic direction for IM

ACOA should update departmental IM plans and policy instruments with consideration given to the Secretariat’s upcoming updated GC IM Strategy and policy instruments.

Finding 2: IM monitoring

Monitoring frameworks provide the means to oversee and adjust, as necessary, strategies, plans and processes to ensure that the benefits of sound IM practices are realized. Performance measures and targets are a necessary component of the monitoring framework in order to define and provide the information needed to make these assessments and decisions.

Deputy heads are responsible for monitoring adherence to the Policy on Information Management and for ensuring that appropriate remedial action is taken to address any deficiencies within their departments.^{Footnote 30} The audit examined whether monitoring frameworks were in place within RDAs to ensure achievement of IM goals, objectives and policy compliance.

Both RDAs have defined monitoring and reporting activities, including performance measurement, for the oversight of IM. However, there is an opportunity for ACOA to provide a more comprehensive assessment of the state of IM.

RDA deputy heads are responsible for measuring and reporting on a departmental program or strategy for the improvement of the management of information. Both RDAs have defined IM monitoring and reporting activities, including performance measurement, within their IM policy and/or plans. The IM policies stipulate how the agencies will monitor compliance with all aspects of their IM policy and directives and report on the achievement of expected results.

For the RDAs, monitoring and reporting activities were mainly performed by completing the annual self‑assessments for the Management Accountability Framework (MAF) required by the Secretariat, and periodically using the Recordkeeping Assessment Tool (RKAT) to self-assess their level of IM compliance with the Directive on Recordkeeping. In the 2014 to 2015 fiscal year, both RDAs completed the annual self-assessments for the MAF, which also included the results of the RKAT assessment. Although the MAF and RKAT provide information to assess compliance with the Directive on Recordkeeping, they do not provide comprehensive information to assess overall policy compliance.

In addition, CED had developed a comprehensive performance measurement framework, beyond the requirements of the MAF and RKAT, as the foundation to monitor and report on IM performance and compliance. Their IM strategic plan identified the expected results, as well as performance indicators for each of its strategic objectives for the coming year. Throughout the year, results were monitored and reported against the expected results. At the operational level, planned initiatives to support the IM strategic plan have also defined expected results and were monitored and reported in a similar fashion, in addition to identifying the risks to successful implementation and achievement of results. The agency further monitored IM compliance and followed up on IM issues through its compliance review program. Identified gaps were addressed, where applicable. This type of performance information and monitoring enables agencies to assess and make necessary adjustments to plans and processes to ensure that the expected results and desired outcomes are achieved.

ACOA also reported through the MAF and RKAT. Monitoring and reporting activities were limited to the status on the implementation of specific initiatives rather than achievement of overall IM objectives or desired outcomes. ACOA has not developed or implemented a comprehensive performance measurement framework to monitor and report on IM compliance beyond the requirements of the MAF and the RKAT. Monitoring and reporting IM performance and overall compliance would enable the agency to assess progress toward achieving IM objectives, goals and overall policy compliance. It would also set the foundation to develop, prioritize and allocate resources to remedial action plans that progress toward compliance with IM policies and achievement of IM objectives. ACOA IM representatives mentioned that they have not had the capacity to implement a robust performance measurement framework, as available resources were focused on implementing key IM requirements and initiatives.

Action plans were developed, implemented and monitored in both RDAs to ensure that identified IM compliance gaps were being addressed.

Over the past two years, both agencies focused their efforts on implementing the Secretariat’s requirements under the Directive on Recordkeeping, including taking action to remediate deficiencies. For CED, the RKAT result for the 2014 to 2015 fiscal year demonstrated full compliance, with a score of 100 per cent. The agency also followed up on IM issues resulting from its compliance review program, and identified gaps were addressed, where applicable. ACOA analyzed the gaps identified in the results of the RKAT and included the necessary actions to address the deficiencies in its operational plan. As a result, the RKAT self-assessed score improved from 48 per cent in the 2014 to 2015 fiscal year to 93 per cent in September 2015. However, given that ACOA’s monitoring and reporting activities did not include comprehensive performance information, adjustments made through action plans may not provide opportunities for the agency to improve on the achievement of its IM objectives or overall compliance. ACOA’s practice of developing action plans to address compliance gaps for the Directive on Recordkeeping could be applied to overall compliance with IM policies and the achievement of IM objectives. Developing and implementing action plans to address IM compliance gaps allows organizations to prioritize required actions and determine and allocate the necessary resources. It also provides a baseline to continue to monitor progress and adjust plans as required.

Summary of finding: IM monitoring

CED has defined performance measurement, monitoring and reporting activities for the oversight of IM. However, ACOA’s performance measures or associated monitoring and reporting activities did not provide a comprehensive assessment of the achievement of IM objectives or overall policy compliance. Comprehensive performance measurement, monitoring and reporting frameworks set the foundation for organizations to develop, prioritize and allocate resources to remedial action plans that progress toward compliance with IM policies and the achievement of IM objectives.

Recommendation: IM monitoring

ACOA should implement a comprehensive monitoring framework in order to identify, prioritize and address performance gaps. The monitoring framework should consider a risk‑based approach and relevant performance measures.

Finding 3: committees supporting IM

Governance is a process through which organizations set strategic directions, allocate resources, define and assign responsibilities, assess risks, and establish internal controls to help achieve outcomes consistent with established objectives. One of the expected results of the Treasury Board Policy on Information Management is that governance structures, mechanisms and resources are in place to ensure the continuous and effective management of information. The audit examined whether governance and accountability structures were in place to support IM within RDAs. The primary focus was on the role that committees played in IM governance, including whether they were established and functioned to support achievement of IM objectives and initiatives.

Committees were in place within RDAs to support IM.

Each RDA had established committees in support of IM. In particular, CED had established the Internal Governance Committee, which is responsible for the direction of the agency on strategic matters such as IM. ACOA had established a Committee on Information Management and Technology to oversee the direction and activities of IM/IT. The mandates of these committees were defined in their respective Terms of Reference and include definitions of the committees’ responsibilities over IM. The members of these committees represent all sectors of each RDA. The committees report through the executive committee of each RDA and play an advisory role to senior management in support of IM decision making. The chairs of these committees were also members of the executive committee. In addition, both RDAs had designated an IM senior official who provides a liaison role with the Secretariat; these senior officials were also members of the committees. Sound governance and oversight that define the roles and responsibilities of key stakeholders increases the likelihood that IM objectives will be addressed, integrated and achieved throughout the RDA in support of broader departmental objectives.

There are opportunities to improve committee operations and their role in governance of IM activities.

Periodic reviews and assessments of governance structures and bodies ensure that roles, responsibilities and accountabilities are defined, up to date, and fulfilled efficiently and effectively. An appropriate review considers factors such as the mandate, roles and responsibilities, membership (that is, breadth of skills, authority for decision making), meeting frequency, member attendance, due diligence and the focus of discussions relative to the Terms of Reference. In addition, the Policy on Information Management stipulates that deputy heads are responsible for ensuring that decisions and decision-making processes are documented to account for and support the continuity of operations, permit the reconstruction of evolution of policies and programs, and allow for independent evaluation and audit.^{Footnote 31} Moreover, due diligence in ensuring that the committees to support IM are functioning as intended fosters a culture that highlights the importance of IM and supports the achievement of IM objectives.

Neither of the RDAs’ committees met as frequently as intended. In some cases, the agencies’ IM issues were dealt with outside of the committee structures. In addition, documentation on committee operations of both RDAs (for example, Terms of Reference, agendas and records of decisions) were not always available and kept current to reflect the agency’s IM structure and operating environment. For example, CED’s committee minutes were not always documented, and ACOA IM/IT committee’s Terms of Reference had not been updated over the past four years. In addition, the implementation of a comprehensive performance measurement framework, along with remedial action plans as indicated in Recommendation 2 in this report, represents an opportunity to enhance the oversight by both RDA committees over IM strategies, operational plans, and policy implementation and compliance. Performance information could be presented to committees and be used to monitor, reassess and adjust strategic direction in a timely manner to support agency-specific achievement of IM objectives. This also aligns with GC priorities and trends toward data-driven, i.e., evidence-based, decision making.

At the time of the audit, both RDAs had already taken action and explored ways to strengthen their committee operations. CED is now using an electronic database to update its committee agenda and to document records of decisions. ACOA has undertaken an exercise to restructure its IM/IT governance, and has indicated that this will be an opportunity to update the Terms of Reference of its IM/IT committee as per the new IM/IT governance structure. The regular review and update of committees’ Terms of Reference would contribute to maintaining the clarity and relevance of roles, responsibilities and accountabilities, which in turn promote the achievement of IM objectives. Further, sound due diligence to support committee operations fosters a culture that highlights the importance of IM.

Summary of finding: committees supporting IM

Committees were in place within RDAs to support IM; however, there are opportunities to improve the management of committee operations within each RDA, and to enhance their oversight role in the governance of IM activities.

Recommendations: committees supporting IM

CED and ACOA should continue their efforts to strengthen committee operations by documenting meeting agendas and records of decisions, and periodically review committees’ Terms of Reference.
CED and ACOA should provide committees with IM performance information to strengthen their oversight role in the governance of IM activities.

Finding 4: IM systems

As the GC increasingly uses information technologies to implement IM requirements, organizations must adopt IM systems to support the information life cycle and information of business value. The value of information assets across government is significant, and it is critical that departments and agencies are able to secure and leverage their investment.

Significant changes in the strategic and operating environment have recently occurred, and a number of IM-related initiatives are underway. Once complete, these transformation initiatives should support the GC as a whole to deliver better services to Canadians.^{Footnote 32} The audit examined whether IM plans considered the GC IM enterprise systems and initiatives to support the GC and agencies’ IM objectives and priorities. The audit also examined whether RDAs have put in place systems to support their respective information life cycle and the GC’s and agencies’ IM objectives and priorities.

IM plans in both RDAs support government-wide IM enterprise systems and initiatives.

According to the Directive on Information Management Roles and Responsibilities, deputy heads are responsible for ensuring that IM requirements are addressed during the planning phase of departmental program and system design.^{Footnote 33} Thus, IM plans need to demonstrate and report on the implementation of IM activities and specific initiatives as required by the Secretariat. The adoption of sound recordkeeping practices, the implementation of open government, the GC Email Transformation Initiative and the transition to enterprise-wide IM solution systems (for example, GCDOCS) are all examples of initiatives that provide support to RDAs in the delivery of their mandates.

Both RDAs had established a formal plan for complying with the Directive on Recordkeeping. The agencies had also established a plan for managing the disposition of documentation and information. This initiative was done in collaboration with Library and Archives Canada and aligned with the GC IM strategy to adopt electronic systems as the preferred mean of managing information. Adopting sound recordkeeping practices provides for a framework of accountability and stewardship in which information resources are considered vital business assets and knowledge resources to support effective decision making and achieve results.^{Footnote 34}

Both RDAs had developed an Open Government Implementation Plan (OGIP). Each plan demonstrated how each agency intended to comply with the Directive on Open Government, and described responsibilities and authorities for key players involved in its implementation and the desired outcomes. The OGIP was aligned with the commitments of the GC Action Plan on Open Government for 2014 to 2016, which supports progress on the delivery of transparent and accountable programs and services focused on the needs of Canadians.

The IM plans of each RDA also considered the implementation of GC common enterprise data initiative to support grants and contributions programs and services. GCDOCS is the electronic document and records management system that has been identified as the official enterprise document and records management solution of the GC. Its implementation is intended to help GC organizations meet their obligations in relation to information life-cycle management, enabling them to create, collect and preserve data, in addition to easily sharing, organizing, evaluating, identifying and disposing of data. GCDOCS encourages collaboration in the area of IM while providing secure access control through the management of user and group access rights.^{Footnote 35} Consequently, it is strategically positioned to address the challenge of effectively managing public resources, in addition to providing an opportunity to resolve the issue of increasing public integrity and improving public services.^{Footnote 36} The audit confirmed that both RDAs had initiated their adoption of GCDOCS. CED had already developed an implementation plan and expected to complete the migration for March 2016; ACOA is planning to implement GCDOCS in the 2017 to 2018 fiscal year, pending Public Services and Procurement Canada (PSPC) confirmation. The implementation of systems such as GCDOCS further supports the open information stream of the GC Open Government Initiative.

In addition, both RDAs are also part of the 43 GC partner organizations that have completed their email transformation, which aims to provide a common, modern, consolidated, secure, more reliable and more cost-effective email system for the GC.^{Footnote 37} Finally, both RDAs monitor the progress of implementation for business applications and initiatives against expected completion dates to ascertain whether the application contributes to their IM needs.

Both RDAs’ IM business application systems are in place to support their information life cycle and information resources of business value.

Establishing and implementing systems tools that support the information life cycle^{Footnote 38} is an essential element that enables sound IM practices. Information life-cycle management can be defined as a comprehensive approach for the creation, storage and disposition of data, recognizing that the value of information changes over time.^{Footnote 39} Both RDAs had defined and documented their information life cycle.

Key IM business application systems to support their information life cycle were found to be in place and aligned with their IM objectives and needs. Systems include those used as document repositories, systems in support of the business management processes, and integrated record IM systems. Both agencies also maintained an inventory list of business application systems. They also developed training and awareness programs, guidance, and tools to support IM business application systems and initiatives agency-wide (Headquarters and satellite offices), which fosters consistency and uniformity in their application and use. Interviews with IM representatives in both agencies further indicated that the business application systems support effective decision making at each agency.

Information resources of business value (IRBV) consist of published and unpublished materials, regardless of medium or form that are created or acquired because they enable or document decision making in support of programs, services and ongoing operations.^{Footnote 40} The Directive on Recordkeeping stipulates that departmental IM senior officials are responsible for ensuring that IRBV are identified based on an analysis of departmental functions and activities that enable or support its legislated mandate;^{Footnote 41} IRBV therefore support departmental reporting, performance and accountability requirements. Both RDAs had identified their IRBV in support of their information life cycle. Both agencies’ IRBV were aligned with their mandates for delivery of programs and services. Used as strategic assets, the identification of IRBV facilitates decision making and the efficient delivery of government programs and services.^{Footnote 42} Both agencies had also maintained a repository^{Footnote 43} to classify the business value of the agencies’ information, by document type and format, and to identify the business units that are accountable for its maintenance. An information resource identified as having business value and placed into a repository enables effective decision making and provides reliable evidence of business decisions, activities and transactions for program managers, deputy heads, ministers and Canadian citizens.^{Footnote 44}

Summary of finding: IM systems

Both RDA IM plans consider government-wide IM enterprise systems and initiatives in order to support RDAs and the GC in the delivery of programs and services to Canadians. Implementing GC-recognized systems such as GCDOCS encourages collaboration in the area of IM, and further supports the open information stream of the GC Open Government Initiative. IM systems were in place to support the agencies’ information life cycle. Both RDAs had identified their IRBV, which enable and document decision making in support of programs, services and ongoing operations. IRBV also support departmental reporting, performance and accountability requirements.

Finding 5: IM promotion and engagement

Integrating IM considerations into all aspects of government business enables information to be used and recognized as a valuable asset^{Footnote 45} to support the outcomes of programs and services, as well as operational needs and accountabilities.^{Footnote 46} Deputy heads are responsible for ensuring that departmental programs and services integrate IM requirements into development, implementation, evaluation and reporting activities.^{Footnote 47} In addition, all employees are responsible for applying IM principles, standards and practices in the performance of their duties and for documenting their activities and decisions.^{Footnote 48}

The 2008 GC IM Strategy defined the strategic goal for people and capacity as maintaining “a highly-skilled GC workforce that achieves information management outcomes by applying the appropriate information management policy instruments.”^{Footnote 49} The audit examined a number of areas that contribute to promoting and building the human resource capacity for implementing and integrating IM. First, the audit examined human resources planning for the IM functional community within each RDA. This included activities implemented within RDAs to strengthen and support those that provide expert services and specialized IM support to each agency. Second, the audit considered strategies, such as communication mechanisms, training and awareness efforts, and the establishment of partnerships, to position IM as an agency-wide priority and increase the likelihood that IM practices are adopted and integrated into day-to-day operations of all RDA employees.

Agencies face challenges in elevating the priority of IM as an integral element of policies, programs, services and initiatives.

Integrating IM requirements into the development, implementation, evaluation and reporting activities of departmental programs and services is a deputy head responsibility.^{Footnote 50} Embedding IM considerations and requirements into the policies, procedures, initiatives, and training and development programs for business operations increases the likelihood that employees will adopt sound IM practices in their day-to-day activities. The development of strategies to engage and promote IM as an integral element of RDAs’ operations can leverage the importance of IM and enhance employees’ commitment toward adopting sound IM practices. Examples of these strategies include mandatory IM training and individual performance objectives for all employees, and partnerships with departmental programs and services.

The Secretariat is responsible for promoting functional communities for the management of information and to develop and sustain IM specialist capacity and practices.^{Footnote 51} Interviews with IM officials confirmed that the both RDAs engaged and participated in the Secretariat’s activities aimed to promote IM functional communities. The IM Senior Official Day and the Recordkeeping Day were seen as valuable opportunities to exchange GC IM best practices and learn about ongoing IM initiatives. Both RDAs also participated in discussions with the Secretariat on IM-related matters and on activities and initiatives being implemented. IM officials also confirmed being sought to comment on the recent IM strategy renewal as part of these learning events and during departmental consultations. It was also noted that the implementation of enterprise systems such as GCDOCS encourages collaboration in the area of IM.

From an agency perspective, both RDAs’ IM functions had undertaken activities to promote IM, including email reminders and bulletins; internal training and awareness programs; and publishing policies, tools and resources online. However, the audit noted that strategies to ensure that IM requirements are adopted and integrated into departmental programs and services could be improved. For example, IM-related training for all employees focused mostly on the implementation of specific initiatives, such as GCDOCS and recordkeeping, and IM objectives were not included in performance agreements for all employees. In addition, while RDAs indicated in interviews that they had developed partnerships with some other programs and services, there is an opportunity to further leverage these partnerships to embed IM in other program policies, procedures, initiatives and training programs. In order for such leverage to occur, all employees need to apply IM principles, standards and practices in the performance of their duties. The IM function provides specialized support within departments to help deputy heads and employees in recognizing and fulfilling these responsibilities.^{Footnote 52}

Both RDAs have established planning activities to develop and sustain their IM human resources capacity.

Access to competent, skilled and trained IM specialists is important to support the successful implementation of IM initiatives. Both RDAs noted that the availability of qualified candidates to fill IM specialist positions is limited. Despite the fact that both RDAs had indicated the challenges in recognizing IM as a profession (for example, difficulties defining an IM specialist, and outdated competencies and associated classifications), both agencies implemented strategies to overcome these challenges. Use of temporary help, staff assignments and secondments were often used as compensatory measures. The rarity of IM specialists in the GC community is also a factor that contributes to this situation.

Both RDAs had established human resources planning activities to develop and sustain their IM human resources capacity. These planning activities determine the agencies’ human resources vision and direction to assist with identifying resources required for implementing IM activities and initiatives. Learning and development activities to support IM functional specialists are identified from these planned IM activities and initiatives. The audit also noted that CED had developed and documented, as a good practice, IM generic work objectives for IM functional specialist positions. Building the capacity and skills of IM functional specialists increases the likelihood that they fulfill their duties.

Summary of finding: IM promotion and engagement

RDAs established human resources planning activities to build the capacity and skilled resources of functional specialist capacity and practices. While RDAs have been engaged and participated in activities aimed to promote the IM community, there is an opportunity to develop and implement strategies to reinforce employee responsibilities and integrate IM into departmental programs and services.

Recommendation: IM promotion and engagement

CED and ACOA should implement strategies to reinforce departmental responsibilities and integrate IM into departmental programs and services.

Conclusion

Overall, IM governance and monitoring frameworks were established in both agencies reviewed. IM operational plans have been developed to implement the IM strategy of the RDAs, and specific requirements and responsibilities were addressed in policy instruments. Committees were established within agencies to discuss IM issues, and activities were undertaken to engage and promote the IM community. However, some opportunities were identified in both RDAs to update policy instruments, strengthen committee operations, and ensure that committees are provided with the information required to fulfill their role in governance. The audit noted that some work in these areas was already initiated. Both agencies’ IM plans also considered GC common systems and initiatives. The implementation of common systems^{Footnote 53} further supports the open information stream of the GC Open Government Initiative. IM business application systems and tools were in place to support the agencies’ information life cycle. Both RDAs have identified their information resources of business value, which enable and document decision making in support of programs, services and ongoing operations. Further, these support departmental reporting, performance and accountability requirements. As Agencies face challenges in elevating the priority of IM, there is an opportunity to develop and implement strategies to engage and promote IM more broadly as an integral element of RDAs’ policies, programs, services and initiatives. These improvements could renew the commitment and priority for IM across agencies and support achievement of government priorities going forward.

Management response

The findings and recommendations of this audit were presented to CED and ACOA.

Management has agreed with the findings in this report and will take actions to address all recommendations applicable to their RDA.

Appendix A: applicable policies, directives and guidance

Policies, directives, standards, acts and guidelines (links current as of March 2015)	Description
Policy Framework for Information and Technology (effective July 1, 2007)	The Policy Framework for Information and Technology provides the strategic context for the Policy on Information Management and the Policy on the Management of Information Technology. It also takes into consideration the Policy on Privacy Protection, the Policy on Access to Information, and the Policy on Government Security. In addition, it provides guiding principles for sound information and technology management practices across government.
Policy on Information Management (effective July 1, 2007)	The objective of this policy is to achieve efficient and effective IM to support program and service delivery; foster informed decision making; facilitate accountability, transparency and collaboration; and preserve and ensure access to information and records for the benefit of present and future generations.
Directive on Information Management Roles and Responsibilities (effective October 8, 2007)	The objective of this directive is to identify the roles and responsibilities of all departmental employees in supporting the deputy head in the effective management of information in their department.
Directive on Recordkeeping (effective June 1, 2009)	Ensure effective recordkeeping practices that enable departments to create, acquire, capture, manage and protect the integrity of information resources of business value in the delivery of GC programs and services.
Directive on Open Government (effective October 9, 2014)	The objective of the directive is to maximize the release of government information and data of business value to support transparency, accountability, citizen engagement and socio‑economic benefits through reuse, subject to applicable restrictions associated with privacy, confidentiality and security.
Standard on Metadata (effective July 1, 2010)	The objective of this standard is to increase the use of standardized metadata and value domains in support of the management of information resources.
Standard on Geospatial Data (effective June 1, 2009)	The objective of this standard is to support stewardship and interoperability of information by ensuring that departments access, use and share geospatial data efficiently and effectively to support program and service delivery.
Standard on Electronic Documents and Records Management Solutions (EDRMS) (effective June 1, 2010)	To support efficient and effective management of information through the use of EDRM solutions to increase timely access to relevant, reliable and comprehensive information to support decision making in program and service delivery. Also to maximize the benefit of GC investments related to EDRM solutions by reducing the overall cost associated with implementation and ongoing operations through standardization and economies of scale.
Guideline for Employees of the Government of Canada: Information Management (IM) Basics (last modified November 5, 2012)	This guideline provides information on basic IM and recordkeeping practices, IM concepts and directions to further help and advice.
Information Management: Guidelines (last modified January 5, 1996)	The guideline provides guidance on government-wide IM planning.
Privacy Act	The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.
Access to Information Act	The purpose of this Act is to extend the present laws of Canada to provide a right of access to information in records under the control of a government institution in accordance with the principles that government information should be available to the public, that necessary exceptions to the right of access should be limited and specific, and that decisions on the disclosure of government information should be reviewed independently of government.
Library and Archives Act	This Act is to establish the Library and Archives of Canada, amend the Copyright Act, and amend certain Acts in consequence.

Appendix B: lines of enquiry and audit criteria

Line of enquiry	Criteria	Related source(s)
1. RDA governance frameworks are in place over IM to support departmental objectives.	1.1 Governance and accountability structures, including definitions of roles and responsibilities, are in place to support IM in RDAs.	Policy on Information Management (PIM) subsections 6.1.1, 6.1.6, 6.1.7 Directive on Information Management Roles and Responsibilities (DIMRR) subsections 3.2, 5.2.1, 6.1.4, 6.1.5, 6.2.4, 7.2.1
	1.2 RDA IM policies, aligned with the government’s IM policy instruments, have been developed and communicated to support IM in the agency.	DIMRR, subsections 6.4.1, 6.4.2, 6.4.3, 6.4.4 Directive on Recordkeeping (DRk) subsections 6.1.3, 6.1.4, 6.1.5
	1.3 Key IM^{Footnote 54} systems and tools are in place to support RDA information life cycle.	PIM subsections 5.2.1, 6.1.5 DRk subsection 6.1.3
	1.4 RDA plans have been developed and communicated to implement government-wide and agency IM initiatives.	PIM subsection 6.1.6 DIMRR subsections 5.2.3, 6.1.1, 6.1.2, 6.1.9, 6.2.4, 6.4.3 Directive on Open Government (DOG) section 6.4
	1.5 RDA human resources plans supporting IM professionals have been established and are aligned with government-wide and agency priorities.	DIMRR subsections 6.1.6, 6.1.7
2. RDAs’ monitoring frameworks are in place for the oversight of IM.	2.1 RDA monitoring of and reporting on compliance with IM policy suite requirements have been implemented.	Policy Framework for Information and Technology (PFIMT) subsection 4.1.3 PIM subsections 6.1.8, 6.2.1 DIMRR subsections 6.1.3, 6.2.1, 6.2.2, 7.2.1 DRk subsections 6.1.1, 6.1.2, 6.2.1
	2.2 Action plans have been developed and implemented to address gaps in the compliance with IM policies frameworks.	PIM subsections 6.2.1, 6.1.8 DIMRR subsection 7.1 DRk subsection 6.2.1

Appendix C: recommendations by regional development agency and priority level

Recommendations	ACOA	CED	Priority level
ACOA should update its IM policy instruments with consideration given to the Secretariat’s updated IM policy instruments.	Applicable	Not applicable	High
ACOA should implement a comprehensive monitoring framework in order to identify, prioritize and address government-wide performance and compliance gaps. The monitoring framework should consider a risk-based approach and relevant performance measures.	Applicable	Not applicable	High
CED and ACOA should continue their efforts to strengthen committee operations by documenting meeting agendas and records of decisions, and by periodically review committees’ Terms of Reference.	Applicable	Applicable	Medium
CED and ACOA should provide committees with performance information to strengthen their oversight role in the governance of IM activities.	Applicable	Applicable	Medium
CED and ACOA should implement strategies to reinforce departmental responsibilities and better integrate IM into departmental programs and services.	Applicable	Applicable	Medium

Footnotes

Footnote 1

“In place” refers to frameworks being developed and implemented.

Return to footnote 1 referrer

Footnote 2

Information Commissioner of Canada, An Opportunity to Lead: Duty to Document, March 31, 2016.

Return to footnote 2 referrer

Footnote 3

International Data Corporate annual digital universe report, “Domo data never sleeps 3.0, IBM understanding big data beyond the hype” (from a PricewaterhouseCoopers LLP presentation, “Data Use Governance,” March 2016.

Return to footnote 3 referrer

Footnote 4

Treasury Board Policy on Information Management, subsection 3.1.

Return to footnote 4 referrer

Footnote 5

Treasury Board Policy on Information Management, Appendix A: Definitions.

Return to footnote 5 referrer

Footnote 6

Association for Information and Image Management (AIIM), What is Information Management?

Return to footnote 6 referrer

Footnote 7

Treasury Board Policy on Information Management, subsection 3.1.

Return to footnote 7 referrer

Footnote 8

Canada: Information Management in the Government of Canada: The Vision, April 2006, page 3.

Return to footnote 8 referrer

Footnote 9

Treasury Board Policy on Information Management, subsection 3.1.

Return to footnote 9 referrer

Footnote 10

Treasury Board Policy on Information Management, subsection, 3.1.

Return to footnote 10 referrer

Footnote 11

Canada: Open and Transparent Government, Budget 2016.

Return to footnote 11 referrer

Footnote 12

Treasury Board Policy on Information Management, subsection 5.2.1.

Return to footnote 12 referrer

Footnote 13

Such as GCDOCS.

Return to footnote 13 referrer

Footnote 14

IBM: What Is Big Data? (from a PricewaterhouseCoopers LLP presentation on data use governance, March 2016, references IBM’s Understanding Big Data Beyond the Hype: A Guide to Conversations for Today’s Data Center).

Return to footnote 14 referrer

Footnote 15

EMC Digital Universe with Research and Analysis by IDC: The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, Executive Summary, April 2014.

Return to footnote 15 referrer

Footnote 16

Treasury Board Policy on Information Management, subsection 3.1.

Return to footnote 16 referrer

Footnote 17

Treasury Board Policy on Information Management, Appendix A: Definitions.

Return to footnote 17 referrer

Footnote 18

Association for Information and Image Management (AIIM), What is Information Management?

Return to footnote 18 referrer

Footnote 19

Canada: Open and Transparent Government, Budget 2016.

Return to footnote 19 referrer

Footnote 20

Government of Canada (GC) Information Management (IM) Strategy website.

Return to footnote 20 referrer

Footnote 21

Treasury Board Policy on Information Management, subsection 5.1.

Return to footnote 21 referrer

Footnote 22

GC IM Strategy Renewal 2015: Business Problem Assessment, page 3.

Return to footnote 22 referrer

Footnote 23

Treasury Board Directive on Information Management Role and Responsibilities, subsection 6.1.

Return to footnote 23 referrer

Footnote 24

Treasury Board Policy on Information Management, subsection 3.1.

Return to footnote 24 referrer

Footnote 25

“In place” refers to frameworks being developed and implemented.

Return to footnote 25 referrer

Footnote 26

ACOA was included in the scope of this audit.

Return to footnote 26 referrer

Footnote 27

CED was included in the scope of this audit.

Return to footnote 27 referrer

Footnote 28

Treasury Board, Policy on Information Management, subsection 6.1.8.

Return to footnote 28 referrer

Footnote 29

Information Management: Guidelines, Information Management Planning, 2.1.

Return to footnote 29 referrer

Footnote 30

Treasury Board Policy on Information Management, subsection 6.2.1.

Return to footnote 30 referrer

Footnote 31

Treasury Board Policy on Information Management, subsection 6.1.2.

Return to footnote 31 referrer

Footnote 32

Canada: Open and Transparent Government, Budget 2016, Chapter 7, “Opening Government and Engaging Canadians.”

Return to footnote 32 referrer

Footnote 33

Treasury Board Directive on Information Management Roles and Responsibilities, subsection 6.1.4.

Return to footnote 33 referrer

Footnote 34

Treasury Board Directive on Recordkeeping, definition of “recordkeeping.”

Return to footnote 34 referrer

Footnote 35

PSPC GCDOCS initiative webpage

Return to footnote 35 referrer

Footnote 36

PSPC GCDOCS initiative webpage

Return to footnote 36 referrer

Footnote 37

Shared Services Canada (SSC) Email Transformation Initiative webpage.

Return to footnote 37 referrer

Footnote 38

Treasury Board Directive on Recordkeeping, section 6, requirement 6.1.3.

Return to footnote 38 referrer

Footnote 39

Based on Gartner Inc.’s IT Glossary definition of information life cycle management.

Return to footnote 39 referrer

Footnote 40

Treasury Board Directive on Recordkeeping, Appendix, definition of “IRBV.”

Return to footnote 40 referrer

Footnote 41

Treasury Board Directive on Recordkeeping, section 6, requirements 6.1.1.

Return to footnote 41 referrer

Footnote 42

Treasury Board Directive on Recordkeeping, subsection 5.2, “Expected results.”

Return to footnote 42 referrer

Footnote 43

A repository is an environment that preserves information resources of business value. It includes specified physical or electronic storage space and the associated infrastructure required for its maintenance.

Return to footnote 43 referrer

Footnote 44