Information Technology (IT) Governance


Recommended for Approval to the Deputy Minister by Departmental Audit Committee on April 30, 2009
Approved by the Deputy Minister on May 1st, 2009


1.0 Executive Summary

1.1 Introduction

During 2007, Industry Canada (IC) focused on strengthening information technology (IT) governance and oversight across the department — documenting the processes, clarifying accountabilities and institutionalizing project management.

The main objective of IT Governance 2.0 is to ensure that the department is positioned to meet the requirements of revisions to Treasury Board's Management Accountability Framework, the Financial Administration Act, and new Treasury Board policies on IT, IT Security, Information Management, and Project Management. IT Governance 2.0 is also expected to bring more rigor to benefits realization and return on investment.

IT Governance 2.0 (the current IT governance committee structure) and the creation of the Project Management Centre (PMC) were approved by Management Committee in August and September 2007, respectively. The three committees that underpin IT Governance 2.0 consist of:

  1. IT Strategic Management Committee (ITSMC): responsible for IT business and investment allocation as well as reviewing and approving IT strategy and policies. Committee membership consists of 4 sector Assistant Deputy Ministers, the Chief Informatics Officer and the Chief Financial Officer.
  2. Project Oversight Committee (POC): responsible for ongoing oversight of IT projects. Membership is drawn from the Director General level of management.
  3. IT Standards and Architecture Committee (IT-StAr): responsible for setting the Department's IT architecture strategy, standards and policies. Membership is made up of managers with IT expertise.

The POC and IT-StAr are independent yet complementary governance bodies. The ITSMC will act as an escalation forum when the chair of the POC or IT-StAr requires additional support.

The objective of this audit was to provide assurance that the information technology function has implemented clear roles and responsibilities, accountability and reporting, in keeping with relevant policies, directives, procedures and plans.

The scope of the audit included current IT governance within the department as well as existing internal control, risk management and governance processes.

1.2 Main Findings

IT Governance 2.0 represents notable progress for Industry Canada. The need for IT governance is broadly recognized in the department and participants in the process see its value. The main successes to date are considered to be:

  • The development of a departmental IT Plan to manage IT spending,
  • Instilling project management discipline permitting oversight of IT projects (re: project cost, scope and timing),
  • Identifying opportunities for collaboration among IT projects with similar requirements,
  • Providing project management support to projects, and
  • The recent completion and approval by the DM of an IT Strategic Plan for the department.

The following findings were identified through this audit:

Governance

1. IT Governance exercised at the IT Strategic Management Committee is more focused on the operational and project level than on the strategic plane.

2. Performance measures are not clearly established to ensure that IT Governance is achieving its intended results.

Internal Control

3. There is no link between the IT annual plan and the Long Term Capital Plan.

Risk Management

4. Overall risks to the effectiveness of IT Governance 2.0 are not formally identified, assessed and mitigated.

1.3 Recommendations

Governance

1. The Assistant Deputy Minister of Small Business and Marketplace Services (ADM, SBMS) should ensure the IT Strategic Management Committee operates at a strategic level.

2. The ADM, SBMS should ensure that performance measures be established to demonstrate that IT Governance is achieving its intended results.

Internal Control

3. The CIO should ensure that all significant IT Projects be reflected in the department's Long Term Capital Plan.

Risk Management

4. The ADM, SBMS in collaboration with the IT Strategic Management Committee should ensure that overall risks to the effectiveness of IT Governance 2.0 be formally identified, assessed, assigned to a responsible party and mitigated.

1.4 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

1.5 Audit Opinion

In my opinion, Industry Canada has several risk areas, with low risk exposures related to the risk management, control and governance processes relative to IT Governance.

Bill Merklinger
Chief Audit Executive, Industry Canada

2.0 About the Audit

2.1 Background

During 2007, Industry Canada (IC) focused on strengthening information technology (IT) governance and oversight across the department — documenting the processes, clarifying accountabilities and institutionalizing project management.

The main objective of IT Governance 2.0 is to ensure that the department is positioned to meet the requirements of revisions to Treasury Board's Management Accountability Framework, the Financial Administration Act, and new Treasury Board policies on IT, IT Security, Information Management, and Project Management. IT Governance 2.0 is also expected to bring more rigor to benefits realization and return on investment.

IT Governance 2.0 (the current IT governance committee structure) and the creation of the Project Management Centre (PMC) were approved by Management Committee in August and September 2007, respectively. The three committees that underpin IT Governance 2.0 consist of:

  1. IT Strategic Management Committee (ITSMC): responsible for IT business and investment allocation as well as reviewing and approving IT strategy and policies. Committee membership consists of 4 sector Assistant Deputy Ministers, the Chief Informatics Officer and the Chief Financial Officer.
  2. Project Oversight Committee (POC): responsible for ongoing oversight of IT projects. Membership is drawn from the Director General level of management.
  3. IT Standards and Architecture Committee (IT-StAr): responsible for setting the Department's IT architecture strategy, standards and policies. Membership is made up of managers with IT expertise.

The POC and IT-StAr are independent yet complementary governance bodies. The ITSMC will act as an escalation forum when the chair of the POC or IT-StAr requires additional support.

The department's total IT budget for fiscal year 2008/09 is $93 million (including the Canadian Intellectual Property Office, the Office of the Superintendent of Bankruptcy Canada and Corporations Canada). Excluding these entities, the total expenditures are $61 million.

2.2 Audit Objective

The objective of this audit was to provide assurance that the information technology function has implemented clear roles and responsibilities, accountability and reporting, in keeping with relevant policies, directives, procedures and plans.

2.3 Scope

The scope of the audit includes current IT governance within the department, as well as existing internal control, risk management and governance processes.

2.4 Methodology

The audit fieldwork was completed between September and November 2008. The audit work consisted of examination of documents, interviews of key individuals and a review of all IT projects presented to the ITSMC and POC. Specifically, the following activities were undertaken by the audit team:

  • Interviews with members of the three IT Governance committees as well as various project managers and support staff in the Project Management Centre (PMC);
  • Review of project documentation for all projects that had been presented to the ITSMC or POC;
  • Documentation review;
  • Mapping of risks identified within projects against risk categories supplied by the Project Management Centre.

3.0 Findings and Recommendations

3.1 Introduction

The following sections present the detailed findings from the department-wide audit of Information Technology Governance. Findings are based on the evidence and analysis from both the planning and detailed audit conduct performed.

3.2 Governance

Finding 1: ITSMC is more operational than strategic

IT Governance exercised at the IT Strategic Management Committee is more focused on the operational and project level than on the strategic plane.

The success of IT Governance at Industry Canada depends on the ability of its committees to effectively carry out their expected roles. As per the committee's terms of reference, ITSMC is responsible for strategic direction to IT investment at IC.

The ITSMC has been in operation for one year. The initial priority of the committee was to establish and approve an Annual IT Plan for the department. The committee successfully brought together individual sector and business unit IT Plans, ensuring that the departmental IT spending ceiling was respected, that opportunities for collaboration between or among initiatives were identified and pursued, and that initiatives could be related to the department's program activity architecture and the priorities of individual sectors/business units. Subsequent meetings of the ITSMC addressed individual IT projects as they approached the idea generation stage of the process.

Some members of the ITSMC have indicated a concern that the discussion at the committee meetings is too focused on operational (project-centric) issues and not on the IT strategic direction of the department. Members have stated that the non-strategic level of discussion at the meetings is a contributing factor in the decline of attendance of members. The continued presence of substitute members in committee meetings may exacerbate the weakness of the ITSMC in providing strategic direction to IT investment.

Recommendation 1:

The Assistant Deputy Minister of Small Business and Marketplace Services (ADM, SBMS) should ensure the IT Strategic Management Committee operates at a strategic level.

Finding 2: Performance measures are not clearly established

Performance measures are not clearly established to ensure that IT Governance is achieving its intended results.

An effective IT Governance structure clearly establishes performance measures that ensure that the intended results are achieved.

No performance measures were found for IT Governance. However, project documents reviewed did identify some benefits or expected results of the initiatives such as "reduce maintenance / support costs", "improve data integrity / security", "increased return on investment" or "better customer service". In the vast majority of cases, these benefits were not stated in terms that could be quantified, measured and for which progress could be assessed. As a result, for the most part, project performance could not be measured, except in terms of cost, scope and schedule.

Without clear measures of performance, it is uncertain how the department will know whether this version of IT Governance is meeting its objectives.

Recommendation 2:

The ADM, SBMS should ensure that performance measures be established to demonstrate that IT Governance is achieving its intended results.

3.3 Internal Control

Finding 3: Incomplete Long Term Capital Plan

There is no link between the IT Annual Plan and the Long Term Capital Plan.

The Long Term Capital Plan (LTCP) provides the context for decisions about appropriate funding levels for departmental capital programs and individual project approvals.

As stated in the Treasury Board Policy on Long Term Capital Plans, the LTCP "is a management tool intended to assist departments in the overall management of projects and capital assets that support their programs". The LTCP ensures broad visibility of important investments and the availability of funds for multi-year projects and initiatives. It is important to include all significant projects (multi-year and/or costing more than $250,000) in the department's LTCP to ensure that funding is budgeted and made available for these IT investments.

Seven out of sixteen multi-year IT projects with estimated costs in excess of $250,000, identified in the 2008/2009 IT Project Portfolio, were found not to have been included in the current version of the departmental LTCP. Significant projects may escape budgetary oversight if they are not in the LTCP.

Recommendation 3:

The CIO should ensure that all significant IT Projects be reflected in the department's Long Term Capital Plan.

3.4 Risk Management

Finding 4: Risks to the Effectiveness of IT Governance 2.0

Overall risks to the effectiveness of IT Governance 2.0 are not formally identified, assessed and mitigated.

The identification and monitoring of risks that may preclude the achievement of objectives is a key management control. Sufficient oversight and analysis to ensure that identified risks are assessed from organizational and systemic perspectives demonstrates the effectiveness of IT Governance and contributes to the increased success of individual IT initiatives.

While some members of the ITSMC suggested that there may be some risks to the success of IT Governance 2.0, no effort appears to have been made to formally articulate overall risks to IT Governance in the department. Issues that led to the need to overhaul IT Governance 1.0 were taken into consideration in the formulation of IT Governance 2.0; however, the monitoring of the risks of these same issues occurring in the current IT Governance regime has not been undertaken.

We found that risks are identified on a project-by-project basis. These risks are not linked to organizational risks and do not permit the identification of systemic risks to the overall effectiveness of the current structure of IT Governance.

The absence of proper risk assessments at the organizational level could impede the effectiveness of IT Governance 2.0 as well as the identification and mitigation of organizational or systemic risk. If overall risks to IT Governance 2.0 are not formally identified, assessed and mitigated, there is an increased likelihood that IT Governance 2.0 may not function optimally.

Recommendation 4:

The ADM, SBMS in collaboration with the IT Strategic Management Committee should ensure that overall risks to the effectiveness of IT Governance 2.0 be formally identified, assessed, assigned to a responsible party and mitigated.

Notable Progress

The need for IT Governance is broadly recognized in the department and participants in the process see its value. The main successes to date are considered to be:

  • The development of a departmental IT Plan to manage IT spending,
  • Instilling project management discipline permitting oversight of IT projects (re: project cost, scope and timing),
  • Identifying opportunities for collaboration among IT projects with similar requirements,
  • Providing project management support to projects, and
  • The recent completion and approval by the DM of an IT Strategic Plan for the department.

Annex A: Detailed Audit Criteria

Governance

  • The oversight body (or bodies) has a clearly communicated mandate that includes roles with respect to governance, risk management and control.
  • The organization has clearly defined and communicated IT strategic directions and strategic objectives, aligned with its mandate.
  • External and internal environments are monitored to obtain information that may signal a need to re-evaluate the organization's objectives, policies and/or control environment.
  • The oversight body / bodies request and receive sufficient, complete, timely and accurate information to support the operation and administration of the committee.
  • The organization has in place operational plans and objectives aimed at achieving its strategic objectives.
  • Management has identified appropriate performance measures linked to planned results.
  • Authority, responsibility and accountability are clear and communicated.

Risk management

  • Management identifies the risks that may preclude the achievement of its objectives.
  • Management assesses the risks it has identified.
  • Management formally responds to its risks.

Internal Control

  • Risk-based control and clear departmental policies and guidelines are consistent with government policies.
  • A timely budget is developed at the appropriate level of detail.
  • The organization leverages, where appropriate, collaborative opportunities to enhance client service.
  • Assets are life-cycle managed.
  • Management reallocates resources to facilitate the achievement of objectives/results.
  • Human resource planning is aligned with strategic and business planning.

Annex B: Management Action Plan

The action plan below records, for each recommendation, the planned action or justification for no action, the responsible official, the target completion date, any revised completion date, and the current status.

Recommendation 1: The Assistant Deputy Minister of Small Business and Marketplace Services (ADM, SBMS) should ensure the IT Strategic Management Committee operates at a strategic level.

Planned Action:
  • Engage ITSMC in discussion regarding mandate and objectives
Responsible Official: Marie-Josée Thivierge
Target Completion Date: 2009/10 Q1
Revised Completion Date: none
Current Status: In progress

Recommendation 2: The ADM, SBMS should ensure that performance measures be established to demonstrate that IT Governance is achieving its intended results.

Planned Action:
  • Identify performance indicators and objectives from ITSMC mandate
  • Evaluate achievements
Responsible Official: Rick Rinholm
Target Completion Date:
  • 2009/10 Q1
  • Evaluation on-going
Revised Completion Date: none
Current Status: In progress

Recommendation 3: The CIO should ensure that all significant IT Projects be reflected in the department's Long Term Capital Plan.

Planned Action:
  • 2009/10 integrated IT project planning and LTCP information requirements (templates) to ensure consistency between IT projects and LTCP
  • Defined process for sharing information between CAS & CIO including use of common templates, Internal Orders and IT Project Portfolio reports
Responsible Official: Rick Rinholm
Target Completion Date: Complete
Revised Completion Date: none
Current Status:
  • New process established
  • Business Proposal Form and Business Case Templates complete
  • IT Project Portfolio report designed for LTCP for use by CAS
  • CAS in progress of promoting use of Internal Orders to track project costs

Recommendation 4: The ADM, SBMS in collaboration with the ITSMC should ensure that overall risks to the effectiveness of IT Governance 2.0 be formally identified, assessed, assigned to a responsible party and mitigated.

Planned Action:
  • Review 'High Level Risk Assessment' document (July 2007) and update risks and original mitigation strategies including use of formal frameworks/tools (maturity models, COBIT, etc.)
  • Analysis of identified risks including probability and impact assessments
  • Develop risk plan to address specific risks
Responsible Official: Marie-Josée Thivierge
Target Completion Date:
  • Risk Plan - 2009/10 Q1
  • Evaluation & control on-going
Revised Completion Date: none
Current Status: In progress