Archived - Audit of IM/IT Expenditures and Management Control Framework
Archived information
This Web page has been archived on the Web. Archived information is provided for reference, research or record keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Date: September 2010
Project Code: #09-063
PDF Version (185 Kb, 29 Pages)
Table of Contents
- List of Acronyms
- Executive Summary
- 1. Background
- 2. Objectives and Scope
- 3. Statement of Assurance
- 4. Methodology
- 5. Findings and recommendations
- 6. Conclusion
- 7. Management Action Plan
- Appendix A - Information Management Branch description of IM/IT expenditures
- Appendix B - Leading practices for managing IM/IT investments
List of Acronyms
Executive Summary
Background
The Audit and Evaluation Sector (AES) for Indian and Northern Affairs Canada (INAC) [Note 2] included an audit of regional Information Management / Information Technology (IM/IT) expenditures in their 2009-12 Risk-Based Audit Plan at the request of the Chief Information Officer (CIO). The scope of the audit was later expanded to include all Departmental IM/IT expenditures, as well as the Department's IM/IT management control framework.
While IM/IT solutions for the Department are provided by the Information Management Branch (IMB) led by the CIO in headquarters, other IM/IT resources are co-located in specific client areas throughout the Department. These resources are not managed by IMB and report to their respective regional management groups. The CIO reports directly to INAC's Chief Financial Officer (CFO) and the CFO is ultimately responsible and accountable for IM/IT at INAC.
INAC's IM/IT Strategic Plan indicates that the Department spends approximately $90M per year on IM/IT initiatives and services, with approximately $20M managed outside of IMB. However, the IM/IT Strategic Plan indicates that INAC only budgets for a quarter of annual IM/IT spending and uses surpluses at mid-year and year-end from other non-IM/IT business areas to make up the shortfall. A summary of actual IM/IT expenditures could not be confirmed prior to, or during, the audit.
Objective and scope
The primary audit [Note 3] objective was to provide assurance that IM/IT purchasing, development, implementation and maintenance activities at the national and regional levels are coordinated, in order to minimize duplication of effort and reduce unproductive expenditures.
The scope of the audit included an examination of the adequacy and effectiveness of the Department's IM/IT management control framework and organizational structure in supporting timely and cost-effective equipment acquisitions and system development, implementation and maintenance. The scope also included an examination of the Department's processes for identifying IM/IT needs, acquiring, developing and maintaining IM/IT assets, and reporting IM/IT expenditures. The audit focused on the development of applications and systems (planned and actual) and the acquisition of equipment and software during the 2007-08, 2008-09, and 2009-10 fiscal years.
Methodology
The audit was conducted from November 2009 to August 2010. The audit fieldwork was executed at headquarters and in a sample of six regional offices as follows: Saskatchewan, British Columbia, Alberta, Northwest Territories, Quebec, and Ontario. A risk-based audit program was developed and structured to include documentation reviews, interviews, and testing.
Findings and conclusions
Total IM/IT spending at INAC could not be determined due to:
- Lack of clear and consistent definition of IM/IT expenditures
- Variations in IM/IT financial coding across the Department
We also observed the following:
- Inconsistent and incomplete asset tracking
- Control deficiencies related to IM/IT asset procurement, particularly with respect to segregation of duties
- Inadequate cost-benefit analyses of third-party service agreements
- Misalignment of IM/IT strategies employed across regions and headquarters
We conclude that INAC does not have a complete view of total IM/IT spending and of assets across the Department. Inconsistencies were observed in the management of IM/IT investments across all regions visited. The inconsistent approach to implementing and managing IM/IT spending is operationally inefficient, leads to overspending on IM/IT devices, services and licenses, and weakens internal controls over assets in the Department.
Recommendations
We recommend that INAC address the issues identified to gain a complete view of IM/IT expenditures across the Department. Specifically, we recommend the following items be established and implemented consistently across all regions, including headquarters:
- Clear definition of IM/IT expenditures with a directive on financial coding and reporting of IM/IT expenditures
- National IM/IT asset-tracking system with functionality to manage asset life-cycles and to facilitate re-acquisition of assets from employees and contractors who leave the Department
- IM/IT asset procurement process with effective segregation of duties controls
- Complete inventory of third-party IM/IT service agreements and an appropriate cost-benefit analysis process for these services based on strategic significance
- IM/IT strategy to which regional practices across the Department are aligned
Addressing the above recommendations and improving IM/IT expenditure management will be challenging without first establishing a stronger IM/IT accountability framework to enforce greater consistency across the Department. We recommend that INAC identify root causes embedded in overall IM/IT governance and address the issues in consultation with other government departments and agencies.
1. Background
The Audit and Evaluation Sector (AES) for Indian and Northern Affairs Canada (INAC) [Note 4] includedan audit of regional Information Management / Information Technology (IM/IT) expenditures in their 2009-12 Risk-Based Audit Plan at the request of the Chief Information Officer (CIO). The scope of the audit was later expanded to include all Departmental IM/IT expenditures, as well as the Department's IM/IT management control framework.
INAC's Chief Financial Officer (CFO) has executive level accountability for the provision of IM/IT support services within the Department. The CFO sector is responsible for the following:
- Departmental finances and resources
- Departmental information management and information technology
- Departmental assets, materiel and procurement
IM/IT solutions for the Department are provided by the Information Management Branch (IMB) of the CFO sector. The IMB, which is led by the CIO and centralized in headquarters, is responsible for the majority of IM/IT services at INAC, including the purchase, development, implementation and maintenance of software and equipment. The CIO reports directly to the CFO.
In addition to the resources managed by IMB, there are IM/IT resources co-located in specific client areas throughout the Department. These resources are not part of IMB and, therefore, do not report to the CIO; rather, non-IMB resources report to their respective regional management groups.
IM/IT internal services underpin INAC's program activity architecture. [Note 5] Therefore, IM/IT has a direct impact on INAC's strategic objectives across all program activities. The stated IM/IT vision for INAC is "business enablers that add measurable strategic value to INAC's core business". IMB's mission is to deliver IM/IT solutions that "enable the achievement of INAC's strategic outcomes" with "an optimum return on resources invested".
INAC has made significant investments in IM/IT products and services. As further detailed in Section 5.1, a summary of total actual IM/IT expenditures could not be confirmed during the audit. Based on INAC's IM/IT Strategic Plan, released as draft in April 2009, INAC spends approximately $90M per year on IM/IT initiatives and services, with approximately $20M managed outside of IMB. However, the IM/IT Strategic Plan indicates that INAC only budgets for a quarter of annual IM/IT spending and uses surpluses at mid-year and year-end from other non-IM/IT business areas to make up the difference.
2. Objectives and Scope
2.1 Objective
The primary audit objective was to provide assurance that IM/IT purchasing, development, implementation and maintenance activities at the national and regional levels are coordinated, in order to minimize duplication of effort and reduce unproductive expenditures.
Secondary audit objectives, which depend on effectively coordinated IM/IT purchasing, development, implementation and maintenance activities, included providing assurance over the following:
- Regions regularly communicate IM/IT performance and expenditure (planned and actual) information to the IMB, in order to enable efficient and effective decision-making
- Regional IM/IT divisions have the necessary expertise to fulfill their IM/IT expenditure management responsibilities
2.2 Scope
The audit fieldwork was completed at headquarters and in six regions. The audit examined the adequacy and effectiveness of the Department's IM/IT management control framework and organizational structure in supporting timely and cost-effective equipment acquisitions and system development, implementation and maintenance.
The audit focused on the development of applications and systems (planned and actual), and IM/IT acquisitions (equipment and software) during the 2007-08, 2008-09, and 2009-10 fiscal years.
The scope included examining the Department's processes for identifying IM/IT needs, acquiring, developing and maintaining IM/IT assets, and reporting IM/IT expenditures. The audit was structured to cover the following broad areas of review:
- IM/IT expenditure classification and reporting
- IM/IT asset management
- IM/IT procurement controls
- Cost-benefit analysis for IM/IT services
- IM/IT strategy
2.3 Areas not in scope
Areas not examined as part of this audit include the following:
- IM/IT expenditures recorded for field equipment, including Handheld Global Positioning Systems (GPS) and geographic mapping devices
- IM/IT expenditure processes in the former Indian Residential Schools Resolution Canada (now part of INAC's Resolution and Individual Affairs Sector)
3. Statement of Assurance
Sufficient work was performed and the necessary evidence was gathered to support the findings, recommendations and conclusions contained in this report. The work was conducted according to a risk-based audit program developed collaboratively with INAC management.
The risk-based audit program was based on Control Objectives for Information and related Technology, version 4.1 (COBIT 4.1) and the Project Management Institute's Project Management Body of Knowledge, version 4 (PMI PMBOK 4). The audit was executed in conformity with the Internal Auditing Standards of the Government of Canada. It does not constitute an audit or review in accordance with any Generally Accepted Auditing Standards (GAAS).
In addition to the Internal Auditing Standards of the Government of Canada, the audit procedures were aligned with the Treasury Board's Policy on Internal Audit and related policy instruments and the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing.
4. Methodology
4.1 Approach and timeline
The audit was conducted in three distinct phases:
- Planning Phase (November 2009 – January 2010)
- Conduct Phase (January 2010 – July 2010)
- Reporting Phase (July 2010 – August 2010)
4.2 Audit approach
The audit fieldwork was conducted at headquarters and in a sample of regions as follows:
- Saskatchewan (Regina office)
- Alberta (Edmonton office)
- British Columbia (Vancouver office)
- Northwest Territories (Yellowknife office)
- Quebec (Quebec office)
- Ontario (Toronto office)
Regions were selected based on the following criteria:
- Unique regional IM/IT systems, projects or initiatives being used to support the delivery of INAC programs and services
- Total number of IT resources in the region, according to IMB's IM/IT Strategic Plan for 2008-13
- Region-specific factors identified to increase the level of risk associated IM/IT expenditures
A risk-based approach was used to scope the audit and focus on areas of greatest risk to INAC. The risk-based audit program was structured to include documentation reviews, interviews, and testing.
5. Findings and recommendations
The findings and recommendations are organized according to the following five areas of review:
- IM/IT expenditure classification and reporting
- IM/IT asset management
- IM/IT procurement controls
- Cost-benefit analysis for IM/IT services
- IM/IT strategy
These areas are described in the following sections.
5.1 IM/IT expenditure classification and reporting
A clear definition statement for IM/IT expenditures is critical to the proper tracking of IM/IT expenditures for the Department. IM/IT expenditures are broadly defined in IMB's IM/IT Strategic Plan, which was not finalized at the time of the audit. However, this definition, provided in Appendix A, does not provide sufficient granularity to enforce appropriate coding of expenditures. Similarly, the line object codes in INAC's financial system do not reflect the definition.
Regions visited used different methods of tracking IM/IT expenditures, based on differing definitions of what constitutes an IM/IT expenditure. In general, the coding used to report expenditures in the financial system is determined based on the discretion of regional finance personnel. This practice causes inconsistency across INAC, preventing a Department-wide view of all IM/IT expenditures.
The ambiguity and inconsistent financial coding prevents a complete list of IM/IT expenditures from being established. More fundamentally, IM/IT costs could not be estimated due to the magnitude of variation. Significant IM/IT expenses were coded as non-IM/IT costs and, similarly, non-IM/IT expenses were coded as IM/IT costs. While the draft IM/IT Strategic Plan suggests that $90M is spent annually on IM/IT, INAC management lacks a break-down and high-level summary of actual IM/IT spending.
Three different methods of differentiating IM/IT expenditures in INAC's financial system, "OASIS", were observed in regions. Regional expenditures were coded according to specific:
- Line object codes
- Activity codes
- Responsibility Center Manager (RCM) codes
The use of different methods to classify and track regional IM/IT expenditures prevents national financial roll-up of IM/IT expenditures.
The ambiguity regarding what constitutes an IM/IT expenditure also contributes to inconsistent asset tagging and tracking practices, as further discussed in Section 5.2.
Interviews indicated that because line object codes define the nature of expenditures, using line objects to track costs enforces more accurate coding than RCM codes and activity codes. However, the accountability framework for expenditures is based on RCMs and activity codes.
There should be a clear link between the definition of IM/IT expenditures, the financial codes used to classify and track the expenses, and the Department's accountability framework. Each region should classify and track expenditures according to the same definition, using the same financial coding mechanism, allowing for a Departmental view of IM/IT expenditures that still maps back to persons accountable for IM/IT expenditures.
The organizational framework at INAC may be impeding clear IM/IT reporting, as the accountability for IM/IT expenditures is fragmented across headquarters and regions. Without first establishing an IM/IT accountability framework and hierarchy that enforces consistent financial reporting on IM/IT expenditures, a complete view may be difficult to achieve.
Finding 1: IM/IT spending at INAC cannot be determined due to: 1) the lack of a clear and consistent definition of IM/IT expenditures and 2) variations in IM/IT financial coding across the Department.
5.2 IM/IT asset management
In addition to classification and financial coding method inconsistencies, asset tracking practices varied widely in regions visited. Specifically, multiple tracking systems were used in each region, as summarized in Table 1 below.
None of the systems listed in Table 1 provides a complete view of the assets deployed. A complete list of IM/IT assets in regions visited could not be established. Completeness tests were conducted to map physical assets back to tracking systems and to reconcile assets across various tracking systems. The exception rate was high, and included the following observations:
- Incomplete regional asset listings; in particular:
- Multiple irreconcilable regional asset listings
- Untracked IT devices that were located physically in regions during the audit, but could not be found in the asset tracking lists
- Untracked IT devices that were observed on the regional network but could not be located physically in the region or found in the asset tracking lists
- High number of untagged assets
- Duplication of IM/IT asset tracking between different business units
- Fixed Asset Module in one region had not been updated in over six months due to the departure of a key regional resource (at the time of the audit, no other regional representatives had access to the system)
Table 1 - Asset tracking mechanisms used in headquarters and regions visited
System used in the region (X = no, √ = yes) |
Regions (includes headquarters) | ||||||
---|---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | 7 | |
OASIS Fixed Asset Module | √ | √ | X | √ | √ | √ | √ |
Remedy | X | X | X | X | √ | √ | X |
Locally-developed system for tracking | X | X | √ | X | X | X | X |
Regional tracking sheet | √ | √ | X | √ | X | X | X |
This table lists the multiple tracking systems that are used across the country to track IM/IT assets, and indicates which region is using each system.
System use is broken down in the following way:
- The Oasis Fixed Asset Module is being used by region numbers 1, 2, 4, 5, 6, and 7.
- Remedy System is being used by region numbers 5 and 6.
- A locally-developed system for tracking is being used in region number 3.
- A regional tracking sheet is being used in region numbers 1, 2, and 4.
IM/IT life-cycle tracking and monitoring is a critical component of IM/IT expenditure management. However, none of the asset tracking systems examined during the audit contained a complete view of relevant asset information. The lack of a single tracking log can lead to overspending because a complete inventory of current IM/IT assets, and their lifecycle status, is unknown. Furthermore, duplication of effort associated with using multiple systems to track assets is operationally inefficient.
In addition to risks of overspending and inefficiencies, there are significant risks associated with the re-acquisition and disabling of devices and software licenses when employees leave the Department. Devices and access rights assigned to employees are not entered in the asset-tracking systems.
Some regions rely on exit interviews to identify assets prior to employee departure; however, exit interviews may not highlight all the necessary information and may not occur (particularly for contractors). Other regions use locally-developed entry-exit systems to assist in identifying employees leaving INAC. However, there was no evidence available to demonstrate a process for disabling all computer program access for a departed employee. Re-acquisition and disabling of IM/IT assets is critical for both security and financial reasons.
The following risks result from the tracking deficiencies:
- Loss of data integrity and gaps in asset data completeness
- Equipment loss or theft by employees and contractors leaving the Department
- Overspending on bandwidth per user and licensing agreements incurred by departed employees and contractors
- Unnecessary purchase of duplicate assets due to the lack of a complete inventory
- Security risks associated with the retention of assets by departed employees and contractors
- Costs due to re-work and inefficiencies associated with the maintenance of multiple tracking lists
A root cause of the wide variation in asset tracking mechanisms may be the lack of a documented asset management process. There was no evidence available to demonstrate documented, consistent guidelines and procedures for managing IM/IT assets. An "Asset Custodian Guide" document was used by some regions, but appeared not to be accessible to other regions. In addition, no evidence was available to demonstrate that the periodic inventory counts specified by the Asset Custodian Guide are performed by regions.
INAC should have a reportable inventory of IM/IT assets deployed Department-wide, indicating where assets are in their hardware lifecycle. The following information should be included in the reportable inventory system:
- Basic asset details, including description, invoice number, financial coding details, date of acquisition and cost
- Life-cycle information, including warranty information and forecasted replacement date
- Tracking number, which should be a unique identifier based on a Departmentally-consistent numbering system
- Location, including physical location and user, specifying employee or contractor
- Asset usage metrics to identify unutilized devices and software
These attributes were not captured in any of the systems examined during the audit. In addition to improving asset management and operational efficiency, a reportable inventory could also be used to measure whether assets are satisfying operational needs.
In order to establish an effective Departmental system, regions should use consistent asset tracking and tagging practices to allow for national consolidation of information. It is important that accountability for IM/IT assets is clear and that an appropriate governance framework is in place to enforce compliance.
Finding 2: Inconsistent and incomplete asset tracking mechanisms are used across headquarters and regions. This leads to control deficiencies regarding the re-acquisition of IM/IT assets when employees and contractors leave the Department.
Recommendation 2: The CFO, in collaboration with the CIO and Assistant Deputy Ministers (ADM) responsible for regional operations and staff, should implement a national system to track all IM/IT assets. This system should track device life-cycle, warranty, user and location information and should provide functionality to ensure that all devices and licenses assigned to employees and consultants are reacquired and/or removed upon departure. Once a national tracking system has been implemented, the CIO should conduct a Department-wide inventory of IM/IT assets.
5.3 IM/IT procurement controls
A key component of effective IM/IT expenditure management is enforcing controls within the procurement process, particularly for the acquisition of IM/IT assets. During the audit, evidence of a documented procurement process for IM/IT devices, services and licenses was not available for review.
We also observed procurement control deficiencies in regions visited, particularly inadequate segregation of duties. Specifically, we found instances of products requested and received by a single individual, which creates a risk of theft and fraud. Segregation of duties should be upheld between the requester and receiver of an IM/IT asset.
We found further control deficiencies regarding the commitment of funds for IM/IT products and services, whereby evidence was not available to demonstrate who had committed the funds (i.e. requested the product or services for a specified cost). Similarly, we noted test exceptions whereby evidence of verification that products and/or services were rendered in accordance with the commitment of funds (i.e. receiving products or services) was not available for review. Many purchase orders tested lacked signatures in accordance with the Financial Administration Act (FAA). These inadequacies lead to a lack of accountability over the acquisition of IM/IT goods and services.
In regions with multiple offices, the request, receipt, and tagging of IM/IT assets often occurs in a different geographical location than the financial coding and tracking of the asset. As a result, we found instances of assets being logged and tracked without verification of physical existence. This practice becomes particularly problematic when it is a single individual performing the request, receipt and tagging of assets and no independent verification is conducted.
In testing procurement compliance, we observed the following test exceptions:
- Theft of two laptops awaiting processing and tagging
- Improper asset classification
- Improper expense coding
- Expense discrepancies between general ledger and asset invoice
- Untracked assets transferred across regions and offices
- IM/IT goods and services purchased by other business units without the knowledge of IM/IT management
As introduced in Section 5.1, there is a further aspect of IM/IT procurement that appears to be impeding governance over IM/IT expenditures: the acquisition of IM/IT goods and services by persons not responsible or accountable for IM/IT budgets and decisions.
Because IM/IT procurement is managed outside of the Department's IM/IT accountability structure, acquisitions can be misclassified and omitted from Departmental listings. This impacts several aspects of IM/IT expenditure management, including asset tracking and life-cycle management, inventory counts, and IM/IT purchasing decisions. Based on a key word search in OASIS, we identified several IM/IT goods and services purchased outside of IM/IT coding. INAC could conduct similar key words searches to flag IM/IT goods and services purchased elsewhere to verify proper coding, tracking and accountability.
A strong IM/IT governance framework is required to effectively manage controls related to the acquisition of assets. Without first addressing issues pertaining to the organizational framework and accountability for IM/IT assets, an effective IM/IT procurement process may be difficult to implement across all regions.
Finding 3: Control deficiencies exist with respect to the procurement of IM/IT assets. In particular, there exists insufficient segregation of duties upheld between the request and receipt of IM/IT assets as well as inadequate controls to enforce accountability for the commitment of funds for IM/IT expenditures.
Recommendation 3: The CFO, in collaboration with the CIO, should establish a consistent, documented and communicated procurement process for acquiring IM/IT assets that enforces appropriate segregation of duties across all regions and headquarters.
5.4 Cost-benefit analysis for IM/IT services
INAC provides IM/IT services to other organizations and, similarly, receives IT services from third-party service providers. In regions visited, IM/IT services purchased by INAC and provided to other organizations by INAC were examined for risks to the Department. Our observations are further detailed below according to the following areas of review:
- IM/IT services purchased by INAC
- IM/IT services delivered by INAC
- Management of IM/IT third-party service agreements
5.4.1 IM/IT services purchased by INAC
The largest IM/IT expense in one region visited relates to IT services delivered by a single third party with a few contractors. The contract entailed the following services, with annual fees of over $1M:
- System development, including 15 system development projects between 2006-07 and 2008-09
- Regular hardware and software maintenance
- Helpdesk services
Levels of effort associated with system development and Helpdesk services were tracked in the region, but hardware and software maintenance levels of effort were not.
There was no evidence available to demonstrate a cost-benefit analysis performed on services rendered, despite an annual regional cost exceeding $1M. Furthermore, while the services are primarily related to IT development and maintenance, the expenses were coded to "Other Professional Services", which is problematic for national tracking of system development and maintenance costs.
A direct cost-benefit analysis could not be performed during the audit because the level of effort afforded to hardware and software maintenance was not tracked or known. Management interviewed were unsure as to whether some IM/IT projects had been cost-effective because metrics were not tracked for analysis. Similarly, we were informed that a large system-development project had not been allocated a project code and, therefore, costs associated with the project could not be provided.
We noted that the associated contract fees have increased over the past three fiscal years, despite reduced levels of effort associated with system development. Figure 1 illustrates the trend. Helpdesk services are considered immaterial to the total fees, as they included only 596 hours of labour over the three fiscal years examined.
Figure 1 - Fees associated with systems-development level of effort versus total fees paid for one regional IT service provider
This graph displays a trend over time of fees associated with IM/IT system development compared to fees associated with IM/IT maintenance and support. The trend shows that maintenance and support fees has been quickly and significantly increasing, despite the fact that the fees associated with system development have increased slowly, and have recently levelled off.
- 2007 - Quarter 3. System development fees are around $400,000. IM/IT maintenance and support fees are around $400,000.
- 2008 - Quarter 1. System development fees are around $500,000. IM/IT maintenance and support fees are around $1 Million.
- 2008 - Quarter 3. System development fees are around $600,000. IM/IT maintenance and support fees are around $1.3 Million.
- 2009 - Quarter 1. System development fees are around $750,000. IM/IT maintenance and support fees are around $2 Million.
- 2009 - Quarter 3. System development fees are around $800,000. IM/IT maintenance and support fees are around $2.5 Million
- 2010 - Quarter 1. System development fees are around $800,000. IM/IT maintenance and support fees are around $3.5 Million.
Because level of effort for hardware and software maintenance is not tracked, the origin of the additional fees could not be determined. Regional representatives indicated that no increased level of effort associated with maintenance should have been incurred based on regional circumstances. Because maintenance costs can represent a significant portion of IM/IT system development initiatives, as indicated in Figures 1, it is important that IM/IT budgets and expenditure monitoring mechanisms be in place to effectively manage INAC's IM/IT investments.
There is a risk that similar contract terms could result in the self-generation of service. Specifically, there is a risk that systems could be developed to require high maintenance, only available from the system developers. While the fees observed may be reasonable, and the services value-added, documented cost-benefit analysis and contract life-cycle monitoring should be conducted. There was no evidence available to demonstrate a process in place to monitor contracts and/or service level agreements in order to enforce value-for-money services.
5.4.2 IM/IT services delivered by INAC
In addition to services provided to INAC, INAC provides IM/IT services to several separate organizations and agencies. No evidence was available to demonstrate whether the fees collected for services rendered were appropriate. We noted that for two different organizations to which INAC provides similar IM/IT services, the Department collects $500 per Full Time Equivalent (FTE) from one organization versus $10K/FTE from the other. While the first organization has fewer employees and lower overall maintenance, the 20-fold difference in fees collected could not be explained by regional management. Moreover, the respective memorandums of understanding (MOU) payment schedules could not be substantiated with financial analysis on service costs.
Risks were also identified with respect to a 2009-10 MOU between INAC and Canadian Northern Economic Development Agency (CanNor). In particular, the MOU specified that CanNor is to have continued IM/IT access (from INAC) until specified in writing from CanNor that IM/IT use is no longer required. We understand from INAC management that funds were only transferred from CanNor to INAC at year-end for services provided in fiscal year 2009-10. This arrangement is problematic for INAC because funds remaining at year-end lapse and cannot be used. While CanNor was a particularly challenging issue to manage given the agency's creation mid- year, the risks identified in the MOU may be indicative of issues with other agreements with separate organizations.
5.4.3 Management of IM/IT third-party service agreements
A cost-benefit analysis should be performed for both the purchase and provision of services to prevent the following risk events:
- IM/IT overspending due to fees that do not reflect level of service received
- Insufficient fees recovered due to over-provision of INAC services
A complete inventory of IM/IT contracts, service level agreements (SLA) and MOUs should be available to monitor spending, as well as to leverage existing service agreements and compare fees across regions. There is no evidence that such a repository exists. This is particularly important because INAC employs seven times more IM/IT consultant and contract labour than its peer group, as previously discussed in Section 5.2. Contract oversight is a key component of IM/IT expenditure management and could allow for synergies if services were compared and leveraged across regions and headquarters according to cost-benefit analyses.
We have identified a few specific examples in this report; however, they may be symptomatic of more wide-spread cost-benefit analytical deficiencies. Interviews suggested that both internal and external IM/IT initiatives lack adequate cost-benefit analysis and that value-for-money is not enforced for service providers and for internally-driven and developed projects.
As described in Appendix B, a key component of effective IM/IT investment management entails formal costing analyses for direct and indirect costs of existing operations and proposed investments. Such analysis should consider the costs and benefits over a total life-cycle. This is consistent with INAC's IM/IT Strategic Plan, which states that the Deputy Minister is seeking more financially-backed statistics demonstrating value-for-money of Departmental services.
INAC should formalize an approach for managing IM/IT investments across the Department. Cost-benefit analysis should be performed for third-party agreements and for internally-developed projects to make better investment decisions across different geographical locations.
Finding 4: An inadequate cost-benefit analysis process is in place for IM/IT contracts, SLAs and MOUs. There is no evidence to demonstrate that the Department has a complete view of third-party IM/IT service agreements and associated fees, or that a process is in place to measure return on investment for IM/IT initiatives performed across regions and headquarters.
Recommendation 4: The CFO should establish and maintain a complete inventory of IM/IT contracts, SLAs and MOUs. The CFO, in collaboration with the CIO, should also formalize a Departmental process to perform appropriate cost-benefit analyses for IM/IT service agreements based on strategic significance.
5.5 IM/IT strategy
Documented procedures and end-to-end workflows are fundamental to maintaining the continuity and consistency of the IM/IT expenditure management process. Documented IM/IT expenditure processes were requested in all regions visited. However, evidence was not provided to demonstrate that all regions maintained documented IM/IT expenditure management processes. Regions execute independent IM/IT expenditure management practices in the absence of guidance from headquarters. More fundamentally, the underlying IM/IT strategy was inconsistent across headquarters and regions.
An IM/IT Strategic Plan, developed by the IMB, was made available for review at headquarters; however, the document was not finalized and had not been implemented consistently across regions. While the plan was intended to cover the 2008-13 timeframe, the document has not been finalized and there is no evidence to demonstrate that it has been approved or that the actions and outcomes planned for Years 1 and 2 have occurred. In general, it was unclear how the IM/IT Strategic Plan is used, and if and how Departmental practices are intended to align with the plan.
We observed a lack of strategic collaboration between regions and headquarters. Processes in regions visited do not consistently support INAC's strategic shift toward a revised centralized IM/IT model, defined to be "premised on strong IM/IT governance, centralized oversight and performance measurement, and full centralization of the most common IM/IT services provided to clients. Instead, regions implement local systems outside the national framework. In addition to a decentralized national model, we observed decentralized regional models, where IM/IT expenditure management is divided and spread out within a region. Overall, key performance and expenditure information required for effective decision-making is not consistently communication by regions to IMB at headquarters.
As explained in Section 5.1, regions do not categorize IM/IT expenditures according to the four categories specified in the IM/IT Strategic Plan, outlined in Appendix A. The different definitions are contributing to the reporting and tracking variances previously discussed in Sections 5.1 and 5.2.
We observed cases where systems were developed regionally, in isolation of headquarters and other regions, for which the source code was later shared with other regions. To account for local differences, other regions modified the source code, leading to multiple customized versions of the same system being used simultaneously. This uncoordinated approach to system development creates many risks for INAC and may be symptomatic of a lack of IM/IT governance. While central systems can, and perhaps should, be developed in regions outside of headquarters, a central process should exist to oversee and approve development initiatives. Furthermore, systems used across regions should adhere to a policy framework. Uncontrolled system customization can further the regional process inconsistencies.
The following two potential root causes of these misaligned practices were identified:
- IM/IT Strategic Plan has not been finalized. Furthermore, the IM/IT organizational framework does not appear to enforce the IMB strategic plans and a revised centralized model.
- Departmental process for approving IM/IT projects and system-development initiatives does not differentiate between national systems and region/user-specific systems.
INAC system-development initiatives currently undergo a review and approval process at headquarters, administered through a "seven gate model". This is a key control for national systems; centralized review and approval is important for warranting that user needs are met, performing cost-benefit analyses, and mitigating system development risks. However, for region-specific system-development initiatives, the needs and system objectives can differ greatly from those of national systems. Specifically, as opposed to wide-spread importance, a regional project may entail critical importance to a small client base. While less significant on a national scale, the smaller project may be easier and faster to implement, and necessary for program delivery to a specific client group.
All system-development initiatives across INAC undergo the same seven-gate process. The queue of projects pending central evaluation is prioritized at headquarters in order of national significance. Therefore, smaller, region-specific initiatives (for example, a mining database specific to serving northern region clients) can continually be preceded for evaluation by larger projects. To overcome the associated process delays and meet client needs, regions circumvent the central review and approval process and develop the required systems. This practice prevents national oversight of IM/IT initiatives and perpetuates isolated system development projects.
To address this issue and enforce central oversight and approval of system development across the Department, INAC should consider separate processes for evaluating national systems and smaller region-specific (or client-specific) systems. The central approval process queues and "gates" should reflect inherent differences between national and client-specific initiatives. Overall, region and client needs should be considered when developing central processes; collaboration between regions and headquarters is an important aspect of achieving strategic alignment and Departmental consistency.
Similarly, INAC should evaluate whether the current organizational framework enforces IM/IT managerial and strategic consistency. Approximately 65 non-IMB resources are dedicated to IM/IT across regions. [Note 6] If no single individual is actively responsible for IM/IT initiatives and services across all regions and headquarters, it may be challenging to achieve alignment between regional and headquarters practices and the Department's IM/IT strategy put forth by the IMB.
Centralization can facilitate greater consistency and strategic alignment; however, "centralization" does not need to be headquarters-driven to achieve a successful centralized model. INAC's mandate is to support Aboriginals and Northerners; therefore, a centralized IM/IT model should prioritize client-specific needs in each region. In some cases, centralized system-development may be most effectively implemented in regions outside of headquarters, where client-facing initiatives are most prominent.
Finding 5: Misalignment exists between the IM/IT strategies employed across regions and headquarters, resulting in widely varying practices and decentralized system-development initiatives.
Recommendation 5: The CFO, in collaboration with the CIO and ADMs responsible for regional operations and staff, should finalize a Departmental IM/IT strategy to which local strategies and processes align across all regions and headquarters. Root causes of inconsistent practices should be addressed to establish a consistent approach to managing IM/IT initiatives across the Department.
6. Conclusion
The primary audit objective was to provide assurance that IM/IT purchasing, development, implementation and maintenance activities at the national and regional levels are coordinated, in order to minimize duplication of effort and eliminate unnecessary expenditures.
Findings in the following five major areas were identified:
- Classification and financial reporting of IM/IT expenditures
- Asset tracking, life-cycle management and exit protocols for departed employees and contractors
- Procurement controls for the acquisition and processing of IM/IT assets
- Cost-benefit analyses for IM/IT services received and rendered
- Department-wide IM/IT strategic alignment
We conclude that INAC does not have a complete view of total IM/IT spending and of assets across the Department. Inconsistencies were observed in the management of IM/IT investments across all regions visited. The inconsistent approach to implementing and managing IM/IT spending is operationally inefficient, leads to overspending on IM/IT devices, services and licenses, and weakens internal controls over assets in the Department.
The challenges facing INAC may be consistent with those confronted by some other government departments. In addressing the findings and recommendations in this report, INAC should consider leading industry practices and should consult other government departments and similar organizations. Shifts in the Department's IM/IT strategy and organizational framework may assist in achieving a mature IM/IT investment management model. Leading practices to consider are provided in Appendix B.
In summary, improving IM/IT expenditure management requires a client-focused approach to enforcing greater accountability over IM/IT management across regions and headquarters. We recommend that INAC identify root causes embedded in overall IM/IT governance to enable effective implementation of the recommendations in this report, and that the issues be addressed where appropriate in consultation with other government departments and agencies.
7. Management Action Plan
Management Observation | Proposed Action | Responsible Manager (Title) |
Planned Implementation Date |
---|---|---|---|
There is a recurring theme throughout the Audit Report that indicates that certain, fundamental elements need to be addressed before the following recommendations can be implemented. This theme is centered on some gaps in existing governance, and the ability for the CIO to exercise strong functional direction over IM/IT activities within the federated organizational model applied at INAC. Specifically, there is the lack of an overall policy on the governance over IM/IT that clearly defines the role and accountability of the CIO as it relates to that governance. |
The CIO is responsible for the IM/IT Branch which reports to the CFO. The CIO will prepare a policy on the governance of IM/IT at INAC for the approval of the Deputy Minister. The policy will specify the accountability of the CIO for the leadership of the function within the Department, and the roles and accountabilities of other executives within the Department. This policy will be the foundation for other policy instruments (some of which are mentioned in this plan) that enable the effective governance of IM/IT at INAC. |
Chief Financial Officer (CFO) | December 2010 |
Additionally, a number of recommendations below address certain aspects of procurement and asset management but not the process as a whole. Significant improvements can be made if attention is paid to procurement globally both in terms of planning and execution. | The CIO will work with the DG, Corporate Accounting and Materiel Management to establish a dedicated, IM/IT specific procurement capacity and the associated workflows. The procurement of goods and services will also be integrated into the Portfolio Management Framework as an integrated process overlay. This approach will introduce better control, and through better planning, result in more effective procurement decisions. | March 2011 | |
1. The CFO, in collaboration with the CIO, should develop and implement a directive that clearly defines IM/IT expenditures, specifying the respective line objects to be used for financial reporting. | The CIO will work with the DG, Planning and Resource Management and the DG, Corporate Accounting and Materiel Management to specify and define how the Departmental chart of accounts is to be used to track IM/IT expenditures effectively. The application of elements of the CoA will be clearly defined as a national standard. These requirements will be communicated in the form of a directive. | Chief Financial Officer (CFO) | January 2011 |
2. The CFO, in collaboration with the CIO and Assistant Deputy Ministers (ADM) responsible for regional operations and staff, should implement a national system to track all IM/IT assets. This system should track device life-cycle, warranty, user and location information and should provide functionality to ensure that all devices and licenses assigned to employees and consultants are reacquired and/or removed upon departure. Once a national tracking system has been implemented, the CIO should conduct a Department-wide inventory of IM/IT assets. |
The CIO has a software tool (viaTIL Remedy) that is capable of tracking assets and verifying inventory. The CIO will adjust existing processes to ensure that entry and exit procedures include the assignment and re-acquisition of hardware and software assets, and the effective management of system access rights and permissions. Once these measures are in place, the CIO will initiate a national baseline inventory and introduce inventory management processes. The CIO will issue a directive specifying the process to be followed and making mandatory the use of the Remedy tool as a national standard. |
Chief Financial Officer (CFO) and ADMs responsible for regional operations and staff | January 2011 |
3. The CFO, in collaboration with the CIO, should establish a consistent, documented and communicated procurement process for acquiring IM/IT assets that enforces appropriate segregation of duties across all regions and headquarters. |
The CIO will issue a directive under the policy on the governance of IM/IT that will specify the processes and authorities for the procurement of IM/IT professional services and hardware and software. The CIO will work with the DG, Corporate Accounting and Materiel Management to ensure that the necessary controls and reporting capabilities exist to support these processes. These measures will include dedicated procurement capacity, monitoring, tools and templates, etc. The CIO will also encourage greater use of the centralized procurement of IT assets which may address such issues as the segregation of duties with respect to procurement and receipt as was observed during the audit. |
Chief Financial Officer (CFO) | March 2011 |
4. The CFO should establish and maintain a complete inventory of IM/IT contracts, SLAs and MOUs. The CFO, in collaboration with the CIO, should also formalize a process to perform appropriate cost-benefit analyses for IM/IT service agreements based on strategic significance. |
The CIO will specify the parameters for defining and measuring performance of acquired services, service agreements, and Memoranda of Understanding that pertain to IM/IT. This will include the requirement for an explicit statement of the expected benefits associated with the 3rd party arrangement, and the means and periodicity of reviewing and reporting. The CIO will endeavour to define a standard approach for the determination of benefits realized from such arrangements. This requirement will be communicated in the form of a Directive under the policy on governance of IM/IT. The CIO will develop an inventory of these agreements which will be reviewed by the Information and Technology Stewardship Group, and monitored on an annual basis. |
Chief Financial Officer (CFO) | December 2010 |
5. The CFO, in collaboration with the CIO and ADMs responsible for regional operations and staff, should finalize a Departmental IM/IT strategy to which local strategies and processes align across all regions and headquarters. Root causes of inconsistent practices should be addressed to establish a consistent approach to managing IM/IT initiatives across the Department. | The CIO will complete and obtain approval of the draft IM/IT Strategy. This strategy will provide the context for the policy on the governance of IM/IT and will form the basis for plans and activities across the Department's sectors and regions. | Chief Financial Officer (CFO) and ADMs responsible for regional operations and staff | January 2011 |
Appendix A - Information Management Branch description of IM/IT expenditures
To provide further context to the report, the four categories of IM/IT expenditures, according to the 2008-2013 draft IM/IT Strategic Plan,are provided as follows:
- Sustainment initiatives, which include:
- Ongoing support, maintenance and upkeep of the Department's IM/IT equipment
- IM/IT support services
- Life-cycle replacement requirements for equipment and software
- Tactical initiatives, which include:
- Changes and improvements to technology infrastructure within the Department
- Statutory changes and annual maintenance associated with application software
- Evolutionary initiatives, which include:
- Introduction of new systems and technology adding value to existing or new business processes and/or introduction of process improvements in efficiency and effectiveness
- Transformational initiatives, which include:
- Major change management initiatives within the Department with a technology component
Appendix B - Leading practices for managing IM/IT investments
Many organizations are challenged in managing IM/IT investments, particularly because information management and information technology are rapidly growing fields. IM/IT leading practices have been established in large part due to concern over the generally increasing level of IM/IT expenditures. [Note 7]
According to COBIT, the assignment of responsibility and accountability for investment selection and budgeting to a specific individual is representative of a mature IM/IT investment management process. IM/IT investments should be budgeted and selected based on an analysis of the long-term cost and benefits of the total life-cycle. In contrast, selection and budgeting of IM/IT investments performed in isolation, with informal documentation, is representative of an immature IM/IT investment management process. [Note 8]
The following are aspects of effectively managing IM/IT investments: [Note 9]
Process and strategy
- Defining, documenting and communicating policies and processes for IM/IT investment and budgeting that cover key business and technology issues
- Aligning the IM/IT budget to the strategic IM/IT and business plans
- Formalizing, documenting and communicating processes for budgeting and selecting IM/IT investments
Accountability
- Formalizing the approval of IM/IT investment selections and budgets
- Acquiring IM/IT expertise and skill-sets necessary to develop IM/IT budgets and recommend appropriate investments
- Assigning a specific individual with the responsibility and accountability for IM/IT investment selection and budgeting
Investment decisions
- Performing formal costing analyses for direct and indirect costs of existing operations and proposed investments that consider costs and benefits over a total life-cycle
- Calculating IM/IT benefits and returns in financial and non-financial terms
- Using industry leading practices to benchmark costs and identify approaches to increase IM/IT investment effectiveness
Footnotes
- INAC is also referred to as "the Department" in this report (return to source paragraph)
- INAC is also referred to as the "Department" in this report. (return to source paragraph)
- The audit was executed in conformity with the requirements of the Treasury Board Policy on Internal Audit and followed the Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing. It does not constitute an audit or review in accordance with any Generally Accepted Auditing Standards (GAAS). (return to source paragraph)
- INAC is also referred to as the "Department" in this report. (return to source paragraph)
- INAC 2008-2009 Departmental Performance Report (DPR) (return to source paragraph)
- IM/IT resource figures stated in the IM/IT Strategic Plan could not be validated in regions visited; therefore, we cannot confirm the accuracy of resource numbers reported. (return to source paragraph)
- COBIT 4.1 (page 9) (return to source paragraph)
- COBIT 4.1 (page 50) (return to source paragraph)
- COBIT 4.1 (page 50) (return to source paragraph)