Audit of Information Management / Information Technology Governance and Integrated Planning
Project 2020-6B306
May 2020
Introduction
The Internal Audit Directorate (IAD) conducted an audit to examine information management and information technology (IM/IT) governance, project management and integrated planning in accordance with Fisheries and Oceans Canada's (DFO) 2019-2021 Risk-Based Audit Plan.
Information Management and Information Technology (IM/IT) play a vital role within the Government of Canada by supporting efficient service delivery, enabling communication, encouraging openness and transparency, and increasing the accessibility of programs and services to Canadians.
Federal Departments must adhere to and comply with the expectations as defined by Treasury Board policy frameworks. On April 1, 2020, the Treasury Board Policy on Service and Digital will replace the existing IM/IT and service policy frameworks. The objective of the Policy is to improve the client service experience and government operations through digital transformation approaches. One of the expected results of the Policy is to ensure that integrated decision-making is supported by enterprise governance, planning and reporting. The Policy and its related Directive on Service and Digital establish objectives and expected results that departments must comply with, as well as specific responsibilities for Deputy Ministers and Chief Information Officers (CIO).
Why this audit is important
Effective governance, integrated planning and project management processes are fundamental to the successful achievement of the Department's mandate through its strategic objectives, financial and operational priorities and through delivery of its programs. The transformational implications of the Policy on Service and Digital and its related Directive are important for the Department because they define expected results and accountabilities for the Deputy Minister and the Chief Information Officer (CIO).
The audit is important for the Department because its IM/IT environment is complex due to its size, the broad nature of its mandate and the extent to which multiple sectors and the Canadian Coast Guard rely on enabling technology to support the delivery of national and region-specific programs.
The DFO Chief Information Officer is accountable for the achievement of all Departmental IM/IT projects across multiple national and regional sectors, as well as the IM/IT projects for the Canadian Coast Guard. In FY 2018-2019, the Department spent $83.6 million on IM/IT projects.
Audit objective
The purpose of this audit was to determine whether DFO has governance structures and processes in place to manage IM/IT projects and to integrate IM/IT into planning decisions.
Audit scope and approach
The audit examined the departmental governance structures and project management processes in place over IM/IT projects, and the processes and practices for the planning and development of the Department's Memoranda to Cabinet (MC) and Treasury Board (TB) submissions. The audit focused specifically on how effective these governance structures are at prioritizing, monitoring and reporting on projects throughout their lifecycle. It also assessed whether project management processes are in line with Treasury Board directives and guidance, and best practices, and are being implemented. Finally, the audit examined how well IM/IT is aligned with and integrated into the Department's MC and TB submission process to ensure that IM/IT requirements are included. The audit scope covered activities from April 1, 2017 to July 31, 2019.
The audit conducted:
- Interviews with Departmental staff from various sectors including Information Management and Technology Services (IM&TS), Coast Guard Information Management & Technology Services (ITS), Aquatic Ecosystems, Fisheries and Harbour Management (FHM), Ecosystems and Oceans Science (EOS), the Office of the Chief Financial Officer (CFO), and Strategic Policy.
- Reviews of Fisheries and Oceans Canada IM/IT guiding documents including: Information Management / Information Technology (IM/IT) Plan for 2019-2022; Project Management Framework (PMF); and Directive on the Management of IM/IT Projects.
- An examination of a judgmental sample of seven DFO IM/IT projects. The audit selected projects from a listing of 46 IM/IT projects approved during the period of the audit (April 1, 2017 to July 31, 2019). The seven projects were selected for review based on a horizontal approach to cover one IM/IT project from each of the six DFO sectors on the list and one project requested for review by the Office of the CIO. The total budgeted value of the 46 projects was $93.06M and the value of the projects sampled and reviewed was $34.99M (37.6%).
Audit findings
Integrated Planning
Departmental IM/IT planning is aligned with government-wide strategic direction.
The audit examined whether the Department is integrating IM/IT plans into corporate planning processes and whether IM/IT planning is aligned to support both Departmental business and government-wide IM/IT strategic direction. The audit found that, through its annual IM/IT Plan, DFO is integrating IM/IT plans into corporate planning processes. The IM/IT Governance and Planning group develops the IM/IT Plan in consultation with the Client Portfolio Management (CPM) team within the IM&TS Business Line Support Services group. CPM is responsible for communication and engagement with Departmental sectors and regions to determine IM/IT requirements.
The audit also found that the Departmental IM/IT Plan aligns with government-wide strategic directions, notably through inclusion of strategic IM/IT priorities outlined by Treasury Board's Office of the Chief Information Officer of Canada. For example, the audit found that the DFO IM/IT Plan aligned with the Government of Canada strategic plan for IM/IT, inclusive of the following initiatives: modernizing workplace technology; cloud computing; innovation; digital tools; and agile approaches to implement IT solutions.
The accuracy and completeness of IM/IT project costing estimates is improving.
The audit examined whether the Department integrates IM/IT requirements into the planning and development of Memoranda to Cabinet (MC) and Treasury Board (TB) submissions. The audit found that the Department was not initially integrating IM/IT requirements into MCs and TB submissions in a manner to help ensure all potential needs and costs were considered. The CPM group is responsible for relationship and demand management functions between IM&TS and DFO regions and sectors.
Through review of MCs and TB submissions related to four IM/IT initiatives, the audit found that CPM was not engaged in a timely manner by program leads in three of four initiatives, resulting in IM/IT requirements not being defined nor costed accurately or completely. The cause of this finding was attributed to the MC and TB submission processes having been decentralized prior to October 2019 and January 2020, respectively. This resulted in limited collaboration and communication between project stakeholders. However, the audit found that both processes have been centralized – the MC process within the Strategic Policy sector (October 2019) and the TB submission process within the CFO sector (January 2020). Through this process centralization under the Strategic Policy sector and the CFO sector, the MC and TB submission processes have been formalized to involve all enabling functions, the lead program group, IM&TS and the CPM group with the goal of helping ensure that IM/IT needs are identified, considered and costed in a more accurate and complete manner.
This finding is important because centralized MC and TB submission processes will reduce the risk that IM/IT initiative needs and costs are not considered, resulting in incomplete and inaccurate MC and TB submissions.
Governance
The Department's governance is not mandated to exercise a formal oversight role over Departmental IM/IT projects.
The audit examined whether there is a governance structure in place to oversee the prioritization process for IM/IT projects to help ensure that projects align with Departmental objectives. The audit found that the Department has established governance mechanisms to discuss and make strategic decisions related to IM/IT, including the following:
- Departmental Management Committee (DMC) which is responsible for providing strategic direction and decision-making on IM/IT;
- Financial and Investment Management Committee (FIMC) which is mandated to promote sound stewardship of DFO and Coast Guard financial resources and to support financial decision-making. Specifically, FIMC develops and oversees the implementation of financial strategies and investment plans to support Departmental priorities and ensure the best use of financial resources to achieve results; and
- National Informatics Advisory Committee (NIAC) and NIAC Sub-Committee for Planning (Sub-NIAC) which are mandated to promote cross-functional collaboration across all DFO and Coast Guard regions and sectors to prioritize IM/IT business initiatives and help ensure these initiatives align to Departmental direction. NIAC is chaired by the Departmental Chief Information Officer. NIAC reports to DMC, though it presents items requiring funding to the FIMC prior to discussion at DMC.
A review of FIMC meeting minutes from the past year found that IM/IT related items have been presented for discussion, including the 2019-2022 DFO IM/IT Plan and DFO IM/IT strategic initiatives. A review of NIAC meeting minutes from the past year found that strategic Departmental IM/IT priorities and initiatives and their alignment with Government of Canada IM/IT strategic direction are discussed, including:
- The forthcoming TB Policy on Service and Digital that will replace the existing TB policy framework related to IM and IT;
- Updates from the Chief Information Officer Council (CIOC) on Government-wide IM/IT priorities, opportunities, trends and lessons learned;
- DFO strategic IM/IT priorities and initiatives, including the Department's Digital Strategy, Department-wide WIFI implementation, Cloud initiatives, and SAP planning and implementation; and
- Client service demand management solutions discussions between the Client Portfolio Management (CPM) team, Project Management Office (PMO) and Departmental clients.
For a governance structure to operate effectively and provide value to an organization, it should be mandated to exercise an oversight function. The audit found that there were quarterly DFO sector IM/IT project portfolio presentations at NIAC, including updates on project timelines, budget, scope, performance, risks and challenges.
However, the review of NIAC minutes found limited evidence of a challenge function by members on the information presented. Through interviews with DFO and Coast Guard IM/IT staff and a review of committee meeting minutes, attendance at NIAC meetings, a sample of seven DFO IM/IT projects and monthly project dashboard reports, the audit found the following limitations within current governance processes:
- Sub-NIAC meeting attendance declined steadily throughout 2019;
- Only one out of seven projects reviewed was presented and approved at NIAC;
- There was limited time to cover all items on the weekly agenda; and
- Coast Guard IM/IT projects are not being monitored and reported to DFO IM&TS. Rather, Coast Guard has its own committee, project management office and internal staff.
The audit found that, from a governance best practice perspective, the effectiveness of NIAC and Sub-NIAC is limited by not having a formal oversight role over IM/IT projects. The audit also found that these committees have not consistently received timely, accurate or complete information on DFO and Coast Guard IM/IT project costs, timelines and risks through monitoring and reporting processes (see Project Management findings).
These findings are important because a governance committee must have timely, accurate and complete project information to effectively provide strategic advice and make informed decisions to help ensure the successful achievement of project objectives, as well as ensuring achievement of the Department's strategic IM/IT objectives and ultimately its mandate.
The audit found that the Department has made efforts to improve IM/IT project monitoring and reporting through the establishment in May 2019 of the Project Review Committee (PRC) and the Gate Review Committee (GRC). Both committees were created by IM&TS to support IM/IT governance under the Project Management Framework (PMF).
- PRC responsibilities include reviewing and monitoring all IM/IT projects for quality and due diligence to ensure performance of the projects and that the PMF is effectively followed and applied while remaining technically sound and responsive to the strategic objectives of DFO throughout their lifecycle. The PRC reports to the CIO.
- GRC responsibilities include reviewing all DFO IM/IT projects throughout their lifecycle and ensuring a standard control point for reviewing and approving project deliverables, assessing the project's go-forward readiness, as well as ensuring budget, scope and risk areas are understood by project managers and key stakeholders. The GRC reports to the PRC.
However, the audit also found that neither the PRC nor the GRC has approved terms of reference. The PRC has begun to meet on a monthly basis while the GRC has not yet started.
Collaboration between DFO and the Canadian Coast Guard requires improvement to better support governance and oversight over the management of IM/IT projects and to comply with Treasury Board policy.
Both Treasury Board and the Department define responsibilities for results delivery for the Deputy Minister and CIO with regard to IM/IT. As of April 1, 2020, when the new Policy on Service and Digital comes into effect, the Deputy Minister will be responsible for, among other things, establishing governance to ensure the integrated management of service, information and IT; ensuring that departmental responsibilities and accountability structures are clearly defined; and approving an annual forward-looking three-year departmental plan which aligns to the Chief Information Officer of Canada's enterprise-wide integrated plan. Under the Directive, the CIO is responsible for, among other things, participating as a service provider or as a service client in the conception, planning, evolution and oversight of enterprise-wide IT services and solutions.
Fisheries and Oceans Canada's current Directive on the Management of IM/IT Projects establishes the standards and project management requirements for all IM/IT projects within the Department, including Coast Guard. Per the Directive, the CIO is the senior executive designated as lead for IM/IT and is responsible for ensuring appropriate governance, controls and processes are in place so that an efficient and effective IM/IT project management function delivers clear business outcomes and value for the Department. As such, the CIO, who reports to the Assistant Deputy Minister of Human Resources and Corporate Services, is accountable for all DFO IM/IT and all Coast Guard administrative IM/IT projects. The CIO is not responsible for Coast Guard technical systems that support operations, including fleet systems and Marine Communications and Traffic Services (MCTS).
The audit examined whether there was an integrated governance approach between DFO and the Coast Guard for the oversight of IM/IT projects, specifically those of an administrative nature. The audit found that DFO and the Coast Guard are managing IM/IT projects through different frameworks and committee structures, which has limited effective collaboration and integration of IM/IT governance, oversight, monitoring and reporting. In addition, examples were cited where IM&TS was not always aware in a timely manner of some Coast Guard IM/IT activities and projects, such as the hiring of CS staff, TB submissions and IT expenditures, through existing planning, monitoring and reporting processes. As a result, IM/IT projects for Coast Guard, regardless of dollar value and technical complexity, may not be receiving an appropriate level of oversight through IM&TS, NIAC or Sub-NIAC in order to effectively manage and mitigate IM/IT project risks.
These audit findings were primarily attributed to existing governance structures not being mandated to provide oversight on DFO or Coast Guard IM/IT projects. These findings are important because an integrated framework is a requirement under the DFO Directive on the Management of IM/IT Projects, the current Treasury Board Policy Framework for Information and Technology, and the forthcoming TB Policy on Service and Digital and its related Directive. The lack of integration is also not consistent with Treasury Board expectations for IM/IT governance, nor industry best practices such as the Control Objectives for Information and Related Technology (COBIT) with regard to framework integration and meeting stakeholder needs through the provision of quality, reliable information.
These findings are also important because there are risks that the Deputy Minister and the CIO may not be supported in meeting their IM/IT accountabilities under the TB Policy on Service and Digital and its related Directive. Moreover, the inability to make informed decisions could place at risk the achievement of strategic departmental IM/IT objectives, and ultimately the Department's mandate.
Recommendation:
- The Assistant Deputy Minister of Human Resources and Corporate Services should modernize existing governance structures and accountability mechanisms over IM/IT to be aligned with the Treasury Board Policy on Service and Digital. This should be done in consultation and collaboration with DFO and Coast Guard IM/IT stakeholders.
Project Management
Departmental IM/IT project management practices and processes align with TB policies and industry best practices. However, they are not consistently applied.
The audit examined whether the Department's IM/IT project management processes and procedures are in line with TB requirements and industry best practices. The audit found that the Department has:
- A formal Project Management Framework (PMF) in place that defines project documentation requirements. The PMF is aligned to the Treasury Board Directive on the Management of Projects and Programmes and incorporates elements of the Project Management Book of Knowledge (PMBOK). In addition, the Directive on the Management of IM/IT Projects (2016) sets standards for the management of IM/IT projects within the Department. However, at present this Directive does not reflect recent 2019 PMF updates.
- Made efforts to improve IM/IT project monitoring and reporting through the Gate Review Committee and the Project Review Committee. However, neither has approved terms of reference. Management expects a project gating process, which is a key PMF element and IM/IT best practice, to be implemented by April 2020.
The audit found evidence of practice and process inconsistencies related to compliance with PMF requirements, which may be limiting NIAC's ability to make informed, risk-based and timely decisions through monitoring and reporting activities. Specifically, the audit found:
- Not all required project artifacts (key deliverables based on the PMF) were completed in a timely manner and some were found to be missing in the project file. Ensuring these documents are on file is the responsibility of the project manager. In the sample of seven projects reviewed, the following documents were missing:
  - Project charter - missing for 1 out of 7 projects;
  - Business case - missing for 1 out of 7 projects;
  - Concept case - missing for 6 out of 7 projects;
  - Statement of work - missing for 5 out of 7 projects;
  - Project risk assessment - missing for 1 out of 7 projects; and
  - Project management plan - missing for 1 out of 7 projects.
IM/IT project monitoring and reporting tools may not be providing relevant, accurate and timely information for decision-making.
The audit examined whether key stakeholders are provided with relevant, timely and accurate information for decision-making. Through interviews, the audit found that Monthly Executive Project health dashboards may not be providing relevant, accurate and timely information to support monitoring and reporting. Clients expressed difficulty interpreting dashboards to identify issues and risk areas. Through a review of sampled projects, the audit found the use of three different dashboard templates. For one sampled project, the status changed from “progressing well” to “failing” the next month, thereby highlighting the risk that reporting may not provide an actual representation of a project's status and risks.
These findings were primarily attributed to the DFO Directive on the Management of IM/IT Projects not being aligned to the updated PMF, which may have led to unclear expectations regarding project documentation and information requirements. This finding is important because existing IM/IT project monitoring and reporting activities and information tools may not be meeting project stakeholder needs or helping ensure accountability for outcomes. Potential impacts include the inability to undertake timely risk-based decision-making on Department-wide IM/IT projects, which could result in significant cost increases, delays in critical project timelines and impact the achievement of strategic IM/IT priorities.
Recommendation:
- The Assistant Deputy Minister of Human Resources and Corporate Services, through the Chief Information Officer, should ensure:
  - DFO IM/IT policies and the Project Management Framework are aligned with the forthcoming Treasury Board Policy on Service and Digital and its related Directive (April 1, 2020);
  - There is a process to monitor compliance with PMF requirements, inclusive of project gating and project documentation; and
  - There is a process to hold project managers accountable for ensuring that key project documents are completed and contain accurate information to support timely monitoring and reporting.
Conclusion
Overall, the audit concluded that Fisheries and Oceans Canada has implemented some elements of governance and some processes to manage IM/IT projects and to integrate IM/IT into planning decisions. However, the audit identified areas for improvement with regard to committee oversight practices and adherence to the Department's project management framework to better support IM/IT project monitoring, reporting and information decision-making.
Statement of conformance
This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing as supported by the results of the Quality Assurance and Improvement Program of Fisheries and Oceans Canada's Internal Audit Directorate.
Approvals
The Internal Audit Report “Audit of Information Management / Information Technology Governance and Integrated Planning” was approved by the Deputy Minister at the Departmental Audit Committee (DAC) meeting on May 14, 2020, pending modifications. The revised report was subsequently approved by the external DAC members via secretarial distribution on July 5, 2020.
Appendix A: Lines of enquiry and audit criteria
The audit criteria were developed based on the following sources:
- Treasury Board Policy Framework for Information and Technology (will be replaced by the Policy on Service and Digital, along with its related Directive on Service and Digital effective April 1, 2020)
- Treasury Board Policy on the Management of Projects (was replaced by the Directive on the Management of Projects and Programmes on October 11, 2019)
- Treasury Board Directive on the Management of Projects and Programmes
- Treasury Board Directive on the Management of Information Technology (will be replaced by the Policy on Service and Digital, along with its related Directive on Service and Digital effective April 1, 2020)
- Treasury Board, A Guide to Project Gating for IT-Enabled Projects
- Treasury Board, Key Considerations for Drafting a Treasury Board Submission
- Privy Council Office, A Drafter's Guide to Cabinet Documents
- Fisheries and Oceans Directive on Management of IM/IT Projects
- Control Objectives for Information and Related Technology (COBIT)
Line of Enquiry 1 – Governance | Criteria Met |
---|---|
The Department has governance structures in place and working to prioritize, monitor and report on IM/IT projects throughout their life cycle. | Partially met |
Line of Enquiry 2 – Project management | |
The Department’s IM/IT project management processes are in line with Treasury Board requirements and best practices and are being implemented. | Partially met |
Line of Enquiry 3 – Integrated planning | |
The Department integrates IM/IT into its planning processes and IM/IT planning is aligned to support both Departmental business and government-wide strategic directions by communicating with and engaging Departmental and external stakeholders, as appropriate. | Met |
Appendix B: Recommendations and Management Action Plans
Recommendation | Management action plan |
---|---|
Recommendation 1: The Assistant Deputy Minister of Human Resources and Corporate Services should modernize existing governance structures and accountability mechanisms over IM/IT to be aligned with the Treasury Board Policy on Service and Digital. This should be done in consultation and collaboration with DFO and Coast Guard IM/IT stakeholders. | Management agrees with the recommendation. To modernize existing governance structures and accountability mechanisms over IM/IT, the ADM-HRCS will, in consultation and collaboration with DFO and Coast Guard IM/IT stakeholders: Target date: July 2020 |
Recommendation 2: The Assistant Deputy Minister of Human Resources and Corporate Services, through the Chief Information Officer, should ensure: | Management agrees with the recommendation. 2a) The ADM-HRCS and the CIO will: Target date: December 2020 2b) The ADM-HRCS and the CIO will: Target date: October 2020 2c) The ADM-HRCS and the CIO will: Target date: November 2020 |