Skip to content Skip to institutional links

Common menu bar links

Management Accountability Framework

ARCHIVED - MAF Assessment: Canadian Security Intelligence Service - 2008

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

* An asterisk appears where sensitive information has been removed in accordance with the Access to Information Act and Privacy Act.

This document provides a Treasury Board Secretariat assessment of the department's performance against specific areas of management only. It does not present an assessment of management quality beyond these areas of management, nor does it reflect the level of effort a department may be making towards improving the quality of its management. The MAF assessments use standardized language to ensure consistent descriptions and characterizations. This assessment may not reflect the latest information available. Some departments and agencies have provided updated information in the form of a management response. Where management responses have been prepared, the link to the response is posted below the assessment.

Context

This year’s observations by the Treasury Board Portfolio related to the Canadian Security Intelligence Service are positive. For the fourteen areas of management against which the Service was fully assessed by Treasury Board Portfolio, it received two “strong” ratings, eleven “acceptable” ratings, and one “opportunity for improvement” ratings. Four areas have improved ratings compared to last year’s assessment, and one area rating has worsened. For the seven areas of management for which CSIS provided self-assessments, the Service provided five "strong" and two "acceptable" ratings.

CSIS, in recent years, has undergone a series of profound changes; one where significant adjustments have been made to the Service’s organizational structure and culture in order to better position the Service to respond to shifts in its operating environment. CSIS has also undergone a dramatic increase in the size of the organization and the scope of its activities. During this period of expansion and change, CSIS has invested in measures intended to strengthen its corporate management capacity. These measures have resulted in a number of improvements to the Service’s management practices and processes, which have resulted in a steady improvement in CSIS’ MAF assessments. The key challenge for CSIS in the next year will be for the Service to maintain this positive momentum by ensuring the completion of a number of projects intended to strengthen the Service’s governance and management capacity. *

CSIS should be recognized for its work to improve management in a number of areas since last year, including:

Effectiveness of the Corporate Management Structure – CSIS continued to make progress in instituting a new multi-year corporate planning process for the Service that integrates human and financial resources with equipment, infrastructure and operational requirements in a holistic corporate plan. The Service has committed to having a comprehensive corporate planning process in place in 2009-10. With the completion of this transition, CSIS should have an innovative and comprehensive system of corporate decision-making that ensures alignment of activities and accountabilities with the Service's priorities;
Quality of Analysis in TB Submissions – CSIS has developed a strong capacity to assemble accurate and reliable submissions with comprehensive supporting information. The quality of submissions is consistently strong; with CSIS having refined its quality control processes, thereby ensuring that submissions are consistently prepared to a high standard;
Effectiveness of Corporate Risk Management - *
Effectiveness of Information Technology Management - Information technology is established and sustainable in the areas of leadership, planning and delivery of value from information technology investments. As a consequence, CSIS’ information technology programs make a strong contribution to the corporate business strategy and the government-wide agenda; and,
Effectiveness of Internal Audit Function - The Service has made progress in implementing key elements of the 2006 Policy on Internal Audit in the areas of Internal Audit (IA) Governance, Professional Practices, and Management of the IA Function. The Service has an Internal Quality Assurance and Improvement Program that is documented and implemented. A comprehensive human resource plan exists and includes elaborated strategies for recruitment and external resourcing that address long-term human resource requirements. CSIS is encouraged to further refine its Risk-Based Audit Plan (RBAP) to include risk ranking of the audit universe, and identification of resources for audits.

Further, the Service should be congratulated for the improvements it has made related to management priorities identified in last year’s MAF assessment, including:

Utility of the Corporate Performance Framework –CSIS has undertaken significant work to strengthen the Service’s Program Activity Architecture (PAA), and to developing a supporting Performance Measurement Framework (PMF). The Service’s new PAA and PMF should assist CSIS in better validating the contribution of its programs to the fulfillment of its mandate, the coherence of all programs, and the effectiveness of organizational spending. CSIS is, however, encouraged to continue to develop its PMF.

There are areas, however, where the Service should aim to make further progress in the coming year:

Quality and Use of Evaluation – CSIS is encouraged to clarify its governance system for evaluation. CSIS should also consider exploring the adequacy of evaluation and oversight processes in ensuring the generation of timely, neutral assessments on the relevance of the Service’s programs and activities; and
Effective Management of Security and Business Continuity – While CSIS’ security program is fully developed and sustainable, and comprises all key policy elements, additional efforts are required with CSIS’ business continuity program. While some progress has been made since MAF V in the areas of Business Impact Analysis and Plans and Arrangements, slippages were noted in the area of Governance * some deficiencies remain in the area of Governance.

The Treasury Board Portfolio has identified the following management improvement priority for the coming year:

Quality and Use of Evaluation - CSIS is encouraged to review its mechanism for supplying credible evaluation evidence to inform decision-making and program improvement, and to re-establish a dedicated evaluation function within the Service. CSIS should also clarify its governance system for evaluation.

1. Values-based Leadership and Organizational Culture

Strong

Highlights	Opportunities
1.1 Leadership: Strong This section is based on the assessment submitted by this separate employer to TBP. Executive leaders engage employees and stakeholders on an ongoing basis in ethical discussions and openly address organizational ethical issues through public statements and internal messaging. 1.2 Infrastructure: Strong This section is based on the assessment submitted by this separate employer to TBP. Managers are trained in and apply risk management concepts, techniques and tools. Organization monitors risks in regard to possible breaches of public service values and ethics, and risk management is integrated into decision making. Values and ethics plans or strategies are tailored to an organization's work, span several years, and measure results and are used to inform senior management on the state of the organization's values and ethics. 1.3 Culture: Acceptable This section is based on the assessment submitted by this separate employer to TBP. Managers and staff are encouraged to engage in values and ethics dialogue. Organization has a good understanding of the current state of public service values and ethics as evidenced by qualitative or quantitative information. Public service values and ethics are generally understood. Values and ethics principles are reflected in communications.
Recommendations

Highlights

Opportunities

1.1 Leadership: Strong

This section is based on the assessment submitted by this separate employer to TBP.
Executive leaders engage employees and stakeholders on an ongoing basis in ethical discussions and openly address organizational ethical issues through public statements and internal messaging.

1.2 Infrastructure: Strong

This section is based on the assessment submitted by this separate employer to TBP.
Managers are trained in and apply risk management concepts, techniques and tools.
Organization monitors risks in regard to possible breaches of public service values and ethics, and risk management is integrated into decision making.
Values and ethics plans or strategies are tailored to an organization's work, span several years, and measure results and are used to inform senior management on the state of the organization's values and ethics.

1.3 Culture: Acceptable

This section is based on the assessment submitted by this separate employer to TBP.
Managers and staff are encouraged to engage in values and ethics dialogue.
Organization has a good understanding of the current state of public service values and ethics as evidenced by qualitative or quantitative information.
Public service values and ethics are generally understood.
Values and ethics principles are reflected in communications.

Recommendations

2. Utility of the Corporate Performance Framework

Acceptable

Highlights	Opportunities
2.1 PAA Consistency: Acceptable The Strategic Outcome(s) reflects the departmental area of influence and is/are adequately aligned with the organization’s mandate. 2.2 Measurability: Acceptable All elements of the Program Activity Architecture are in alignment with the Strategic Outcome(s). 2.3 Quality: Expected results are not clear and distinct, and are not appropriate to their respective program descriptions. The performance indicators are not clear and cannot be used for data collection to provide reliable insight into program effectiveness.	The organization should continue to refine its Performance Measurement Framework (PMF) to bring it in line with the standards set out in the MRRS Instructions. The organization should also ensure that actual data for the indicators in its PMF are being collected and analyzed to gain insights into program performance and to validate the indicators.
Recommendations

Highlights

Opportunities

2.1 PAA Consistency: Acceptable

The Strategic Outcome(s) reflects the departmental area of influence and is/are adequately aligned with the organization’s mandate.

2.2 Measurability: Acceptable

All elements of the Program Activity Architecture are in alignment with the Strategic Outcome(s).

2.3 Quality:

Expected results are not clear and distinct, and are not appropriate to their respective program descriptions.
The performance indicators are not clear and cannot be used for data collection to provide reliable insight into program effectiveness.

The organization should continue to refine its Performance Measurement Framework (PMF) to bring it in line with the standards set out in the MRRS Instructions. The organization should also ensure that actual data for the indicators in its PMF are being collected and analyzed to gain insights into program performance and to validate the indicators.

Recommendations

3. Effectiveness of the Corporate Management Structure

Acceptable

Highlights	Opportunities
3.1 Business Plan: Acceptable Organization's corporate business plan is well aligned to corporate priorities. Sector or branch business plans are generally aligned with the corporate business plan. 3.2 Governance Structure: Acceptable Adequate management oversight of the organization's program activities and underlying programs is evident. Management decisions and interventions are generally proactive and timely. Organization's corporate governance structure is fully aligned to the organization's PAA. Recordkeeping is complete and timely. It clearly outlines accountabilities for follow-up action. Resource reallocation is generally proactive when or where required. Senior corporate management structure (e.g., committees) interacts with and provides oversight to the supporting governance structure. Senior corporate management structure or subordinate governance structure (e.g., committees) meet regularly. 3.1 - CSIS’ Corporate business plan needs to better integrate human resources, IM/IT, communications and other key corporate plans.	To ensure closer alignment of resources, activities and accountabilities to corporate priorities as well as better integrate input from different areas of the Service, CSIS should continue to enhance its Service-wide business planning capacity.
Recommendations

Highlights

Opportunities

3.1 Business Plan: Acceptable

Organization's corporate business plan is well aligned to corporate priorities.
Sector or branch business plans are generally aligned with the corporate business plan.

3.2 Governance Structure: Acceptable

Adequate management oversight of the organization's program activities and underlying programs is evident.
Management decisions and interventions are generally proactive and timely.
Organization's corporate governance structure is fully aligned to the organization's PAA.
Recordkeeping is complete and timely. It clearly outlines accountabilities for follow-up action.
Resource reallocation is generally proactive when or where required.
Senior corporate management structure (e.g., committees) interacts with and provides oversight to the supporting governance structure.
Senior corporate management structure or subordinate governance structure (e.g., committees) meet regularly.

3.1 - CSIS’ Corporate business plan needs to better integrate human resources, IM/IT, communications and other key corporate plans.

To ensure closer alignment of resources, activities and accountabilities to corporate priorities as well as better integrate input from different areas of the Service, CSIS should continue to enhance its Service-wide business planning capacity.

Recommendations

4. Effectiveness of Extra-organizational Contribution

Acceptable

Highlights	Opportunities
4.2 Participation in Priority Initiatives: Acceptable The organization contributes effectively to priority interdepartmental initiatives. The organization provides regular performance and risk information to the lead. The organization's commitments are clear and are consistent with its role. Senior management has made some efforts to engage employees with regards to Public Service Renewal. CSIS has been assessed for its participation in the following initiatives: Web of Rules (Opportunity for Improvement); Public Service Renewal (Opportunity for Improvement), and Afghanistan (Strong).	Develop clear and measurable goals to reduce the Web of Rules. Engage employees with regards to Public Service Renewal, and seek employee feedback to focus Renewal efforts.
Recommendations
Develop measurable targets for Web of Rules commitments, and clarify efforts made to collect and use employee feedback with regard to Public Service Renewal.

Highlights

Opportunities

4.2 Participation in Priority Initiatives: Acceptable

The organization contributes effectively to priority interdepartmental initiatives.
The organization provides regular performance and risk information to the lead.
The organization's commitments are clear and are consistent with its role.
Senior management has made some efforts to engage employees with regards to Public Service Renewal.

CSIS has been assessed for its participation in the following initiatives: Web of Rules (Opportunity for Improvement); Public Service Renewal (Opportunity for Improvement), and Afghanistan (Strong).

Develop clear and measurable goals to reduce the Web of Rules.
Engage employees with regards to Public Service Renewal, and seek employee feedback to focus Renewal efforts.

Recommendations

Develop measurable targets for Web of Rules commitments, and clarify efforts made to collect and use employee feedback with regard to Public Service Renewal.

5. Quality of Analysis in TB Submissions

Strong

Highlights	Opportunities
5.1 Supporting Information: Strong Detail is robust. Explanation for the level of resources requested is fulsome. Response to TBS comments is excellent. Supporting information in TB submissions is always very accurate, reliable and complete. The organization is highly responsive to TBS feedback. 5.2 Analysis: Acceptable Appropriate and complete links to MRRS, strategic objectives, etc., are used. Appropriate consideration is given to a range of issues, such as gender-based analysis and sustainable development implications. Established capacity for analysis on implementation is evident. Established capacity for options analysis is demonstrated. Established capacity in the understanding of external pressures exists. Established capacity to analyze value for money, effectiveness and efficiency is evident. 5.3 Consultations: Strong Consultations are always on time (6 weeks or earlier before TB meetings). Consultations with central agencies are planned and conducted in a timely manner with sufficient lead time. Organization is always, or virtually always, able to avoid lateness by predicting and planning for uncontrollable factors. 5.4 Quality control: Strong A highly rigorous and effective quality control process is followed for all TB submissions. All important information is usually included in the first draft. Clarity and consistency of language are good. Description of resource requirements is clear. Submissions always have SFO or Head of Evaluation sign offs when appropriate. TBS feedback is always fully addressed. Very good writing and translation standard has been demonstrated.	As performance measurement, risk, and corporate planning systems mature, greater detail on results to be achieved with new resources as well as assessments of past program performance should be included in submissions.
Recommendations

Highlights

Opportunities

5.1 Supporting Information: Strong

Detail is robust.
Explanation for the level of resources requested is fulsome.
Response to TBS comments is excellent.
Supporting information in TB submissions is always very accurate, reliable and complete.
The organization is highly responsive to TBS feedback.

5.2 Analysis: Acceptable

Appropriate and complete links to MRRS, strategic objectives, etc., are used.
Appropriate consideration is given to a range of issues, such as gender-based analysis and sustainable development implications.
Established capacity for analysis on implementation is evident.
Established capacity for options analysis is demonstrated.
Established capacity in the understanding of external pressures exists.
Established capacity to analyze value for money, effectiveness and efficiency is evident.

5.3 Consultations: Strong

Consultations are always on time (6 weeks or earlier before TB meetings).
Consultations with central agencies are planned and conducted in a timely manner with sufficient lead time.
Organization is always, or virtually always, able to avoid lateness by predicting and planning for uncontrollable factors.

5.4 Quality control: Strong

A highly rigorous and effective quality control process is followed for all TB submissions.
All important information is usually included in the first draft.
Clarity and consistency of language are good.
Description of resource requirements is clear.
Submissions always have SFO or Head of Evaluation sign offs when appropriate.
TBS feedback is always fully addressed.
Very good writing and translation standard has been demonstrated.

As performance measurement, risk, and corporate planning systems mature, greater detail on results to be achieved with new resources as well as assessments of past program performance should be included in submissions.

Recommendations

6. Quality and Use of Evaluation

Opportunity for Improvement

Highlights	Opportunities
	CSIS should consider re-establishing a governance system for evaluation.
Recommendations
CSIS should consider exploring (within the limitations of secrecy required by CSIS’ mandate) the adequacy of evaluation and oversight processes in ensuring the generation of timely, neutral assessment of on the relevance.

7. Quality Reporting to Parliament

Acceptable

Highlights	Opportunities

Recommendations

8. Managing Organizational Change

Strong

Highlights	Opportunities
8.1 Change plan: Strong Established and robust capacity is in place to evaluate whether or not change is required. The organization has the capacity to evaluate whether or not change is required. 8.2 Engagement: Strong A learning culture exists within the organization. Comprehensive change management related training programs are available throughout the organization. Employees and stakeholders are actively engaged at all phases and are committed to advancing strategies and initiatives. 8.3 Assessment: Strong Assessment plans exist and are comprehensive in scope and detail. Change plans and strategies are included in Performance Management Agreements of Senior Executives. Course adjustments and improvements to strategies are made regularly.
Recommendations

Highlights

Opportunities

8.1 Change plan: Strong

Established and robust capacity is in place to evaluate whether or not change is required.
The organization has the capacity to evaluate whether or not change is required.

8.2 Engagement: Strong

A learning culture exists within the organization.
Comprehensive change management related training programs are available throughout the organization.
Employees and stakeholders are actively engaged at all phases and are committed to advancing strategies and initiatives.

8.3 Assessment: Strong

Assessment plans exist and are comprehensive in scope and detail.
Change plans and strategies are included in Performance Management Agreements of Senior Executives.
Course adjustments and improvements to strategies are made regularly.

Recommendations

9. Effectiveness of Corporate Risk Management

Highlights	Opportunities
*
Recommendations

10. Extent to which the Workplace is Fair, Enabling, Healthy and Safe

Strong

Highlights	Opportunities
10.1 Fair: Strong This section is based on the assessment submitted by this separate employer to TBP. Evidence shows that labour relation matters are proactively and innovatively managed/addressed. 10.2 Enabling: Strong The Official Languages portion of this evaluation has been made by CPSA. This section is based on the assessment submitted by this separate employer to TBP. Organization demonstrates the necessary linguistic capacity to provide personal and central services and supervision in both official languages. Organization is representative of all four employment equity designated groups. Work instruments, electronic systems and communications with employees are always or nearly always available in both official languages. 10.3 Healthy and safe: Strong This section is based on the assessment submitted by this separate employer to TBP Evidence shows that the organization has in place a well-managed program to protect employees' occupational health and safety which follows or establishes best practices in occupational health and safety. The majority of employees feel recognized for positive performance.
Recommendations

Highlights

Opportunities

10.1 Fair: Strong

This section is based on the assessment submitted by this separate employer to TBP.
Evidence shows that labour relation matters are proactively and innovatively managed/addressed.

10.2 Enabling: Strong

The Official Languages portion of this evaluation has been made by CPSA.
This section is based on the assessment submitted by this separate employer to TBP.
Organization demonstrates the necessary linguistic capacity to provide personal and central services and supervision in both official languages.
Organization is representative of all four employment equity designated groups.
Work instruments, electronic systems and communications with employees are always or nearly always available in both official languages.

10.3 Healthy and safe: Strong

This section is based on the assessment submitted by this separate employer to TBP
Evidence shows that the organization has in place a well-managed program to protect employees' occupational health and safety which follows or establishes best practices in occupational health and safety.
The majority of employees feel recognized for positive performance.

Recommendations

11. Extent to which the Workforce is Productive, Principled, Sustainable and Adaptable

Strong

Highlights	Opportunities
11.1 Productive: Strong This section is based on the assessment submitted by this separate employer to TBP. A significant number of employees indicate their organization supports their career development and learning needs. 11.2 Principled: Strong The Official Languages portion of this evaluation has been made by CPSA. Communications with and services to the public in both official languages are always or nearly always available. Employees consider that they always or nearly always can communicate in the official language of their choice within their organization and work instruments, electronic systems and communications in both official languages are always or nearly always available. Necessary linguistic capacity is in place as is shown by the vast majority of incumbents of bilingual positions who meet the language requirements of their position. Organization is representative of all four employment equity designated groups. 11.3 Sustainable: Acceptable This section is based on the assessment submitted by this separate employer to TBP. Evidence indicates human resources planning integrated with business planning is generally in place and governance/organizational infrastructure generally exists to support it. 11.4 Adaptable: Acceptable This section is based on the assessment submitted by this separate employer to TBP. A sufficient number of employees indicate their organization encourages continuous learning, improvement and innovation.
Recommendations

Highlights

Opportunities

11.1 Productive: Strong

This section is based on the assessment submitted by this separate employer to TBP.
A significant number of employees indicate their organization supports their career development and learning needs.

11.2 Principled: Strong

The Official Languages portion of this evaluation has been made by CPSA.
Communications with and services to the public in both official languages are always or nearly always available.
Employees consider that they always or nearly always can communicate in the official language of their choice within their organization and work instruments, electronic systems and communications in both official languages are always or nearly always available.
Necessary linguistic capacity is in place as is shown by the vast majority of incumbents of bilingual positions who meet the language requirements of their position.
Organization is representative of all four employment equity designated groups.

11.3 Sustainable: Acceptable

This section is based on the assessment submitted by this separate employer to TBP.
Evidence indicates human resources planning integrated with business planning is generally in place and governance/organizational infrastructure generally exists to support it.

11.4 Adaptable: Acceptable

This section is based on the assessment submitted by this separate employer to TBP.
A sufficient number of employees indicate their organization encourages continuous learning, improvement and innovation.

Recommendations

12. Effectiveness of Information Management

Acceptable

Highlights	Opportunities
12.1 Governance: Strong IM requirements are fully integrated as a part of the approval, development, implementation, evaluation, and reporting of departmental policies, programs, services, and projects and mechanism are in place to continuously evaluate and modify the requirements. IM is fully represented in the corporate-wide governance structure and in the corporate-wide governance or approval committee(s). Responsibilities are identified for IM policy development and implementation is wholly consistent with the GC IM Strategy and policy instruments. 12.2 Strategy: Acceptable An approved and resourced IM strategy identifies support to business priorities and operations, information needs and accountabilities, IM policy considerations and is integrated with corporate strategies, plans, and planning cycles. An IM strategy implementation plan, including some timelines and resources, is underway and some achievements to date are identified. IM awareness activities are underway in the department to help staff and executives understand their IM roles, responsibilities and accountabilities. 12.3 Privacy Act: Acceptable Organization submitted an Annual Report to Parliament but did not address all of the mandatory reporting requirements. Most of the organization’s collections of personal information are described in registered Personal Information Banks and/or Classes of Personal Information in accordance with the requirements of the Privacy Act. 12.4 Access to Information Act: Opportunity for Improvement Organization submitted an Annual Report to Parliament but did not address all of the mandatory reporting requirements. A significant number of institution-specific Classes of Records do not meet Treasury Board Secretariat requirements. Although the organization has made several improvements to its 2008 Chapter of Info Source: Sources of Federal Government Information, revisions are still necessary to meet all Treasury Board Secretariat requirements. Although the overall rating for CSIS is Acceptable, the Service has not met several of the assessed statutory requirements of the Access to Information Act.	Improve reporting and monitoring on the IM strategy initiatives to ensure they are aligned with the business strategy. Review institution-specific Classes of Records to ensure that all descriptions in Info Source are comprehensive, complete, up-to-date, and comply with Treasury Board Secretariat requirements. Ensure that all information relevant to the institution's functions, programs, activities and related information holdings is described in the Info Source publications. Address all mandatory reporting requirements in Annual Reports to Parliament.
Recommendations
.

Highlights

Opportunities

12.1 Governance: Strong

IM requirements are fully integrated as a part of the approval, development, implementation, evaluation, and reporting of departmental policies, programs, services, and projects and mechanism are in place to continuously evaluate and modify the requirements.
IM is fully represented in the corporate-wide governance structure and in the corporate-wide governance or approval committee(s).
Responsibilities are identified for IM policy development and implementation is wholly consistent with the GC IM Strategy and policy instruments.

12.2 Strategy: Acceptable

An approved and resourced IM strategy identifies support to business priorities and operations, information needs and accountabilities, IM policy considerations and is integrated with corporate strategies, plans, and planning cycles.
An IM strategy implementation plan, including some timelines and resources, is underway and some achievements to date are identified.
IM awareness activities are underway in the department to help staff and executives understand their IM roles, responsibilities and accountabilities.

12.3 Privacy Act: Acceptable

Organization submitted an Annual Report to Parliament but did not address all of the mandatory reporting requirements.
Most of the organization’s collections of personal information are described in registered Personal Information Banks and/or Classes of Personal Information in accordance with the requirements of the Privacy Act.

12.4 Access to Information Act: Opportunity for Improvement

Organization submitted an Annual Report to Parliament but did not address all of the mandatory reporting requirements.
A significant number of institution-specific Classes of Records do not meet Treasury Board Secretariat requirements.
Although the organization has made several improvements to its 2008 Chapter of Info Source: Sources of Federal Government Information, revisions are still necessary to meet all Treasury Board Secretariat requirements.

Although the overall rating for CSIS is Acceptable, the Service has not met several of the assessed statutory requirements of the Access to Information Act.

Improve reporting and monitoring on the IM strategy initiatives to ensure they are aligned with the business strategy.
Review institution-specific Classes of Records to ensure that all descriptions in Info Source are comprehensive, complete, up-to-date, and comply with Treasury Board Secretariat requirements.
Ensure that all information relevant to the institution's functions, programs, activities and related information holdings is described in the Info Source publications.
Address all mandatory reporting requirements in Annual Reports to Parliament.

Recommendations

13. Effectiveness of Information Technology Management

Strong

Highlights	Opportunities
13.1 Leadership: Acceptable The senior official has responsibility and accountability for the full scope of information technology responsibilities and ensures that information technology supports organizational outcomes. Adequate participation in setting government-wide directions for information technology is evident. 13.2 Planning: Strong A comprehensive information technology plan is in place and it aligns with the government-wide directions for information technology and with departmental business needs. Information technology management position is held by a highly engaged senior official designated within the corporate governance structure and related planning processes. 13.3 Value: Strong Organization analyzes and plans for the appropriate use of information technology shared services to an optimal extent. Organization demonstrates management commitment to service costing, asset management, performance measurement and reporting to ensure value delivery.	Contribute to setting GC-wide directions for information technology through participation of the senior official for IT and the management team in designated governance, advisory and working group forums. Commended for its progress and encouraged to share its integrated set of processes and practices for governance, planning and benefits realization in order to monitor and oversee the delivery of business value from IT investments. Commended for its progress and encouraged to share its qualitative and quantitative set of Key Performance Indicators and techniques to assess performance that provide metrics to guide better decision making, increase performance levels and enable continuous improvement.
Recommendations

Highlights

Opportunities

13.1 Leadership: Acceptable

The senior official has responsibility and accountability for the full scope of information technology responsibilities and ensures that information technology supports organizational outcomes.
Adequate participation in setting government-wide directions for information technology is evident.

13.2 Planning: Strong

A comprehensive information technology plan is in place and it aligns with the government-wide directions for information technology and with departmental business needs.
Information technology management position is held by a highly engaged senior official designated within the corporate governance structure and related planning processes.

13.3 Value: Strong

Organization analyzes and plans for the appropriate use of information technology shared services to an optimal extent.
Organization demonstrates management commitment to service costing, asset management, performance measurement and reporting to ensure value delivery.

Contribute to setting GC-wide directions for information technology through participation of the senior official for IT and the management team in designated governance, advisory and working group forums.
Commended for its progress and encouraged to share its integrated set of processes and practices for governance, planning and benefits realization in order to monitor and oversee the delivery of business value from IT investments.
Commended for its progress and encouraged to share its qualitative and quantitative set of Key Performance Indicators and techniques to assess performance that provide metrics to guide better decision making, increase performance levels and enable continuous improvement.

Recommendations

14. Effectiveness of Asset Management

Acceptable

Highlights	Opportunities
14.1 Investment Planning: Acceptable The organization’s investment planning documents do not cover all asset classes. The organization’s investment planning process considers investments over multiple years. The organization has a planning document that ranks priority investments. Organizational priorities and areas of highest risk are identified and guide investment decisions. 14.2 Real Property Management: Acceptable All elements of a real property management framework are implemented. Governance structures, approval processes and authority limits are documented and disseminated. Comprehensive internal policies are documented and disseminated. Reliable and integrated information systems are in place. Indicators of real property performance are monitored and performance measurement is ongoing. Certification of information in the DFRP is received and accepted. 14.3 Materiel Management: Acceptable All elements of a materiel management framework are evident. Governance structures, approval processes and authority limits are documented and disseminated. Comprehensive internal policies are documented and disseminated. Reliable and sufficiently integrated information systems are in place. Some indicators of materiel performance are monitored.	Develop an integrated investment planning process and document all investments in an integrated long-term investment plan.
Recommendations

Highlights

Opportunities

14.1 Investment Planning: Acceptable

The organization’s investment planning documents do not cover all asset classes.
The organization’s investment planning process considers investments over multiple years.
The organization has a planning document that ranks priority investments.
Organizational priorities and areas of highest risk are identified and guide investment decisions.

14.2 Real Property Management: Acceptable

All elements of a real property management framework are implemented.
Governance structures, approval processes and authority limits are documented and disseminated.
Comprehensive internal policies are documented and disseminated.
Reliable and integrated information systems are in place.
Indicators of real property performance are monitored and performance measurement is ongoing.
Certification of information in the DFRP is received and accepted.

14.3 Materiel Management: Acceptable

All elements of a materiel management framework are evident.
Governance structures, approval processes and authority limits are documented and disseminated.
Comprehensive internal policies are documented and disseminated.
Reliable and sufficiently integrated information systems are in place.
Some indicators of materiel performance are monitored.

Develop an integrated investment planning process and document all investments in an integrated long-term investment plan.

Recommendations

15. Effective Project Management

Acceptable

Highlights	Opportunities
15.1 Governance and Oversight: Acceptable Business cases, which define expected outcomes, are required to support proposals for major projects. There is evidence of formal project governance and oversight mechanisms and that approved projects are generally linked with the strategic plans and priorities of the organization through established organization-wide procedures. Approval and corrective action decisions are documented. There is no evidence that the organization has exceeded Treasury Board approval limits. 15.2 Effective Management of Project Resources: Acceptable Adequate processes/procedures exist to ensure that planned projects have the required resources to achieve expected outcomes. The funding models used for projects support the achievement of expected project outcomes and cost estimates are generated at the work package level and consider historical data and/or industry benchmarks. There is no evidence that the organization has failed to meet TB conditions regarding projects. While there is evidence that some managers prepare a staffing plan, it is not required prior to project execution. 15.3 Effective Management of Project Results: Acceptable The organization requires that project milestones, deliverables and outcomes are documented for major projects. There is evidence of organization-wide procedures and processes which communicate project monitoring and performance information to project managers and project oversight mechanisms. There is evidence that the organization monitors project performance and uses this information to support corrective action.	Integrating CSIS' facilities management decision making with its investment review committee would be an important step in ensuring project alignment across the Service.
Recommendations

Highlights

Opportunities

15.1 Governance and Oversight: Acceptable

Business cases, which define expected outcomes, are required to support proposals for major projects.
There is evidence of formal project governance and oversight mechanisms and that approved projects are generally linked with the strategic plans and priorities of the organization through established organization-wide procedures. Approval and corrective action decisions are documented.
There is no evidence that the organization has exceeded Treasury Board approval limits.

15.2 Effective Management of Project Resources: Acceptable

Adequate processes/procedures exist to ensure that planned projects have the required resources to achieve expected outcomes.
The funding models used for projects support the achievement of expected project outcomes and cost estimates are generated at the work package level and consider historical data and/or industry benchmarks.
There is no evidence that the organization has failed to meet TB conditions regarding projects.
While there is evidence that some managers prepare a staffing plan, it is not required prior to project execution.

15.3 Effective Management of Project Results: Acceptable

The organization requires that project milestones, deliverables and outcomes are documented for major projects.
There is evidence of organization-wide procedures and processes which communicate project monitoring and performance information to project managers and project oversight mechanisms.
There is evidence that the organization monitors project performance and uses this information to support corrective action.

Integrating CSIS' facilities management decision making with its investment review committee would be an important step in ensuring project alignment across the Service.

Recommendations

16. Effective Procurement

Acceptable

Highlights	Opportunities
16.1 Governance and Oversight: Acceptable Clear links have been established between procurement activities and the organization-wide program plans, priorities and long-term investments. Effective and accountable procurement management processes and controls are in place (e.g., contract review mechanisms, documented decision making, guidance documents, appropriate delegation instruments or proper use of delegated authorities). 16.2 Meeting Operational Requirements: Acceptable Efficient and integrated procurement information systems and processes are in place. Mandatory training underway. Procurement processes that contribute to cost savings and value for money are in use. Qualified procurement human resources exist. Results and reviews are used to continuously adjust current procurement management activities and future procurement plans. Some staff enrolled in the Professional Development and Certification program. Timely and accurate procurement financial and non-financial reports have been submitted.	The Service could consider increasing the amount delegated to operation managers to $10,000.
Recommendations
The Service should consider undertaking another internal audit of its contracting activities within the next 12 months.

Highlights

Opportunities

16.1 Governance and Oversight: Acceptable

Clear links have been established between procurement activities and the organization-wide program plans, priorities and long-term investments.
Effective and accountable procurement management processes and controls are in place (e.g., contract review mechanisms, documented decision making, guidance documents, appropriate delegation instruments or proper use of delegated authorities).

16.2 Meeting Operational Requirements: Acceptable

Efficient and integrated procurement information systems and processes are in place.
Mandatory training underway.
Procurement processes that contribute to cost savings and value for money are in use.
Qualified procurement human resources exist.
Results and reviews are used to continuously adjust current procurement management activities and future procurement plans.
Some staff enrolled in the Professional Development and Certification program.
Timely and accurate procurement financial and non-financial reports have been submitted.

The Service could consider increasing the amount delegated to operation managers to $10,000.

Recommendations

The Service should consider undertaking another internal audit of its contracting activities within the next 12 months.

17. Effectiveness of Financial Management and Control

Acceptable

Highlights

Opportunities

17.1 Authorities and Policies: Acceptable

Audit report results show evidence of deficiencies that are of some concern.
Departmental procedures, tools, training and support for those individuals delegated with Section 34 authority show evidence of solid financial management practices.
Departmental processes for classification of moneys, internal controls for receiving and recording money and depositing money show evidence of solid financial management practices.
Departmental processes for informing those delegated with Section 33 authority of their responsibilities and dealing with requests for payments that are problematic show evidence of solid financial management practices.
Departmental processes to provide individuals delegated Section 33 authority with the information necessary to assess and approve specific transactions and to assess the adequacy of Section 34 account verification show evidence of solid financial management practices.

17.2 Public Accounts Reporting: Strong

Greater than 97% (Grade A) of Public Accounts plates completed on time.
Minimal Central Financial Management Reporting System (CFMRS) coding errors.

17.5 Internal Reporting: Acceptable

The internal financial reporting package is accompanied by a good discussion and analysis.
The internal financial reporting package is presented to senior management eight to nine times per year.
The internal financial reporting package is presented to senior management less than one month after period end.
The process for reviewing information before it is presented to senior management to ensure no material errors or omissions is well established.
The scope of the internal financial reporting package is comprehensive.

17.6 Other Initiatives: Acceptable

Evidence of some initial measures taken towards implementing the Guide to Costing.

The Service's rating has decreased from a Strong to Acceptable. Given the sensitive nature of the Service's operations, the two areas that need to be highlighted are the stability of the financial management organization and internal controls over financial reporting.

By submitting new initiatives in financial management, obtaining more positive audit results and focusing attention on its financial reporting internal control frameworks, the Service will greatly improve its overall rating.

Recommendations

The Service needs to improve the stability of its financial management organization and improve its internal controls over financial reporting by conducting risk assessments and monitoring of its controls.

18. Effectiveness of Internal Audit Function

Acceptable

Highlights

Opportunities

18.1 Internal Audit governance: Acceptable

There is an approved Internal Audit Charter in line with the 2006 Policy on Internal Audit.
The Implementation Plan covers all of the required policy elements.
Ongoing monitoring of, and progress in implementing, key elements of the plan are on track with planned timelines.
Chief Audit Executive reports solely and exclusively to the Deputy Head.
An independent Departmental Audit Committee has either recently been established or is scheduled to be in place and is on track with planned timelines.
There is an approved Departmental Audit Committee Charter in line with the 2006 Policy on Internal Audit.
There is an approved Departmental Audit Committee Annual Plan for fiscal year 2008-2009.
There is a written statement indicating that a Departmental Audit Committee Annual Report will be produced for fiscal year 2008-2009 and future years.

18.2 Internal Audit Professional Practices: Acceptable

The Risk-Based Audit Plan was approved by the Deputy Head and sent to the Office of the Comptroller General in a timely manner.
Annual Risk-Based Audit Plan methodology is evident and applied.
There is evidence of preparation to provide for holistic assurance.
Majority of planned work is on audit assurance versus other types of activities.
There is limited identification of post-engagement follow-up activities.
Approved assurance products are consistent with policy and internal audit standards requirements.
High completion rate of assurance products (number of assurance audit reports) against 2007-2008 Risk-Based Audit Plan.
Internal Quality Assurance and Improvement Program is well documented and in place.
Assurance products (reports) are produced in a very timely manner.
Post-engagement follow-up process is well documented, and recommendations are followed up using a risk-based approach.
The department or agency provides notification to the Treasury Board Secretariat on issues of importance on an ad hoc basis or is aware of this requirement.

18.3 Administration of the Internal Audit Function: Strong

Recruitment and external resourcing activities are guided by a documented Human Resources Plan.
Investment in Certified Internal Auditor certification, learning and training exceeds 10% of FTE salaries.
Planned FTEs dedicated to internal audit have been maintained comparatively to 2007-2008. They meet the resource level identified in the planned internal audit function’s budget for 2008-2009.
Planned spending, *, was given to the Office of the Comptroller General. When comparing current spending of 2008-2009 with planned financial resources of 2007-2008, resource levels identified exceeds the resource level identified in 2007.

18.4 Internal Audit Performance: Acceptable

A Chief Audit Executive Annual Report for 2007-2008 was presented to the Departmental Audit Committee and the Deputy Head and submitted to the Office of the Comptroller General.
Extensive periodic reporting on the follow-up of Management Action Plans is evident.

The Service has made progress in the areas of Internal Audit Governance, Professional Practices, and Management of the IA Function.

As noted previously in MAF Round V, the Risk-Based Audit Plan could be improved by including the planned use of all audit function resources, including costing of individual projects, and more detailed information on follow-up and carry-over engagements.

Additionally, the Service could further expand the CAE Annual Report to address significant risk exposures, control issues and corporate governance issues.

Recommendations

19. Effective Management of Security and Business Continuity

Acceptable

Highlights

Opportunities

19.1 Departmental Security Program: Strong

Organization's security program is fully developed and sustainable, and comprises all key policy elements.
Organization demonstrates leadership and contributes to the government-wide security program.
Organization's security strategy is completely aligned and integrated with its corporate priorities and business plan.

19.2 Management of IT Security (MITS): Acceptable

Organization has achieved the three priority objectives that form the foundation for Management of Information Technology Security (MITS) and complies with most MITS requirements.
No significant deficiencies in meeting key MITS requirements.

19.3 Business Continuity Planning (BCP): Opportunity for Improvement

*
Some deficiencies in meeting key BCP program requirements.
Business Continuity Planning (BCP) program governance has not been fully established.
Business Impact Analysis (BIA) has been completed to identify and prioritize the organization's critical services and assets.
*
Maintenance cycle has been put in place to review, test and audit business continuity plans.

Pursue ongoing initiatives to continue improving the departmental security program, including review of policy instruments and the establishment of a performance measurement system.
Maintain efforts to achieve and sustain MITS compliance, including addressing deficiencies related to incident management and vulnerability management.
Continue activities currently underway related to business continuity planning, including the establishment of BCP governance, *.
Continue to participate in government-wide security initiatives and to share best practices with other federal institutions to assist them in establishing and improving their security program.

Recommendations

20. Citizen-focused Service

Acceptable

Highlights

Opportunities

20.1 Management Engagement – Service and CLF: Acceptable

There are clear expectations set by senior management for an institutional focus on meeting the needs of clients, specifically with respect to service standards and client satisfaction measurement.
There is a committee at the institutional level, composed of senior management accountable for service, which has a documented and communicated responsibility for making decisions about the overall management of service.
There is monitoring by senior management to ensure that the requirements of CLF 2.0 are being met institution-wide; this information is generally used to make timely and proactive decisions and course correction.
There is systematic and frequent monitoring of progress by senior management towards the achievement of the institution-wide goals for service, with timely course correction if necessary.

20.3 Official Languages: Strong

Analysis of the Annual Review on OL shows the institution is fully meeting its obligations.
In general, the institution has adequate resources to serve the public in both OL.
No complaint or minimal number of founded complaints exits.

For Line of Evidence 20.1, CSIS provided a self-assessment for Questions 1-3. TBS assessed CSIS with regard to Question 4 and Line of Evidence 20.3.

TBS encourages CSIS to benchmark its performance against similar organizations in other jurisdictions.

Recommendations

21. Alignment of Accountability Instruments

Strong

Highlights	Opportunities
	All departments and agencies should place a heightened focus on clear accountabilities, face to face, mid-year review and performance improvement plans.
Recommendations