Common menu bar links
Breadcrumb Trail
ARCHIVED - Horizontal Internal Audit of Information Technology Asset Management in Large Departments and Agencies
This page has been archived.
Archived Content
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
Detailed Findings and Recommendations
Finding 1: Government-wide management of IT
Context
The efficient and effective use of IT across the Government of Canada requires clear roles and responsibilities for both central agencies and other departments and agencies.
We examined the government-wide management structures in place for managing the Government of Canada's investment in IT assets. We also examined the roles and responsibilities of TBS and LDAs for providing effective IT asset management government-wide. Finally, we examined the departmental management structures for providing direction and oversight of IT asset management decisions made within LDAs.
TBS has established clear roles and responsibilities for government-wide IT asset management
We found that TBS has put government-wide structures in place to provide direction on managing IT assets and has assigned specific roles and responsibilities to central agencies and departments. TBS, in consultation with departments, is responsible for setting government-wide strategic direction, identifying areas in which IT can yield significant government-wide benefits, and leading initiatives to achieve government-wide solutions. TBS has addressed these responsibilities through policies, directives, guidance, and annual IT performance assessments within LDAs. TBS also leads monthly meetings with all chief information officers to discuss IT issues of government-wide importance. For their part, departments are responsible for balancing individual departmental interests with government-wide interests and aligning IT asset management to government-wide directions and strategies.
Most LDAs are effectively managing their IT assets
Most LDAs had successfully implemented an appropriate level of governance to provide oversight for IT asset management. Most LDAs had long-term IT plans in place for making IT investment decisions within their organization, which generally addressed both the life cycle of their IT assets and other risks. Most LDAs had developed policies and procedures to guide IT asset management decisions. Finally, LDAs were able to demonstrate that their decisions were based on both short-term and long-term departmental strategic objectives and that they had considered government-wide directions and strategies.
TBS does not track LDA investment plans to enable common solutions
TBS does not have a formal process for identifying government-wide opportunities for and risks associated with IT investment plans. As noted above, IT issues of government-wide importance are discussed at the monthly meetings of the Chief Information Officer Council (CIOC); however, specific LDA IT investment plans are not formally tracked. The Policy on Management of Information Technology requires TBS to identify areas that yield government-wide benefits. Without formally tracking IT asset investment planning across LDAs, TBS cannot enable LDAs to work together to develop common solutions that would result in government-wide benefits, including value for money.
Recommendation
1. TBS should collect and analyze LDA IT investment plans for the purpose of identifying government-wide opportunities and risks that may facilitate common solutions.
Finding 2: Planning IT acquisitions
Context
The development of an IT asset investment plan requires an analysis of the risks and the life cycle of existing IT assets and the identification of future requirements. Risk-based planning ensures that IT asset management decisions are based on an assessment of current and future risks associated with IT assets. A life cycle management approach ensures that organizations put in place effective planning for future replacement and maintenance costs. Consolidation of acquisitions ensures that departments are taking advantage of opportunities to maximize economies of scale and to limit implementation and configuration costs.
As well, the Policy on Management of Information Technology requires departments to use common or shared IT assets and services where available and appropriate. The expected results of this requirement are improvements in government-wide efficiency. A well-developed government-wide plan for sharing assets should be in place so that departments can make progress toward meeting the policy requirement. Central agency support for sharing IT assets should include reducing or eliminating barriers to sharing and identifying opportunities for sharing assets and services that would yield government‑wide benefits.
We examined IT asset acquisition planning to determine whether IT planning processes were risk-based, used a life cycle management approach, and included a regular internal consolidation of acquisitions. We also examined compliance with, and the implementation of, the government-wide policy to increase the use of common or shared IT assets and services among departments, including shared procurement and government-wide guidance provided to departments to support them in implementing this initiative. We did not assess the merits or the value of the increased use of common or shared IT assets and services or whether it would lead to greater efficiencies.
Most LDAs have well-developed IT investment planning processes
Most LDAs had IT investment plans that prioritized the replacement of their assets on the basis of a formal or informal assessment of risk. Some organizations were able to show evidence of actively monitoring and updating their IT investment plan on the basis of an ongoing assessment of risk and priorities. In the majority of the organizations we examined, a life cycle management approach was being applied, with replacement dates based on industry standards. In almost all organizations that we examined, acquisitions were being consolidated to maximize economies of scale and limit multiple configurations. Our examination of LDA IT investment plans also showed that LDAs considered sharing assets and services on a case-by-case basis; however, longer-term planning was minimal.
Many LDAs have not supported sharing common or shared IT assets and services
We found that support for the value of common and shared services varied among departments. When used,we found that there were numerous approaches among LDAs for sharing IT assets and services. Some LDAs were using assets and services provided by PWGSC, while others had entered into collaborative arrangements to share IT assets and services with other departments and agencies. These collaborative arrangements included some LDAs acting as a service provider for other departments and agencies and some LDAs having service provided to them. We found that integrated planning between departments was successfully carried out when Memoranda of Understanding clearly articulated these arrangements. Finally, some LDAs were using shared assets and services only when it was mandatory, in accordance with the Common Services Policy, to do so.
Identification of interdepartmental sharing opportunities
We noted that TBS is not centrally monitoring departments' IT assets and spending to develop a comprehensive picture of their potential to share assets and services.In the absence of central enablement, we found only limited evidence of departments actively searching for opportunities to share IT assets and services on their own.
PWGSC receives information from LDAs onIT acquisitions when PWGSC is used as the procurement agent. When the nature and timing of department's requirements are similar, there are opportunities to consolidate purchases for increased economies of scale. However, this is only done on a limited basis as it is not within PWGSC's mandate to develop shared procurement opportunities. Without a consistent long-term central perspective, opportunities for sharing assets and for shared procurement will continue to be limited.
There are barriers to interdepartmental sharing
We noted that there are a number of barriers to interdepartmental sharing of IT assets and services.
There are legislative barriers that prevent line departments from sharing assets and services. Currently, only a limited number of departments have the mandated legislative authority to provide shared assets and services to other departments. In addition to limitations posed by legislative authority, it is not clear if sharing assets and services includes the sharing of information that may be subject to privacy laws. A working group at the OCG is currently working on addressing both of these issues.
LDAs and PWGSC have indicated that there are also some barriers to the use of shared services and assets provided by PWGSC. Foremost, it can be more expensive for a department to adopt a shared asset or service solution provided by PWGSC than to develop its own. In addition, some departments have concerns that service levels could decrease if they were to use a shared solution versus an in-house solution.
Finally, there is no consistency in the way departments track their IT asset spending, which makes it difficult to compare alternative sharing strategies. Without common standards for comparability, LDAs cannot make informed decisions about the use of shared assets and services.
Recommendations
2. TBS should look for opportunities that provide benefits for LDAs to use common or shared assets and services and determine how best to enable departments in implementing these initiatives.
3. TBS should address the barriers to interdepartmental sharing.
4. TBS should investigate establishing common standards to enable comparability of costs for IT management across the government.
Finding 3: Monitoring Processes
Context
Departments and central agencies need to monitor the performance of IT assets. This monitoring is a prerequisite for determining the extent to which investments in IT will enable departments and the government as a whole to achieve their objectives. Continuous monitoring of IT performance is also key to thoroughly understanding the current IT environment and making effective investments in IT that reflect this environment. A sound monitoring regime also ensures that departments are complying with software licensing agreements. Finally, monitoring enables departments to verify their IT asset inventories.
We examined departmental and government-wide processes for monitoring IT performance against both departmental and government-wide expectations. We also looked at departmental practices for tracking and monitoring hardware and software assets.
TBS and LDAs have developed basic indicators for monitoring the performance
TBS, through the CIOC, has developed some initial government-wide performance indicators to assist departments in measuring the performance of their IT assets. These initial indicators were informally developed in 2008 as guidance on IT planning; however, they have not been formally communicated to all relevant stakeholders in LDAs. At the time of the audit, TBS had not begun to use these indicators for assessing the extent to which departmental IT assets align with, and contribute to, government-wide and departmental objectives.
For their part, we found that most LDAs in our sample had developed basic non-financial and financial indicators for measuring IT asset performance; however, the full development and use of these indicators were still in the very early stages at the time of our audit, and further progress needs to be made.
The non-financial indicators generally related to the tracking of service levels, including incidents involving systems failures ("up time versus down time"). We found that most LDAs could provide statistics on actual service and capacity levels; however, they had not set targets for service or capacity levels based on either industry-accepted benchmarks or actual departmental requirements for maintaining effective and efficient services. Without set targets, there is a risk that actual service and capacity levels may be lower or higher than what an organization needs to operate efficiently and effectively.
LDAs' financial indicators generally consisted of IT spending against budget. Most of these indicators were reviewed and reported on regularly. We found that LDAs were monitoring overall spending as part of the budget process; however, they were not analyzing whether their actual IT budgets and IT spending were appropriate in relation to industry benchmarks and the IT spending of organizations of a similar nature and size.
As noted above, TBS has begun to develop common performance indicators for IT. We found limited evidence that LDAs have begun to collect the data that will eventually be needed to support reporting against these indicators.
Most LDAs do not consistently track their IT hardware and software assets
Best practice suggests that departments periodically (at least annually) verify (keep track of) their IT assets. Our audit found that most of the LDAs in our sample had implemented systems to track IT software and hardware. Though the LDAs had tracking systems in place, we found little evidence that they were conducting regular verifications of inventory to ensure compliance with both accounting requirements and software licensing agreements. Without periodic verifications, LDAs cannot ensure that the IT assets documented in their records are accurate for auditable financial statements and that all their current licensing agreements remain valid. This in turn creates a financial and legal risk for the Government of Canada.
Recommendations
5. LDAs should collect the data needed to measure their IT performance and compare this to pre-established targets.
6. TBS should ensure that the performance indicators that have been developed for IT have been communicated appropriately to those who are responsible for collecting data and measuring performance.
7. LDAs should conduct periodic verifications of their IT assets to ensure compliance with the terms of their contractual agreements and with the accounting requirements for auditable financial statements.
Management Action Plans
The findings and recommendations of this audit were presented to TBS and the eight departments and agencies included in the scope of the audit.
The OCG's Internal Audit Sector has asked the chief audit executive in each of the departments and agencies included in the audit to have management prepare detailed Management Action Plans addressing the recommendations in this report and to have the plans endorsed by the department's audit committee.
The responsibility for reporting on the actions taken by management against the recommendations rests with the chief audit executive of each department and agency. The respective audit committees will periodically receive reports from the chief audit executive on the actions taken where Management Action Plans are in place.
Deputy heads of LDAs not included in the scope of this audit are encouraged to consider the results of this horizontal internal audit and develop Management Action Plans as necessary. They should also brief their audit committee on the results of this audit.