Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of Information Technology Asset Management in Large Departments and Agencies





April 2010






Executive Summary

The objective of this audit was to determine whether the management and control structures in place in central agencies and in large departments and agencies (LDAs) provide an effective framework for making information technology (IT)-related decisions at the government-wide and departmental levels, respectively.

Why this is important

The Government of Canada spends a significant amount of its annual budget on IT assets and services. As well, IT is an essential component of the government's strategy to address challenges of increasing productivity and enhancing services to the public for the benefit of citizens, businesses, taxpayers, and employees. For these reasons, it is important to have assurance on the extent to which appropriate structures are in place for managing IT assets and risks, acquiring these assets, and monitoring their performance. This audit is intended to provide that assurance.

Key findings

The Treasury Board of Canada Secretariat (TBS) has defined roles and responsibilities with respect to IT asset management, providing policies, directives, and guidance that clearly outline the expectations for IT asset management, at both the departmental and government-wide levels. For their part, LDAs have put appropriate governance structures in place to oversee their IT asset management, have developed long-term IT asset plans, and have integrated these plans with their departmental and government-wide strategies and directions. Nevertheless, an opportunity exists for TBS to track LDA investment plans. This exercise would enable TBS to identify opportunities for developing common or shared service solutions that yield government-wide benefits.

TBS, in consultation with departments, has defined the objectives and expected results of its IT asset management policy, including the use of shared or common services when available and appropriate; however, it has not identified opportunities for LDAs to share IT assets and services. In particular, central support to help departments realize expected benefits from sharing IT assets or services has been limited. At the time of this audit, there was limited evidence that TBS had attempted to determine the potential savings or other benefits from sharing IT assets and services. In addition, TBS has not yet dealt with certain issues, such as cost, service quality, and legislative concerns, that pose barriers to the use of common and shared IT assets and services. However, the Office of the Comptroller General within TBS is currently working on addressing some of these barriers.

Most LDAs have developed IT asset planning processes that are informed by an appropriate consideration of risk, life cycle management, and opportunities to consolidate internal procurement requirements, but very few LDAs were able to show evidence that they considered common or shared assets and services in their long-term planning.

Government-wide and departmental performance indicators for IT asset management are not fully developed. TBS, with support from LDAs, has developed some initial government-wide performance indicators, but it has not yet used them to assess the extent to which departmental IT assets align with, and contribute to, the achievement of government-wide and departmental objectives. Most LDAs have developed basic indicators for measuring IT asset performance, but this process was in the early stages at the time of our audit. We noted that most departments had done only limited work to collect the data that would eventually be needed to support reporting against the government-wide performance indicators that were being developed.

Most LDAs were not periodically confirming the existence of their IT assets or confirming whether the number of copies of software in use respected licence agreements. Without verifying IT hardware and software assets, LDAs cannot provide assurance that they are meeting all contractual and accounting requirements, including licensing agreements, thereby exposing the Government of Canada to potential financial and legal risks.

Conclusion

We found that, in general, TBS and departments have management and control structures in place that provide an effective framework for making IT-related decisions at both the government-wide and departmental levels. We did, however, note areas for improvement, including opportunities to further explore the benefits from government-wide solutions, the enhancement of performance reporting, and the reporting and verification of IT hardware and software assets. These opportunities have led to the recommendations found in this report.

Statement of Assurance

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.[1]


Brian M. Aiken CIA, CFE
Assistant Comptroller General
Internal Audit Sector, Office of the Comptroller General of Canada

Background

The Treasury Board Policy on Internal Audit requires the Comptroller General to lead horizontal audits in large departments and agencies (LDAs). Horizontal audits assess those risks that transcend individual departments, focusing on the state of governance, controls, and risk management across government. This report presents the results of the Horizontal Internal Audit of Information Technology Asset Management in Large Departments and Agencies. Various Treasury Board policies and directives, which are briefly outlined below, guide the government's information technology (IT) asset management practices.

The objectives of the Policy on Management of Information Technology are to achieve efficient and effective use of IT in support of government priorities and program delivery, to increase productivity, and to improve services to the public. The expected results of these objectives include clear roles and responsibilities for IT management in the Government of Canada, increased use of common or shared IT assets and services, and enhanced management of IT across the government to ensure that IT supports program delivery and provides value for money.

The policy also sets out the roles and responsibilities for IT management:

The role of deputy heads is to ensure the effective management of IT within their respective departments. Related responsibilities include making sound IT investment decisions, ensuring full integration of the IT asset investment plan with the departmental business plan, using common or shared IT assets and services where available and appropriate, and providing ongoing measurement of IT performance.

The role of TBS is to establish overall government-wide strategic direction for IT in consultation with deputy heads, to lead initiatives resulting in government-wide solutions, and to implement government-wide directions with common service or shared service organizations.

The Policy Framework for the Management of Assets and Acquired Services sets the direction for asset management to ensure that assets deliver value for money. The policy framework states that value for money incorporates strategic and integrated decision-making and management processes at the government-wide and departmental levels to optimize the use of assets. The policy framework also specifies that management systems, processes, and information serve as the basis for managing performance and allocating costs, and it outlines the principles for a life cycle approach to managing assets. 

Audit Objectives, Scope, and Approach

Objectives and scope

The objective of this audit was to determine whether the management practices of the Government of Canada provide effective governance and control over IT assets. Specifically, we examined whether the management and control structures in place in central agencies and in LDAs provide an effective framework for making IT‑related decisions at the government-wide and departmental levels, respectively.

We examined the management structures of TBS and departments for managing investment-related opportunities and risks and for setting spending priorities. We assessed the existing use of common or shared IT assets and services. We reviewed departmental processes that inform future IT acquisition plans. We assessed the procedures for monitoring the performance of IT assets as well as the procedures that departments use to ensure compliance with the terms of licensing agreements for the software on their systems. Finally, we looked at the frequency with which departments verified their inventory of IT assets.

The scope of this audit included government-wide IT asset management practices in place in LDAs as of December 2009. The audit focused on systems and practices used in the governance, management, and oversight of IT hardware and software assets.

Audit approach

The audit was conducted in three phases.

Phase 1 – planning

To focus the audit on the appropriate risks and controls, we performed an environmental scan of IT asset management in the Government of Canada. The scan consisted of the following: a review of the key government-wide policies and directives relating to IT; interviews with senior IT managers from LDAs, TBS (the government's central agency responsible for designing and implementing Treasury Board policies), and Public Works and Government Services Canada (PWGSC) (the government's primary common service provider for IT and the government's central procurement agent); a review of the literature on key IT asset management risks and controls; and a review of best practices outlined in the Control Objectives for Information and related Technology (CobiT) framework. We also discussed our audit with the individuals from the Office of the Auditor General of Canada who are involved in the audit of aging IT systems to ensure that our own work would focus on different IT risks to the government. See Appendix A for a list of the criteria that guided our audit.

To select the sample of organizations for our audit, we analyzed the IT asset management environment in all LDAs using their Management Accountability Framework (MAF) assessments on Effectiveness of Information Technology Management and information on LDAs' annual IT spending. This exercise ensured that our final selection was based on performance and spending factors and included a range of organizations. As a result of this analysis, we chose eight LDAs. See Appendix B for the organizations included in our sample.

Phase 2 – examination

The internal audit function of each of the LDAs included in our sample carried out the examination phase of the audit in its organization. The Office of the Comptroller General of Canada (OCG) provided the interview questionnaires and set the requirements for the document review. Officials responsible for IT asset management within the LDAs were interviewed on their IT asset management practices, and supporting documentation was examined.

The OCG carried out a detailed examination of TBS, which consisted of interviews with officials involved in government-wide management of IT assets and a review of the documents and tools that support LDAs in managing their IT assets, including policies and guidance materials.

In addition, the OCG consulted with PWGSC to understand its role as a Common Service Provider of IT services and to verify facts related to its mandate. PWGSC, however, was not included in the scope of this audit.

Phase 3 – reporting

Following the detailed examination phase of the audit, the OCG met with the internal audit functions of the selected LDAs to consolidate their findings and to identify any horizontal issues. The OCG also conducted a quality review assessment of the audit work performed in each LDA to ensure that the work program was consistently applied across departments. Lastly, the OCG developed the findings from the results of its detailed examination within LDAs and TBS.



Detailed Findings and Recommendations

Finding 1: Government-wide management of IT

Roles and responsibilities for IT asset management are clearly defined.

Context

The efficient and effective use of IT across the Government of Canada requires clear roles and responsibilities for both central agencies and other departments and agencies.

We examined the government-wide management structures in place for managing the Government of Canada's investment in IT assets. We also examined the roles and responsibilities of TBS and LDAs for providing effective IT asset management government-wide. Finally, we examined the departmental management structures for providing direction and oversight of IT asset management decisions made within LDAs.

TBS has established clear roles and responsibilities for government-wide IT asset management

We found that TBS has put government-wide structures in place to provide direction on managing IT assets and has assigned specific roles and responsibilities to central agencies and departments. TBS, in consultation with departments, is responsible for setting government-wide strategic direction, identifying areas in which IT can yield significant government-wide benefits, and leading initiatives to achieve government-wide solutions. TBS has addressed these responsibilities through policies, directives, guidance, and annual IT performance assessments within LDAs. TBS also leads monthly meetings with all chief information officers to discuss IT issues of government-wide importance. For their part, departments are responsible for balancing individual departmental interests with government-wide interests and aligning IT asset management to government-wide directions and strategies.

Most LDAs are effectively managing their IT assets

Most LDAs had successfully implemented an appropriate level of governance to provide oversight for IT asset management. Most LDAs had long-term IT plans in place for making IT investment decisions within their organization, which generally addressed both the life cycle of their IT assets and other risks. Most LDAs had developed policies and procedures to guide IT asset management decisions. Finally, LDAs were able to demonstrate that their decisions were based on both short-term and long-term departmental strategic objectives and that they had considered government-wide directions and strategies.

TBS does not track LDA investment plans to enable common solutions

TBS does not have a formal process for identifying government-wide opportunities for and risks associated with IT investment plans. As noted above, IT issues of government-wide importance are discussed at the monthly meetings of the Chief Information Officer Council (CIOC); however, specific LDA IT investment plans are not formally tracked. The Policy on Management of Information Technology requires TBS to identify areas that yield government-wide benefits. Without formally tracking IT asset investment planning across LDAs, TBS cannot enable LDAs to work together to develop common solutions that would result in government-wide benefits, including value for money.

Recommendation

1. TBS should collect and analyze LDA IT investment plans for the purpose of identifying government-wide opportunities and risks that may facilitate common solutions.

Finding 2: Planning IT acquisitions

There are opportunities for TBS to further enable LDAs to pursue the use of common or shared services.

Context

The development of an IT asset investment plan requires an analysis of the risks and the life cycle of existing IT assets and the identification of future requirements. Risk-based planning ensures that IT asset management decisions are based on an assessment of current and future risks associated with IT assets. A life cycle management approach ensures that organizations put in place effective planning for future replacement and maintenance costs. Consolidation of acquisitions ensures that departments are taking advantage of opportunities to maximize economies of scale and to limit implementation and configuration costs.

As well, the Policy on Management of Information Technology requires departments to use common or shared IT assets and services where available and appropriate. The expected results of this requirement are improvements in government-wide efficiency. A well-developed government-wide plan for sharing assets should be in place so that departments can make progress toward meeting the policy requirement. Central agency support for sharing IT assets should include reducing or eliminating barriers to sharing and identifying opportunities for sharing assets and services that would yield government‑wide benefits.

We examined IT asset acquisition planning to determine whether IT planning processes were risk-based, used a life cycle management approach, and included a regular internal consolidation of acquisitions. We also examined compliance with, and the implementation of, the government-wide policy to increase the use of common or shared IT assets and services among departments, including shared procurement and government-wide guidance provided to departments to support them in implementing this initiative. We did not assess the merits or the value of the increased use of common or shared IT assets and services or whether it would lead to greater efficiencies.

Most LDAs have well-developed IT investment planning processes

Most LDAs had IT investment plans that prioritized the replacement of their assets on the basis of a formal or informal assessment of risk. Some organizations were able to show evidence of actively monitoring and updating their IT investment plan on the basis of an ongoing assessment of risk and priorities. In the majority of the organizations we examined, a life cycle management approach was being applied, with replacement dates based on industry standards. In almost all organizations that we examined, acquisitions were being consolidated to maximize economies of scale and limit multiple configurations. Our examination of LDA IT investment plans also showed that LDAs considered sharing assets and services on a case-by-case basis; however, longer-term planning was minimal.

Many LDAs have not supported sharing common or shared IT assets and services

We found that support for the value of common and shared services varied among departments. When they were used, we found that there were numerous approaches among LDAs for sharing IT assets and services. Some LDAs were using assets and services provided by PWGSC, while others had entered into collaborative arrangements to share IT assets and services with other departments and agencies. These collaborative arrangements included some LDAs acting as a service provider for other departments and agencies and some LDAs having service provided to them. We found that integrated planning between departments was successfully carried out when Memoranda of Understanding clearly articulated these arrangements. Finally, some LDAs were using shared assets and services only when it was mandatory to do so, in accordance with the Common Services Policy.

Identification of interdepartmental sharing opportunities

We noted that TBS is not centrally monitoring departments' IT assets and spending to develop a comprehensive picture of their potential to share assets and services. In the absence of central enablement, we found only limited evidence of departments actively searching for opportunities to share IT assets and services on their own.

PWGSC receives information from LDAs on IT acquisitions when PWGSC is used as the procurement agent. When the nature and timing of departments' requirements are similar, there are opportunities to consolidate purchases for increased economies of scale. However, this is only done on a limited basis as it is not within PWGSC's mandate to develop shared procurement opportunities. Without a consistent long-term central perspective, opportunities for sharing assets and for shared procurement will continue to be limited.

There are barriers to interdepartmental sharing

We noted that there are a number of barriers to interdepartmental sharing of IT assets and services.

There are legislative barriers that prevent line departments from sharing assets and services. Currently, only a limited number of departments have the mandated legislative authority to provide shared assets and services to other departments. In addition to limitations posed by legislative authority, it is not clear if sharing assets and services includes the sharing of information that may be subject to privacy laws. A working group at the OCG is currently working on addressing both of these issues.

LDAs and PWGSC have indicated that there are also some barriers to the use of shared services and assets provided by PWGSC. Foremost, it can be more expensive for a department to adopt a shared asset or service solution provided by PWGSC than to develop its own. In addition, some departments have concerns that service levels could decrease if they were to use a shared solution versus an in-house solution.

Finally, there is no consistency in the way departments track their IT asset spending, which makes it difficult to compare alternative sharing strategies. Without common standards for comparability, LDAs cannot make informed decisions about the use of shared assets and services.

Recommendations

2. TBS should look for opportunities that provide benefits for LDAs to use common or shared assets and services and determine how best to enable departments in implementing these initiatives.

3. TBS should address the barriers to interdepartmental sharing.

4. TBS should investigate establishing common standards to enable comparability of costs for IT management across the government.

Finding 3: Monitoring Processes

LDAs do not have fully developed IT asset performance management processes and are not tracking their IT asset inventories in a timely manner.

Context

Departments and central agencies need to monitor the performance of IT assets. This monitoring is a prerequisite for determining the extent to which investments in IT will enable departments and the government as a whole to achieve their objectives. Continuous monitoring of IT performance is also key to thoroughly understanding the current IT environment and making effective investments in IT that reflect this environment. A sound monitoring regime also ensures that departments are complying with software licensing agreements. Finally, monitoring enables departments to verify their IT asset inventories.

We examined departmental and government-wide processes for monitoring IT performance against both departmental and government-wide expectations. We also looked at departmental practices for tracking and monitoring hardware and software assets.

TBS and LDAs have developed basic indicators for monitoring the performance

TBS, through the CIOC, has developed some initial government-wide performance indicators to assist departments in measuring the performance of their IT assets. These initial indicators were informally developed in 2008 as guidance on IT planning; however, they have not been formally communicated to all relevant stakeholders in LDAs. At the time of the audit, TBS had not begun to use these indicators for assessing the extent to which departmental IT assets align with, and contribute to, government-wide and departmental objectives. 

For their part, we found that most LDAs in our sample had developed basic non-financial and financial indicators for measuring IT asset performance; however, the full development and use of these indicators were still in the very early stages at the time of our audit, and further progress needs to be made.

The non-financial indicators generally related to the tracking of service levels, including incidents involving systems failures ("up time versus down time"). We found that most LDAs could provide statistics on actual service and capacity levels; however, they had not set targets for service or capacity levels based on either industry-accepted benchmarks or actual departmental requirements for maintaining effective and efficient services. Without set targets, there is a risk that actual service and capacity levels may be lower or higher than what an organization needs to operate efficiently and effectively.

LDAs' financial indicators generally consisted of IT spending against budget. Most of these indicators were reviewed and reported on regularly. We found that LDAs were monitoring overall spending as part of the budget process; however, they were not analyzing whether their actual IT budgets and IT spending were appropriate in relation to industry benchmarks and the IT spending of organizations of a similar nature and size.

As noted above, TBS has begun to develop common performance indicators for IT. We found limited evidence that LDAs have begun to collect the data that will eventually be needed to support reporting against these indicators.

Most LDAs do not consistently track their IT hardware and software assets

Best practice suggests that departments periodically (at least annually) verify (keep track of) their IT assets. Our audit found that most of the LDAs in our sample had implemented systems to track IT software and hardware. Though the LDAs had tracking systems in place, we found little evidence that they were conducting regular verifications of inventory to ensure compliance with both accounting requirements and software licensing agreements. Without periodic verifications, LDAs cannot ensure that the IT assets documented in their records are accurate for auditable financial statements and that all their current licensing agreements remain valid. This in turn creates a financial and legal risk for the Government of Canada.

Recommendations

5. LDAs should collect the data needed to measure their IT performance and compare this to pre-established targets.

6. TBS should ensure that the performance indicators that have been developed for IT have been communicated appropriately to those who are responsible for collecting data and measuring performance. 

7. LDAs should conduct periodic verifications of their IT assets to ensure compliance with the terms of their contractual agreements and with the accounting requirements for auditable financial statements.

Management Action Plans

The findings and recommendations of this audit were presented to TBS and the eight departments and agencies included in the scope of the audit.

The OCG's Internal Audit Sector has asked the chief audit executive in each of the departments and agencies included in the audit to have management prepare detailed Management Action Plans addressing the recommendations in this report and to have the plans endorsed by the department's audit committee.

The responsibility for reporting on the actions taken by management against the recommendations rests with the chief audit executive of each department and agency. The respective audit committees will periodically receive reports from the chief audit executive on the actions taken where Management Action Plans are in place.

Deputy heads of LDAs not included in the scope of this audit are encouraged to consider the results of this horizontal internal audit and develop Management Action Plans as necessary. They should also brief their audit committee on the results of this audit.



Appendix A: Audit Criteria

Criterion: IT governance structures provide strategic direction for IT asset management.
Sub-criteria:
  1. Roles and responsibilities are defined and communicated (e.g. leadership, control over acquisition, monitoring, and oversight).
  2. Policies and procedures are defined and communicated (e.g. risk expectations, acquisition standards, and technological direction).
  3. Departmental IT plans are linked to departmental strategic plans and government-wide initiatives (e.g. shared services) and include both short-term and long-term time frames.

Criterion: Processes are in place for planning the acquisition of IT assets.
Sub-criteria:
  1. Plans for IT asset acquisitions are ranked and linked to the overall IT investment plan.
  2. Plans for IT asset acquisitions take into consideration life cycles and risk.
  3. Plans for IT asset acquisitions are consolidated internally for configuration and cost considerations.
  4. Plans for IT asset acquisitions take into consideration shared services through common service providers and with other departments.

Criterion: Processes are in place for monitoring the performance of IT assets.
Sub-criteria:
  1. Legislative, regulatory, and policy requirements are identified, and there is assurance of compliance.
  2. Asset performance is monitored, including financial and non-financial key performance indicators for purchasing and maintenance.
  3. Asset tracking systems are in place for inventory management, including software licences.

Appendix B: Departments and Agencies Included in the Audit Engagement

Large Departments and Agencies

  1. Agriculture and Agri-Food Canada
  2. Canadian Grain Commission
  3. Correctional Service Canada
  4. Foreign Affairs and International Trade Canada
  5. Environment Canada
  6. Industry Canada
  7. Public Prosecution Service of Canada
  8. Statistics Canada

Central Agency

  1. Treasury Board of Canada Secretariat

Common Service Provider included in the audit for the purpose of providing further description of IT asset management roles and responsibilities

  1. Public Works and Government Services Canada

Appendix C: Ranking of Recommendations

The following table presents the recommendations and their assigned priority ranking. Rankings were determined based on the relative importance of the recommendations across the government and their potential to motivate long-term change and reduce risk across the government.

Recommendations and priority

1. TBS should collect and analyze LDA IT investment plans for the purpose of identifying government-wide opportunities and risks that may facilitate common solutions. (Priority: High)
2. TBS should look for opportunities that provide benefits for LDAs to use common or shared assets and services and determine how best to enable departments in implementing these initiatives. (Priority: High)
3. TBS should address the barriers to interdepartmental sharing. (Priority: High)
4. TBS should investigate establishing common standards to enable comparability of costs for IT management across the government. (Priority: Medium)
5. LDAs should collect the data needed to measure their IT performance and compare this to pre-established targets. (Priority: Medium)
6. TBS should ensure that the performance indicators that have been developed for IT have been communicated appropriately to those who are responsible for collecting data and measuring performance. (Priority: Medium)
7. LDAs should conduct periodic verifications of their IT assets to ensure compliance with the terms of their contractual agreements and with the accounting requirements for auditable financial statements. (Priority: High)

Appendix D: Links to Applicable Frameworks, Policies, Standards, and Directives


[1]. The Office of the Comptroller General has not undergone an external assessment at least once in the past five years or been subject to ongoing monitoring or to periodic internal assessments of its horizontal internal audit activity that would confirm its compliance with these standards.