Skip to content Skip to institutional links

Common menu bar links

Breadcrumb Trail

Institutional links

Reports

ARCHIVED - Horizontal Internal Audit of Electronic Recordkeeping in Small Departments and Agencies

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Executive Summary

The objective of this audit was to determine whether small departments and agencies (SDAs) and departments that have a central role are fulfilling the requirements of the information management (IM) policy suite, with a particular focus on electronic recordkeeping.

Why This Is Important

The management of information in the Government of Canada impacts all lines of business and is a key component of departmental service delivery. Electronic information is being created throughout government at a rate that is growing exponentially, and without the ability to effectively manage this information, departments may be at risk of losing their ability to identify and retrieve information needed for decision making in an organized and timely fashion. This could result in an inability to meet information requests from Canadians and other obligations.

This audit supports the Treasury Board of Canada Secretariat (the Secretariat) in enabling departments and agencies to meet policy objectives for electronic recordkeeping by identifying systemic issues and common challenges with compliance with the Policy on Information Management.

Key Findings

A government-wide strategy and action plan for IM have been implemented, and these are actively communicated to departments and agencies. Most SDAs do not have IM plans in place and are not monitoring the effectiveness of their IM activities.

Most SDAs have not yet developed a framework for identifying information of business value. This is an important first step so that information of business value can be retained and organized in a manner that makes retrieval for decision making timely and effective. Most SDAs have yet to define business value as it relates to their IM needs and provide little to no guidance for departmental staff.

Most SDAs do not have retention and disposition processes that reflect the electronic environment. Disposition of electronic records is performed mostly on an ad hoc basis by staff and is not linked to established retention and disposition processes

Electronic recordkeeping systems are inconsistently used by departmental staff. Most SDAs have not made electronic recordkeeping systems mandatory, and instead leave usage up to the individual. This results in some electronic records being saved on shared drives, personal drives, or portable storage devices, rather than on an enterprise-wide system. While it is possible to effectively manage information of business value outside an enterprise-wide system, doing so decreases the efficiency of retrieval of this information in a timely manner and impedes sharing of information government-wide.

Training for IM practitioners is planned and coordinated government-wide. Departmental employees are being provided with some electronic recordkeeping training. Further analysis should be done to identify learning needs.

Conclusion

While strategic direction for electronic recordkeeping has been established within the Government of Canada, implementation of departmental plans to address the strategy is in the early stages. SDAs have not yet developed a framework for identifying information of business value to support decision making on a timely basis. SDAs are addressing training requirements for their IM practitioners but not for all departmental staff. Electronic records of business value are not being identified, managed, stored and disposed of consistently across SDAs.

Conformance with Professional Standards

The conduct of this engagement was done in accordance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.[1]

Brian M. Aiken, CIA, CFE
Assistant Comptroller General
Internal Audit Sector, Office of the Comptroller General

Background

The Government of Canada has long made the management of information an operational priority. In the past, paper records were managed by a team of dedicated record keepers who would file what was often the only copy of any one record.

The arrival of the electronic age complicated traditional recordkeeping. Every email or draft document is created and saved as an original file and is thus considered an electronic record. Much of the information generated and managed by the federal government is electronic and can be categorized into two groups: structured and unstructured data.

Structured data represents information maintained in enterprise systems such as financial or human resources systems. Information is often entered into these enterprise systems through pre-defined fields such as “name,” “telephone number”, etc. There are numerous controls to manage the risks associated with this type of information, such as who can enter or edit the information, or what type of information can be entered into specific fields.

Unstructured data, on the other hand, is information that includes working documents such as project plans, spreadsheets, emails, and records of decision. One of the major risks of managing this data is that the controls are frequently much less structured and often ad hoc in nature. This may mean that information is more difficult to track or that multiple versions saved in multiple locations compromise the reliability of the information. However, this data often forms the basis for critical decision making.

The notion of a physical space being used to centrally house all records is no longer a reality. All employees are now tasked with managing a multitude of records they may create every day. The number of records generated by the government has grown exponentially, challenging its previous ability to track and manage its information with certainty and effectiveness.

Acknowledging the changing environment, in 2006 the Treasury Board of Canada Secretariat (the Secretariat) led a government-wide effort to identify challenges in modernizing recordkeeping. Representatives from multiple government departments participated in the exercise, and two reports were produced that laid the foundation for a unified government direction: Information Management in the Government of Canada: The Business Problem Assessment and Information Management in the Government of Canada: The Vision.

In 2007, the Secretariat published a new Policy on Information Management, followed by two new directives: Directive on Information Management Roles and Responsibilities (2007) and Directive on Recordkeeping (2009). While the new policy suite established responsibilities for IM in departments, it was the Government of Canada Information Management Strategy (published in 2008) that aligned IM goals and provided clear objectives for the community as a whole.

Life-cycle management of information is a common thread throughout the IM policy suite and the Government of Canada Information Management Strategy. Specifically, departments must determine which electronic records are worth retaining in the long term (and for how long) and which records should be disposed of after an appropriate period of time. “Business value” is the term used to describe whether or not a record has value for operations. Because so many electronic records are transitory, they are not seen as having long-term value to the interests of the government. Yet these types of records often outnumber more “valuable” records by a significant margin.

Attributing business value to electronic records allows IM practitioners to assign life-cycle parameters according to the long-term requirements. If this process is well established, retention and disposition of records becomes an automated process.

Library and Archives Canada (LAC) is the agency responsible to provide guidance and support to help determine retentions and to provide delegated authorities to allow for disposition of corporate records within government departments. These delegated authorities are required to be in place prior to the disposition of records because they state which records are to be destroyed and which records should be archived for the long-term benefit of the Government of Canada and of Canada's national interest.

Audit Objective, Scope and Approach

Objective and Scope

The objective of this audit was to determine whether SDAs and departments that have a central role are fulfilling the requirements of the IM Policy Suite, with a particular focus on electronic recordkeeping.

For the purposes of this audit, we limited our scope to unstructured electronic data.

Fourteen SDAs were reviewed during the horizontal audit of electronic record keeping. In addition, the Secretariat and LAC were also included in the audit because of their specific responsibilities identified in the IM policy suite: the Secretariat in providing policy and functional guidance to departments, and LAC in issuing records disposition authorities. The SDA community in the federal government is extremely diverse, varying, for example, in organizational structure and size, budget, nature of work, and relationship with larger departments. The budgets of SDAs do not exceed $300 million per year. Their full‑time equivalents vary from 6 to 500 employees. These factors contribute to the extent of the electronic record keeping systems and controls that SDAs have implemented for decision making and accountability. (Appendix A contains a list of the departments and agencies examined.)