Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of Information Technology Asset Management in Small Departments and Agencies



Detailed Findings and Recommendations

Finding 1: IT governance structures and planning

In most SDAs, the governance structures for managing IT assets were reasonably designed and implemented.

Context

A well-defined governance structure is a prerequisite to enabling an organization to invest its IT resources effectively. A long-range IT plan is also important. It sets out the IT objectives, ensures that investments align with departmental and government-wide objectives, and reduces the likelihood of investing in low-priority technology assets. When IT investments are guided by an organization-wide IT strategy, the risk of acquiring incompatible or unsupportable technologies is

We reviewed the roles and responsibilities of the IT governance structures in SDAs included in our audit to determine whether they were appropriate. We also reviewed departmental IT plans to determine the extent to which they were linked to departmental business plans and government-wide objectives. Lastly, we assessed departmental IT plans to establish how far the IT plans projected into the future.

Governance structures

SDAs had established governance structures appropriate to the size and scope of their IT activities. Most had a committee composed of IT and general management that reviewed and approved IT investments. In most SDAs, a senior person had been formally assigned responsibilities for managing IT assets.

Long-term IT planning

The Directive on Management of Information Technology requires all departments and agencies to develop long-term IT plans with a minimum five-year horizon. It also requires that long-term IT plans be aligned with the department's business objectives to increase the likelihood that IT investments will be of

Although we found evidence of short-term IT planning in most SDAs, many could not demonstrate that they had carried out long-term planning. In addition, many could not demonstrate in their IT plans how proposed IT investments would support departmental and government-wide objectives. We noted that some SDAs did not view IT as central to their core mandate. In other SDAs, investment in IT was relatively small. As a result, many SDAs were managing IT on a day-to-day basis, which would account for the general lack of long-term IT planning across these organizations.

Given the size and scope of IT assets in some SDAs, respecting the requirements of government-wide policies in this area may be more demanding than the value added. Making risk-informed decisions about policy compliance may be appropriate in this area. The Directive on Management of Information Technology, as well as related policy instruments, does not address this issue.

Recommendation

1. TBS, in collaboration with SDAs, should determine whether government-wide IT policies governing the management of IT in SDAs are consistent with the IT

Finding 2: Planning IT acquisitions

Most SDAs were not prioritizing their IT asset acquisitions. In addition, there was limited evidence of IT asset sharing by SDAs.

Context

Effective planning for IT acquisitions ensures that investments support the goals of the organization and that technology dollars are directed to those assets that are most important to its operations. Planning should incorporate a life cycle approach to IT assets, taking into account, for example, the risks associated with a decision to replace an aging asset or to extend its life. Planning should also include consideration of shared IT assets where available

We reviewed the long-range asset acquisition plans to determine whether they were linked to the departments' business plans, and we assessed the extent to which SDAs had prioritized their planned IT asset acquisitions. We examined the extent to which SDAs had considered the life cycle of IT assets in their planning process and whether that process accounted for IT risk. Lastly, we assessed the extent to which SDAs had considered the use of common or shared IT assets and services with other organizations when planning their IT acquisitions.

Planning and prioritizing IT asset acquisitions

We found that SDAs had carried out some level of planning for the acquisition of IT assets. Most of this work was undertaken as part of the annual budget planning cycle, when SDAs establish their IT infrastructure requirements and plan their IT acquisitions for the next fiscal year.

We found that most SDAs in our sample had not prioritized their planned IT acquisitions. Some could not demonstrate that they had considered the life cycle of assets in planning for IT acquisitions. Others could not demonstrate that their IT acquisition plans had considered the risk associated with any decision to replace a given asset. As a result, we have no assurance that SDAs spent their technology dollars on the IT items of highest priority or that they replaced items only when necessary and not before the end of their useful life.

A key reason for these weaknesses in planning for IT acquisitions is that most IT units in SDAs only submit a cost estimate for planned IT acquisitions to their finance units for their annual budgeting cycle. Although this approach does indicate how much money should be set aside to acquire assets, it does not indicate the specific IT assets that the organization will acquire with the allotted funds or whether these assets are the highest priority in terms of risk or operational needs.

Sharing IT assets and services

We found that the majority of SDAs included in our audit considered shared IT infrastructure on a case-by-case basis. Evidence of actual sharing of IT assets was limited. Generally, each SDA had established its own infrastructure, which paralleled the infrastructure of other organizations. Parallel infrastructures present an opportunity for rationalization or sharing that should be further explored.

There are barriers to interdepartmental sharing

We noted that there are a number of barriers to interdepartmental sharing of IT assets and services.

For example, legislative barriers exist that prevent departments from sharing assets or providing services to other departments. In addition, privacy laws may prohibit sharing of information. A working group at the OCG is currently working on addressing both of these issues.

SDAs and the common service provider for IT have indicated that there are some barriers to the use of shared services and assets provided by the common service provider. Foremost, it can be more expensive for an SDA to adopt a shared asset or a shared service solution provided by the common service provider than to develop its own. In addition, since each SDA defines IT services differently and allocates asset costs to services according to its own model, it can be difficult to compare the costs of doing IT work within a department with a shared services model. Finally, some SDAs have concerns that service levels could decrease if they were to use a shared solution versus an in-house solution.

The scope of this audit did not include an assessment of whether the above concerns are valid. Nevertheless, these issues need to be addressed in order to determine the extent to which they may be discouraging SDAs from considering shared IT asset and service solutions.

Best practice in sharing IT assets

We noted that one SDA had organized its technology services to reduce redundancy of IT resources and assets by using shared IT assets. This particular SDA has signed a Memorandum of Understanding with a large department to receive IT services, and it has a shared vote on IT spending with that department. The SDA participates in the IT planning cycle of the large department, where it makes known its objectives. Under this arrangement, the large department owns and manages all "back office" IT assets and resources (for example, servers, back office software, LAN/WAN infrastructure, and IT staff) other than desktops. As a result, the SDA does not maintain these IT assets or related staff. This arrangement eliminates duplication of IT assets and resources for the SDA.

We considered this arrangement to be a best practice. It transfers the management of an activity that is not a core competence of the SDA to a third party while establishing a mechanism to ensure that the level of service will remain as high as if these activities were carried out in-house. The SDA and the large department are in the process of developing a Service Level Agreement to formalize this arrangement.

Recommendations

2. SDAs should ensure their IT plans for proposed acquisitions address areas of highest priority in terms of risk, life cycle of assets, or operational needs.

3. TBS should identify and resolve the barriers that limit the adoption of shared IT assets and services by SDAs where appropriate. This activity should include an examination of parallel infrastructures that present an opportunity for rationalization or sharing.

Finding 3: Monitoring processes

Most SDAs did not have indicators for measuring the performance of their IT assets.

Context

To ensure that IT assets deliver maximum value to the organization, SDAs need to know, for example, whether IT assets are underutilized or over-utilized, what the failure rates are, and whether cost targets are being met. Monitoring and measuring the performance of these and other aspects of IT provide valuable information that SDAs can use to identify and deal with problem areas. They also provide information on which SDAs can base decisions about future IT acquisitions.

Good stewardship requires that an organization track its IT assets to verify their location and condition. The output of asset tracking systems can also provide early warning signs of missing assets. Software licences should also be tracked because organizations have a legal obligation to comply with software licensing agreements.

We reviewed the processes used to measure IT asset performance. We verified whether SDAs had defined financial and non-financial performance indicators and the extent to which they were measuring and reporting performance against these indicators. We interviewed senior management within SDAs to understand how assets were tracked. Finally, we reviewed inventory reports for evidence of a system for tracking software licences.

Tracking assets

Most SDAs had well-defined processes for tracking and accounting for their IT assets. As well, most SDAs periodically inventoried their hardware and software assets to ensure accountability and compliance with software licensing agreements.

Non-compliance with policy on measuring IT performance

The majority of SDAs were not able to demonstrate that they had an adequate process for measuring and reporting on the performance of IT assets as required by the Policy Framework for Information and Technology. None of the SDAs had defined objective, quantitative performance (financial or non-financial) targets, such as cost overruns, service levels, and downtime. Some SDAs had considered subjective, qualitative data, such as users' opinions on the performance of their computers on different days, when making IT asset purchase decisions. However, such data may not provide useful information for decision making because the data are subjective and offer only a limited picture of the performance of an asset.

Rationale for non-compliance with policy on measuring IT performance

The reasons for not measuring IT performance varied. Some SDAs told us that their small-scale use of IT assets did not warrant a comprehensive process for monitoring and measuring IT performance. Others noted that they had competing priorities that were more important relative to measuring IT performance. However, without some form of objective performance measurement, the ability to make

TBS, in consultation with SDAs, has developed some preliminary performance indicators for IT assets; however, they have not been formally communicated to all relevant stakeholders in SDAs. As such, we saw no evidence of these being

Recommendations

4. SDAs should develop processes for measuring the performance of IT to ensure that they have objective information to support their management decisions about IT.

5. TBS should ensure that the performance indicators that have been developed for IT have been communicated appropriately to those who are responsible for collecting data and measuring performance.

Management Action Plans

The findings and recommendations of this audit were presented to TBS and the eleven SDAs included in the scope of the audit.

The OCG's Internal Audit Sector asked TBS and the SDAs included in the audit to prepare detailed Management Action Plans addressing the recommendations in this report.

The Internal Audit Sector of the OCG will follow up on the Management Action Plans proposed by the SDAs, and the Chief Audit Executive of TBS will follow up on the Management Action Plans proposed by TBS. The purpose of this follow-up is to ensure that the Management Action Plans have been successfully implemented to address underlying risks. The respective audit committees will periodically receive reports on the status of management actions taken where Management Action Plans are in place.

Deputy heads of SDAs not included in the scope of this audit are encouraged to consider the results of this horizontal internal audit and develop Management Action Plans as necessary.