Common menu bar links
Breadcrumb Trail
ARCHIVED - Internal Audit and Evaluation Bureau - Audit of Electronic Record Keeping
This page has been archived.
Archived Content
Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.
2.0 Audit Details
2.1 Objectives and Scope
The objective of the audit was to provide assurance that the management control framework over electronic recording keeping is in place and provides relevant, timely and accessible information to support decision making at the departmental level.
It was acknowledged that most information created by the Government of Canada is electronic and can be categorized into the following two types:
- Structured data are generated from enterprise systems, such as SAP or PeopleSoft. Numerous controls exist to manage the risks associated with this type of information.
- Unstructured data include information in working documents, such as project plans, spreadsheets, emails, and records of decision. The management of this information faces similar risks, yet the controls are frequently much less structured, often ad hoc in nature.
For the purposes this audit, the scope was limited to unstructured data, with an emphasis on electronic record keeping. In addition, because management of electronic data is not considered to be a discrete IM activity, observations and findings that refer to IM also apply to electronic record keeping unless otherwise noted.
The scope of IAEB's work was limited to the Secretariat as a large department. Work was carried out by IAEB from February 2011 to July 2011 and covered activity during the 2010–11 and 2011–12 fiscal years.
Scope Exclusion
Although the Secretariat has a central agency role relative to IM, this role is covered by the OCG's horizontal audit and was excluded from IAEB's examination.
It should be noted that on August 8, 2011, the Government of Canada announced the creation of Shared Services Canada, to streamline information technology (IT) within the federal government.Its role will be to consolidate email, data centre, and network services across the public service. While this new initiative does not impact the findings and observations of this audit, it is recognized that it will impact the implementation of actions related to the electronic infrastructure and architecture upon which electronic record keeping rests.
2.2 Criteria
The audit of electronic record keeping included the following five lines of enquiry:
- Policy and Governance;
- People and Capacity;
- Enterprise and Information Architecture;
- Information Management Tools and Applications; and
- Information Management and Service Delivery.
The criteria for the audit were drawn from the Treasury Board Policy on Information Management and its supporting directives. Detailed audit criteria for each of these lines of enquiry are presented in Appendix B.
2.3 Approach and Methodology
The audit approach and methodology followed the Internal Auditing Standards for the Government of Canada and The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. For this audit, planning was initiated by OCG in consultation with large departments' and agencies' internal audit functions.
The audit consisted of interviews with Secretariat staff, documentation reviews, and detailed testing and analysis of administrative data. We interviewed a sample of staff members to gain an understanding of IM practices within the Secretariat, focusing on electronic record keeping. We also reviewed documents to validate our findings. OCG provided an audit work plan and program for the first phase of the examination. This audit work plan was supplemented by additional audit work carried out by IAEB staff during the second phase, to provide further assurance in selected areas. Additional interviews and a documentation review were also conducted. Where merited, audit testing beyond OCG requirements was conducted to support the development of a stand-alone audit report for the Secretariat.
In conducting this audit, we also noted some strong IM and electronic record-keeping practices within the Secretariat. These are presented for information purposes in Appendix C.