Treasury Board of Canada Secretariat

ARCHIVED - Horizontal Internal Audit of Information Technology Asset Management in Small Departments and Agencies



Executive Summary

The objective of this audit was to determine whether the management and control structures in place in small departments and agencies (SDAs) provide an effective framework for managing information technology (IT) assets. We also examined the policies and the guidance provided by the Treasury Board of Canada Secretariat (TBS) to SDAs in this regard.

Why this is important

The Government of Canada spends a significant amount of its annual budget on IT assets and services. As well, IT is an essential component of the government's strategy to address the challenges of increasing productivity and enhancing services to the public for the benefit of citizens, businesses, taxpayers, and employees. For these reasons, it is important to have assurance on the extent to which appropriate structures are in place for managing IT assets and risks, acquiring these assets, and monitoring their performance. This audit is intended to provide that assurance.

Key findings

SDAs have established governance structures appropriate to the size and scope of their IT activities. We found evidence of short-term IT investment planning in most SDAs; however, many of the SDAs included in our audit had not developed long-term plans as required by the Treasury Board Directive on Management of Information Technology. Nevertheless, respecting the requirements of the directive in this area may be more demanding than the value added for some SDAs, given the size and scope of their IT‑related activities. As such, an opportunity exists for TBS—the central agency responsible for setting IT policy—to work with SDAs to examine if existing IT policies are consistent with the IT asset management risks faced by SDAs.

There was evidence that SDAs considered the budget required for acquisition of IT assets during the annual budget planning cycle. However, many SDAs could not demonstrate that they were prioritizing their planned IT acquisitions on the basis of the life cycle of assets or other risks. Accordingly, we cannot provide assurance that SDAs have spent their technology dollars on IT items of highest priority in terms of risk or operational needs or that they have replaced items only when necessary and not before the end of their useful life.

The Policy on Management of Information Technology requires departments and agencies to use shared assets and IT‑related services where appropriate and when available; however, certain legislative and other barriers tend to discourage SDAs from complying with that policy. A working group at the Office of the Comptroller General of Canada (OCG) is currently working on addressing this and other related issues. Nevertheless, we found evidence of one SDA that had successfully adopted a shared IT asset model in collaboration with a large department.

Most SDAs were not measuring the performance of their IT assets as required by the Policy Framework for Information and Technology. None of the SDAs had developed appropriate targets and indicators—the basic prerequisites to measuring performance. We noted that TBS has developed some preliminary performance indicators in consultation with SDAs. However, these indicators have not been formally communicated to relevant stakeholders in SDAs. As such, we saw no evidence of these being used by the SDAs included in our audit.

Conclusion

Overall, we are satisfied that, given the scale and scope of the activities within the SDAs included in our audit, the management and control structures in place provide an effective framework for managing IT assets.

Statement of Assurance

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional [1]


Brian M. Aiken CIA, CFE
Assistant Comptroller General
Internal Audit Sector, Office of the Comptroller General of Canada

Background

The Treasury Board Policy on Internal Audit requires the Comptroller General to lead horizontal audits in small departments and agencies (SDAs). Horizontal audits assess those risks that transcend individual departments, focusing on the state of governance, controls, and risk management across government. This report presents the results of the Horizontal Internal Audit on Information Technology Asset Management in Small Departments and Agencies. Various Treasury Board policies and directives, which are briefly outlined below, guide the government's IT asset management practices.

The objectives of the Policy on Management of Information Technology are to achieve efficient and effective use of IT to support government priorities and program delivery, to increase productivity, and to improve services to the public. The expected results of these objectives include clear roles and responsibilities for IT management in the Government of Canada, increased use of common or shared IT assets and services, and enhanced management of IT across the government to ensure that IT supports program delivery and provides value for money.

The Policy Framework for the Management of Assets and Acquired Services, among other things, outlines key asset management principles, including the use of a life cycle approach when planning acquisitions such as IT assets.

The Directive on Management of Information Technology sets out specific requirements for the governance and management of IT and emphasizes the need for a long-range (five-year) IT plan that is integrated with the annually reviewed and updated departmental investment plan.

The Policy on Investment Planning – Assets and Acquired Services requires departments and agencies to develop investment plans that are aligned with their strategic direction and to take asset performance (including cost and risk) into consideration.

The SDA community in the federal government is extremely diverse, varying in, for example, organizational structure and size, budget, nature of work, and relationship with larger departments. The budgets of SDAs do not exceed $300 million per year, while personnel gross expenditures represent approximately 65% of expenditures. Their full‑time equivalents vary from 10 to 500 employees. These factors contribute to the nature of the financial systems and controls that SDAs have implemented for decision making and accountability.

Audit Objectives, Scope, and Approach

Objectives and scope

The objective of this audit was to determine whether the management and control structures in place in SDAs provide an effective framework for managing IT assets.

The scope of this audit included IT asset management systems and practices in place in a sample of SDAs as of December 2009. The audit focused on IT governance structures, IT acquisition planning processes, the extent to which SDAs had taken advantage of opportunities to share IT assets and services with other organizations, and the processes used to measure the performance of their IT assets. We also examined the actions and the guidance provided by TBS to SDAs in this regard.

Audit approach

The audit team consisted of internal auditors from the Internal Audit Sector of the OCG. The audit was conducted in three phases.

Phase 1 – planning

To focus the audit on the appropriate areas of risk, we performed an environmental scan of IT asset management in the Government of Canada. The scan consisted of the following: a review of the key government-wide policies and directives relating to IT; interviews with senior IT managers from TBS (the government's central agency responsible for designing and implementing Treasury Board policies) and Public Works and Government Services Canada (PWGSC) (the government's primary common service provider for IT and the government's central procurement agent); a review of the literature on key IT asset management risks and controls; an analysis of the IT asset management systems and practices in place in two SDAs; and a review of best practices outlined in the Control Objectives for Information and related Technology (CobiT) framework. We also discussed our audit with individuals from the Office of the Auditor General who are involved in the audit of aging IT systems to ensure that our work did not duplicate the audit work of other assurance providers. See Appendix A for a list of the criteria that guided our

To select the sample of organizations for our audit, we analyzed the results of the annual assessment of IT management practices in government departments, the prior participation of SDAs in other horizontal audits, and the level of spending of individual SDAs. This exercise ensured that our final selection was based on performance and spending factors and included a range of organizations. As a result of this analysis, we chose 11 SDAs. See Appendix B for a list of the organizations included in our sample.

Phase 2 – examination

We began this phase by interviewing personnel responsible for managing IT assets in the selected SDAs. We then examined supporting documents to corroborate the information collected from the interviews. These documents included departmental IT or investment plans, IT asset acquisition plans, organizational charts, job descriptions, and reports on IT performance and inventory management.

Fact sheets were prepared for each of the SDAs and were confirmed with them before the audit team began to write the report.

The OCG carried out interviews with TBS officials involved in government-wide management of IT assets. The OCG also reviewed documents and tools that support SDAs in managing their IT assets, including policies and guidance materials.

In addition, the OCG consulted with PWGSC to understand its role as a common service provider of IT services and to verify facts related to its mandate. PWGSC, however, was not included in the scope of this audit.

Phase 3 – reporting

Following the detailed examination phase of the audit, we consolidated our findings to identify any horizontal issues. Finally, we drafted our final horizontal internal audit report.