Treasury Board of Canada Secretariat

ARCHIVED - Supreme Court of Canada

Warning: This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

Internal Audits and Evaluations

Name of Internal Audit: Audit of Information Technology Infrastructure
Assurance Audit

Name of Internal Audit: Audit of Information Technology Infrastructure
Electronic Link to Report: May 31, 2008

The purpose of this audit was to provide the Registrar with an independent and objective assessment of the Court’s IT (Information Technology) Infrastructure. Criteria used to assess the audit objectives were taken from Control Objectives for Information and related Technology (COBIT - Version 4.0).

The scope of the audit included all aspects of the Court’s IT infrastructure, except for application development and maintenance. Security penetration was covered by the audit in that auditors concluded that a reasonable level of reliance could be placed on internally conducted intrusion detection/penetration testing. The audit was conducted between December 20, 2007 and March 31, 2008, and the report was approved in May 2008.

The key findings of this audit included:

1. The IM/T Business Plan is linked to the LISS Sector Business Plan; auditors therefore conclude that the vision and strategy for IT support the Court’s business strategy and government-wide directions.

2. Accountabilities, roles and responsibilities relating to the Court’s IT infrastructure are defined, understood and effectively acted upon. However, the IT Security Coordinator currently performs two contradictory roles: one role is to establish firewall rules and the other role is to monitor the firewall activity.

3. There is an effective IT governance structure. Auditors conclude that the Court’s governance structure for managing its IT infrastructure is established and effective in setting priorities for IT investments and resources, and IT investment plans are integrated into the corporate plans and processes.

4. The Court’s IT infrastructure is reliable since backups are performed on a regular schedule and network monitoring is being conducted. However, there is no approved documented Business Continuity Plan and, although network monitoring is being conducted, auditors noticed that there is a third party allowed to access the SCC network.

5. Some risks to the IT infrastructure are appropriately identified and managed with a Draft Modernization Risk Management Plan. However, there have been no Threat and Risk Assessments conducted on systems, services and programs.

6. IT policies have been created to support the IT strategy and these policies were communicated to Court staff. Therefore, auditors conclude that effective controls are in place such that activities and actions supporting the management of the IT infrastructure are in compliance with some applicable Treasury Board Secretariat and Court policies, directives, standards and procedures, particularly the new Policy on Management of IT promulgated on July 1, 2007, the Enhanced Framework for the Management of Information Technology Projects, and the MITS Policy. However, since no Threat and Risk Assessments have been conducted, the SCC is not in full compliance with MITS.

7. Performance related to the Court’s management of IT is measured on an ongoing basis. However, there are no reports showing IT service performance compared to approved service levels.

8. There are Quality Management (QM) items currently being implemented, but there is no documentation to ensure that IT has adequate measurements for monitoring Quality Management Systems, and there is no distinct development, testing and production environment at SCC. Therefore, auditors conclude that some aspects of quality and continuous improvement to the management of IT are fostered in the Court’s control process.

Except as noted above, auditors can provide assurance that the Court’s infrastructure management and control framework is effective. There are some areas where current practices and processes could be improved to further strengthen the Court’s IT infrastructure. The observations and recommendations of the report address these areas of concern. The Court management has accepted all of the recommendations and has put in place an action plan to implement them in the short term.