ARCHIVED - Horizontal Internal Audit of Information Technology Asset Management in Large Departments and Agencies

• Previous Page
• Table of Contents
• Next Page

This page has been archived.

Executive Summary

The objective of this audit was to determine whether the management and control structures in place in central agencies and in large departments and agencies (LDAs) provide an effective framework for making information technology (IT)-related decisions at the government-wide and departmental levels, respectively.

Why this is important

The Government of Canada spends a significant amount of its annual budget on IT assets and services. As well, IT is an essential component of the government's strategy to address challenges of increasing productivity and enhancing services to the public for the benefit of citizens, businesses, taxpayers, and employees. For these reasons, it is important to have assurance on the extent to which appropriate structures are in place for managing IT assets and risks, acquiring these assets, and monitoring their performance. This audit is intended to provide that assurance.

Key findings

The Treasury Board of Canada Secretariat (TBS) has defined roles and responsibilities with respect to IT asset management, providing policies, directives, and guidance that clearly outline the expectations for IT asset management, at both the departmental and government-wide levels. For their part, LDAs have put appropriate governance structures in place to oversee their IT asset management, have developed long-term IT asset plans, and have integrated these plans with their departmental and government-wide strategies and directions. Nevertheless, an opportunity exists for TBS to track LDA investment plans. This exercise would enable TBS to identify opportunities for developing common or shared service solutions that yield government-wide benefits.

TBS, in consultation with departments, has defined the objectives and expected results of its IT asset management policy, including the use of shared or common services when available and appropriate; however, it has not identified opportunities for LDAs to share IT assets and services. In particular, central support to help departments realize expected benefits from sharing IT assets or services has been limited. At the time of this audit, there was limited evidence that TBS had attempted to determine the potential savings or other benefits from sharing IT assets and services. In addition, TBS has not yet dealt with certain issues, such as cost, service quality, and legislative concerns, that pose barriers to the use of common and shared IT assets and services. However, the Office of the Comptroller General within TBS is currently working on addressing some of these barriers.

Most LDAs have developed IT asset planning processes that are informed by an appropriate consideration of risk, life cycle management, and opportunities to consolidate internal procurement requirements, but very few LDAs were able to show evidence that they considered common or shared assets and services in their long-term planning.

Government-wide and departmental performance indicators for IT asset management are not fully developed. TBS, with support from LDAs, has developed some initial government-wide performance indicators, but it has not yet used them to assess the extent to which departmental IT assets align with, and contribute to, the achievement of government-wide and departmental objectives. Most LDAs have developed basic indicators for measuring IT asset performance, but this process was in the early stages at the time of our audit. We noted that most departments had done only limited work to collect the data that would eventually be needed to support reporting against the government-wide performance indicators that were being developed.

Most LDAs were not periodically confirming the existence of their IT assets or confirming whether the number of copies of software in use respected licence agreements. Without verifying IT hardware and software assets, LDAs cannot provide assurance that they are meeting all contractual and accounting requirements, including licensing agreements, thereby exposing the Government of Canada to potential financial and legal risks.

Conclusion

We found that in general, TBS and departments have management and control structures in place that provide an effective framework for making IT-related decisions at both the government-wide and departmental levels. We did however note areas for improvement, including opportunities to further explore the benefits from government-wide solutions, the enhancement of performance reporting, and the reporting and verification of IT hardware and software assets. These opportunities have led to the recommendations found in this report.

Statement of Assurance

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.^[1]

Background

The Treasury Board Policy on Internal Audit requires the Comptroller General to lead horizontal audits in large departments and agencies (LDAs). Horizontal audits assess those risks that transcend individual departments, focusing on the state of governance, controls, and risk management across government. This report presents the results of the Horizontal Internal Audit of Information Technology Asset Management in Large Departments and Agencies. Various Treasury Board policies and directives, which are briefly outlined below, guide the government's information technology (IT) asset management practices.

The objectives of the Policy on Management of Information Technology are to achieve efficient and effective use of IT in support of government priorities and program delivery, to increase productivity, and to improve services to the public. The expected results of these objectives include clear roles and responsibilities for IT management in the Government of Canada, increased use of common or shared IT assets and services, and enhanced management of IT across the government to ensure that IT supports program delivery and provides value for money.

The policy also sets out the roles and responsibilities for IT management:

The role of deputy heads is to ensure the effective management of IT within their respective departments. Related responsibilities include making sound IT investment decisions, ensuring full integration of the IT asset investment plan with the departmental business plan, using common or shared IT assets and services where available and appropriate, and providing ongoing measurement of IT performance.

The role of TBS is to establish overall government-wide strategic direction for IT in consultation with deputy heads, to lead initiatives resulting in government-wide solutions, and to implement government-wide directions with common service or shared service organizations.

The Policy Framework for the Management of Assets and Acquired Services sets the direction for asset management to ensure that assets deliver value for money. The policy framework states that value for money incorporates strategic and integrated decision-making and management processes at the government-wide and departmental levels to optimize the use of assets. The policy framework also specifies that management systems, processes, and information serve as the basis for managing performance and allocating costs, and it outlines the principles for a life cycle approach to managing assets. 

Audit Objectives, Scope, and Approach

Objectives and scope

The objective of this audit was to determine whether the management practices of the Government of Canada provide effective governance and control over IT assets. Specifically, we examined whether the management and control structures in place in central agencies and in LDAs provide an effective framework for making IT‑related decisions at the government-wide and departmental levels, respectively.

We examined the management structures of TBS and departments for managing investment-related opportunities and risks and for setting spending priorities. We assessed the existing use of common or shared IT assets and services. We reviewed departmental processes that inform future IT acquisition plans. We assessed the procedures for monitoring the performance of IT assets as well as the procedures that departments use to ensure compliance with the terms of licensing agreements for the software on their systems. Finally, we looked at the frequency with which departments verified their inventory of IT assets.

The scope of this audit included government-wide IT asset management practices in place in LDAs as of December 2009. The audit focused on systems and practices used in the governance, management, and oversight of IT hardware and software assets.

Audit approach

The audit was conducted in three phases.

Phase 1 – planning

To focus the audit on the appropriate risks and controls, we performed an environmental scan of IT asset management in the Government of Canada. The scan consisted of the following: a review of the key government-wide policies and directives relating to IT; interviews with senior IT managers from LDAs, TBS  (the government's central agency responsible for designing and implementing Treasury Board policies), and Public Works and Government Services Canada (PWGSC) (the government's primary common service provider for IT and the government's central procurement agent); a review of the literature on key IT asset management risks and controls; and a review of best practices outlined in the Control Objectives for Information and related Technology (CobiT) framework. We also discussed our audit with the individuals from the Office of the Auditor General of Canada who are involved in the audit of aging IT systems to ensure that our own work would focus on different IT risks to the government. See Appendix A for a list of the criteria that guided our audit.

To select the sample of organizations for our audit, we analyzed the IT asset management environment in all LDAs using their Management Accountability Framework (MAF) assessments on Effectiveness of Information Technology Management and information on LDAs' annual IT spending. This exercise ensured that our final selection was based on performance and spending factors and included a range of organizations. As a result of this analysis, we chose eight LDAs. See Appendix B for the organizations included in our sample.

Phase 2 – examination

The internal audit function of each of the LDAs included in our sample carried out the examination phase of the audit in its organization. The Office of the Comptroller General of Canada (OCG) provided the interview questionnaires and set the requirements for the document review. Officials responsible for IT asset management within the LDAs were interviewed on their IT asset management practices, and supporting documentation was examined.

The OCG carried out a detailed examination of TBS, which consisted of interviews with officials involved in government-wide management of IT assets and a review of the documents and tools that support LDAs in managing their IT assets, including policies and guidance materials.

In addition, the OCG consulted with PWGSC to understand its role as a Common Service Provider of IT services and to verify facts related to its mandate. PWGSC, however, was not included in the scope of this audit.

Phase 3 – reporting

Following the detailed examination phase of the audit, the OCG met with the internal audit functions of the selected LDAs to consolidate their findings and to identify any horizontal issues. The OCG also conducted a quality review assessment of the audit work performed in each LDA to ensure that the work program was consistently applied across departments. Lastly, the OCG developed the findings from the results of its detailed examination within LDAs and TBS.

• Previous Page
• Table of Contents
• Next Page