Treasury Board of Canada Secretariat

ARCHIVED - Internal Audit and Evaluation Bureau - Audit of Electronic Record Keeping


Executive Summary

Background

The Internal Audit and Evaluation Bureau (IAEB) has completed an audit of electronic record keeping for the Treasury Board of Canada Secretariat (the Secretariat) as part of a broader horizontal audit initiated by the Office of the Comptroller General (OCG).

This report relates specifically to the Secretariat as a large department. While OCG developed the audit program, IAEB conducted both the detailed examination phase and the supplementary audit procedures in order to produce a stand-alone audit report for the Secretariat.

Objective and Scope

The objective of the audit was to provide assurance that the management control framework over electronic record keeping is in place and provides relevant, timely and accessible information to support decision making at the departmental level.

The scope of the audit was limited to unstructured electronic data (i.e., data produced outside enterprise systems, such as SAP), and was divided into the following five lines of enquiry that were identified by OCG during the planning phase:

  • Policy and Governance;
  • People and Capacity;
  • Enterprise and Information Architecture;
  • Information Management Tools and Applications; and
  • Information Management and Service Delivery.

Key Findings

The main audit findings are presented below:

  • Policy and Governance: A governance framework is in place within the Secretariat that defines information management (IM) roles and responsibilities to support unstructured electronic record keeping at each level. Although key monitoring and reporting processes are in place, improvements to planning, performance measurement and compliance monitoring would further strengthen the governance framework.
  • People and Capacity: Some processes to support the development of highly skilled workforces are in place, but there is room for improvement. Specifically, available learning resources are not being universally leveraged by staff, and opportunities exist to improve planning for these activities.
  • Enterprise and Information Architecture: The Secretariat has not consistently been developing information architecture and processes that respect IM risks, controls, and operational requirements. Practices vary by sector and user group.
  • Information Management Tools and Applications: The extent to which key methodologies, mechanisms, and tools have been established and implemented to support departmental record keeping throughout the Secretariat varies by sector, with few consistent practices department-wide.
  • Information Management and Service Delivery: Record-keeping practices have not been fully implemented to ensure that information is timely, accurate, and accessible.

Conclusion

We conclude with a high level of assurance that although key aspects of a management control framework over unstructured electronic record keeping are in place within the Secretariat, a number of significant improvements are necessary to fully ensure the provision of relevant, timely and accessible electronic information to support decision making and general IM practices.

Recommendations

The following recommendations are directed to the Secretariat's departmental Chief Information Officer (CIO), in relation to the management of unstructured electronic information. While the focus of our audit was electronic record keeping in general, these recommendations could be applied to IM as a whole.

  1. The CIO should define performance expectations and performance measures for IM strategies and operational activities and should ensure periodic reviews and reports on performance results (including compliance) against these expectations;
  2. The CIO should define monitoring and reporting roles and responsibilities for IM in order to meet the needs of the Secretariat and to ensure that IM strategies and goals are met. This should be done by leveraging the knowledge of sectors and defining their responsibilities for IM, while respecting the holistic IM stewardship responsibilities of the Enterprise Information Management Services (EIMS) group within the Secretariat. Once defined, these roles and responsibilities should be approved by the Secretariat's governance committees to ensure acceptance;
  3. The CIO should develop an inventory of existing IM practices and should identify key practices that may be transferable or applicable to the Secretariat as a whole. EIMS should develop department-wide IM practices and tools based on these key practices, as appropriate, and should ensure that existing sector capabilities are leveraged to support their development and implementation;
  4. The CIO, in conjunction with sectors, should perform a gap analysis of the IM life cycle of electronic records to ensure that consistent IM life-cycle practices are in place across the Secretariat and information repositories, ensuring that:
    • Information needs and processes are defined, documented, and periodically reviewed for all of the Secretariat's user groups; and
    • Policies and training are updated to support the consistent application of these practices and to meet the needs of the Secretariat's users.

A management response and action plan has been developed by the Secretariat and is presented in Appendix D.