Archived information

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Audit of Governance of Information Management - Final Report

Foreign Affairs, Trade and Development Canada
Office of the Chief Audit Executive

March 2014

Acronyms

CIDA: Canadian International Development Agency
CIMS: Corporate Information Management Section
CIO: Chief Information Officer
EDRMS: Enterprise Document and Record Management System
IM: Information Management
IT: Information Technology
IMTB: Information Management and Technology Branch
IM/IT SAC: Information Management / Information Technology Senior Advisory Committee
TB: Treasury Board

Executive Summary

In accordance with the 2012–2015 Risk-based Audit Plan, the Office of the Chief Audit Executive at the Canadian International Development Agency (CIDA) [Footnote 1] conducted an internal audit on information management (IM). The objective was to provide reasonable assurance that an appropriate governance structure is in place to support the effective management of information at CIDA and compliance with relevant legislation and policies.

Treasury Board defines IM as a discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation. Information is a valuable asset to any organization and should be timely, relevant, reliable, comprehensive and accessible. The key is to manage this information effectively to support the delivery of programs and services. At CIDA, the Corporate Information Management Section (CIMS) within the Information Management and Technology Branch (IMTB) is the functional lead for IM while it is the responsibility of all CIDA employees to apply IM principles, standards and practices in the performance of their duties.

Relevant committees have been established to provide oversight and accountability on IM matters by branch representatives at an appropriate level. Reporting channels among the committees are clear and IM matters are raised at relevant corporate governance committees when seeking recommendation or approval. For the first time in 2012–2013, the Performance Management Agreements of the Information Management / Information Technology (IM/IT) Senior Advisory Committee members were used to further strengthen IM accountability.

CIDA has IM policy instruments that are aligned with Government of Canada legislation; however, certain policy requirements have yet to be implemented. Roles and responsibilities for IM specialists are clearly defined and assigned in CIDA’s Standard on IM Roles and Responsibilities; however, they are not reflected in IM specialists’ job descriptions. Also, CIDA has no authority to dispose of records in the field. CIMS is aware of the above two critical requirements and is in the process of addressing them. In addition, CIDA has not identified information resources of business value, a critical prerequisite for effective recordkeeping practices.

IMTB has developed strategic and operational plans for IM demonstrating a strong planning culture. While measures of success are outlined in these plans, monitoring is limited to activities as set out in IM operational plans. There is a lack of formal mechanisms to measure performance, monitor compliance and report on results. In addition, a branch risk assessment has not been updated since 2010 and it did not inform the branch planning process. Given the recent announcement of the amalgamation of CIDA and the Department of Foreign Affairs and International Trade, a joint IM/IT strategic plan is being prepared to replace draft strategies prepared by IMTB originally intended for CIDA.

CIMS has made notable efforts to promote IM awareness to information users about their roles and responsibilities by increasing access to tools and resources to better manage information. Users indicated that there is a gap in IM knowledge and differing levels of satisfaction with available IM systems and tools. By obtaining feedback and input from users to support the branch planning process, CIMS could better utilize their resources to achieve expected results.

The IM aspects of Agency initiatives and business processes are not consistently taken into consideration at the outset of new projects. Greater IM awareness by users and engagement by IM specialists would ensure that business requirements are better met to support reliable information for decision-making purposes.

Components of an effective IM governance structure remain the same in any organization. As such, the recommendations in this report have been developed to remain relevant in the context of a new entity resulting from the amalgamation of CIDA and the Department of Foreign Affairs and International Trade.

Audit Conclusion

CIDA has established a foundation for IM governance, demonstrated by: relevant oversight committees; existing CIDA policy instruments that are aligned to Government of Canada legislation; and notable efforts to promote awareness throughout the Agency. Further strengthening is required to establish a comprehensive planning approach that is risk-based and includes mechanisms to measure and assess the overall compliance and performance of Agency IM programs.

Statement of Conformance

In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.

Chief Audit Executive

1.0 Background

Information management (IM) is defined by Treasury Board (TB) as a discipline that directs and supports effective and efficient management of information in an organization, from planning and systems development to disposal or long-term preservation. Information is an asset that should be timely, relevant, reliable, comprehensive and accessible in order to be considered strategic. The key is to manage this information effectively to support the delivery of programs and services. It is critical that the information life cycle be considered in the development of policy, programs, services and systems to ensure the efficient sharing and retention of information resources of business value. [Footnote 2]

The governance of IM includes a collective suite of management processes and controls that are in place to set strategic direction, operational plans, objectives and priorities and to provide clear direction on how resources should be allocated to achieve objectives. A key enabler of accountability is an appropriate organizational structure. This structure clarifies authorities and responsibilities thereby fostering an effective decision-making process.

At the Canadian International Development Agency (CIDA), the Corporate Information Management Section (CIMS) within the Information Management and Technology Branch (IMTB) is the functional lead for IM while the responsibility to practice good IM rests with CIDA employees. Various policy instruments as well as strategic and operational plans have been developed to support the practice of IM within the Agency. A key branch-led governance committee is the Information Management and Information Technology Senior Advisory Committee (IM/IT SAC) chaired by the Chief Information Officer (CIO).

The federal government has rolled out Canada’s Action Plan on Open Government to foster greater openness and accountability, specifically promoting the importance of IM. CIDA must align its management of information practices with federal legislation, regulation, policies and procedures established by central agencies that have set the following three key deadlines:

Recent government and Agency initiatives have affected the operations of IMTB. For example, in August 2011, Shared Services Canada was created to streamline IT within the federal government, centralizing email, data centre and telecommunications services. In addition, CIDA’s decentralization initiative and Agency Programming Process have required the services of IMTB to fulfill IM/IT requirements of these processes. Also, the Government of Canada’s Deficit Reduction Action Plan has resulted in a reduction of resources in 2012–2013. Given the high degree of public scrutiny resulting in the continuous demand for accurate, timely and relevant information as well as the changes described above, the Office of the Chief Audit Executive identified IM as an area of high priority.

2.0 Audit Objective, Scope, Approach and Criteria

2.1 Objective

The objective of the audit was to provide reasonable assurance that an appropriate governance structure is in place to support the effective management of information at CIDA and compliance with relevant legislation and policies.

2.2 Scope

The focus of the audit was on the governance aspects of IM related to all types and formats of information held in key corporate information repositories. Processes and controls put in place by the functional lead for the management of information at CIDA, CIMS under the direction of the CIO, were examined. The criteria below outline the areas of governance that were examined. Although information was gathered from users through interviews and a questionnaire, an assessment of their IM practices was not included in the scope of this audit.

The following key federal legislation guided the conduct of the audit:

2.3 Approach and Methodology

The audit was conducted in accordance with the TB Policy on Internal Audit and the International Professional Practices Framework of the Institute of Internal Auditors. In order to conclude on the criteria, the following methods were used to gather audit evidence:

2.4 Audit Criteria

The following six audit criteria were used that, collectively, set the standard against which the audit was conducted: 

3.0 Main Audit Findings and Recommendations

Governance is a collective suite of processes and controls put in place by management to set strategic direction, operational plans and priorities in order to achieve an organization’s objectives. Good governance will enable an organization to operate effectively and attain its expected outcomes.

3.1 Information Management Committees

A foundation of governance is the establishment of a committee structure to provide oversight and accountability on the effective delivery of IM across the Agency. These committees should have a clear mandate, regular meetings and appropriate representation. In addition, reporting channels among the committees should be clear with appropriate dissemination of information to relevant parties. Roles and responsibilities should be understood by the committee members and carried out to fulfill their relevant mandate.

The following IM-related committee structures, created in early 2011, were examined to determine the extent of oversight and accountability:

Based on a review of Terms of Reference and available records of decisions from April 2012 to December 2012, the three committees meet regularly, have clearly defined mandates and have appropriate representation. In addition, reporting channels among all three committees are clear. Based on interviews, most committee members clearly understand their roles and responsibilities.

As each branch across the Agency is represented at the IM/IT SAC, it provides an appropriate forum to communicate branch IM and IT needs. Annually, branch IM and IT needs are gathered through the Agency’s Integrated Business Planning process and are prioritized by IM/IT SAC members. This prioritization process encourages a holistic perspective to improve alignment with Agency priorities and meet business requirements. Also, a number of IM-specific matters, such as standards, guidelines and plans are presented at this committee. Pertinent IM matters are brought forward to the appropriate corporate governance committee for either recommendation or approval purposes. However, based on interviews, not all IM/IT-related matters are disseminated back to the branches.

To further the exchange of information, the senior management of IMTB meet weekly as a Branch Management Committee. Based on a review of their records of decisions, IM‑related matters are discussed and action items are consistently tracked and monitored.

For the first time in 2012–2013, IM/IT SAC executive members were held accountable for the effective management of information throughout its life cycle through their performance management agreements. At the time of this report, although the results had not yet been reported to measure the success of this initiative, using this accountability instrument is a good practice to support IM governance.

Relevant committees have been established to provide oversight and accountability on IM matters by an appropriate group of representatives and executives. As IM matters continue to be raised at committee meetings, IM will be integrated in all aspects of CIDA operations.

3.2 CIDA’s Information Management Policy Instruments

An important building block of governance is an appropriate suite of policy instruments to provide an authoritative reference to CIDA employees on the practice of IM. It is important that these policy instruments adequately address the requirements of relevant federal legislation as well as be aligned with them.

To remedy gaps between federal legislative requirements and CIDA’s existing policy instruments, CIMS developed the IM Policy Framework for CIDA in 2011. This framework is accompanied by a detailed list of policy instruments to be developed. More recently, CIMS developed a 2012–2015 CIDA Recordkeeping Action Plan and a corresponding Recordkeeping Compliance Plan, which outline specific activities to be carried out in order to comply with the TB Directive on Recordkeeping.

CIDA’s existing policy instruments are aligned with Government of Canada’s legislative requirements; however, certain requirements have yet to be completed. Three areas of priority that should be initially completed to mitigate risks are described below.

Roles and Responsibilities of Information Management Specialists

General roles and responsibilities for IM specialists are clearly defined and assigned in CIDA’s Standard on IM Roles and Responsibilities; however, specific job descriptions for individual positions have not been finalized and approved. In 2011, IM functions were centralized to IMTB and the number of IM specialists was reduced. This centralization process led to a reconfiguration of positions and a reallocation of tasks among IM specialists without redefining roles and responsibilities. This resulted in a duplication of effort and tasks that are not performed. CIMS is in the process of finalizing job descriptions for all IM specialists to clarify their roles and responsibilities.

Identification of Information Resources of Business Value

According to the TB Directive on Recordkeeping, CIDA should identify information resources of business value based on an analysis of Agency functions and activities. In general, information resources of business value are documentation that provides evidence of CIDA’s business activities and decisions. An analysis will assist IMTB to understand critical holdings, identify inherent risks (i.e. security, privacy, loss, etc.) and articulate processes to ensure the safeguarding and integrity of information resources of business value. CIMS is aware of this requirement but has yet to document business processes and information flow to facilitate the identification of information resources of business value. This analysis is critical as a prerequisite to support effective IM practices related to information identification, classification, protection, retention, and disposition.

Recommendation 1

The CIO should conduct an analysis of CIDA’s activities and functions to identify information resources of business value to support effective recordkeeping practices.

Retention and Disposition

CIDA’s decentralization initiative to conduct more programming in the field has resulted in an increasing amount of information originating in the field. Consequently, disposing of records in the field would facilitate operations; however, Library and Archives Canada has not given CIDA this specific authority. In light of this absence, paper documents are shipped to headquarters resulting in high shipping and storage costs. Also, they are sorted by individuals not familiar with the subject matter, thereby risking the disposal of information that may be important or the retention of excessive information that may be redundant. As a prerequisite to obtaining authority to dispose of records in the field, CIDA has to fulfill certain recordkeeping practices. Accordingly, CIMS has submitted necessary documentation to Library and Archives Canada to demonstrate conformance and is awaiting their assessment.

3.3 Planning Framework for Information Management

Planning is the primary mechanism to ensure activities are aligned to resources to deliver on the Agency’s mandate, strategic outcome, expected results and priorities. A strategy is a high-level plan that provides a vision and guidance to achieve an organization’s objectives. An approved IM strategy and corresponding operational plans should be aligned with Government of Canada and Agency priorities. In addition, these plans should incorporate federal legislative requirements and Agency operational needs. It is also important that these plans be risk-based and integrate performance monitoring and reporting.

An IM/IT Strategic Plan for the period 2010–2013 was approved in 2010 and a draft IM/IT Strategic Plan for the period 2013–2016 has been prepared. Based on our review of this draft IM/IT Strategic Plan, IM initiatives are aligned to Government of Canada and Agency priorities. This alignment is supported by CIDA’s participation in various IM- and IT-related interdepartmental committees, which allows IMTB to be aware of upcoming Government of Canada initiatives.

In December 2012, the CIO presented a Business Enterprise Systems Transformation (B.E.S.T.) Approach to IM/IT SAC. This strategic approach is different from the draft 2013–2016 IM/IT Strategic Plan in that it outlines estimated multiyear funding requirements and a new proactive approach to better meet user needs and integrate Agency systems. The B.E.S.T. Approach includes an important IM initiative of replacing the current corporate IM repository, Enterprise Document and Record Management System (EDRMS), with a new government-wide solution (GCDOCS). However, it does not include other important IM matters as set out in the TB Directive on Recordkeeping, such as the disposition of documents, monitoring of compliance, training and awareness.

A comprehensive IM and IT strategy is necessary to guide the way forward. Given the recent announcement of the amalgamation of the Agency and the Department of Foreign Affairs and International Trade, approval of the B.E.S.T. Approach along with the draft 2013–2016 IM/IT Strategic Plan is no longer being sought. IMTB is working with the Department of Foreign Affairs and International Trade to prepare a joint IM/IT strategic plan taking into consideration government-wide solutions.

Subsequent to the 2010–2013 IM/IT Strategic Plan, various operational plans were prepared, namely: 2011–2014 IM Operational Plan, 2012–2014 IM Awareness and Education Plan, 2012–2014 IM Communication Strategy, 2012–2016 Disposition Plan and the 2012–2015 Recordkeeping Action Plan. In addition, IMTB annually prepares an Integrated Business Plan, as part of the Agency-wide planning process. The development of these various plans demonstrates a strong operational planning culture in CIMS that recognizes the need to guide IM activities. However, the existence of numerous operational plans results in overlap and dispersion of activities.

A risk assessment at the branch level is normally done to inform the branch’s planning process so that high priority areas are addressed to minimize risk exposure. A risk assessment process comprises an identification of risk, mitigating strategies and a ranking of risks resulting in a prioritization of activities. IMTB prepared a risk assessment in 2010; however, it was not linked to the strategic plan and has not been updated. With an outdated branch risk assessment, and one that did not inform the branch planning process, those areas that require immediate action may not be addressed in an adequate and timely manner. Furthermore, a risk-based approach to planning will improve the streamlining and integration of plans.

The TB Policy on Information Management and the TB Directive on Recordkeeping mandate that requirements be monitored, expected results be measured, and gaps in performance and compliance be reported. Measures of success are outlined in the IM/IT Strategic Plan and the IM Operational Plan; however, they were not measured. In addition, CIMS performed some monitoring but it was limited to the activities outlined in the IM Operational Plan. Further impeding the monitoring and reporting of results of IM plans and initiatives is the dispersion of activities in the IM Operational Plan and various disposition plans in order to meet Library and Archives Canada’s deadlines of June 30, 2013 [Footnote 4] and 2017 [Footnote 5]. Without a comprehensive approach to measure performance and monitor compliance, CIMS cannot determine whether requirements and deadlines are being met.

Recommendation 2

The CIO should adopt a comprehensive planning framework that is risk-based and includes mechanisms to measure performance and monitor compliance with Agency and federal legislative requirements related to IM.

3.4 Information User Needs

Personnel from various branches were interviewed, a questionnaire was sent and relevant documentation was reviewed to assess information user needs and obtain feedback on IM awareness, knowledge and satisfaction.

Information Management Systems and Tools

Effective IM systems and tools are those that support the IM governance framework, meet user needs, and facilitate good IM practices. Furthermore, consideration of user needs when developing IM enterprise-wide systems and tools ensures that business requirements are being met, facilitating user acceptance.

At CIDA, the main corporate information repositories are the following:

In addition, there are other tools such as Email, e-Collaboration tools, CIDA@Work, Project Browser, Monitoring and Reporting Tool and Partners@CIDA.

Approximately half of the respondents from the questionnaire stated that their top requirement to improve the management of information was the availability of IM systems and tools that meet their needs. With regard to satisfaction with existing systems and tools, users are the most satisfied with Email, CIDA@Work and Project Browser. On the other hand, users are the least satisfied with EDRMS and the Monitoring and Reporting Tool due to system and network limitations and a lack of user-friendliness.

Understanding user requirements is an essential component to the development and implementation of information systems. User needs are communicated through branch representatives at IM/IT SAC and branch Integrated Business Plans, as mentioned previously. Furthermore, when developing applications, IMTB staff work with users to identify their needs and develop solutions and supporting tools such as a manual, quick reference guides, etc. However, based on interviews, users indicated a lack of formal mechanisms to gather user feedback on information systems and tools.

Correspondingly, 84 percent of questionnaire respondents indicated that they have rarely or never been prompted to provide feedback on existing systems and tools and input when developing applications even though 52% would have been interested in doing so.

The consideration of user needs in the development and implementation of systems could enhance user acceptance and satisfaction and reduce training costs. For example, to successfully implement GCDOCS, a consultative process with users and application of lessons learned from EDRMS limitations should support effective electronic recordkeeping.

Information Management Training and Awareness

IM training and awareness is another essential element of governance. It encompasses all organized activities, aimed at educating employees to improve their IM practices. Adequate IM training, communication, and awareness initiatives should be in place. Specifically, employees should have the appropriate knowledge and skills, as well as access to the necessary policy instruments to fulfill their IM roles and responsibilities.

CIMS’ approach to increasing IM awareness focuses on educating users about their responsibilities and strengthening the IM culture across the Agency. CIMS recently updated the IM Website, as one of the central online reference locations for policies, standards, guidelines and tools, which users found to be useful and user-friendly. Numerous initiatives to increase awareness exist, including IM Awareness Week, IM packages for new and field employees, and promotional materials. CIMS also offers one-on-one coaching sessions for new and departing employees. Users can obtain training via the online IM Basics course and EDRMS training. In addition, as part of the decentralization initiative, CIMS offers training sessions in the field, Field Support Packages, and coaching.

While many training resources are available, based on feedback from questionnaires, many respondents are not aware of or have never used IM Quickr place, print publications, IM Basics course, or EDRMS Job Aids. The IM Basics course, for example, is mandatory for new CIDA employees according to IM compliance checklists; yet nearly a quarter of the questionnaire respondents indicated they are either unaware of or have never participated in this course. Sixty-eight percent (68%) of questionnaire respondents indicated that they have referred to IM policies and guidelines. In general, these policies and guidelines are considered useful and clear, but many feel that they could be more easily accessible. Correspondingly, although the IM website was revamped to provide a single point of access to IM tools and references, IM reference materials are also found in other locations such as in IM Quickr place and CIDA@Work. Users expressed differing viewpoints with respect to the understanding of their IM roles and responsibilities. Sixty-eight percent (68%) of questionnaire respondents confirmed familiarity with their roles and responsibilities. On the contrary, based on interviews with both IM specialists and managers from various branches, users across the Agency do not consistently understand their IM roles and responsibilities and they are not aware of retention periods and disposition procedures. This may be due to training that is voluntary rather than mandatory or a lack of awareness of training sources, policies, guidelines and tools.

There are no formal mechanisms to assess user-training needs and measure the effectiveness of existing training and awareness activities. Therefore, it is difficult to assess users’ level of IM awareness and knowledge in order to better utilize resources to achieve expected results.

Recommendation 3

The CIO should develop formal mechanisms to obtain input and feedback from users on IM systems, tools, training and awareness initiatives to support the branch planning process.

Information Management Life Cycle

According to the TB Policy on Information Management, government programs and services should integrate IM requirements into development, implementation, evaluation and reporting activities. As such, information life cycle requirements, as depicted below, should be incorporated in the development of Agency business processes and initiatives. Applying the information life cycle will improve the availability of timely and accurate information.

Figure: Information Management Life Cycle

Plan → Collect, create & capture → Organize, use & disseminate → Maintain, protect & preserve → Dispose → Evaluate

IM life cycle requirements are considered in certain Agency initiatives. For example, IM aspects were included in the later stages of the Agency Programming Process to develop an electronic file naming convention and identify key documents. Likewise, in the decentralization initiative, IMTB staff developed tools and IM processes to support business activities. On the other hand, upon development of business processes, IMTB staff and managers from various branches stated that information needs and IM life cycle requirements were not always considered. This may be due to a lack of either user awareness or IMTB engagement. As CIMS was aware of the limited consideration of IM aspects, they increased efforts to promote awareness and updated relevant documentation to include an IM requirement when developing systems but not business processes. Despite these efforts, IM aspects continue to be considered on an inconsistent basis.

Without greater integration of IM life cycle requirements in the development of Agency initiatives and business processes, there is a risk that information may not be reliable to meet business requirements.

Recommendation 4

The CIO should establish a methodology to ensure that information needs and processes are defined, documented, and reviewed when developing Agency initiatives and business processes.

Appendix A: List of Recommendations and Management Action Plan

Recommendation: 1. The CIO should conduct an analysis of CIDA’s activities and functions to identify information resources of business value to support effective recordkeeping (RK) practices.

Responsibility: Chief Information Officer (CIO)

Proposed Management Measures: In order to comply with the Recordkeeping (RK) Directive, CIDA’s corporate information management section has elaborated an RK plan and obtained its approval by CIDA’s Information Management Senior Officer. It includes the following activities in order to identify information resources of business value (IRBV):

Target Date: Complete

Recommendation: 2. The CIO should adopt a comprehensive planning framework that is risk-based and includes mechanisms to measure performance and monitor compliance with Agency and federal legislative requirements related to IM.

Responsibility: CIO

Proposed Management Measures: In the context of amalgamation, a new comprehensive planning framework will be developed and will include an IM strategy plan with related operational plans, including defined risks, mitigants, performance measures and targets to allow for monitoring and corrective actions.

Target Date: Complete

Recommendation: 3. The CIO should develop formal mechanisms to obtain input and feedback from users on IM systems, tools, training and awareness initiatives to support the branch planning process.

Responsibility: CIO

Proposed Management Measures:

Target Date: Complete

Recommendation: 4. The CIO should establish a methodology to ensure that information needs and processes are defined, documented, and reviewed when developing Agency initiatives and business processes.

Responsibility: CIO

Proposed Management Measures:

Target Date: Complete