ARCHIVED Audit of the Financial Management Control Framework IT Purchases

Transcription

1 NATIONAL RESEARCH COUNCIL CANADA ARCHIVED Audit of the Financial Management Control Framework IT Purchases This PDF file has been archived on the Web. Archived content Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats by contacting us at

2 NATIONAL RESEARCH COUNCIL CANADA Audit of the Financial Management Control Framework IT Purchases Internal Audit, NRC June 2012

3

4 1.0 Executive Summary and Conclusion Audit objective The overall objective of this audit was to provide assurance on the adequacy of NRC s financial management control framework in supporting management decisions regarding IT purchases in compliance with relevant governmental and NRC policies, directives and guidelines. Why is this important Information Technology (IT) is an essential component in delivering NRC and Government of Canada strategies and programs for the benefit of citizens, businesses, taxpayers and employees. An adequate financial management framework is crucial in ensuring effective and sustainable management of IT resources across NRC. Audit opinion and conclusion We found that overall NRC has established an adequate financial management control framework for IT purchases in compliance with Government of Canada policies and directives. This conclusion is largely due to recent improvements undertaken by NRC management with the implementation of a project-based business model and strengthened financial management model. Over the course of the audit, the operating context of NRC changed. Following the Order-in-Council by the Government of Canada on August 4, 2011 establishing Shared Services Canada, NRC no longer has financial management authorities for data center, networks, telecommunications and server infrastructure services thus resulting in lower financial management risk. The audit opinion, conclusion and recommendations take these changes into account. Significant strengths were found with respect to the overall governance framework. Opportunities for further strengthening of the framework include completion of recent June

5 initiatives around life cycle management and establishing monitoring processes and responsibilities to ensure the new, improved framework is consistently complied with. Our detailed review of the purchasing transactions identified certain areas of concern regarding former IBPs understanding of the old financial management framework for IT expenditures resulting in its inconsistent application across NRC. Most of those areas are addressed by recent improvements to NRC s financial management model and consolidated common services; the following recommendations address the remaining areas requiring improvement. Elements of Control Environment Examined in the Audit 1. Overall Governance Framework Strong 2. Governance Roles and Responsibilities Adequate 3. Financial Management Policies and Tools Adequate 4. Financial Risk Management Adequate 5. Financial Signing Authorities Adequate 6. Segregation of Duties Adequate 7. Financial Systems Controls / IT Systems Adequate 8. Training Adequate June

6 Summary of Recommendations 1. NRC Finance Branch should define roles and responsibilities for establishing a monitoring process for the implementation of the new financial management framework for IT expenditures for adequate resource management. [Priority: MODERATE] Management Response: When Shared Services Canada (SSC) and Information Technology and Security Services (ITSS) have both fully defined and implemented the financial management framework for IT expenditures, Finance Branch will establish a monitoring process for IT expenditures for adequate resource management and for ensuring adherence to the IT financial management framework established by SSC and ITSS. Dependent on the date of full implementation of the financial management framework for IT expenditures by SSC and ITSS, the monitoring process is expected to be fully implemented during fiscal year NRC Information Technology and Security Services should finalize current initiatives related to developing standard workstation roll-outs and implement full life cycle management for distributed computing equipment in order to ensure effective and efficient resource management. [Priority: MODERATE] Management Response: ITSS is committed to moving forward with consolidating and standardizing NRC s desktop environments. ITSS is in the process of developing the hardware and software standards for workstations and these standards. Any workstations rolled out after September 2012 will conform to the standard. A survey of age and configuration of existing workstations has been completed and ITSS is now in a position to implement full life cycle management for distributed computing equipment. June

7 Full implementation of hardware and software standards for workstations is expected by September Statement of assurance In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon by management. The opinion is applicable only to the entity examined. Alexandra Dagger, Chief Audit Executive NRC Audit Team Members: Irina Nikolova, F.C.C.A, CIA, CISA Andy Lang, B.Com Allison Bush, BA June

8 Appendix: Potential Overall Ratings Management Attention Required significant issues exist that require management s attention. Needs Improvement some areas of practices / processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to management of IT purchases but many deficiencies exist. Adequate most of the areas of practices / processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to management of IT purchases but there are opportunities for continuous improvement. Strong all areas of practices / processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to management of IT purchases. No areas for improvement were identified. June