Audit of Information Management. Internal Audit Report


Audit of Information Management
Internal Audit Report
October 2011

Table of Contents

EXECUTIVE SUMMARY
INTRODUCTION
BACKGROUND
RISK ASSESSMENT
AUDIT OBJECTIVES AND SCOPE
APPROACH AND METHODOLOGY
AUDIT CRITERIA
STATEMENT OF ASSURANCE
AUDIT OPINION
FINDINGS, RECOMMENDATIONS AND ACTION PLANS
POLICY AND GOVERNANCE
PEOPLE AND CAPACITY
APPROACH TO MANAGING INFORMATION

EXECUTIVE SUMMARY

BACKGROUND

The amount of information that the Canada Border Services Agency (CBSA) holds and must manage is compounding annually. The ability to manage this information effectively so that it is secure and readily available for use is central to the CBSA's operations. The quality of Information Management (IM) affects all lines of business. To the extent that IM is effective and enables CBSA employees to access the information they need to do their jobs, it can contribute significantly to enabling the Agency to achieve its objectives.

The CBSA participated in a horizontal internal audit of IM carried out in 2011 by the Office of the Comptroller General (OCG). This audit was aimed at helping large departments and agencies (LDAs) to align their IM programs with central legislation, policies and directives. The OCG intends to issue its Government-Wide Report on Information Management in December This CBSA internal audit report communicates the results of the audit from a CBSA perspective. While this report may include similar themes as the OCG's government-wide report, a separate CBSA internal audit was done to provide greater CBSA-specific detail than would be provided by the OCG report.

SIGNIFICANCE OF THIS AUDIT

Information management is a critical element of the Agency's business activities. It plays a central role in adequately safeguarding sensitive information, and in ensuring that information that is important to fulfilling the CBSA's mandate and meeting its operational objectives is readily available. In its Enterprise Risk Profile, IM was identified as a high risk area for the Agency. It was noted that problems with collecting, classifying, organizing, retrieving and destroying information can lead to inefficiencies, and negatively affect the Agency's decision making if key information is not available on a timely basis. Incomplete or incorrect information could also compromise the Agency's reputation and affect its legal cases.

AUDIT OBJECTIVES AND SCOPE

The objective of the audit was to provide assurance that the management control framework over information management was in place and provided relevant, timely and accessible information to support decision making in the Agency. This audit is based on the criteria developed by the OCG for its horizontal audit of IM. In addition, the audit assessed the adequacy of the Agency's IM Strategic and Action plans, and identified possible barriers that could affect the Agency's ability to implement a new IM regime.

Much of the information generated and managed by the Agency is electronic and can be categorized as either structured or unstructured data. For the purposes of this audit, the scope was limited to unstructured data.

STATEMENT OF ASSURANCE

The audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

AUDIT OPINION

The current management control framework for IM is at the initial stage of maturity. Management has recognized that issues exist and need to be addressed. There were no consistent national processes or practices: instead, there were approaches to IM that were applied on a local basis. This translates to moderate risk exposure for the CBSA [1]. As a result, management may not have relevant, reliable and timely information to support corporate memory, legal cases and decision making.

The Agency does have an Information Management Strategic Plan, which is supported by a three-year Action Plan. Successful implementation of this plan will go a long way to address the deficiencies.

KEY FINDINGS

The fundamental elements of IM governance were in place. The Agency had an IM framework which included a Vision and Strategic Plan, oversight committees, and a three-year Action Plan. The Action Plan is funded this fiscal year, and approval of subsequent funding is subject to review of performance and revised estimates. While the Agency has a good plan for IM, there is a risk that the momentum toward strengthening IM could be hampered if adequate funding is not continued.

At the time of the audit, the Agency had a small team to deliver IM services across the Agency. Branch management has recognized the need to develop additional capacity and has developed a People Management Strategy. As well, an approach to training CBSA management and staff in IM is being developed with the Training and Learning Directorate.

The CBSA does not have an organization-wide electronic system for managing its information holdings. Program management use common drives to store and manage information in addition to maintaining paper files.
An enterprise-wide electronic system is part of the Action Plan for CBSA employees were generally not sufficiently aware of the IM Strategy and Program, or their role in managing information effectively. Awareness sessions with employees have taken place in the past year and more are planned for However, an effective approach to change management will be a key success factor to implement the new IM Program. Unless the Agency can better communicate and explain IM priorities and their alignment to Agency objectives, employees may not institutionalize the new IM practices and tools, putting at risk the investment planned for information management.

RECOMMENDATIONS

This report makes two recommendations:

[1] Moderate risk exists where key controls are not operating as intended, are poorly designed or do not exist, and the related risk is more than inconsequential. However, compensating controls exist. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.

- Develop a contingency plan should funding fall short of expectations for the final two years of the IM Action Plan.
- Develop a Change Management Strategy to support the implementation of the Information Management Program.

MANAGEMENT RESPONSE

The Information, Science and Technology Branch (ISTB) has reviewed the Internal Audit report on IM and agrees with the recommendations. We are also pleased that the Audit report supports our IM Action Plan to address the Agency's deficiencies and further develop the management control framework for IM.

When the CBSA was created during 2003, the Agency's focus was on maintaining appropriate levels of border security and on establishing the CBSA organization. The Information Management Program was established within the CBSA Comptrollership Branch through the merge of CBSA-related information holdings previously managed by three separate organizations: the Canadian Food Inspection Agency (CFIA), the Canada Customs and Revenue Agency (CCRA), and, Citizenship and Immigration Canada (CIC). Legacy organizational models were maintained to allow the Agency to form and stabilize.

During 2006, the Comptrollership Branch conducted an Agency IM Capacity Check (IMCC). The results indicated that the CBSA was considered to be at the initial stages of IM maturity. A common understanding of IM, its role in decision making, program and service delivery, and accountability had yet to be established within the new Agency. In 2007, the Treasury Board Secretariat (TBS) published revisions to the IM Policy followed by the new Recordkeeping Directive in 2009 that jointly created a new set of requirements for departments and agencies.

Since the transfer of the IM function to ISTB in April 2009 as a result of the Change Agenda, the IM Program has been planning extensively while assisting branches in meeting their IM responsibilities. The Program now has an approved organization structure with staffing processes underway to build our resource capacity.
The IM Strategy will be delivered through three pillars: IM Governance, IM Strategic Planning and Implementation, and IM Practice. To date, the IM Division has established the IM Governance with representation from the Regions and Headquarters, received approval for the revised IM Policy and has integrated its plan with key stakeholders (e.g. Border Management Action Plan and Strategic Technology Plan). This strategic positioning will assist in enforcing IM best practices, contribute to policy compliance and encourage IM planning as an integral part of program and service delivery.

The first year action plan is focused on building the IM foundation including the revised policy, IM communications, awareness and employee training, and a functional classification plan that will serve all CBSA business lines in capturing, organizing and classifying information of business value.

The IM Program is funded this fiscal year in part from the Agency's Investment Fund. The IM contingency plan will address the impacts on the IM Action Plan should funding fall short of expectations for both the one-time investments and ongoing costs.

The IM Program brings significant change to the day-to-day activities of Agency employees. The IM communications and awareness strategies are some of the foundation pieces required to manage employee expectation and change. A Change Management Strategy will be developed to support the gradual implementation of the IM Program, including a description of the change, the compelling drivers and reasons for the change, critical success factors and implications for the Agency, and a list of activities with timetable. Now that the National Capital Region Service model has been approved, the program is starting to engage with regions to elaborate the regional Resource Allocation Model (RAM) and ensure that changes resulting from the implementation of the program are sustainable.

The IM Program will continue to evolve and widen its focus to ensure that IM requirements are identified and addressed during CBSA program and information technology system design or redesign. This will ensure that all CBSA information assets, including structured (i.e. data that is generated and stored in our databases) and unstructured data (i.e. e-mails, spreadsheets, MS Word documents) are captured and managed in a disciplined manner. It will also ensure that the CBSA is aligned with new TBS requirements while enabling effective information sharing with partners and supporting sustainable development targets for the reduction of paper.

1.0 INTRODUCTION

1.1 BACKGROUND

Sound Information Management (IM) is central to ensuring that records and information are treated as valuable assets that support an organization both in decision making, and in delivering its programs and services. Information plays a crucial role in the organization's agility, performance, and internal and external collaboration and communication.

The Canada Border Services Agency's (CBSA) IM Program and practices have consistently fallen short of the government's goals and requirements for managing information. In Round 8 of the Management Accountability Framework assessment in 2011, the Agency received an "opportunity for improvement" rating for IM. Reports by the Office of the Auditor General and the Office of the Information Commissioner have also noted deficiencies that needed to be addressed.

The CBSA participated in the horizontal internal audit of IM carried out in 2011 by the Office of the Comptroller General (OCG). This audit was aimed at helping large departments and agencies (LDAs) to align their IM programs with central legislation, policies and directives. The OCG is expected to issue a Government-Wide Report on Information Management in December 2011 on government-wide successes and challenges for IM. Although the OCG's report will not name specific LDAs, recommendations will be made on government shared systems, roles and responsibilities, and the management of information throughout its life cycle.

This CBSA internal audit report communicates the results of this assessment from a CBSA perspective. The CBSA Audit Committee approved for an internal audit of the Management of Government Information Holdings as part of the Risk-Based Multi-Year Audit Plan. While this report may include themes similar to those of the OCG government-wide report, a separate report was done to provide greater CBSA-specific detail than would be provided by the OCG report.

The Agency's IM Strategic Plan 2010 provides the basis for moving from where the Agency is now to where it should be in three years with respect to instituting a much improved IM Program. The proposed IM Action Plan presents a phased implementation over the next three years [2]. Activities associated with adhering to the Recordkeeping Directive are planned to begin in The IM Strategic Plan will be revised on a regular basis as required, and it will be extended to other IM practice areas such as structured data in systems.

[2] The proposed IM Action Plan includes four phases:
Phase 1 Build the IM Foundation , and includes roll-out of the new functional classification plan to employees, approved CBSA disposition authorities, selection of tools, and measuring program effectiveness.
Phase 2 Deliver the IM Foundation includes roll out of tools and training. The tools will facilitate the capture, access and retrieval of CBSA's information resources of business value.
Phase 3 Operationalize/Integrate includes conversion and implementation of tools, for compliance with legislation, policy and the Recordkeeping Directive.
Phase 4 Ongoing Maintenance

1.2 RISK ASSESSMENT

The management of information in the CBSA affects all lines of business and is a key element in achieving Agency objectives. Information is being created throughout the Agency at a rate that is compounding annually. Without the ability to effectively manage this information, the CBSA may be at risk of losing its ability to identify and retrieve information in an organized and timely fashion.

In planning this audit, the following key challenges were identified:
- the accessibility of information and the management of knowledge are important for timely decisions;
- the alignment of the information management priorities with the objectives of the Agency;
- the culture of the organization to recognize information as an important asset that needs to be managed; and
- resource availability and capacity within the Agency to implement the IM Program as envisaged in the IM Strategic Plan and related business case.

1.3 AUDIT OBJECTIVES AND SCOPE

The objective of the audit was to provide assurance that the management control framework over information management was in place and provided relevant, timely and accessible information to support decision making in the Agency. The audit assessed the adequacy of the Agency's IM Strategic and Action plans, and identified possible barriers that could affect the Agency's ability to implement a new IM regime.

Much of the information generated and managed by the Agency is electronic and can be categorized into either structured [3] or unstructured [4] data. For the purposes of this audit, the scope was limited to unstructured data.

1.4 APPROACH AND METHODOLOGY

The audit work was carried out from February to April This audit is based on the criteria and Lines of Enquiry developed by the OCG for its horizontal audit of IM. Sixteen interviews were conducted with executives and IM program managers. The findings are also based on a review and analysis of key documents relating to the IM program framework and plan.

1.5 AUDIT CRITERIA

The following chart shows the audit criteria and the corresponding three lines of enquiry:

[3] Structured data represents information generated from enterprise systems such as SAP or PeopleSoft. Numerous controls exist to manage the risks associated with this type of information.

[4] Unstructured data is information that includes working documents such as project plans, spreadsheets, e-mails, records of decisions. The management of this data faces similar risks yet the controls are frequently much less structured, often ad hoc in nature. This data often forms the basis for critical decision making.

| Line of Enquiry | Audit Criteria |
|---|---|
| 1. Policy and Governance | The CBSA should have appropriate governance structures including plans, policies and resources for managing information adequately. |
| 2. People and Capacity | The Agency should have sufficient resources with the required skills to support the delivery of IM services. |
| 3. Approach to Managing Information | Employees across the Agency should manage their information in a way that reflects its sensitivity and criticality to the CBSA's operations. |

1.6 STATEMENT OF ASSURANCE

The audit engagement was planned and conducted in accordance with the Internal Auditing Standards for the Government of Canada.

2.0 AUDIT OPINION

The current management control framework for IM was at the initial stage of maturity. Management has recognized issues exist and need to be addressed. There were no consistent national processes or practices; instead, there were approaches to IM that were applied on a local basis. This translates to moderate risk exposure for CBSA [5]. As a result, management may not have relevant, reliable and timely information to support corporate memory, legal cases and decision making.

The Agency does have an Information Management Strategic Plan, which is supported by a three-year Action Plan. Successful implementation of this plan will go a long way to address the deficiencies.

3.0 FINDINGS, RECOMMENDATIONS AND ACTION PLANS

3.1 POLICY AND GOVERNANCE

The Agency should have appropriate governance structures in place to effectively support an information management strategy and information management outcomes. This includes plans, policies and resources, to manage information adequately. The audit found that CBSA met this criterion.

The audit found that the fundamental elements of governance were in place. The CBSA's governance model emphasizes strategic planning and coordination to deal with growing IM demands.

[5] Moderate risk exists where key controls are not operating as intended, are poorly designed or do not exist, and the related risk is more than inconsequential. However, compensating controls exist. Corrective action is needed to avoid sole reliance on compensating controls and/or ensure controls are cost effective.

IM governance and accountability structures were in place, and representatives from the IM function participated in organization-wide governance and approval committees.

The Agency had developed an IM framework that included a Vision and a Strategic Plan approved in February The IM Strategic Plan linked directly with the CBSA's long- and medium-term plans and business direction, and it outlined objectives and a roadmap for enabling the Agency to comply with government requirements for IM. The CBSA had also developed a business case in January 2011 and a supporting three-year Action Plan.

Oversight mechanisms were in place, including updates to CBSA governance committees which included the IM Working Group, the IM Sub-Committee, the Information, Science and Technology Standing Committee (ISTSC) and the Executive Committee. The ISTSC should receive quarterly updates on the three-year IM Action Plan which was approved by the Executive Committee. At the time of the audit, the Information, Science and Technology Branch (ISTB) was planning to develop key performance indicators for IM. These will be incorporated in the Performance Management Dashboard for use by Executive Committee in The Agency was revising its IM policy to ensure that it reflects the realigned organization and the various Central Agency requirements. It will clarify the principles, roles and accountabilities for managing information across CBSA. Specifically, it will enable the Agency to meet Management Accountability Framework expectations.

The funding needed for the new IM Strategic Plan and Action plans is estimated at $1.49 million, $3.8 million and $4.6 million for the current and next two fiscal years. At the time of the audit, funding had been allocated to implement the IM Strategy in the first year only. This is in addition to the current IM Division budget of $935,000. Subsequent funding approval will be assessed each year based on performance and revised estimates.
Hence, there is a risk that sufficient resources may not be allocated to the IM Program due to other investment priorities. The implications are that the momentum for implementing IM Program could be lost, and the Agency might not be able to establish the IM function as planned.

Recommendation:

1. The Vice-President of the Information, Science and Technology Branch, in collaboration with the Vice-President of the Comptrollership Branch, should develop a contingency plan in the event that funding falls short of expectations for the final two years of the IM Action Plan.

Management Action Plan

The Director General of Enterprise Architecture and Information Management Directorate, ISTB, will be responsible to deliver an approved project contingency plan:
- assess alternate source of funding such as base and projects;
- assess scenarios and revise scheduling of deliverables and action plan;
- assess impact on Agency performance and commitments;
- report and monitor through governance; and
- continue work with Comptrollership to advance both one-time investment funding and ongoing funding.

Completion Date: February

3.2 PEOPLE AND CAPACITY

The Agency should have sufficient resources with the required skills to support the delivery of IM services. This includes developing a workforce to ensure that capacity exists to deliver on the Agency's information management outcomes. The audit found that the Agency partially met the people and capacity requirement.

At the time of the audit, the Enterprise IM Division, which is the Office of Primary Interest for information management, had five IM and seven Records Room staff to deliver services across the Agency. Training for IM employees in focused on Government of Canada training courses offered by the Canada School of Public Service. Management has recognized the need to add 20 staff to implement the IM Program over the next three years. It should be noted that the Branch has developed a draft People Management Strategy for The audit found that the IM Division offers IM awareness sessions at Headquarters and in the Regions. According to the records, 475 employees attended these sessions in Feedback from attendees indicated that they considered the sessions relevant and useful. Program management has informed us that these sessions will continue in , and that they are a component of the Action Plan. In addition, the IM Program is working with the CBSA Training and Learning Directorate to include IM in a core learning curriculum for CBSA employees.

There are no recommendations for the people and capacity requirement as the audit concluded that the IM Strategic and Action plans should address the gaps identified.

3.3 APPROACH TO MANAGING INFORMATION

Employees across the Agency should manage their information in a way that reflects its sensitivity and criticality to its operations.
This means that departments should develop an information architecture and processes that respect their information management risks and operational requirements, and have common information management tools and recordkeeping practices to ensure that information is timely, accurate and accessible. This criterion was not met.

File Classification

A prerequisite to organizing and managing information effectively is to develop a system for classifying records. Such a system is central to ensuring that employees can store and retrieve information quickly and efficiently.

The audit found the Agency's File Classification Plans were defined based on organization and subject. There were Library and Archives Canada (LAC) approved retention and disposition authorities covering operational and all administrative records, except for a few areas. The CBSA has engaged LAC to complete the Agency retention and disposition authorities in IM is working with Branches and Regions to implement the Agency's functional classification plans to meet IM requirements and business needs.

Staff who were interviewed indicated that some areas in the Agency were classifying and sharing the information they produce using a classification structure, and that access was usually limited to their own area.

As mentioned above, the ISTB has delivered Records and IM awareness sessions in the Regions and continues to deliver them for Headquarters staff. These sessions provide general information to employees in areas such as IM objectives, responsibilities, information security classification, life cycle, records and resources, and classification plans. All of these are key to strengthening information management across the organization.

Document Management

Electronic systems are the preferred means of creating, using and managing information. The CBSA does not have a specific electronic system for managing its information holdings in a consistent manner among Headquarters and regional offices. Program management use common drives to store and manage electronic information in addition to maintaining paper files. Management has acknowledged the need for an electronic system that meets government standards, and an Electronic Document and Records Management System (EDRMS) is part of the IM Strategic and Action plans for According to the IM Strategic and Action plans, activities associated with adhering to the government's new Recordkeeping Directive commence in This Directive requires the Agency, among other things, to systematically classify its information in terms of its sensitivity and importance to the CBSA's operations, and to manage that information accordingly. Meeting these requirements will entail significant work.
This includes converting, as appropriate, paper-based records to the electronic format, reclassifying information and managing it throughout its life cycle. These activities will help to ensure that all information can be readily accessed, is adequately protected given its importance, and is complete and accurate for decision making and operational use.

Change Management

Implementing the new IM Program will require, among other things, informing and educating management and staff about the role and importance of IM in the Agency. Our interviews indicated that management and staff were generally not aware of IM policy and procedures and the importance of managing the organization's information, or upcoming plans to conduct IM awareness sessions.

As change is planned and introduced, it will be important to consult and communicate with those most affected and have managers in the organization implementing the required program changes. Appropriate consultation and communication will be key to instituting consistent national IM practices, coordinating Headquarters and regional IM activities, and delivering an effective IM Program. Unless this occurs, there is a risk that CBSA managers and employees will not implement the new IM regime as intended when it is introduced.

It was noted during the audit that management has acknowledged the need for a change management strategy. This is important to address the changes that will occur when new processes, tools and technologies are instituted. More specifically, the strategy should:

- focus efforts on communication, training and awareness;
- recognize IM opportunities such as the elimination of inefficient practices and dated policies; and
- look for new ways to introduce industry best practices.

At the time of the audit, the development of a Change Management Strategy for IM was at its preliminary stages.

Recommendation:

2. The Vice-President of the Information, Science and Technology Branch should develop a Change Management Strategy to support the implementation of the Information Management Program.

Management Action Plan

The Director General (DG) of the Enterprise Architecture and Information Management Directorate, ISTB, will define the overall approach needed to make IM implementation a priority and make a strong commitment to change in CBSA. The change management strategy will assess the Agency's readiness to change and place the appropriate focus to change IM practices to reap the full benefits of IM. The plan will cover all aspects of IM implementation, including:
- a description of the change, the compelling reasons for the change;
- drivers and an analysis of the current situation and the context for change;
- a description of the vision for change and the desired outcome of the change (how IM will benefit officers, line managers and senior executives in their environment);
- critical success factors and implications for the Agency scope (who, how many, where), impacts on people (who, how), change readiness, risks, timelines, IM focus relevant to key performance indicators (DG-level) etc.;
- a well defined roadmap of stakeholders and sponsors roles in planning, managing and implementing the change (e.g. dedicated implementation teams that integrate business, IM and change management skills as well as program management representatives);
- a comprehensive timetable and plan/strategy to move the Agency to the future environment and business processes;
- a detailed change management activities plans (communication plan to increase awareness and establish two-way consultation; learning and training plan; risk management plan and mobilization plan; coaching plan); and
- regular reviews, monitoring and reporting as needed.

Completion Date: December