2010 Spring Report of the Auditor General of Canada

Main Points

What we examined

Aging information technology (IT) systems refers not only to a system’s age in years but also to issues that affect its sustainability over the long term, such as the availability of software and hardware support and of people with the necessary knowledge and skills to service these systems. The term also relates to a system’s ability to adequately support changing business needs or emerging technologies, such as 24/7 online availability.

The Treasury Board of Canada Secretariat, through its Chief Information Officer Branch (CIOB), is responsible for establishing the federal government’s overall strategic direction for IT, in consultation with deputy heads of departments. It is also responsible for identifying areas that offer significant government-wide benefits and for leading initiatives to achieve government-wide solutions. According to the most recent figures available (for 2005), departments and agencies spend about $5 billion a year on IT.

We examined whether five of the government entities with the largest IT expenditures—the Canada Revenue Agency, Public Works and Government Services Canada, Human Resources and Skills Development Canada, the Royal Canadian Mounted Police, and Citizenship and Immigration Canada—have adequately identified and managed the risks related to aging IT systems. The audit also examined whether the Treasury Board of Canada Secretariat, and specifically its Chief Information Officer Branch, has determined if aging IT systems is an area of importance to the government as a whole and to what extent it has provided direction or leadership in developing government-wide responses to address the related risks.

We also looked at three major systems that deliver essential services to Canadians—the Employment Insurance Program, the Personal Income Tax and Benefits Return administration system, and the Standard Payment System—to determine how the responsible entities have addressed the risks related to the aging of the IT systems that support these services. The Employment Insurance Program processed more than 3.1 million claims and paid out over $16.3 billion to claimants in the 2008–09 fiscal year. The Personal Income Tax and Benefits Return administration system processed more than 27 million income tax and benefit returns that provided $166 billion of revenue and also distributed $17 billion in payments for benefits and credits in 2008–09. The Standard Payment System (SPS) is the principal system the government uses for issuing payments, including Old Age Security, Canada Pension Plan, and Employment Insurance benefits. It issued more than 250 million payments in 2008. In about 60 percent of cases, these payments are the only income or the main source of income for the people who are receiving them.

Audit work for this chapter was substantially completed on 30 November 2009.

Why it’s important

The federal government relies heavily on IT systems to deliver programs and services to Canadians. Even though these systems are functioning, many of them consist of legacy applications that are supported by old infrastructure and are at risk of breaking down. A breakdown would have wide and severe consequences—at worst, the government could no longer conduct its business and deliver services to Canadians. Even applications that meet current business needs can be difficult and expensive to operate and may not be flexible enough to respond quickly to changes.

The renewal and modernization of IT systems does not happen overnight. It must be planned and budgeted for over the long term. The costs to renew and modernize IT systems are significant and can take many years to fund, and implementation can take five years or longer. Without sufficient and timely investments to modernize or replace aging systems, the ability of departments and agencies to serve Canadians is at risk.

What we found

  • Aging IT has been identified as a significant risk by the five organizations we examined, and the majority of them consider it sufficiently important to include it in their corporate risk profiles. They state that if these risks are not addressed in a timely manner, the systems may not have the capacity to meet current and future business needs.
  • Although the Chief Information Officer Branch of the Treasury Board of Canada Secretariat is aware that the aging of IT systems is an issue, it has not formally identified it as an area of importance for the government. Nor has it assessed the issue from a government-wide perspective or worked with departments and agencies to develop government-wide solutions. Despite the significant funding likely to be needed across government to renew aging systems—estimated at a total of $2 billion in three of the five entities alone—the CIOB has not formulated strategic directions or a plan to address these issues on a government-wide level.
  • Citizenship and Immigration Canada, Public Works and Government Services Canada, and Human Resources and Skills Development Canada have taken some steps to manage the risks related to their aging IT systems, but much work remains to be done. The Canada Revenue Agency and the Royal Canadian Mounted Police are farther along. They have both identified the significant risks associated with their aging systems and completed a multi-year investment plan that defines and prioritizes ongoing and future work. Based on their preliminary estimates, they have determined that the costs involved are significant and that presently they lack sufficient resources to complete critical investments.

The departments and agencies have responded. The departments and agencies agree with all of our recommendations. Their detailed responses follow the recommendations throughout the chapter, as applicable.

Introduction

1.1 Canadians expect the government to provide them with many services, such as processing personal income tax returns, issuing pension and benefit payments, and safeguarding personal information. Information technology is now a vital part of service delivery for the government. Government business is supported by a vast array of information technology (IT) systems, some of which have been in use for several decades. However, the term “aging IT systems” refers to more than just how old a system is in years. Many systems that are 10 years old or older were designed to be continuously upgraded. These systems are functioning and are likely to continue to do so for some time.

Risks relating to information technology systems

1.2 For the purposes of this audit, “aging IT systems” refers to applications and infrastructure that may be meeting current needs but are becoming increasingly expensive to operate and may pose certain risks. These risks may affect security or restrict the way the government conducts its business because systems cannot be easily updated to respond to changing business needs flowing from new laws, regulations, or industry standards. The most damaging risk is that an aging critical system could break down and prevent the government from delivering key services to the public—such as issuing income tax refunds and employment insurance and pension cheques. While these risks could apply to any IT system, they are more likely to affect older systems. Exhibit 1.1 describes some of the major factors that drive departments to modernize their aging systems.

Exhibit 1.1—Overview of major factors driving the modernization of aging systems

| Factor | Description |
|---|---|
| Skills shortage | Fewer staff and contractors have the skills and knowledge to use older programming languages and source code structures. |
| Vendor support | Vendors may no longer exist or no longer support older products. |
| Regulatory compliance | Outdated systems may be hard to update to comply with changing laws, regulations, and industry standards. |
| Maintenance costs | Costs go up because aging systems are very complex and difficult to maintain, there are few service providers, and parts are scarce and often very costly. |
| Access to data | Information becomes increasingly cumbersome to extract and analyze as data structures age. |
| Meeting client expectations | Older systems cannot be modified to support modern technologies and meet expectations such as 24/7 availability and workflow. |
| Security | Legacy systems* cannot always be modified to conform to changing security requirements (for example, password complexity). |
| Green IT initiatives | Older IT systems are generally not energy efficient and are hard to modify to reduce their environmental impact. |
| Disaster recovery | The older the system, the harder it is to recover data after a disaster. |

*Legacy systems—Old technology, computer systems or application programs that continue to be used, even though newer technology or more efficient methods of performing a task are now available.

1.3 In 1999, the government identified as a significant issue the deterioration or obsolescence of hardware and software that cannot be, or has not been, upgraded to meet its needs or deliver its services. In 2005, a Treasury Board of Canada Secretariat (the Secretariat) study noted that the government under-invests in up-to-date hardware and software.

1.4 Canada is not alone in this situation. A 2008 survey of chief information officers in state governments in the United States noted that modernizing aging IT systems and infrastructure presented a significant financial, technical, and program management challenge in that country. It also noted that without spending to modernize or replace existing systems, state governments risked losing their ability to operate as modern organizations and serve their citizens.

Focus of the audit

1.5 This audit looked at the extent to which five selected organizations—Citizenship and Immigration Canada, the Canada Revenue Agency, Human Resources and Skills Development Canada, Public Works and Government Services Canada, and the Royal Canadian Mounted Police—have adequately identified and managed the risks associated with the aging of IT systems. The audit also focused on three critical aging systems to determine whether the organizations using them have identified and managed those risks. Finally, the audit examined whether the Secretariat, and specifically its Chief Information Officer Branch, has determined if aging IT is an area of importance to the government as a whole, and the extent to which it has provided direction or leadership in developing government-wide responses.

1.6 As part of our audit, we surveyed 40 chief information officers of departments and agencies in the federal government that accounted for more than 95 percent of spending on IT. The purpose of the survey was to assess the condition of the government’s aging IT systems and infrastructure, and obtain an overall and government-wide picture of the risks those systems present—as well as the magnitude of the risks. Specifically, we assessed the risks that aging critical systems pose to delivering government services. The survey response rate was 100 percent. The results of the survey support our detailed audit observations presented later in this chapter.

1.7 More details on the audit objectives, scope, approach and criteria are in About the Audit at the end of this chapter.

Observations and Recommendations

Risk identification within organizations

1.8 Risk identification is the first step of any risk assessment. An information technology (IT) risk assessment involves making a clear link between the identified risks and their potential impact on the business and operations of the department or agency. The likelihood that these risks will occur must also be established. In order to do so, it is important that senior management be provided with an assessment of how sustainable critical IT systems are. This is often referred to as a “health check” in the IT industry. Exhibit 1.2 provides examples of criteria that can be used to help management identify problems that could affect their operations.

Exhibit 1.2—Examples of factors that can help identify information technology system sustainability issues

External factors

  • regulatory/legislative changes
  • changes to industry standards (for example, Canadian Payments Association)
  • control environment changes (for example, Treasury Board policies)
  • contractual obligations (for example, software licensing)

Age factors

  • systems operating on hardware or software that are no longer supported
  • incompatibility between hardware and software components
  • software and hardware no longer supported by the department and announced with a long lead time

Service-level factors

  • poor performance
  • reduced availability
  • unreliable service
  • reduced capacity
  • higher costs to operate

Source: Adapted from Great West Life IT Infrastructure Health Assessment Process

1.9 The Treasury Board Directive on Management of Information Technology requires departments to prepare an IT plan each year that identifies IT risks, reflects departmental priorities, and outlines planned investments in IT for at least the next five years.

1.10 As part of the plan, we expected that the entities we examined would have identified risks related to their aging IT systems, using factors similar to those listed in Exhibit 1.2.

1.11 We examined five of the largest government organizations based on IT spending to determine whether they have adequately identified the risks associated with their aging IT systems. The Canada Revenue Agency (CRA), Public Works and Government Services Canada (PWGSC), and Human Resources and Skills Development Canada (HRSDC) are very large, while the Royal Canadian Mounted Police (RCMP) and Citizenship and Immigration Canada (CIC) are somewhat smaller but also rely heavily on IT.

1.12 We also examined three systems to determine the extent to which the organizations using them have identified the risks associated with aging IT. These systems are the following: the Personal Income Tax and Benefits Return administration system at CRA, the Employment Insurance Program at HRSDC, and the Standard Payment System at PWGSC.

Organizations have identified significant risks related to aging systems

1.13 Exhibit 1.3 summarizes our examination criteria, including risk identification, and results for each entity examined.

Exhibit 1.3—Organizations assessed against key criteria

| Organizations | Criteria: Identification of aging IT risks | Criteria: Management of aging IT risks | Criteria: Continuous monitoring of aging IT risks |
|---|---|---|---|
| Citizenship and Immigration Canada | Many systems and practices in place. Improvements still required. | Some systems and practices in place. Significant improvements required. | Many systems and practices in place. Improvements still required. |
| Canada Revenue Agency | Most systems and practices in place. Minor improvements could still be made. | Most systems and practices in place. Minor improvements could still be made. | Most systems and practices in place. Minor improvements could still be made. |
| Human Resources and Skills Development Canada | Most systems and practices in place. Minor improvements could still be made. | Many systems and practices in place. Improvements still required. | Many systems and practices in place. Improvements still required. |
| Public Works and Government Services Canada | Most systems and practices in place. Minor improvements could still be made. | Some systems and practices in place. Significant improvements required. | Many systems and practices in place. Improvements still required. |
| Royal Canadian Mounted Police | Most systems and practices in place. Minor improvements could still be made. | Most systems and practices in place. Minor improvements could still be made. | Many systems and practices in place. Improvements still required. |

Most systems and practices in place. Minor improvements could still be made.

Many systems and practices in place. Improvements still required.

Some systems and practices in place. Significant improvements required.

1.14 We found that the five organizations we examined have all identified risks related to the aging of their IT systems that pose a significant risk to their operations. They reported these risks as significant in their respective departmental or agency IT plans and strategies. As a result, senior management of each entity has been made aware of them. CIC, CRA, HRSDC, and PWGSC assessed certain risks relating to aging as significant enough to be elevated to corporate level risks. The RCMP did not include aging IT as a corporate risk.

1.15 We found that the methodology all the selected organizations used or intended to use to identify risks was generally consistent with the Treasury Board Risk Management Policy.

1.16 Canada Revenue Agency. The Agency 2009 Corporate Risk Inventory identified 14 key risks. Two of those risks relate to aging IT. The first risk is linked to 141 national applications that are difficult to sustain because the database platform or the programming language is being phased out and will no longer be used for new applications. The second risk involves the aging of one of the Agency’s data centres, which houses its key systems. This data centre will not be able to support the Agency’s long-term service needs because it is located in a 40-year-old complex that was not built to accommodate a data centre. Its age, location, and other factors pose a significant risk.

1.17 Personal Income Tax and Benefits Return administration system. The CRA Personal Income Tax and Benefits Return administration system provides Canada, the provinces, and the territories with their principal source of revenue. The system also determines eligibility for individual Canadians who receive benefit payments and tax credits each year. The current system was implemented in the 1970s. In the 2008–09 fiscal year, CRA processed more than 27 million personal income tax and benefit returns, of which 56 percent were filed electronically. In the same year, the Personal Income Tax and Benefits Return administration system provided $166 billion in revenue and distributed 91 million ongoing payments for benefits and credits, totalling over $17 billion.

1.18 Since 2007, CRA has identified significant risks relating to the sustainability of applications and hardware, and the agility and adaptability of the many systems associated with the Personal Income Tax and Benefits Return administration system. CRA has measured the likelihood and impact of those risks, basing them on qualitative (subjective) and quantitative (objective) indicators, and management experience, using its Integrated Risk Management Framework. As a result, CRA has identified and included in its Strategic Investment Plan the modernization of the Personal Income Tax and Benefits Return administration system as one of the top three critical investments it needs to make.

1.19 CRA’s corporate risk profile refers to a lack of sustainability—the ability to keep applications (software) and infrastructure (hardware) operating and meeting operational demands—as a significant risk for aging IT systems. Although it does not specifically mention sustainability issues in connection with the Personal Income Tax and Benefits Return administration system, the documentation from the IT Branch links this risk directly to this system.

1.20 Public Works and Government Services Canada. The PWGSC 2008 corporate risk profile identified 12 key risks that could affect the achievement of the Department’s objectives. Several branches within PWGSC identified issues associated with outdated systems that have adversely affected their programs. Examples included lower productivity, inability to support business requirements, and increased time and costs to search for information. The profile identified “ability of IM [information management]/IT infrastructure to meet needs” as the fourth most severe risk, based on the likelihood that this risk would disrupt the Department’s operations and the impact it would have.

1.21 Also, PWGSC stated in its 2008 corporate risk profile that some outdated IT systems such as the Pay and Pension systems were close to imminent collapse, and compensation specialists were leaving as a result. The Department has initiated new projects to modernize both the Pay and Pension systems. We did not audit these systems.

1.22 Standard Payment System. PWGSC operates the Receiver General Standard Payment System (SPS). The SPS was initially put into production in 1995 to replace 37 separate cheque issuing systems. It processes all Receiver General payments and issues more than 250 million payments each year. Some 60 percent of the total payments issued represent the sole or principal source of income for recipients. The most critical programs include Old Age Security, Canada Pension Plan, and Employment Insurance.

1.23 The SPS is currently meeting its operating service standards and business requirements even with a 30 percent increase in the volume of payments it has processed over the last 10 years. Over the years, the system has been working well and meeting clients’ needs. Although the Department does monitor the system’s operating performance, it has not conducted a formal sustainability analysis to determine when the SPS will reach the end of its useful life. This analysis would assess the system’s ability to meet future capacity requirements.

1.24 Human Resources and Skills Development Canada. The HRSDC 2009 corporate risk profile identified six key risks. Due to growing demand for departmental services because of the current economic downturn, and existing technologies that are reaching the end of their useful life, the Department recognizes that there is a high risk that its IT infrastructure will not be able to support the delivery of its core programs, such as Employment Insurance (EI). HRSDC also identified the lack of sustainable funding for renewing IT infrastructure as a significant corporate risk.

1.25 Much of the current infrastructure is no longer supported by the manufacturers. This has led to costly maintenance contracts. For example, the heating ventilation and air conditioning system in the Montreal data centre is over 16 years old and the vendors no longer exist or make parts. As a result, the Department’s Innovation, Information and Technology Branch (IITB) has spent $152,000 for repairs and maintenance contracts to maintain cooling capacity in the past year. Also, the lack of funding for replacement of existing equipment has been identified as one of the major reasons behind the increase in the risk of major service outages.

1.26 Employment Insurance program (EI program). The EI program is a highly decentralized series of systems and applications, some of which date as far back as the 1980s. More than 24 applications are used to process an EI claim from initiation to payment. Of those, 12 are considered to be critical. Statistics show that in the 2008–09 fiscal year, more than 3.1 million EI claims were processed, 24 million payment transactions were made, and $16.3 billion was paid to claimants.

1.27 For the past three years, IITB has identified aging IT risks for hardware and applications that support the EI program and are central to delivering benefits to Canadians. IITB has measured the likelihood and impact of those risks using HRSDC’s Integrated Risk Management Framework. These risks were significant enough to be incorporated into the Department’s corporate risk profile.

1.28 We found that indicators for evaluating the likelihood and potential impact or consequences of risks were largely qualitative in nature and that few quantitative indicators were used. Good quantitative information lends weight or authority to the potential risk impacts and is also a useful tool for prioritizing risks as well as projects. For example, the Infrastructure Renewal Program and the Application Modernization Project, both initiated to address the aging IT risks, have been delayed. These projects have received only partial funding since they need a more thorough analysis. This analysis would include such aspects as the implications and risks of not proceeding, as well as business cases.

1.29 Citizenship and Immigration Canada. The 2008 CIC corporate risk profile describes and prioritizes 13 key risk areas. The risk area titled “Maintenance of IM/IT Systems and Infrastructure” applies directly to aging IT systems. CIC has also determined that the obsolescence, redundancy, and complexity of its legacy systems and infrastructure are a security and business risk.

1.30 For example, the Field Operations Support System is a 29-year-old system critical to the National Immigration Program. It is considered high risk because the programming language is no longer being taught, and staff familiar with it are retiring. It is also very difficult, if not impossible, to integrate this application with newer systems.

1.31 CIC has an Integrated Risk Management Framework that dates back to 2002. A review of this policy in 2008 by internal audit led to recommendations for improvements to governance, impact statements, and a better Department-wide integration of risks. As a result, CIC has drafted a new Integrated Risk Management Framework. At the time of our audit, the revised Framework was still in draft form.

1.32 Royal Canadian Mounted Police. The RCMP recently completed a corporate risk profile that identifies 12 key risks. Although aging IT systems is not included as a risk in the corporate risk profile, it is considered significant enough to be included in the most recent IT Investment Plan. For example, one of those aging IT risks involves radio systems that use older technology unable to support current security and privacy requirements. According to the RCMP, this increases the risk to police and public safety and could lead to injury or death.

1.33 Chief Information Officer (CIO) Survey. In our survey of CIOs across government departments, we asked the following question: “Do aging IT systems pose a major risk to your agency or department?” The CIOs in seven of the ten departments and agencies with the most IT spending that we surveyed—including four of the five entities we examined—identified aging IT as a major risk.

Risk management within organizations

1.34 The Treasury Board Policy on Investment Planning requires that departments use a portfolio management approach when determining the appropriate balance of investments between those needed to sustain ongoing operations and those needed to improve the efficiency and effectiveness of their programs. This approach ensures that they focus on current and planned IT investments that best contribute to meeting business objectives, with an acceptable degree of risk and at a reasonable cost. This policy is currently being phased in across the government.

1.35 The systems and practices that support portfolio management include the following:

  • a multi-year strategic investment plan;
  • information about the existing portfolio of IT assets, including sustainability and risks;
  • clearly defined portfolio categories and objectives; and
  • evaluation criteria for choosing investments.

In the case of IT, a portfolio management approach entails looking at all IT assets—aging and otherwise—before setting priorities for modernizing them. This approach provides a basis for prioritizing projects and achieving a balance between investing in a new system or systems, and investing to maintain the health of existing systems.

1.36 We examined whether the selected organizations had assessed the aging IT risks identified, and whether they were designing and implementing cost-effective strategies for preventing, reducing, or avoiding those risks. We expected departments that have significant investments in IT to use a portfolio management approach when setting their priorities for managing the related risks.

Risk management practices in some entities need significant improvement

1.37 We found that the Canada Revenue Agency (CRA) and the Royal Canadian Mounted Police (RCMP) had assessed their aging IT risks and had put in place strategies to manage those risks through their investment plans. CRA and the RCMP were the only organizations among the five we examined that followed a portfolio management approach. Citizenship and Immigration Canada (CIC), Public Works and Government Services Canada (PWGSC), and Human Resources and Skills Development Canada (HRSDC) did not have department-wide portfolio investment plans to manage their aging IT risks.

1.38 Canada Revenue Agency. Recently, the Agency established the Application Sustainability Program to assess the health of its major systems. This new annual process measures operations and business metrics for applications within the portfolio and exposes problem areas and trends that can be addressed across the Agency. The associated investment plan to improve long-term sustainability over the next 10 years was presented to the Agency’s Management Committee in 2008.

1.39 Personal Income Tax and Benefits Return administration system. Senior management at CRA has agreed that the Personal Income Tax and Benefits Return administration system has significant risks due to aging that need to be addressed as a priority. Its Strategic Investment Plan indicates that the Agency will have sufficient funds available to complete the redesign of two priority income tax systems in its portfolio of IT assets—the Personal Income Tax and Benefits Return administration system and the trust income tax system—if the work is spread out over a period of up to 10 years. Since modernizing the Personal Income Tax and Benefits Return administration system could require up to 70 percent of the funds available, it is doubtful that the Agency will, in fact, have the necessary financial flexibility to commit to these two highest priority projects, let alone the various other business sustainability investments that will be required during the same period. The Agency will have to make some difficult choices to balance the priorities in its portfolio, without putting the integrity of its core tax programs and services at risk. The plan currently lists 19 major investment projects that will be on hold beyond 2018 unless further funds are secured.

1.40 Royal Canadian Mounted Police. The RCMP followed a portfolio management approach to prepare its most recent investment plan. It has aligned its IT portfolio with its business strategic objectives. The IT investment plan describes the IT portfolio in terms of asset condition, asset demand, capacity, and risks. It also links the IT investment strategy to strategic corporate initiatives for major IT assets.

1.41 Human Resources and Skills Development Canada. HRSDC developed its first Long-Term Capital Plan in 2008. This plan broadly identified its most significant IT investment priorities. However, the analysis did not provide any specific information about the portfolio of IT assets, such as the sustainability and evaluation criteria for ranking specific investments.

1.42 Since then, HRSDC has prepared an update to its Long-Term Capital Plan; however, the analysis remains incomplete. In reviewing the strategies identified to manage the risks related to aging, we found that the Innovation, Information and Technology Branch (IITB) had not performed an analysis to ensure that these strategies are the most cost-effective, relative to other options or solutions. Senior management acknowledges that aging IT presents significant risks, but it has challenged and, in some cases, not approved the approaches identified for dealing with these risks.

1.43 Other than the Infrastructure Renewal Program, which has a very detailed analysis, the other projects in the updated Plan have not been prioritized over multiple years, and a portfolio view with timelines, costs, and priorities is missing. The Department needs to provide a complete view of all required IT investments, including those initiated by the program branches, and their relative priority. Without this information, it is difficult to determine how HRSDC will be able to ensure that its systems, including those that support the EI program, will continue to function without continuously requiring emergency funding.

1.44 IITB has also identified alignment between IT and business as a significant risk in its 2009–10 risk register. The consequence of business/IT misalignment is reflected most significantly in the current IT-enabled projects, where success depends on common goals and well-defined requirements. As well, the business side of the Department is not taking sufficient ownership of IT issues that have an impact on its programs. HRSDC has responded in the past year by putting in place an investment management process to address this risk and has created a senior departmental committee to oversee this process.

1.45 Employment Insurance Program. As stated earlier, IITB has identified both aging infrastructure and legacy applications as risks that have a significant impact on the EI program. To address these, two major initiatives were developed. The first is the Infrastructure Renewal Program, estimated to cost $214 million over five years. According to IITB, this renewal program is needed to ensure that technology aligns to business requirements to meet the needs and expectations of Canadians. Secondly, the Application Modernization Project addresses the risk posed by the current extensive inventory of custom-built legacy applications that are obsolete and difficult to sustain. At the time of our audit, this project was at the preliminary stage and still needed a comprehensive assessment of applications and the development of an action plan. Currently, IITB estimates that this project will cost between $100 million and $150 million over four years.

1.46 Citizenship and Immigration Canada. The CIC Information Management Technology Branch (IMTB) prepares an annual business plan where IT risks are measured. Although the plan includes a list of high-priority initiatives, senior management has stated that better methods are needed to further prioritize these initiatives. CIC has completed a comprehensive review of its IT infrastructure; however, it has not reviewed its applications at the same level. The Department has not used a portfolio management approach that considers the interdependence of IT assets. As well, CIC currently does not have an IT investment plan.

1.47 Public Works and Government Services Canada. PWGSC currently manages its IT infrastructure centrally, while business applications are managed by each branch.

1.48 PWGSC does not prepare a Department-wide IT investment plan beyond a one-year period. Without such a plan, the Department cannot be sure which aging IT assets need to be replaced. In addition, PWGSC does not manage its IT investments as a portfolio. We did note some elements of investment planning, such as an inventory of IT infrastructure and identified priorities, timelines, and costs associated with its replacement. In addition, the Department developed management plans to address one aging corporate IT-related risk it had identified. However, when we reviewed the plans, we found neither a definite timeline nor any estimated costs to address and mitigate this risk. There is also no formal investment plan to address Department-wide funding shortfalls related to aging IT. PWGSC has launched some initiatives to replace aging IT assets but did so without a formal Department-wide investment plan to address aging IT issues.

1.49 Recommendation. Citizenship and Immigration Canada, Human Resources and Skills Development Canada, and Public Works and Government Services Canada should use a department-wide portfolio management approach to ensure that they focus on current and planned IT investments that best contribute to meeting their business objectives, with an acceptable degree of risk and at a reasonable cost.

Citizenship and Immigration Canada’s response. Agreed. Work is already underway, as part of the 2010–11 Integrated Corporate Planning process, to develop a department-wide portfolio approach for IT investments. The Department plans to have the process fully implemented for the 2011–12 planning cycle.

Human Resources and Skills Development Canada’s response. Agreed. The Department will continue to strengthen its implementation of a portfolio management approach to move toward an optimum maturity level.

Public Works and Government Services Canada’s response. Agreed. While the Department has many of the elements in place, it recognizes the benefits of developing an IT Portfolio Management Framework that will support a portfolio management approach for both IT infrastructure and business applications. The plan will be completed by June 2010 and implemented over the next year.

The Department will also enhance its IT Governance Framework to provide oversight of the portfolio management approach. This framework will respect the unique funding structures of the Department. More specifically, it will support governance of IT systems within programs whose funding models include full cost recovery revolving funds, full cost recovery shared services, and common services funded from the general operating budget.

Using its current approach to managing IT investments, the Department has successfully managed a number of IT-enabled business transformation projects. It has obtained Treasury Board funding for projects by providing business cases that identified risk management strategies. Specifically, it has received funding for two critical modernization projects totalling $412 million and self-funded $50 million for other initiatives. Finally, the Department secured funding of $29 million from Treasury Board for IT infrastructure upgrades and has self-funded $9 million toward the $61 million, five-year ever-greening plan.

1.50 Recommendation. Citizenship and Immigration Canada, Human Resources and Skills Development Canada, and Public Works and Government Services Canada should develop a multi-year IT investment plan that presents a balanced mix of mandatory, sustaining, and discretionary investments that they require to both sustain existing systems and to improve service delivery.

Citizenship and Immigration Canada’s response. Agreed. The Department already has a multi-year investment plan for IT Infrastructure and will add an application component to create an integrated multi-year investment plan. The plan will indicate the mandatory, sustaining, and discretionary investments for meeting business requirements. The Department plans to complete this work over the next two years.

Human Resources and Skills Development Canada’s response. Agreed. The Department is working on a revised multi-year investment plan to be completed in 2010, with specific attention to the full economic life cycle of IT assets and the establishment of quantitative performance metrics for improved risk assessment of our technology assets. This plan will include strategic options analysis and investment scenarios based on available funding sources.

Public Works and Government Services Canada’s response. Agreed. The Department will bring together the several existing components of planning from which we will produce a multi-year integrated information management (IM)/IT investment plan that will include all IT investments organized by

  • the assets portfolio, which includes mandatory and sustaining investments;
  • the innovation and business transformation project portfolio, which includes discretionary investments; and
  • the client portfolio, which presents a branch-specific view of all IT investments.

In addition to portfolio information, the IM/IT investment plan will provide a mechanism to consider common IT requirements across the Department to help ensure that maximum value is obtained from IT investments taking into account the most likely availability of funds. This IM/IT investment plan will be updated on an annual basis to reflect past investment decisions, emerging business needs, and the aging of infrastructure and applications. This IM/IT investment plan will be developed in compliance with the Treasury Board Policy on Management of Information Technology and an initial iteration will be completed by March 2010.

This detailed IM/IT investment plan will complement the integrated investment plan being developed by the Department in compliance with the Treasury Board Policy on Investment Planning—Assets and Acquired Services for which the initial iteration will be provided to the Treasury Board of Canada Secretariat by the end of March 2010. The integrated investment plan will provide a Department-wide overview of the investment planning activities for real property, material, and information technologies.

Risk monitoring within organizations

1.51 In keeping with the Treasury Board Risk Management Policy, we expected that management responsible for protecting IT assets and controlling risks associated with aging IT systems would review their department’s risk mitigation and control activities. This would ensure that IT assets are adequately protected and that they could be recovered or replaced within the department’s tolerance for loss.

1.52 We examined whether the selected organizations were actively monitoring the aging IT risks identified and assessed. We expected the selected organizations to have in place risk action plans that included specific strategies, key activities, deliverables, and timelines to manage these risks. We also expected that progress would be regularly reported to senior management.

Monitoring of risks is incomplete

1.53 We found that the management of the Canada Revenue Agency (CRA) was aware of the aging IT risks and that managers were monitoring the Agency’s ongoing activity to control those risks. We found that the monitoring of risk mitigation and control activities by Citizenship and Immigration Canada (CIC), Human Resources and Skills Development Canada (HRSDC), Public Works and Government Services Canada (PWGSC), and the RCMP was incomplete.

1.54 Canada Revenue Agency. The CRA Management Committee and the Resource and Investment Management Committee review all major risks and investment projects regularly to ensure that the Agency has allocated its resources to the highest priority activities and projects. CRA’s Risk Action Plan outlines specific strategies, key activities, deliverables, and timelines for the initiatives designed to respond to each of the corporate risks listed in the Corporate Risk Inventory.

1.55 Citizenship and Immigration Canada. In the past year, CIC has implemented a formal quarterly process to monitor its key corporate and business-related risks. However, CIC currently has no formal risk action plans. The Department is currently working to establish performance indicators to improve monitoring and management of the key risks in its corporate risk profile.

1.56 Royal Canadian Mounted Police. The RCMP monitors risks through its Integrated Risk Management process and is supported by its Corporate Risk Register System. The risks specifically for aging IT systems are found in the Chief Information Officer (CIO) Sector Risk Register. The Register provides structured information by project or portfolio, which includes many indicators such as risk rating, current status, impact(s), mitigation approach, and risk owner. To validate the assessment of its risks, the CIO Sector created a Strategic Review Committee (SRC) in September 2008. The SRC is responsible for identifying emerging IT risks and providing recommendations, strategic advice, and guidance to the Senior Executive Committee. However, the SRC has not yet started to report its key IT risks to this committee.

1.57 Human Resources and Skills Development Canada. As a result of an internal audit of its Integrated Risk Management Framework, HRSDC now requires that a risk status report be prepared by all branches including the Innovation, Information and Technology Branch (IITB). HRSDC has also established a senior committee that approves the updated departmental Risk Management Strategy and monitors its implementation. IITB currently does not have key performance indicators to help it monitor progress against the mitigation strategies for the aging IT risks. IITB has a senior committee to oversee the monitoring of risks; however, there are no minutes or records of decision, and so it was not possible to assess how well this review was working.

1.58 Public Works and Government Services Canada. PWGSC submits risk mitigation strategies for each of its branches to its Chief Risk Officer for review as part of the annual and semi-annual planning process as well as for other senior committee reviews. However, we noted that quantitative key performance and risk indicators to assess mitigation progress and independent evaluations could be improved. Such key indicators would help the Department assess to what extent IT risks, particularly aging IT risks, have been reduced.

1.59 Recommendation. Human Resources and Skills Development Canada, Public Works and Government Services Canada, Citizenship and Immigration Canada, and the Royal Canadian Mounted Police should develop an action plan for each significant aging IT risk. The plans should include specific strategies, key activities, deliverables, and timelines to manage these risks. These entities should report progress regularly to senior management.

Citizenship and Immigration Canada’s response. Agreed. Over the next two years, the Department will develop an action plan for each significant aging IT risk. The plan will include specific strategies, activities, and timelines to manage these risks. Additionally, progress will be reported to senior management on a quarterly basis.

Human Resources and Skills Development Canada’s response. Agreed. The Department is updating its corporate risk register, and it will continue to monitor and report progress on mitigation strategies to senior management.

Public Works and Government Services Canada’s response. Agreed. The Department will use the Operational Risk Profile exercise, which was launched in December 2009 and will finish in March 2010, and the refreshed corporate risk profile to validate the corporate risks, including those relating to aging IT systems and their related applications, and to identify any emerging key risks to Public Works and Government Services Canada.

In addition, an IT-specific risk profile exercise will be conducted with the Departmental IM/IT Steering Committee to develop a departmental IT risk profile. Each of the IT risks will be assessed and prioritized by the Steering Committee. Risk owners for each risk will be identified and engaged in the development of the appropriate risk response strategies. For each risk mitigation strategy, key deliverables will be identified and timelines for completion of those deliverables and indicators to measure success of the strategies will be established. Implementation of these strategies will be monitored and modified when necessary. Their implementation status and success will also be reported to senior management through the Departmental IM/IT Steering Committee and Deputy Minister’s Management Committee. The Department will complete implementation of the process by winter 2011.

Royal Canadian Mounted Police’s response. Agreed. The RCMP will develop specific strategies, key activities, deliverables, and timelines to manage these risks. As of January 2010, significant IT program risks associated with aging systems are reported on the corporate RCMP Risk Register, in compliance with the Treasury Board Risk Management Policy. Risk management updates will occur on a quarterly basis.

Funding strategy to address risks

1.60 We noted earlier that the Treasury Board Policy on Investment Planning—Assets and Acquired Services requires departments to prepare an investment plan that both reflects departmental priorities and outlines planned investments for at least the next five years. The development and approval of an investment plan alone is not enough to address the risks associated with aging systems. We expected to find that organizations had prepared an investment plan that identifies investment options. Further, we expected that the organizations would have presented funding strategies that take into account what source of funding would most likely be available in the five-year planning period.

Departmental investment plans need to be supported by a funding strategy

1.61 We found that the departmental investment plans for the Canada Revenue Agency (CRA), Human Resources and Skills Development Canada (HRSDC), and the RCMP did not identify sufficient sources of funding to complete all the initiatives necessary to manage the aging IT risks identified in their respective IT plans. Citizenship and Immigration Canada (CIC) and Public Works and Government Services Canada (PWGSC), as stated earlier, did not have multi-year investment plans.

1.62 CRA was the only organization that had completed a multi-year investment plan that identified investment options. It was also the only one to develop funding priorities that took into account what funding would most likely be available in the five-year planning period.

1.63 In our audit report on the Management of IT Investments at CRA, presented in December 2008, we found that about one third of the Agency’s national applications—of which about 50 percent were considered critical to enable it to fulfill its mandate—were at risk because they were not sustainable in the long term. The OAG recommended, in part, that the Canada Revenue Agency finish developing its multi-year Strategic Investment Plan and document clear evaluation criteria for prioritizing and selecting IT investments for the portfolio.

1.64 The Agency has followed up on this recommendation. It introduced a more formal process to plan and set priorities for its major strategic investment projects. The process centred on developing the Strategic Investment Plan with a multi-year view of current and future investments in major projects.

1.65 CRA identified in its Strategic Investment Plan a total of 55 investments estimated to cost $1.8 billion over 10 years. After assessing this list of investments, senior management reduced it to 24 critical, high-value investments that cost about $1.24 billion over the same period. The Agency has $410 million available to finance these investments over the next 10 years. This leaves a funding shortfall of $830 million. CRA management has determined that the inability to make the critical investments to replace aging IT presents an unacceptable risk to its continuing operations. At the time of our audit, the Agency had not yet secured additional funding to address the shortfall.

1.66 In 2008, HRSDC prepared its first Long-Term Capital Plan. A senior departmental committee oversaw its development to ensure that investment strategies aligned with the overall direction and priorities of the Department. The investment priorities that resulted from this process were assessed and ranked to determine an overall funding scenario. These investments were deemed necessary to allow HRSDC to maintain its operations and meet minimum program outcomes, as well as to develop capacity to meet future priorities. This list of investments consists of 20 projects and initiatives that cost an estimated $947.4 million over five years. Given that the current five-year base funding level of the Department is $424 million over five years, the above estimates result in a shortfall of $523.4 million. Senior management discussed the 2008 Long-Term Capital Plan but did not approve the projects, approach, and funding requirements.

1.67 Since HRSDC developed its initial Long-Term Capital Plan, it has updated it with comprehensive details for IT infrastructure renewal. However, the application projects in the updated plan are not ranked and an updated funding strategy has not been included. Without this information, the full long-term funding requirements of HRSDC to address its aging IT risks are unclear.

1.68 The RCMP’s latest investment plan was prepared in 2009 to comply with the new Treasury Board Policy on Investment Planning. The investments identified in the plan were reviewed to ensure that resources would be allocated according to the Department’s needs. The RCMP’s challenge is to maintain funding for operational readiness while at the same time investing in large capital mission-critical systems. The funding requirements identified for IT totalled $1.257 billion over five years. Given that the existing base funding is $637 million over five years, the resulting shortfall amounts to $620 million. The RCMP has not yet prioritized its investment needs to develop an overall funding strategy for its IT portfolio.

1.69 For the three organizations we reviewed that have departmental investment plans—CRA, HRSDC, and the RCMP—we found significant shortfalls in available funding that could prevent them from making all the investments they need to modernize their critical information systems and technology infrastructure. These three organizations alone have estimated the funding shortfall at $2 billion. We have not audited or attempted to verify the accuracy of the investment proposals included in these departmental investment plans. However, the funding shortfall indicates a significant challenge facing departments that are required to sustain and improve some of the most complex and critical information systems in the Government of Canada. We also found that, except for the Canada Revenue Agency, these departments had made proposals for funding to control aging IT risks on a project-by-project basis. The Canada Revenue Agency is the only organization that has made a comprehensive proposal to obtain long-term capital funding so that it can make continuing investments to modernize its entire portfolio of information systems and technology assets.

1.70 Of note is that 28 of 40 chief information officers (CIOs) we surveyed stated that insufficient funding is by far the major obstacle or challenge their organizations are facing in modernizing their aging IT systems. The CIOs in 8 of the 10 largest departments reported that obtaining funding was the greatest obstacle they experienced.

1.71 Recommendation. Human Resources and Skills Development Canada and the Royal Canadian Mounted Police should identify an appropriate funding strategy. The funding strategy should present investment options, or scenarios that take into account what source of funding would most likely be available in the five-year planning period.

Human Resources and Skills Development Canada’s response. Agreed. The Department will review its enterprise-wide governance model to ensure the right processes are in place for IT priorities, their funding strategy, and assignment of resources to a balanced mix of IT-enabled projects.

Royal Canadian Mounted Police’s response. Agreed. The RCMP’s latest investment plan was prepared in 2009 to comply with the new Treasury Board Policy on Investment Planning. The IT investments included in the plan will be reviewed and updated on a quarterly basis to ensure resources are allocated according to the RCMP’s needs. IT investments will be prioritized based on operational priorities governed by the Chief Information Officer Strategic Review Council.

Risk identification and management by the Treasury Board of Canada Secretariat

1.72 Although deputy heads are accountable to their respective ministers and to the Treasury Board for the management of assets and acquired services in their departments, including information technology, they cannot always address the risk posed by aging IT systems alone. Many of the practices commonly used to address the modernization of aging IT systems, such as common and shared services, cannot be implemented by a single department or agency. In effect, central leadership and coordination by the Chief Information Officer Branch (CIOB) is required to implement these practices.

1.73 According to the Policy on Management of Information Technology, the Treasury Board of Canada Secretariat (the Secretariat) is responsible for establishing and implementing the overall government-wide strategic directions for IT. This involves identifying areas that offer significant government-wide benefits or are of importance to the government. The Secretariat is also responsible for leading necessary initiatives to achieve government-wide solutions.

1.74 We expected CIOB to have assessed whether the aging of critical IT systems poses significant government-wide risks. CIOB should have worked with departments to establish and implement relevant government-wide strategic directions and have led the necessary initiatives for managing those risks. We examined whether the Treasury Board of Canada Secretariat, and specifically its Chief Information Officer Branch, has determined if aging IT systems is an area of importance to the government as a whole, and the extent to which it has provided direction or leadership in developing government-wide responses to address the related risks.

The Chief Information Officer Branch has been aware of the significant risks of aging IT for over a decade

1.75 We found that over the last decade, many federal departments and agencies, including CIOB, have identified aging (also referred to as “rust-out”) as a risk, and stated that critical aging IT systems pose significant government-wide risks. This has been communicated to CIOB in various ways, described in the next few paragraphs.

1.76 In 1999, CIOB identified IT capital rust-out as a horizontal issue and described this issue as the deterioration or obsolescence of hardware and software that cannot be or has not been upgraded to meet operational requirements or that may pose a risk to meeting minimal service delivery standards and stated that it must be addressed.

1.77 A survey on the IT status of the Government of Canada, reported on in the 2004 Expenditure Review Committee studies, identified risks relating to the aging of IT systems. These risks included the lack of consistent, ongoing infrastructure investment and renewal, and the inability of aging systems to adapt to new requirements—both legislative and operational. Also in 2004, Citizenship and Immigration Canada (CIC) accessed some of the federal rust-out funding to address the aging IT issues it was experiencing at the time.

1.78 In 2005, the Secretariat published an Information Technology Services Review entitled Strategies for Improving IT and its Management, which presented the results of an assessment of the state of IT in the federal government. It noted, among other things, that the Government of Canada under-invests in up-to-date hardware and software tools in comparison with “peer enterprises.”

1.79 In recent years, as more and more departments have prepared corporate risk profiles based on the Secretariat’s Integrated Risk Management Framework, they have been identifying and documenting several risks related to aging IT systems. For example, HRSDC noted such concerns in many documents submitted to the Secretariat, including its corporate risk profile for the past three years. In addition, other entities, such as PWGSC, CIC, the RCMP, and CRA, also submitted documents pointing to the need to update and modernize their IT systems. Moreover, a search of the Government of Canada website has resulted in numerous references to risks and sustainability issues associated with aging IT assets in federal departments.

1.80 Furthermore, the Prime Minister’s Advisory Committee on the Public Service reported in February 2009 that the IT systems currently in place are inadequate considering the government’s goal of achieving an innovative and efficient workplace. The Committee recognizes that investments to modernize IT systems are long overdue but understands the reluctance to address this issue because of the potential significant investments required.

The Chief Information Officer Branch is not fully exercising its central leadership in addressing aging IT risks

1.81 As aging IT has been identified as a significant risk, we expected CIOB to have demonstrated its central leadership for addressing this risk across the government. Central leadership is exercised by setting government-wide strategic directions through a formal course of action that leads to the achievement of goals. As CIOB is responsible for establishing and implementing IT strategic directions across the government, we expected that CIOB would have developed an IT strategy that would include

  • a vision;
  • the areas of importance;
  • the associated risks addressed through IT strategic directions;
  • the milestones, deliverables, measurable outcomes, and benefits; and
  • the assignment of responsibility for monitoring and reporting on progress.

1.82 CIOB has initiated some work that relates indirectly to the aging of IT systems. For example, it has provided some direction to entities via policies, standards, guidelines, tools, and other means on how key risks are to be identified and reported. CIOB has engaged with the IT community using electronic tools, such as email and social networking, as well as formal and informal face-to-face meetings.

1.83 CIOB has made a number of presentations on information technology trends at various events during the past few years. These presentations clearly showed that CIOB was aware of aging IT risks and potential solutions for the government as a whole. In one presentation, it named the lack of consistent, ongoing IT infrastructure investment and renewal as one of the six drivers for change in the Government of Canada. However, it has not formally established any strategic directions since 1999.

1.84 CIOB has not systematically gathered and analyzed information to assess the nature, extent, and impact of aging IT risks across the government. Currently, CIOB does not have a government IT strategy that outlines the IT vision, the strategic directions, the priorities, and work plans with clearly defined milestones and resource requirements.

1.85 CIOB has not assessed the magnitude or the urgency of funding required to address the issue of aging IT systems in the coming years. As mentioned previously, the estimated funding shortfall for HRSDC, the RCMP, and CRA alone represents about $2 billion. Given the magnitude of investments required to address aging IT risks, such an analysis would provide CIOB with a global view of the immediate and longer term investments required to address the issue.

1.86 Recommendation. The Chief Information Officer Branch (CIOB) of the Treasury Board of Canada Secretariat should exercise its central leadership role by collecting and analyzing relevant information to assess the state of aging IT systems across government. The CIOB should prepare a report on its assessment and the related cost estimates for the government as a whole. In consultation with deputy heads, it should also develop a plan that will set the IT strategic directions for the government to mitigate risks associated with aging IT systems on a sustainable basis.

Treasury Board of Canada Secretariat’s response. Agreed. The Secretariat agrees but notes that it does not formulate funding or investment needs either for departments or for the government; current and future investment needs, and decisions related thereto, are developed and made by ministers and Cabinet, as well as by deputy heads under their authorities.

In consultation with deputy heads and the chief information officer community, the Chief Information Officer Branch (CIOB) of the Secretariat will prepare a report on the state of the aging IT systems that present material risk to the government. CIOB will also develop a strategic direction for IT systems for the Government of Canada, and supporting guidance for use by departments, that will help them address ever-greening for mission critical IT systems. The strategic direction developed in concert with the CIO community will assist departments in setting their IT investment priorities, including for aging IT systems that are material to the government.

The assessment of aging IT systems will be completed by April 2011. The strategic direction and supporting guidance for ever-greening mission critical IT systems will be completed by March 2012, and departments will be encouraged to implement the guidance, starting in fiscal 2012–13.

Conclusion

1.87 The five entities we reviewed—the Canada Revenue Agency (CRA), Public Works and Government Services Canada (PWGSC), Human Resources and Skills Development Canada (HRSDC), the Royal Canadian Mounted Police (RCMP) and Citizenship and Immigration Canada (CIC)—have identified and taken some steps to manage the risks related to their aging IT systems.

1.88 We found that over the last decade, departments and agencies as well as the Chief Information Officer Branch (CIOB) of the Treasury Board of Canada Secretariat have been aware of the aging IT risks. However, no strategic directions have been formally established by CIOB since 1999. The Treasury Board of Canada Secretariat, through CIOB, should exercise its central leadership role and develop a formal government-wide IT strategy to provide strategic directions that would include a global estimate to address the current and future investment needs for the government on a sustainable basis.

1.89 The management of the risks presented by aging IT systems could be significantly improved in several of the departments that we audited. We found important gaps in the manner in which these entities are managing the risks.

  • As noted earlier, CRA is the only one of the five entities we examined that could demonstrate that it had adequately identified, managed, and controlled the significant risks associated with its aging information systems. It has prepared a multi-year strategic investment plan to manage its portfolio of IT investments. The Agency has identified a significant shortfall to address critical investments that, if they remain unfunded, could put its operations at risk.
  • The RCMP has prepared multiple documents, including a five-year investment plan, which identifies several issues about aging IT systems. It has not yet prioritized its investment needs to develop an overall funding strategy for its IT portfolio.
  • PWGSC does not manage its IT investments by portfolio. Its IT investments are prioritized within each branch, using branch specific criteria. PWGSC has not prepared a multi-year IT investment plan for the whole Department.
  • HRSDC has developed its first Long-Term Capital Plan, which identified and prioritized its most significant investments in information technology. Work is still needed to further develop evaluation criteria for prioritizing IT investments.
  • CIC recognizes that it needs to evaluate its entire portfolio of IT assets and prepare an investment plan that goes beyond ensuring the sustainability of existing infrastructure assets. CIC has yet to develop an investment plan that will use a portfolio management approach to arrive at an appropriate balance of IT investments.

1.90 Two of the three systems we examined (the Personal Income Tax and Benefits Return administration system and the Employment Insurance program) contain significant aging IT risks that, if left unaddressed, will cause an unacceptable level of risk and could disrupt the distribution of employment insurance benefits or the assessment of personal income tax.

About the Audit

All of the audit work in this chapter was conducted in accordance with the standards for assurance engagements set by The Canadian Institute of Chartered Accountants. While the Office adopts these standards as the minimum requirement for our audits, we also draw upon the standards and practices of other disciplines.

Objectives

The objective of our audit was to determine whether selected entities had adequately identified and were managing the risks related to critical aging information technology (IT) systems.

Scope and approach

In examining how well the Government of Canada was identifying and managing the risks related to aging IT systems across the government, we carried out the following tasks:

  • We looked at the extent to which the Treasury Board of Canada Secretariat (the Secretariat) and five government organizations had identified and managed the IT-related risks noted above. The five organizations were the Canada Revenue Agency (CRA), Public Works and Government Services Canada (PWGSC), Human Resources and Skills Development Canada (HRSDC), the Royal Canadian Mounted Police (RCMP), and Citizenship and Immigration Canada (CIC). These five entities met the following selection criteria:
    • They deliver significant services to Canadians.
    • They are large organizations that rely extensively on IT systems in delivering services.
    • They represent material (significant) IT expenditures and involve IT-related risk, including risks associated with aging IT systems.
  • In addition, we examined three critical systems from the entities selected: HRSDC Employment Insurance Program, CRA Personal Income Tax and Benefits Return administration system, and PWGSC Standard Payment System. These systems were selected because they are central to delivering critical services to Canadians, such as processing and calculating personal and corporate taxes and pensions and other income-related benefits. Any failure of these key systems would directly affect businesses and the lives of Canadians.
  • Finally, we surveyed the chief information officers in 40 government organizations included in the Treasury Board of Canada Secretariat’s Chief Information Officer Council. Collectively, these organizations account for more than 95 percent of the federal government’s expenditures on IT. The purpose of the survey was to determine the state of the government’s aging IT systems and infrastructure. Specifically, the survey was designed to create a broad, representative picture of the risks that aging, critical IT systems pose to delivering government services. The results of the survey also provided us with an overview of specific practices that government departments and agencies are using to modernize their aging IT infrastructure and systems. The response rate to the survey was 100 percent.

Our approach included interviewing officials at the Secretariat and in the five selected entities, analyzing various documents (policies and guidelines), and meeting employees and managers involved in global or IT risk management. In addition to our work at headquarters, the audit included a visit to HRSDC’s Montreal data and call centres.

Criteria

Listed below are the criteria that were used to conduct this audit and their sources.

Criteria and sources

We expected the central agencies to have assessed whether aging critical IT systems pose risks for the government as a whole.

  • Policy on Management of Information Technology, section 8, Treasury Board, 2007

We expected the central agencies, where appropriate, to have either provided direction, or led initiatives to provide government-wide solutions to respond to the risks posed by aging critical systems.

  • Policy on Management of Information Technology, section 8, Treasury Board, 2007
  • Policy on Investment Planning—Assets and Acquired Services, section 6.2, Treasury Board, 2007
  • Implementation Strategy for the Policy on Investment Planning—Assets and Acquired Services, Treasury Board
  • Policy on the Management of Projects, section 6.1, Treasury Board, 2007
  • Directive on Management of Information Technology, section 8.1, Treasury Board, 2009

We expected selected entities to have adequately identified the risks relating to aging IT systems.

  • Policy on Investment Planning—Assets and Acquired Services, sections 3.4 and 6.2, Treasury Board, 2007
  • Risk Management Policy—Appendix B, Phase 1, Treasury Board, 2001
  • Integrated Risk Management Framework—Element 1: Developing the Corporate Risk Profile, Treasury Board
  • Val IT Framework 2.0—IM4: Develop full life-cycle costs and benefits, IT Governance Institute
  • COBIT 4.1, PO9.3: Event Identification; PO9.4: Risk Assessment; PO9.5: Risk Response, IT Governance Institute

We expected selected entities to have adequately managed the risks relating to aging IT systems.

  • Policy on Investment Planning—Assets and Acquired Services, sections 3.4 and 6.2, Treasury Board, 2007
  • Risk Management Policy—Appendix B, Phases 2 and 3, Treasury Board, 2001
  • Integrated Risk Management Framework—Element 3: Practising Integrated Risk Management, Treasury Board
  • Val IT Framework 2.0, VG5.3: Define reporting methods and techniques; PM5.1: Monitor and report on investment portfolio performance; PM6.1: Optimise investment portfolio performance; IM4: Develop full life-cycle costs and benefits, IT Governance Institute
  • COBIT 4.1, PO9.1: IT Risk Management Framework; PO9.5: Risk Response; PO9.6: Maintenance and Monitoring of a Risk Action Plan, IT Governance Institute

We expected the selected entities to have adequately identified the risks relating to selected critical IT systems.

  • Policy on Investment Planning—Assets and Acquired Services, sections 3.4 and 6.2, Treasury Board, 2007
  • Risk Management Policy—Appendix B, Phase 1, Treasury Board, 2001
  • Integrated Risk Management Framework—Element 1: Developing the Corporate Risk Profile, Treasury Board
  • Val IT Framework 2.0—IM4: Develop full life-cycle costs and benefits, IT Governance Institute
  • COBIT 4.1, PO9.3: Event Identification; PO9.4: Risk Assessment; PO9.5: Risk Response, IT Governance Institute

We expected the selected entities to have adequately managed the risks relating to selected critical IT systems.

  • Policy on Investment Planning—Assets and Acquired Services, sections 3.4 and 6.2, Treasury Board, 2007
  • Risk Management Policy—Appendix B, Phases 2 and 3, Treasury Board, 2001
  • Integrated Risk Management Framework—Element 3: Practising Integrated Risk Management, Treasury Board
  • Val IT Framework 2.0, VG5.3: Define reporting methods and techniques; PM5.1: Monitor and report on investment portfolio performance; PM6.1: Optimise investment portfolio performance; IM4: Develop full life-cycle costs and benefits, IT Governance Institute
  • COBIT 4.1, PO9.1: IT Risk Management Framework; PO9.5: Risk Response; PO9.6: Maintenance and Monitoring of a Risk Action Plan, IT Governance Institute

Management reviewed and accepted the suitability of the criteria used in the audit.

Period covered by the audit

The period under audit is from 2007 to 2009. Other documents reviewed that were pertinent to the period under audit go as far back as 1999. Audit work for this chapter was substantially completed on 30 November 2009.

Audit team

Assistant Auditor General: Nancy Y. Cheng
Principal: Richard Brisebois
Lead Director: Tony Brigandi

Directors: Bernard Battistin, Greg Boyd, Marie-Claude La Salle

Simon Couvrette
Violaine Guillerm
Jessica L. Perkins

For information, please contact Communications at 613-995-3708 or 1-888-761-5953 (toll-free).

Appendix—List of recommendations

The following is a list of recommendations found in Chapter 1. The number in front of the recommendation indicates the paragraph where it appears in the chapter. The numbers in parentheses indicate the paragraphs where the topic is discussed.

Recommendation and response

Risk management within organizations

1.49 Citizenship and Immigration Canada, Human Resources and Skills Development Canada, and Public Works and Government Services Canada should use a department-wide portfolio management approach to ensure that they focus on current and planned IT investments that best contribute to meeting their business objectives, with an acceptable degree of risk and at a reasonable cost.
(1.34–1.48)

Citizenship and Immigration Canada’s response. Agreed. Work is already underway, as part of the 2010–11 Integrated Corporate Planning process, to develop a department-wide portfolio approach for IT investments. The Department plans to have the process fully implemented for the 2011–12 planning cycle.

Human Resources and Skills Development Canada’s response. Agreed. The Department will continue to strengthen its implementation of a portfolio management approach to move toward an optimum maturity level.

Public Works and Government Services Canada’s response. Agreed. While the Department has many of the elements in place, it recognizes the benefits of developing an IT Portfolio Management Framework that will support a portfolio management approach for both IT infrastructure and business applications. The plan will be completed by June 2010 and implemented over the next year.

The Department will also enhance its IT Governance Framework to provide oversight of the portfolio management approach. This framework will respect the unique funding structures of the Department. More specifically, it will support governance of IT systems within programs whose funding models include full cost recovery revolving funds, full cost recovery shared services, and common services funded from the general operating budget.

Using its current approach to managing IT investments, the Department has successfully managed a number of IT-enabled business transformation projects. It has obtained Treasury Board funding for projects by providing business cases that identified risk management strategies. Specifically, it has received funding for two critical modernization projects totalling $412 million and self-funded $50 million for other initiatives. Finally, the Department secured funding of $29 million from Treasury Board for IT infrastructure upgrades and has self-funded $9 million toward the $61 million, five-year ever-greening plan.

1.50 Citizenship and Immigration Canada, Human Resources and Skills Development Canada, and Public Works and Government Services Canada should develop a multi-year IT investment plan that presents a balanced mix of mandatory, sustaining, and discretionary investments that they require to both sustain existing systems and to improve service delivery.
(1.34–1.48)

Citizenship and Immigration Canada’s response. Agreed. The Department already has a multi-year investment plan for IT Infrastructure and will add an application component to create an integrated multi-year investment plan. The plan will indicate the mandatory, sustaining, and discretionary investments for meeting business requirements. The Department plans to complete this work over the next two years.

Human Resources and Skills Development Canada’s response. Agreed. The Department is working on a revised multi-year investment plan to be completed in 2010, with specific attention to the full economic life cycle of IT assets and the establishment of quantitative performance metrics for improved risk assessment of our technology assets. This plan will include strategic options analysis and investment scenarios based on available funding sources.

Public Works and Government Services Canada’s response. Agreed. The Department will bring together the several existing components of planning from which we will produce a multi-year integrated information management (IM)/IT investment plan that will include all IT investments organized by

  • the assets portfolio, which includes mandatory and sustaining investments;
  • the innovation and business transformation project portfolio, which includes discretionary investments; and
  • the client portfolio, which presents a branch-specific view of all IT investments.

In addition to portfolio information, the IM/IT investment plan will provide a mechanism to consider common IT requirements across the Department to help ensure that maximum value is obtained from IT investments taking into account the most likely availability of funds. This IM/IT investment plan will be updated on an annual basis to reflect past investment decisions, emerging business needs, and the aging of infrastructure and applications. This IM/IT investment plan will be developed in compliance with the Treasury Board Policy on Management of Information Technology and an initial iteration will be completed by March 2010.

This detailed IM/IT investment plan will complement the integrated investment plan being developed by the Department in compliance with the Treasury Board Policy on Investment Planning—Assets and Acquired Services for which the initial iteration will be provided to the Treasury Board of Canada Secretariat by the end of March 2010. The integrated investment plan will provide a Department-wide overview of the investment planning activities for real property, material, and information technologies.

Risk monitoring within organizations

1.59 Human Resources and Skills Development Canada, Public Works and Government Services Canada, Citizenship and Immigration Canada, and the Royal Canadian Mounted Police should develop an action plan for each significant aging IT risk. The plans should include specific strategies, key activities, deliverables, and timelines to manage these risks. These entities should report progress regularly to senior management.
(1.51–1.58)

Citizenship and Immigration Canada’s response. Agreed. Over the next two years, the Department will develop an action plan for each significant aging IT risk. The plan will include specific strategies, activities, and timelines to manage these risks. Additionally, progress will be reported to senior management on a quarterly basis.

Human Resources and Skills Development Canada’s response. Agreed. The Department is updating its corporate risk register, and it will continue to monitor and report progress on mitigation strategies to senior management.

Public Works and Government Services Canada’s response. Agreed. The Department will use the Operational Risk Profile exercise, which was launched in December 2009 and will finish in March 2010, and the refreshed corporate risk profile to validate the corporate risks, including those relating to aging IT systems and their related applications, and to identify any emerging key risks to Public Works and Government Services Canada.

In addition, an IT-specific risk profile exercise will be conducted with the Departmental IM/IT Steering Committee to develop a departmental IT risk profile. Each of the IT risks will be assessed and prioritized by the Steering Committee. Risk owners for each risk will be identified and engaged in the development of the appropriate risk response strategies. For each risk mitigation strategy, key deliverables will be identified and timelines for completion of those deliverables and indicators to measure success of the strategies will be established. Implementation of these strategies will be monitored and modified when necessary. Their implementation status and success will also be reported to senior management through the Departmental IM/IT Steering Committee and Deputy Minister’s Management Committee. The Department will complete implementation of the process by winter 2011.

Royal Canadian Mounted Police’s response. Agreed. The RCMP will develop specific strategies, key activities, deliverables, and timelines to manage these risks. As of January 2010, significant IT program risks associated with aging systems are reported on the corporate RCMP Risk Register, in compliance with the Treasury Board Risk Management Policy. Risk management updates will occur on a quarterly basis.

Funding strategy to address risks

1.71 Human Resources and Skills Development Canada and the Royal Canadian Mounted Police should identify an appropriate funding strategy. The funding strategy should present investment options, or scenarios that take into account what source of funding would most likely be available in the five-year planning period.
(1.60–1.70)

Human Resources and Skills Development Canada’s response. Agreed. The Department will review its enterprise-wide governance model to ensure the right processes are in place for IT priorities, their funding strategy, and assignment of resources to a balanced mix of IT-enabled projects.

Royal Canadian Mounted Police’s response. Agreed. The RCMP’s latest investment plan was prepared in 2009 to comply with the new Treasury Board Policy on Investment Planning. The IT investments included in the plan will be reviewed and updated on a quarterly basis to ensure resources are allocated according to the RCMP’s needs. IT investments will be prioritized based on operational priorities governed by the Chief Information Officer Strategic Review Council.

Risk identification and management by the Treasury Board of Canada Secretariat

1.86 The Chief Information Officer Branch (CIOB) of the Treasury Board of Canada Secretariat should exercise its central leadership role by collecting and analyzing relevant information to assess the state of aging IT systems across government. The CIOB should prepare a report on its assessment and the related cost estimates for the government as a whole. In consultation with deputy heads, it should also develop a plan that will set the IT strategic directions for the government to mitigate risks associated with aging IT systems on a sustainable basis.
(1.72–1.85)

Treasury Board of Canada Secretariat’s response. Agreed. The Secretariat agrees but notes that it does not formulate funding or investment needs either for departments or for the government; current and future investment needs, and decisions related thereto, are developed and made by ministers and Cabinet, as well as by deputy heads under their authorities.

In consultation with deputy heads and the chief information officer community, the Chief Information Officer Branch (CIOB) of the Secretariat will prepare a report on the state of the aging IT systems that present material risk to the government. CIOB will also develop a strategic direction for IT systems for the government of Canada, and supporting guidance for use by departments, that will help them address ever-greening for mission critical IT systems. The strategic direction developed in concert with the CIO community will assist departments in setting their IT investment priorities, including for aging IT systems that are material to the government.

The assessment of aging IT systems will be completed by April 2011. The strategic direction and supporting guidance for ever-greening mission critical IT systems will be completed by March 2012, and departments will be encouraged to implement the guidance, starting in fiscal 2012–13.

 
