Internal Audit and Program Evaluation Directorate
Audit of Information Management

April 2016

Introduction

Information is the cornerstone of a democratic, effective and accountable governmentFootnote 1 and an essential component of effective management across departments. The availability of high-quality, authoritative information supports the delivery of programs and services, and enables departments to be more responsive and accountable to Canadians.Footnote 2 Therefore, information must be well managed throughout its life cycle to enable an effective and responsive government.Footnote 3

The Canada Border Services Agency (the CBSA or the Agency) collects a large volume of information to support its mandate. Information Management (IM) supports the Agency to effectively and efficiently plan, capture, retain, organize, use, disseminate, secure and dispose of the vast quantities of information that it collects.

The overall responsibility for information management is shared among many stakeholders. Under the CBSA’s IM Policy, the President is expected to set the culture and resourcing for integrating IM into Programs. The Vice-President of the Information Science and Technology Branch then ensures tools and processes are in place to manage business information. Vice-presidents communicate IM needs and implement IM practices. Managers at all levels are to deliver programs and support information integrity. Employees at all levels are expected to follow the Agency’s IM practices and communicate issues.

In 2011, the CBSA participated in the horizontal internal audit of IM carried out by the Office of the Comptroller General (OCG). The audit identified opportunities to develop the IM capacity and align IM priorities with the Agency’s objectives. Recommendations were made to develop a contingency plan should IM funding fall short of expectations; and a change management strategy to support the implementation of the IM Program.

The CBSA participated in a horizontal internal audit of IM carried out in 2015–2016 by the Office of the Comptroller General (OCG). IM was ranked as a high audit priority in the OCG’s risk-based audit planning process because it is fundamental to all aspects of government programs and services, supports informed decision-making, efficient and effective service delivery, and is critical to achieving goals and mandate of the government. The Management Accountability Framework (MAF) and past audits have confirmed the existence of IM compliance issues related to recordkeeping; however, the root causes of these issues remain unknown.

The OCG intends to issue its own, government-wide report on IM. The report may not name specific departments and agencies and recommendations will be made based on shared observations and themes.

This CBSA internal audit report communicates the results of the audit from the Agency’s perspective. While this report may include similar themes to those identified in the OCG report, it intends to provide greater detail about the CBSA’s controls over IM.

Significance of the Audit

This audit is of interest to management due to the large volume of information managed by the Agency, and the requirement for timely access to high-quality information to support the Agency’s activities.

The audit objective was to determine whether governance and monitoring frameworks over IM are in place.

The scope of this audit included the IM governance and monitoring control frameworks in place as at December 31, 2015Footnote 4. The audit scope excluded the following:

The audit criteria can be found in Appendix A.

Statement of Conformance

The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The audit approach and methodology followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada, as required by the Treasury Board’s Policy on Internal Audit.

Audit Opinion

The Agency has governance and monitoring control frameworks in place to support IM; however, IM is currently delivered as a number of initiatives instead of an Agency-wide program. As a result, there is an ongoing risk that IM will not be integrated as a foundational business support for the Agency’s activities. Opportunities exist to enhance roles and responsibilities, accountabilities, procedures, and reporting and monitoring practices for IM.

Key Findings

Governance committees exist and are comprised of management that has the ability to influence IM initiatives. While roles and responsibilities were defined and documented, additional communication is required to ensure that all stakeholders are aware of their responsibilities.

IM accountabilities were established for IM committees and the executive level, but not for all employees with IM responsibilities.

Policies, guidance, tools and training were developed and accessible to employees. Opportunities exist to further implement and communicate standard IM tools, guidance and best practices across the Agency to support the consistent implementation of IM.

At the time of the audit, operational and human resources plans to support IM were under development with a draft anticipated for September 2016.

The current monitoring and reporting practices for IM were limited in scope. Expanding activities to monitor and report on IM is needed to support oversight and the identification of issues requiring corrective action.

Summary of Reccomendations

The audit makes four recommendations to:

Management Response

The Information, Science and Technology Branch agrees with the audit report and accepts the recommendations. The actions detailed in this management response will seek to address the opportunities, issues and risks identified in the audit.

Although the management of government information continues to be the responsibility of all government employees, the management of information in an electronic environment is progressively becoming more complex and will increasingly require the expertise and intervention of information specialists. To that end, the function of Information Management in the CBSA continues to evolve in response to internal agency pressures, Government of Canada information initiatives and technological evolution, and in alignment with private industry information practices and worldwide trends in Information Management science. The recommendations advanced through this audit will ensure that the function of Information Management will continue to support the growth of an organizational culture that values information and its effective management.

The four audit recommendations cover the topics of roles, responsibilities and communications, information tools and best practices, operational and human resources plans and reporting and monitoring. Together, these effectively cover all core aspects of the information management function as outlined under policy and directives. The management action plan will clearly define the processes and activities that will address each of the recommendations. By responding to the recommendations, the IM function will continue to mature as a foundational business support; enabling the management of information as a business resource in continued alignment with transformation initiative.

Audit Findings

Governance Framework

Audit Criteria:

Governance structures support sound Information Management (IM) accountability and the Government of Canada IM Program.Footnote 6

Governance, Accountability, and Roles and Responsibilities

Managing information is essential to the effective delivery of the Agency’s mandate. Documented and communicated accountabilities, and roles and responsibilities for information management support the value of information throughout its useful life.Footnote 7

Roles and Responsibilities

The roles and responsibilities for IM stakeholders are defined in the Treasury Board (TB) Policy on IM and Directive on IM Roles and Responsibilities. IM roles and responsibilities for CBSA specific positions are included in the Agency’s IM Policy.

The Agency has also developed a Data Governance Framework that defines additional responsibilities for data ownership and governance. At the time of the audit, the Framework had been approved; but not yet circulated to all stakeholders.

IM requires the collective effort of numerous stakeholders. At the CBSA, these stakeholders and responsibilities include:

Table 1: Summary of Oversight and Responsibilities for IM

Stakeholders Responsibilities
President Setting the IM culture, resourcing, integrating IM into programs and services, participation in government-wide IM initiatives, reporting concerns to the Treasury Board Secretariat, and designating the Agency’s Information Management Senior Official (IMSO).
Vice-President of the Information Science and Technology, IMSO Championing, leading and coordinating the Agency’s IM program by ensuring the appropriate direction, processes and tools are in place to effectively manage business information.
IM Functional Specialists Supporting the effective management of departmental information throughout its life cycle through various initiatives.
Vice-presidents, direct reports to the President, and regional directors general Communicating IM needs to the IMSO, and implementing and IM guidelines, standards, practices and tools.
Director General Communications Approving decision that impact the Agency’s internet and intranet; and ensuring compliance of web content and posted information.
Managers at all levels Managing information as an integral part of their program and service delivery and as a strategic business resource; and for managing resources, tools and processes to support information integrity and achieve outcomes.
Employees at all levels Applying information management policy, standards, procedures, directives, guidelines, tools and best practices; documenting their activities and decisions; and communicating IM issues and requirements to their manager.

Accountability

At the executive level, the following IM accountabilities are identified in performance management agreements:

Below the executive level, IM accountabilities are not consistently included in the performance agreements of all employees.

While the Treasury Board Secretariat (TBS) and CBSA policy instruments identify IM roles and responsibilities for all employees, employees below the executive level may not have formal IM accountabilities that make them aware of their IM roles and responsibilities.

The findings noted in the above section are addressed through recommendation #1.

Governance

The Agency has established IM governance committees with documented roles and responsibilities, agendas and records of decision that were communicated through the Agency’s intranet (Atlas), wiki and electronic document and record management system (Apollo). Roles and responsibilities were documented at the committee-level, and IM committee membership included representation from all responsibility areas identified in both TB and CBSA IM policy instruments with the exception of the Director General of Communications. Opportunities exist to include a representative from the Agency’s Communications Directorate in IM committee membership to satisfy CBSA’s IM Policy requirements related to effective oversight of the Agency’s intranet, internet and web content.

During the audit period, the Agency’s IM governance structure was undergoing changes to enhance oversight. Until November 2015, the Agency’s IM governance structure had the following indirect reporting relationship with the Executive Committee (EC). A summary of the committees involved can be found in Appendix B.

Figure 1. Pre-November 2015 - IM Governance Structure with Indirect Reporting to EC

Pre-November 2015 - IM Governance Structure with Indirect Reporting to EC

The indirect IM governance structure had the following limitations:

In November 2015 the following direct IM governance structure was approved by the Agency’s EC:

Figure 2. As at November 2015 - IM Governance Structure with Direct Reporting to EC

As at November 2015 - IM Governance Structure with Direct Reporting to EC

The Information Management Committee (IMC) merged the IMISC and the DFSC into one forum. The IMC, which reports directly to the EC, has a membership that includes numerous vice-presidents and directors general. The creation of the IMC was intended to enhance the management, access, and integrity of the Agency’s data and information assets to enable better business decision making; the first meeting was expected in January 2016.

In summary, roles and responsibilities for governance committees and employees were defined, documented and communicated. While IM performance targets were established for the executive level and functional specialists, opportunities exist to further align IM accountabilities for all employees with the IM responsibilities defined in the CBSA and TB instruments. Implementation of a direct IM governance structure is expected to enhance senior management’s oversight of IM.

Recommendation 1:

The Vice-President of the Information, Science and Technology Branch should ensure that responsibilities and accountabilities for IM are further defined and communicated.

Management Response: Completion Date:
The Information, Science and Technology Branch agrees with this recommendation. The responsibilities and accountabilities for the management of information as defined under both the Agency Policy on Information Management and the Treasury Board Information Management policy suite will be reviewed in consultation with stakeholder representatives to identify any potential gaps with the Agency’s current distribution of IM responsibilities and accountabilities. In order to ensure thorough communication of responsibilities and accountabilities, multiple mediums will be used. A comprehensive communications plan focusing on strengthening the organizational information culture will be developed and executed. September 30, 2016

Agency-level IM Guidance and Initiatives

Formalized policies, procedures, tools and training support the consistent application of IM across the Agency.

Promotion, Policies and Procedures

The Agency established a web page on its Atlas Intranet dedicated to IM that provided access to guidance, including:

Additional IM support was communicated to all employees on an ad-hoc basis by email.

Overall, guidance to support IM was developed and made accessible to employees.

IM Initiatives

The Government of Canada IM Strategy outlines changes in the strategic and operating environment including the transition to an enterprise-wide IM solution (e.g. GCDocs, the Government of Canada's primary repository for unstructured information), the Email Transformation Initiative, and the launch of Canada’s Open Government Initiative. The Agency has been focusing on the following initiatives:

Apollo is the CBSA’s version of GCDocs. Its implementation is intended to consolidate unstructured information stored in multiple independent sources such as shared drives, emails, and filing cabinets. At the time of the audit, Apollo was implemented at headquarters and deployment to the regions was scheduled for 2016–2017. Implementation has required more time than anticipated due to:

Once the national implementation of Apollo is complete, the Agency will be able to enforce its mandatory use and communicate best practices for its use. However, additional consideration will be required to manage protected and classified documents.

The Email Transformation Initiative is a major project led by Shared Services Canada (SSC) intended to consolidate the email services of over 43 government departments and agencies into a single cost-effective, secure, and modern email solution. While SSC’s implementation of the project has been delayed, the Agency continues to provide guidance related to storage limits to prepare employees for the updated transition anticipated in 2016.

Open Government is the practice of making government data and information freely available to the public to promote transparency, participation, collaboration, and innovation. At the time of the audit, the Agency has shared six datasets including border wait times, volumes of travellers and conveyances, and a directory of CBSA offices. In addition, both Apollo and the Email Transformation Initiative are Open Government innovation initiatives.

In November 2015, the Agency developed a Data Governance Framework intended to protect data quality and integrity, and to support the use of data to improve decision making and service delivery. At the time of the audit, the Framework had been approved, but not yet circulated to all stakeholders.

The audit confirmed that the Agency is supporting Government of Canada Initiatives; however, compliance with Government of Canada initiatives has been the focus of its IM efforts over the past few years. Opportunities exist for the Agency to focus on maturing its IM function to further support the achievement of its own business objectives.   

Recommendation 2:

The Vice-President of the Information Science and Technology Branch should ensure that standard IM tools, guidance, and best practices are fully implemented and communicated across the Agency.

Management Response: Completion Date:

The Information, Science and Technology Branch agrees with this recommendation. Over the past two years, the CBSA has been implementing the Apollo Electronic Document and Records Management system. Apollo is aligned with the standard GC build and configuration and built to facilitate the eventual transfer to the GC hosted service. Other standard IM methodologies currently in use include the Record Keeping Assessment Tool for records management and an information classification structure aligned with the GC structure for the management of common administrative services including Finance, Human Resources.

In order to identify other standard tools and methodologies, the ISTB will conduct an environmental scan of other departments (law enforcement focus) in order to identify any gaps in the IM services currently provided. Through the development of an Information Management service model in conjunction with the new IM Strategy, the IM functional specialists will continue to disseminate best practices, guidance and methodologies for the management of business information.

March 31, 2017

Strategic and Operational Plans

An operational plan is a multi-year plan that outlines the goals, actions, priorities, resources, policies, standards, and procedures that are required to achieve strategic objectives.Footnote 8

The audit confirmed that Agency-level IM priorities were aligned with those of the Government of Canada, identified in the CBSA Integrated Business Plan 2015–2018, and communicated through the Agency’s intranet.

IM strategic plans were developed for 2010–2014, 2014–2015 and 2015–2018 and included a framework, office of primary interest, and target date for key initiatives to achieve the IM objectives. The IM strategic plans were available on the Agency’s wiki and Apollo. Although the 2015-2018 IM Strategy had been presented to the IM committees and reviewed by the Vice-President of the Information, Science and Technology Branch (VP ISTB), it has not been approved. The audit also identified that the IM strategies only required approval by the VP-level, and that without the Executive Committee’s endorsement, IM may be perceived as an ISTB initiative instead of an Agency-wide program to support business objectives.

At the time of the audit, an operational plan to achieve the objectives of the 2015–2018 IM Strategy was under development. A draft was anticipated by September 2016. Opportunities exist for the VP ISTB to engage the branches and regions in the development of operational plans to support IM as an Agency-wide function.

The delay of approval of the 2015–2018 strategy and implementation of operational plans may impact the achievement of strategic IM objectives.

The findings noted in the above section are addressed through recommendation #3.

Human Resources Plans

People are a key factor in successful information management.Footnote 9 Effective planning ensures resources are allocated in a manner that supports program outcomes and government priorities.Footnote 10

IM Competencies and Capacity

The evolution of IM has outpaced the available support for the IM Community. Management indicated that multi-disciplinary professionals were required to support the required changes in IM. At the time of the audit, human resources plans to support IM professional and multi-disciplinary teams were under development and anticipated for September 2016. The intention is to staff management positions skilled in business process, change management, information architecture and client service, followed by teams of information analysts, digital specialists and facilitators. However, current occupational groups and training may not be sufficient to support required IM competencies:

Recommendation 3:

The Vice-President of the Information, Science and Technology Branch should ensure operational and human resource plans are developed and implemented in collaboration with branches and regions to develop Agency-wide support for IM.

Management Response: Completion Date:

The Information, Science and Technology Branch agrees with this recommendation. The support level the current IM function is able to provide to the Agency is limited to the management of paper records within the Headquarters area, the management of electronic information currently in Apollo, and the provision of some regional support in the form of guidance and advice. Agency-wide support for standardizing information management practices has yet to be developed and it is recognized that the CBSA is currently managing only a relatively small portion of its information with inconsistent information practices across the country.

Organizational understanding of IM and IM functional support for the regions will only be built through the alignment of several factors including: the stabilization of the central IM function with the normalization of the Apollo team from project to ongoing state, the dissemination and implementation of the Retention and Disposition Authority expected from Library and Archives Canada, and the creation of an HR and training plan to strengthen the core IM functional team and propose IM positions for the regions.

March 30, 2017

Monitoring Control Framework

Audit Criteria:

Monitoring and reporting are ongoing, systematic processes for collecting, analyzing, and communicating performance information. They are essential components of an organization’s progress towards meeting expected results and making adjustments, if necessary, to ensure that they are achieved. Monitoring and reporting support decision-making, accountability and transparency. Footnote 11

Compliance with Policy Requirements

The monitoring and reporting requirements for IM were defined, documented and communicated in TB policy instruments.

The Agency has assessed compliance with the TB policy requirements through the following:

Action plans were developed by the offices of primary interest to address observations and implementation status was periodically monitored by various Agency-level committees.

While additional compliance activities could provide assurance that the Agency is compliant with policy requirements, management indicated that the IM function was not sufficiently resourced to adequately monitor compliance.

Agency-specific Monitoring and Reporting

The Agency has established key performance indicators, and a monitoring and reporting practice for the implementation of initiatives such as Apollo. Reports were presented to the Agency’s Executive Committee on a semi-annual basis. Updates on IM and initiatives were also presented to various committees.  

The current monitoring and reporting practices for IM were limited in scope. At the time of the audit, additional performance indicators were being developed for the 2016–2017 Integrated Business Planning process, which may provide for a broader measurement of the IM activity.

Expanding activities to monitor and report on IM will support timely oversight and the identification of issues requiring corrective action.

Recommendation 4:

The Vice-President of the Information Science and Technology Branch should ensure that monitoring and reporting practices are in place to support timely oversight of IM and identification of issues requiring corrective action, and results are regularly presented to the appropriate committees.

Management Response: Completion Date:
The Information, Science and Technology Branch agrees with this recommendation. In order to ensure the CBSA has sufficient oversight of IM and any associated issues, monitoring and reporting activities must be put in place in order to identify gaps in the management of information and to allow for the development of timely mitigation activities. Initiate reporting at branch and regional levels to support the presentation of best practices, potential risks and areas requiring improvement, to appropriate committees. December 30, 2016

Appendix A – About the Audit

Audit Objectives and Scope

The audit objective was to determine whether governance frameworks, along with monitoring control frameworks, over IM are in place.

The scope of this audit included the IM governance and monitoring control frameworks in place as at December 31, 2015Footnote 12. The audit scope excluded the following:

The audit criteria can be found in Appendix A.

The audit’s planning phase was from April 2015 to August 2015; the conduct phase, from September 2015 to December 2015; and the reporting phase, from January 2016 to April 2016.

The Northern Ontario Region was visited during planning. Teleconferences were held with the Quebec and Pacific regions during the examination phase.

The Audit of Information Management (IM) was approved as part of the Canada Border Services Agency’s (CBSA or the Agency) 2014–2015 to 2016–2017 Risk-Based Audit Plan.

Risk Assessment

To assist in audit planning and determine potential priorities and areas of audit, the audit team conducted a preliminary risk assessment. Areas with risks assessed as medium-low or low were scoped out. Based on client interviews, documentation review, and a site visit to Northern Ontario Region during the planning phase, the following key risks were identified:

Approach and Methodology

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada. The examination phase of this audit was performed using the following approach:

Audit Criteria

The audit criteria were derived from the Office of the Comptroller General’s Audit Criteria Related to the Management Accountability Framework: A Tool for Internal Auditors, the Assertions from the CICA Handbook and the CICA Criteria of Control Framework (CoCo).

Lines of Enquiry Audit Criteria Audit Sub-Criteria
2. Governance Framework 2.1 Governance and accountability structures, including definitions of roles and responsibilities, are in place. 2.1.1 Departmental governance committees are established, are achieving their purpose, meet regularly and consider IM related objectives and initiatives.
2.1.2 Departmental governance committees have a documented and communicated mandate, purpose and roles and responsibilities.
2.1.3 Departmental stakeholders have defined and communicated roles and responsibilities for IM
2.2 IM policies are defined, documented, communicated and aligned with the applicable policies. 2.2.1 Departmental IM policies, procedures, guidance and tools have been developed, are in place and are kept up to date to ensure alignment with the government’s IM policy framework.
2.2.2 Departmental IM policies and procedures have been communicated to all stakeholders within the departments.
2.3 Plans are in place and communicated to implement government-wide and Agency IM initiatives. 2.3.1 IM operational plans have been developed and communicated with consideration of government-wide and departmental IM objectives.
2.4 HR plans are established and aligned with government and Agency priorities. 2.4.1 The IM function promotes and builds the IM capacity.
3. Monitoring Control Framework 3.3 Monitoring and reporting on compliance with IM policies has been implemented. 3.3.1 IM policies and procedure requirements are monitored and reported for compliance.
3.4 Action plans have been developed and implemented to address gaps in compliance. 3.4.1 Action plans are developed to address gaps in the compliance with departmental IM policies and procedures.

Appendix B – CBSA’s Previous Indirect Governance Structure

The following table identifies committees in the CBSA’s governance structure for IM prior to November 2015:

Governance Committee Description IM Oversight:
Executive Committee (EC) The Agency’s senior management decision-making forum responsible for the overall strategic management and direction of the Agency’s policy, program and corporate responsibilities. Indirect
Transformation Executive Steering Committee (TESC) Accountable to the EC. Provides strategic management and direction of the Agency’s transformation initiatives, provides horizontal linkages, and sets strategic and operational priorities to deliver on the Agency’s modernization initiatives. Ad-hoc
Transformation Innovation and Project Portfolio (TIPP) Committee Accountable to the EC. Supports co-chairs and members in decision making related to project portfolios within their authority. IMISC
Corporate Management Committee (CMC) Accountable to the EC. Supports the co-chairs and members in decision making related to their authorities in strategic management and stewardship of human resources, financial resources, and infrastructure. IMISC
Program Policy Committee (PPC) Accountable to the EC. Supports the co-chairs in decision making related to their authorities in the areas of strategic management of Agency priorities. DFSC
IM Initiatives Steering Committee (IMISC) Accountable to the TIPP, and to the CMC for the Management Accountability Framework. Responsible for the overall strategic management and direction of major IM initiatives as defined by the IMSO. Direct
Data Fusion Steering Committee (DFSC) Accountable to the PPC. The co-chairs set the overall strategic direction to request that items be brought forward at a specified date, and to approve agendas. Direct

Appendix C – List of Acronyms

CBSA
Canada Border Services Agency
CMC
Corporate Management Committee
DFSC
Data Fusion Steering Committee
EC
Executive Committee
GCDOCS
Official enterprise document and records management solution of the Government of Canada
HR
Human Resources
IM
Information Management
IMC
Information Management Committee
IMISC
IM Initiatives Steering Committee
IMSO
Information Management Senior Official
ISTB
Information, Sciences and Technology Branch
OCG
Office of the Comptroller General (TBS)
PPC
Program Policy Committee
SSC
Shared Services Canada
TB
Treasury Board
TBS
Treasury Board Secretariat
TESC
Transformation Executive Steering Committee
TIPP
Transformation Innovation and Project Portfolio Committee

Date modified: