Canadian Space Agency

Audit report

Audit of Information Technology Planning and Development Risks
Project # 09/10 01-04

prepared by
the Audit and Evaluation Directorate

March 2010

1.0 Summary

1.1 Audit Objectives

The objective of this audit was to evaluate whether existing information technology (IT) planning and development processes and procedures align IT with user needs.

1.2 Audit Opinion

In our opinion, the IT planning and development processes and procedures have moderate issues requiring management focus.

1.3 Statement of Assurance

In my professional judgment as Chief Audit Executive, the audit procedures followed and the evidence collected are sufficient and appropriate to support the opinion stated in this report. This opinion is based on a comparison of the circumstances, as they existed at the time, with pre-established audit criteria approved by management. This opinion is only applicable to the subject examined.

1.4 Summary of Recommendations

We noted a number of good practices in IT planning and development. We noted that the Canadian Space Agency (the Agency) placed a high priority on the Information Management and Information Technology (IMIT) strategic planning process and developed a four-year plan. A five-year equipment replacement plan was also developed to cover future needs.

As a result of our testing of existing IT planning and development processes and procedures, we recommend that the Agency:

  • Consider resuming CIMIS Committee meetings or implementing a new user committee to prioritize project proposals related to Agency applications;

  • Document and keep test plans and results, release approvals and rollback plans;

  • Review developer access rights and improve task segregation by restricting write-mode access to production environments.

 

Signature of Chief Audit Executive

Original signed by Dominique Breden

_________________________________________

Audit team members

Pierre Lapointe, Associate Partner, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
David Liberatore, Senior Manager, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
Stephanie Ranno, Senior Auditor, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
Anne Turski, Senior Auditor, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.
Ndeye Astou Ndao, Senior Auditor, Samson Bélair/Deloitte & Touche s.e.n.c.r.l.

2.0 Audit Report

2.1 Background

The Agency's mission is to lead the development and application of space knowledge for the benefit of Canadians and humanity. Its mandate is to promote the peaceful use and development of space, to advance the knowledge of space through science and to ensure that space science and technology provide social and economic benefits for Canadians.

The Agency has some 635 employees with about 90% of them employed at the John H. Chapman Centre, the Agency's headquarters located in St-Hubert, Quebec. There are 90 positions in the IMIT sector (79 employees and 11 vacancies). About 30 of the 79 employees are assigned to information management and the rest handle IT management. They perform traditional IT duties including:

  • designing and implementing telecommunications systems, networks and storage systems,

  • installing and configuring work stations, applications and databases, and

  • providing associated technical support.

About 85% of the Agency's information systems run in a Windows environment and 15% in a UNIX environment. The Agency's network now has 900 to 1,000 users, most of them working at the Agency's headquarters in St-Hubert, Quebec.

The Agency's organizational structure reflects the global context. Space activities are increasingly service-oriented and mainly focus on the needs of end users and the integration of technologies with terrestrial applications. The scope of the IMIT Directorate's responsibility includes managing applications, data and technologies for corporate systems. Approximately 60 applications, either commercial or internally developed, are managed by IMIT.

IMIT's role is to understand requirements and circumstances and develop and implement policies, procedures, programs and activities in response to these requirements.

There are risks involved in achieving IMIT's objectives, such as the quantity and scope of the data it manages. Given the volume of data managed by IMIT, adequate backup and data retention are a significant risk. Systems and data access security is also a significant risk.

2.2 Audit Objectives, Scope and Approach

The purpose of the audit was to evaluate whether existing IT planning and development processes and procedures enable IT to meet user needs. The audit examined IT planning and development processes and activities. More specifically, we examined the following elements:

  • IT planning and development
  • Change management:
    • i. Applications;
    • ii. Database management systems;
    • iii. Operating systems;
    • iv. Network equipment.

The audit only covered corporate systems, including applications, database management systems, operating systems and underlying network equipment, which are under IMIT's responsibility, thus excluding specific technological environments such as those of Satellite Operations and the International Space Centre's Mission Control Centre. Moreover, certain corporate systems including SAP are not managed by IMIT and were not covered by this audit. The audit was mainly performed at the Agency's headquarters in St-Hubert, Quebec.

Audit procedures were carried out from January to March 2010. The audit tests we performed consisted of interviewing the different stakeholders, examining existing documentation, examining existing equipment configurations and comparing procedures and controls implemented by the Agency against industry practices and their application.

2.3 Findings, Recommendations and Management Responses

The findings, recommendations and management responses are presented in detail in the following Appendix.

Ref. 1

Findings: A change management procedure was written but never fully implemented. Work methods for changes to applications, database management systems and operating systems are not standardized.

Impacts: This situation increases the risk that changes will be inconsistent with management's intentions.

Recommendations:

  • Train staff to follow the Agency's change management procedure for all changes.

Responsible: Chief Information Officer (CIO)

Management Response / Action Plan: Steps will be taken to formalize the new change management process and implement it in the various IMIT sectors. The purpose of the new procedure is precisely to standardize the method.

Timetable: The process will be in place and incorporated into IM/IT procedures by September 30, 2010.

Ref. 2

Findings: Although some changes such as operating system patches are preauthorized, these exceptions are not documented in the change management procedure.

Impacts: This situation increases the risk that changes will be inconsistent with management's intentions.

Recommendations: Document preauthorized changes in the change management procedure.

Responsible: CIO

Management Response / Action Plan: Preauthorized changes are well defined and the risk of undesired change is low.

Nonetheless, the documentation will be amended to incorporate the preauthorized change procedure.

Timetable: Documentation will be amended by September 30, 2010.

Ref. 3

Findings: The CIMIS steering committee, made up of members from each of the Agency's sectors, no longer meets regularly to approve IT projects related to Agency applications.

Impacts: This situation increases the risk that changes will be inconsistent with the needs of the user community.

Recommendations: Consider resuming CIMIS committee meetings or implementing a user committee to prioritize project proposals related to Agency applications.

Responsible: CIO

Management Response / Action Plan: IMIT is reviewing its governance model. This model includes a strategic committee made up of sector representatives that take part in decisions on proposals submitted to IMIT.

Timetable: Committee will be implemented by December 31, 2010.

Ref. 4

Findings: The systems development team's change approvals are not retained.

Impacts: This situation increases the risk of follow-up of problematic changes.

Recommendations: Keep the system development team's approvals.

Responsible: CIO

Management Response / Action Plan: Pre-release approvals required by the application owner are always obtained, but are often verbal. A written confirmation will be requested in each case. Note that all change requests have been kept for more than two years now.

Timetable: Change will be implemented by June 30, 2010.

Ref. 5

Findings: Our sample indicated that test plans and results were not systematically documented.

Impacts: This situation increases the risk that changes will be inconsistent with management's intentions.

It also increases the risk of delayed business resumption if there is a problem during a release.

Recommendations: Document and keep release approvals and rollback plans.

Responsible: CIO

Management Response / Action Plan: The current process is a hybrid between change request and release. Corrections are planned in the release process implementation project.

Timetable: The corrections should be made towards March 31, 2011.

Ref. 6

Findings: There is no formal standard or procedure for documenting tests during application software changes.

Our sample indicated that test plans and results were not systematically documented.

Impacts: This situation increases the risk that changes will be inconsistent with management's intentions.

Recommendations:

  • Develop a test documentation standard or procedure, including required test scripts for application software changes.
  • Document and keep test plans and results.

Responsible: CIO

Management Response / Action Plan: Test documentation standards, templates and procedures will be developed in response to this situation. Note that some tests are now in place because of the VISTA project. They have to be incorporated into work habits and processes.

Timetable: March 2011.

Ref. 7

Findings: We were informed that two members of the systems development team release Oracle forms into production.

Also, based on our sample, some developers may have write-mode access to applications in production.

Impacts: These situations increase the risk of unauthorized system changes.

Recommendations:

  • Improve task segregation by restricting access to releases to systems operation staff.
  • Train appropriate systems operation staff to perform these tasks.
  • Review developer access and improve task segregation by restricting write-mode access to production environments.

Responsible: CIO

Management Response / Action Plan: Assigning all releases to systems operation staff significantly increases their workload and may cause delays in correcting applications in production.

Only two people on the development team have in-production access and only for Oracle technology. The two people are experienced and have knowledge that is currently unavailable in the systems operation group. Each release must be supported by a version document and a change request. No incidents in the last five years. The risk is minimal. If the staffing situation changes, the process will be reviewed.

Timetable: No action for now.

Ref. 8

Findings: A formal post-implementation review is not done systematically after major changes.

Impacts: This situation could reduce the effectiveness of future projects and changes.

Recommendations: Amend the change management procedure to include a post-implementation review of major changes.

Responsible: CIO

Management Response / Action Plan: Formal reviews are done at the end of projects. We will have to define what constitutes a major change.

Timetable: Implementation of formal reviews following major changes by September 30, 2010.