Management Action Plans Follow-up for Internal Audit
Canadian Space Agency (CSA)

Annual Report as at March 31, 2012
Prepared by the
Audit and Evaluation Directorate
April 2012

Implementation Summary

This follow-up report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by the various entities concerned in response to our findings and recommendations. As part of the follow-up process in effect, management action plans are to be reviewed annually until they are fully implemented, and the extent of implementation is to be assessed and reported to the Departmental Audit Committee (DAC).

This annual report contains the follow-up findings as at March 31, 2012, for 15 audit projects for which reports and management action plans have been submitted to and approved by the DAC. The following charts give an overview of the implementation status of the management action plan elements.

The following pages set out in detail the progress of the action plans for each of the audit projects.

Opening Balances

Audit project objective

In the framework of Financial Information Strategy (FIS) implementation, the establishment of opening balances as at April 1, 2001, was the starting point for recording and accountability under the new accounting standards. The purpose of this project was to ensure that the opening balances had been correctly established and recorded in compliance with the new accounting conventions.

Nature of recommendations

It was pointed out in the audit report submitted in November 2002 that the opening balances as at April 1, 2001, as reviewed and corrected with the participation of the Receiver General and the Treasury Board Secretariat (TBS), complied with requirements. However, we submitted recommendations to the Finance Directorate to the effect that the accuracy of audit balances could be guaranteed throughout the year by validating the balances of certain accounts, setting up periodic account analysis procedures, and making effective policies available to staff.

Implementation status

The final outstanding element of the action plan was completed in 2011. It involved determining the value of Canadian Space Agency (CSA) inventory, assessing materiality, and indicating fair value in the financial statements, where applicable. To that end, the accounting group established specific inventory lists for all CSA directorates and assessed the value of the items identified.

Following the implementation of that action, management says it is able to confirm that the CSA has no items that meet the definition of a stock. Therefore, there is no stock to account for in the CSA's financial statements.

Management Framework, David Florida Laboratory (DFL) Directorate

Audit project objective

The audit project objective was to evaluate the extent to which governance, operations and information system elements in the David Florida Laboratory (DFL) Directorate's management framework allow the DFL to fulfil its mandate; carry out operations effectively, efficiently and economically while complying with requirements prescribed by acts, regulations and policies; and protect and account for the use of resources.

Nature of recommendations

Observations and recommendations to management focused on improving financial information quality, demonstrating transparency and fairness when charging external user fees, and managing accounts receivable more rigorously.

Implementation status

The reconciliation of DFL inventories with those in SAP books of account is complete. Each non-reconciled item is currently being verified and analyzed in order to determine whether it should be written off.

Adjustments will then be made to the SAP books of account so that they reflect the true value of the inventory.

Action plan implementation will be complete once these actions have been taken.

Project Management Processes and Practices

Audit project objective

The objective of this audit project was to assess to what extent the CSA's project management processes and practices (Phases 0 to E inclusive) enable it to make informed decisions as to the choice of projects/initiatives to be financed; to follow up appropriately; to implement approved initiatives in line with the principles of effectiveness, efficiency and economy; to attain the planned results as set out in the main planning documents; to comply with all relevant policies, regulations and guidelines issued by the CSA and the central agencies; and to report on resource use.

Nature of recommendations

We reported in October 2007 that the CSA had developed good project and risk management frameworks but did not make proper use of them in day-to-day management. We also observed that cost/benefit performance problems, missed deadlines and cost overruns were endemic in the projects conducted by the Agency. Our findings concerned the decision-making process, obtaining financial authority, information integrity, the Project Approval and Management Framework (PAMF), project planning, changes in project scope, cost estimates, technology maturity, project follow-up, risk management and performance evaluation.

Implementation status

The outstanding elements of the action plan involve reviewing project approval governance processes and prioritizing projects. The Planning and Performance group undertook corporate governance renewal in May 2011. A working group was established and a plan prepared to review the following aspects: the process and criteria for selecting and prioritizing projects, the governance framework, the governance structure, the consultation mechanisms for external stakeholders, the validation and approval process for assessing project complexity and risk, the delegated authority matrix, the formal resource reallocation process, performance indicators, and the implementation plan. The new target date is September 2013.

Staffing Activities and Transactions

Audit project objective

The objectives of this audit project were to evaluate the extent to which the recommendations of the Public Service Commission (PSC) audit report of May 2006 have been implemented and to determine whether the management framework for staffing activities and transactions is consistent with the new Public Service Employment Act and with PSC policies, regulations and orders.

Nature of recommendations

In August 2008, we reported that although there was still some work that needed to be done, our view was that management had responded with due diligence to the recommendations in the PSC report.

We also drew management's attention to the challenges in store for the CSA with respect to its workload and succession planning. We indicated that measures would be required to manage the workload with a view to filling vacant positions within a reasonable time frame and to cope with the massive departures expected in a number of key groups over the coming years.

Implementation status

A number of measures were put in place in 2011 to respond to the last outstanding recommendation, which was to establish a formal tracking system to measure the actual time required to complete staffing processes.

The introduction of a new electronic human resources service request (HRSR), designed to automate staffing and classification requests, now ensures rapid access to reports on the processing times for completed staffing requests. At the same time, a fast-track staffing service and service agreements with managers have also been introduced.

The PSC also assesses departmental performance using a staffing process management framework. A dashboard has been developed internally to track staffing action processing times.

With all the activities carried out in recent years, we believe that the action plan has been fully implemented.

Business Continuity Planning

Audit project objective

The objective of this audit was to evaluate the compliance of the Business Continuity Planning (BCP) Program, whose purpose is to maintain essential operations in the event of a disaster at the CSA.

Nature of recommendations

In January 2009, we reported that management had implemented a governance framework and plans in keeping with Treasury Board (TB) policies and standards.

However, a number of recommendations were made to improve the effectiveness and efficiency of business continuity planning in the event of a disaster at the CSA.

We recommended that the corporate policy be finalized, that replacements for the corporate coordination cell be designated, that training sessions be organized, and that business continuity plans related to essential services be finalized.

Implementation status

Given the complexity of the analysis of the impact of a disruption in CSA services, corporate business continuity planning for the CSA as a whole, and the fact that 2009-2010 was dominated by the issue of Influenza A (H1N1) prevention, management expects to complete action plan implementation in April 2013.

During the year, management completed the analysis of the impact of a disruption in services for the CSA as a whole. That analysis will serve as a guide for various plans that must be implemented before business continuity planning can take place. Management had already introduced a business continuity planning directive, approved by the Executive Committee, and shared it with representatives in each sector. Moreover, replacements were designated for members of the corporate coordination cell to ensure the continuity of the three CSA operations deemed essential in the event of a disaster.

In an effort to complete the implementation of the action plan, management will ensure that a maintenance cycle for all BCP Program preparatory plans, including the analytic report on lessons learned from trial runs, is available and is validated and updated.

Values and Ethics Management Framework

Audit project objective

The audit determined the extent to which the President of the CSA has integrated control activities intended to highlight the importance of values and ethics in achieving organizational objectives.

Nature of recommendations

In March 2010, we reported that, overall, management had implemented activities to promote values and ethics at the CSA.

However, we also focused management's attention on recommendations designed to improve governance, procedures, the dissemination of information, and communications on values and ethics.

Implementation status

Over the past year, management has fully implemented five of the recommendations, including the introduction of:

  • a values and ethics communications plan;
  • a process of periodically requiring employees to certify compliance with the Values and Ethics Code of the Public Service; and
  • a formal process for handling confidential reports.

Management has informed us that the outstanding element relating to the dissemination of the new organizational code of conduct will be gradually implemented once the new version of the Values and Ethics Code for the Public Service has been approved by Parliament. The new code will serve as the basis for the final version of the CSA's own code of conduct. With the introduction of the new Values and Ethics Code for the Public Sector on April 2, 2012, management will begin addressing the outstanding element in the coming months.

Note that the CSA has a values and ethics policy committee to ensure that activities are implemented as planned. Such activities include disseminating and promoting values and ethics on the CSA website in order to keep partners, clients and service providers informed.

Corporate Risk Management Framework

Audit project objective

The audit evaluated the extent to which management has established a corporate risk management framework that ensures that operational risk is taken into account.

Nature of recommendations

In September 2009, our audit revealed that, in general, the CSA's corporate risk management framework reflects the elements of the TBS Integrated Risk Management Framework (IRMF).

However, recommendations regarding the following were made:

  • Developing a corporate policy and related procedures;
  • Distinguishing the IRMF from the project management framework;
  • Presenting IRMF information on the CSA's intranet site;
  • Having an executive assume the role of risk management champion; and,
  • Making the Director of Governance, Planning and Performance responsible for the risk management function.

Implementation status

Over the past year, progress has been made on one of the three outstanding activities. In fact, management completed work on the recommendation regarding finalizing and obtaining Executive Committee approval of the integrated risk management policy.

The three activities that are still outstanding involve:

  • Disseminating the new integrated risk management policy and related procedures;
  • Providing the clarifications needed to clearly distinguish the corporate IRMF from the project management framework;
  • Presenting information on the corporate IRMF in its own section of the intranet.

Note that some of the target dates prescribed in the initial action plan have been extended.

Currently, management is unable to set a fixed target date for disseminating the new policy and for providing clarifications to distinguish the corporate IRMF from the project management framework. On the other hand, the presentation of information on the corporate IRMF should be completed by fall 2012.

Proactive Disclosure Process

Audit project objective

The objective of the audit project was to determine whether the existing management framework allows the CSA to meet government requirements for proactive disclosure of financial and human resources information.

Nature of recommendations

In June 2010, we reported that, in our opinion, management had established a management framework, allowing it to meet requirements concerning proactive disclosure.

We drew management's attention to some observations and recommendations that were mainly designed to make some elements of its management framework more effective.

Among other things, management needed to pay particular attention to documenting duties, roles and responsibilities related to publishing grants and contributions over $25,000. Moreover, for each disclosure item, we recommended including a procedure for verifying data following quarterly publication to identify discrepancies. Finally, we recommended reviewing procedures for disclosing contracts to ensure publication of all contracts over $10,000.

Implementation status

Management took steps to include a procedure to verify data following quarterly publication of travel expenses, grants and contributions over $25,000, contracts over $10,000, and reclassifications. The documenting of tasks to be carried out, and of roles and responsibilities for the disclosure of grants and contributions over $25,000 was also completed. The publication processes for contracts over $10,000 were also reviewed to ensure that all contracts are published. All activities in the action plan were fully carried out.

Organizational Risk Profile (ORP)

Audit project objective

The Office of the Comptroller General (OCG) conducted this audit in 2009 as part of its horizontal audit plan. The audit objective was to determine whether organizational risk management systems and practices, especially those associated with ORPs, are in place to confirm the existence of risk identification and mitigation strategies in the activities of large departments and agencies (LDAs).

Nature of recommendations

In September 2009, the audit report tabled by the OCG recommended various measures to enhance governance and continuous improvement, as well as systems and practices surrounding the ORPs of LDAs.

Management was asked to:

  • Assign organizational risk management roles and responsibilities to senior managers.
  • Review its systems and procedures annually.
  • Make sure that the risk identification process includes management and corporate risks, and that it identifies external risks.
  • Define, document and disseminate a shared concept and application of risk tolerance.

Implementation status

Over the past year, management has fully implemented the recommendation on finalizing and obtaining Executive Committee approval of the integrated risk management policy, and on identifying a champion. It should be noted that, as of April 1, 2010, Governance, Planning and Performance became responsible for integrated risk management.

Outstanding activities involve reviewing systems and risk identification processes, and documenting and disseminating a shared application of risk tolerance. The delay in moving forward with the action plan is the result of a lack of resources, and management is not currently able to set a fixed target date for completion of the three outstanding activities.

Information Technology Dependence

Audit project objective

The audit objective was to evaluate the adequacy and effectiveness of mechanisms in place to control processes and procedures designed to reduce the risk of information technology (IT) dependence in the Information Management and Information Technology (IM/IT) sector.

Nature of recommendations

In March 2010, we identified a number of good practices relating to IT dependence in the IM/IT sector. We also noted that the CSA attached great importance to the IM/IT strategic planning process.

However, some recommendations were made to reduce the risk of IT dependence. Those recommendations involved data backup and restoring, human resources, computer applications, and IT architecture.

Implementation status

Over the past year, management has fully implemented (100%) four of the 15 recommendations from the audit report, bringing the number of 100% completed recommendations to seven. The completed recommendations relate to follow-up on licences, access to backup systems, backup copies, the logging of backup errors, employee training, extra employees for network administration and support duties, and the identification of obsolete applications.

The recommendations relating to the technological environment, applications, the business continuity plan, and the IT recovery plan are in the process of being implemented.

Note that some of the target dates prescribed in the initial action plan have been extended. Management plans to finish implementing the recommendations by March 31, 2013, with the exception of the testing of the business continuity plan, which is scheduled for 2014 in order to ensure that client needs, which will be set out in the CSA's business continuity plan, are met.

Information Technology Planning and Development Risks

Audit project objective

The objective of the audit was to evaluate the extent to which information technology (IT) planning and development processes and procedures ensure that IT aligns with user needs.

Nature of recommendations

In March 2010, we identified a number of good practices with regard to IT planning and development. We noted that the Agency attached great importance to the Information Management and Information Technology (IM/IT) strategic planning process.

However, some recommendations were made to help mitigate risks in IT planning and development. Those recommendations targeted change management and releases.

Implementation status

During the year, management made sure to document and keep release approvals and rollback plans. Implementation of this recommendation brings the number of 100% completed recommendations to five. The following activities were carried out in previous years, for 100% completion of the recommendations:

  • Steps were taken to formalize the new change management process;
  • Priorities were established in each sector for initiatives to be proposed in the coming year;
  • Written confirmation must now be obtained from the owner of an application when systems are modified;
  • With regard to developers' access to production environments, management decided not to take action, deeming that the risk was minimal. Management noted that the existing process would be reviewed if necessary.

The recommendations involving preauthorized changes, test documentation, and post-implementation review are currently being implemented.

Some of the target dates prescribed in the initial action plan have been extended, but management plans to finish fully implementing the action plan by March 31, 2013. However, the transition of some employees to Shared Services Canada could mean a further extension of the target dates.

Systems and Data Security

Audit project objective

The audit objective was to evaluate the extent to which processes and procedures for the security of data and systems under the responsibility of Information Management and Information Technology (IM/IT) provided adequate protection of the CSA's data and systems.

Nature of recommendations

In March 2010, we identified a number of good practices relating to the security of data and systems for which IM/IT is responsible.

However, some recommendations were made to help mitigate risks related to the security of data and systems. Those recommendations involved the documentation of standards and processes, patches, system journals, application privileges and access, databases and labs.

Implementation status

Over the past year, management has reviewed the lists of cardholders with access to the computer lab, and has documented a periodic review procedure for cardholders. This brings the number of 100% completed recommendations to seven. The following activities were carried out in previous years to achieve 100% completion:

  • Management continues to document technology configuration standards;
  • The proper operation of maintenance contracts made it possible to apply missing patches;
  • The Oracle Journals project has been operating since February 28, 2011. This project allows Oracle journals located on various servers to be accessed from one central point;
  • The transition to Windows Vista made it possible to grant users only the privileges they need to perform their duties;
  • Wherever possible, temporary passwords are used;
  • Managers are now aware of the need to inform IM/IT of all staff movements and their impact on access.

The recommendation relating to the documenting of the accreditation and certification process is currently being implemented. The new, tentative target date is September 2012.

Official Languages

Audit project objective

The audit project objectives were to determine the degree to which CSA practices with respect to official languages comply with the Official Languages Act (OLA) and the official languages policies and directives of the Treasury Board (TB), and to assess the management framework for the CSA's Official Languages Program (OLP).

Nature of recommendations

In February 2011, we noted that, overall, the CSA was complying with the OLA and with TB policies and directives concerning official languages, and that its OLP management framework was appropriate. However, recommendations were made to improve compliance and the existing management framework.

The recommendations involved the active offer of service in both official languages; the procedures for handling complaints; the rights and obligations of employees; emails; the Livelink interface and the order of presentation of names of directories; meetings and the drafting of documents; scientific training; the dissemination of action plans; and the satisfaction of DFL employees.

Implementation status

During the year, management has fully implemented (100%) three of the eight recommendations in the audit report. The following actions were taken to respond to those recommendations:

  • Management has established procedures for handling official languages complaints;
  • Management has continued to make employees and managers aware of their official languages rights and obligations;
  • The action plan, including the audit recommendations, was made available to all employees.

Good progress is being made on the recommendations relating to active offer, the Livelink interface, the drafting of documents, meetings, language of work, and training. Management expects the action plan to be fully implemented by May 2013.

Management of Testing Facilities

Audit project objective

The audit project objective was to assess whether test facility planning and management processes make it possible to effectively and efficiently fulfil internal and external clients' requirements, and so attain the DFL program's expected objectives and outcomes.

Nature of recommendations

In November 2010, we found that the DFL had adopted procedures for managing the quality of its services, and that it had a human resources succession plan.

The recommendations involved improving performance indicators and targets, the sustainability of activities and, in particular, DFL management practices.

Management was asked to:

  • Formalize and document the planning process between DFL and internal testing facilities users;
  • Draft a document outlining its overall strategy for the use of facilities and develop an associated implementation plan;
  • Review the output and outcome indicators to ensure that they are relevant and adequately measure DFL performance.

Implementation status

During the past year, DFL management has completed the documentation of the planning process between DFL and internal testing facilities users as well as the documentation outlining its overall strategy for the use of the testing facilities and the associated implementation plan. The overall strategy is an ongoing process that will be reviewed annually.

The recommendation concerning the review of output and outcome indicators has been more than 90% completed. Management has developed new performance measures that were approved by the Director General and included in the 2012-2013 work plan. In addition, a draft Performance Measurement Strategy has been prepared and is presently under review. Management plans to finalize this document by October 2012.

Procurement and Contract Management

Audit project objective

The audit project objective was to determine whether a management framework is in place to ensure that contractual agreements are established in accordance with TB and CSA policies, and whether contract-related payments are authorized in accordance with delegated authorities and the Financial Administration Act (FAA).

Nature of recommendations

In March 2011, our audit showed that the entity examined is well controlled in terms of payments associated with contracts.

However, some recommendations were made on the establishment of contractual agreements in order to create a more rigorous and robust procurement management control framework.

Implementation status

Over the year, management has followed up on five of the six recommendations in the audit report. The following actions were taken to respond to those recommendations:

  • A contract quality control system was implemented;
  • A new financial delegation instrument was signed and a new quality assurance process was introduced to ensure closer monitoring of delegated contracting authorities;
  • A more rigorous process was implemented for the receiving, custody, opening, and recording of bids;
  • A checklist was established and introduced to ensure that all required documentation is contained in procurement files. In addition, a periodic audit of procurement files is being carried out;
  • Finance clerks were reminded that payments must be made in accordance with the basis of payments, and that minor deviations must be documented.

The only outstanding activity involves the updating of the user guide, for which the target date is September 2012.