Management Action Plans Follow-Up for Internal Audit - Annual Report as at March 31, 2013

Audit and Evaluation Directorate
May 2013

Implementation Summary

This follow-up report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by the various entities concerned in response to our findings and recommendations. As part of the follow-up process in effect, management action plans are to be reviewed annually until they are fully implemented, and the extent of implementation is to be assessed and reported to the Departmental Audit Committee (DAC).

This annual report contains the follow-up findings, as at March 31, 2013, for 14 audit projects, for which reports and management action plans have been submitted to and approved by the DAC. The following charts provide an overview of the implementation status of the management action plan elements.

  • To be done: 1 management action plan element
  • In progress ≤ 50%: 4 management action plan elements
  • In progress > 50%: 13 management action plan elements
  • Completed 100%: 117 management action plan elements

The following pages provide detailed descriptions of the progress made with the action plans for each audit project.

Management Framework, David Florida Laboratory Directorate

Audit project: 04/05 01-03

Audit project objective

The audit project objective was to evaluate the extent to which governance, operations and information system elements of the David Florida Laboratory (DFL) Directorate's management framework allow the DFL to fulfil its mandate; carry out operations effectively, efficiently and economically while complying with requirements prescribed in acts, regulations and policies; and protect and account for the use of resources.

Effectiveness and efficiency: 21%; Compliance: 26%; Management practices: 53%

Nature of recommendations

Our observations and recommendations to management focused on improving financial information quality, demonstrating transparency and fairness when charging external user fees, and managing accounts receivable more rigorously.

Implementation status

The final two measures to be implemented last year have now been completed. The DFL's financial operations for fiscal years 2001–2002 to 2004–2005 have been reviewed to ensure that the proper financial coding was used for the new assets. The reconciliation of DFL inventories with those in SAP books of account is also complete. Assets listed in the books of account but not counted have been written off.

Implementation status
Management Framework,
David Florida Laboratory Directorate
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 100% 19

Project Management Processes and Practices

Audit project: 06/07 01-03

Audit project objective

The objective of this audit project was to assess the extent to which the Canadian Space Agency's (CSA) project management processes and practices (phases 0 to E, inclusive) enable it to make informed decisions as to the choice of projects/initiatives to be financed; to follow up appropriately; to implement approved initiatives in line with the principles of effectiveness, efficiency and economy; to attain the planned results as set out in the main planning documents; to comply with all relevant policies, regulations and guidelines issued by the CSA and the central agencies; and to report on resource use.

Decision-making process: 7%; Financial authorization: 7%; Information integrity: 7%; PAMF: 7%; Project costs: 72%

Nature of recommendations

We reported in October 2007 that, although the CSA had developed good project and risk management frameworks, it did not make proper use of them in its day-to-day management. We also observed that cost/benefit performance issues, missed deadlines and cost overruns were endemic in the projects conducted by the Agency. Our findings concerned the decision-making process, the obtaining of financial approval, information integrity, the Project Approval and Management Framework (PAMF), project planning, changes in project scope, cost estimates, technology maturity, project follow-up, risk management and performance assessment.

Implementation status

The review of the governance structure is almost complete, the next step being its implementation. Since October 2007, the focus has been on the following aspects: setting up of a working group and drafting of a plan for high-priority work; implementation of a directive on the preparation of business cases; development of a new governance structure; drafting and approval of a policy on investment planning; overhaul of Chapter 4 on governance and its incorporation into the investment plan; identification of factors to consider when selecting investments; updating of the organizational risk profile; and the development of integrated risk management procedures.

The deadline is September 2013.

Implementation status
Project Management
Processes and Practices
To be done 0
In progress ≤ 50% 1
In progress > 50% 1
Completed 100% 26

Business Continuity Planning

Audit project: 08/09 01-02

Audit project objective

The objective of this audit was to evaluate the compliance of the Business Continuity Planning Program (BCPP), the purpose of which is to maintain essential operations in the event of a disaster at the CSA.

Effectiveness and efficiency: 22%; Compliance: 45%; Planning / Training: 33%

Nature of recommendations

In January 2009, we reported that, overall, management had set up a governance framework and implemented plans in keeping with Treasury Board Secretariat policies and standards.

However, a number of recommendations were made to improve the effectiveness and efficiency of business continuity planning in the event of a disaster at the CSA.

We recommended that the corporate policy be finalized, that replacements for the corporate coordination cell be designated, that training sessions be organized, and that business continuity plans related to essential services be finalized.

Implementation status

Despite the complexity of business continuity planning (BCP) for the CSA as a whole, management has nevertheless gradually followed up on seven of the nine recommendations in the audit report. It should be noted that the implementation of Influenza A (H1N1) prevention activities dominated 2009-2010.

Over the course of the year, management complied with three recommendations pertaining to follow-up on business continuity planning for essential services and training for all BCP management cell members and their replacements. The recommendations for the final drafting and dissemination of the corporate policy and the designation of replacements for the corporate coordination cell were fully implemented in 2010-2011.

As for the completion of the BCP communications plan, this recommendation no longer applies in the current context. Management noted that, in the event of a disaster, the responsibility for communications is assumed by crisis management members (primarily Executive Committee members, not BCP management members). However, once the business continuity plans are approved, management intends to increase employee awareness of BCP.

Management expects to complete the two action plan components associated with the maintenance cycle for all BCPP preparatory plans and Executive Committee approval of BCPs by April 2014.

Implementation status
Business Continuity Planning
To be done 0
In progress ≤ 50% 0
In progress > 50% 2
Completed 100% 7

Values and Ethics Management Framework

Audit project: 08/09 01-03

Audit project objective

The audit determined the extent to which the President of the CSA has integrated control activities intended to highlight the importance of values and ethics in achieving organizational objectives.

Procedures: 29%; Dissemination of information and communication: 43%; Governance: 29%

Nature of recommendations

In March 2010, we reported that, overall, management had taken steps to promote values and ethics at the CSA.

However, we also focused management's attention on recommendations designed to improve governance, procedures, the dissemination of information, and communications on values and ethics.

Implementation status

The remaining action plan component to be implemented—disseminating and promoting public-sector values and ethics on the CSA website in order to keep partners, clients and service providers informed—was completed during the year. Also with a view to informing partners, the CSA's expectations with respect to the values and ethics applied within the Agency are set out in contract clauses.

In the past few years, management has implemented recommendations concerning follow-up on the appointment of values and ethics officers, the holding of regular steering committee meetings, the procedure for disclosing wrongdoing at the CSA, the communications plan, the procedure for meeting the requirement that employees fill out a statement every year attesting to their compliance with the Values and Ethics Code for the Public Service, and the official procedure for handling confidential reports.

It should be noted that the final version of the Agency's new code of conduct was drafted and approved by the Executive Committee in March 2013, but it is subject nonetheless to subsequent changes that may result from the scheduled review by Legal Services in June 2013. Once drafted, the new code will be posted on the Agency's Internet and intranet sites to inform partners, clients, service providers and employees.

Implementation status
Values and Ethics
Management Framework
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 100% 7

Corporate Risk Management Framework

Audit project: 08/09 01-04

Audit project objective

The audit evaluated the extent to which management has established a corporate risk management framework to ensure that operational risks are taken into account.

Management practices: 40%; Policy / procedures: 20%; Planning and communication: 40%

Nature of recommendations

In September 2009, our audit revealed that, in general, the CSA's corporate risk management framework accurately reflects the elements of the TBS Integrated Risk Management Framework (IRMF).

However, the following recommendations were made:

  • Develop a corporate policy and related procedures;
  • Make a distinction between the IRMF and the project management framework;
  • Post information about the IRMF on the CSA intranet site;
  • Have a senior manager take on the role of risk management champion; and
  • Designate the Director of Governance, Planning and Performance to be responsible for the risk management function.

Implementation status

Management has fully implemented all of the recommendations made in the audit report. Over the past few years, it has

  • drafted the final version of the integrated risk management policy and had it approved by the Executive Committee;
  • disseminated the new integrated risk management policy and related procedures;
  • provided necessary clarifications so that a clear distinction can be made between the corporate IRMF and the project management framework;
  • posted information about the corporate IRMF in its own section of the intranet site.

It should be noted that the Governance, Planning and Performance Directorate serves as a centre of expertise with respect to integrated organizational risk management.

Implementation status
Corporate Risk Management Framework
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 100% 5

Organizational Risk Profile (ORP)

Audit project: OCG-02

Audit project objective

The Office of the Comptroller General (OCG) conducted this audit in 2009 as part of its horizontal audit plan. The audit objective was to determine whether organizational risk management systems and practices, especially those associated with ORPs, are in place to confirm the existence of risk identification and mitigation strategies in the activities of large departments and agencies (LDAs).

Systems and practices: 50%; Governance and continuous improvement: 50%

Nature of recommendations

In September 2009, the audit report tabled by the OCG recommended various measures to enhance governance and continuous improvement, as well as systems and practices surrounding the ORPs of LDAs.

It was recommended that management

  • assign organizational risk management roles and responsibilities to senior managers;
  • review its systems and procedures annually;
  • make sure that the risk identification process includes management and corporate risks, and also identifies external risks; and
  • define, document and disseminate a shared concept and application of risk tolerance.

Implementation status

Management has fully implemented all of the recommendations made in the audit report. Over the past few years, it has

  • finalized the integrated risk management policy and had it approved by the Executive Committee;
  • identified a risk management champion (Director General, Corporate Services);
  • reviewed risk identification systems, processes and documentation; and
  • disseminated the ORP, including the shared application of risk tolerance, on the CSA intranet site.

It should be noted that the updated ORP was approved by the Executive Committee on March 1, 2013.

Implementation status
Organizational Risk Profile (ORP)
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 100% 4

Information Technology Dependence

Audit project: 09/10 01-03

Audit project objective

The audit objective was to evaluate the adequacy and effectiveness of mechanisms in place to control processes and procedures designed to reduce the risk of dependence on information technology (IT) in the CSA's Information Management and Information Technology (IM/IT) sector.

Succession planning: 27%; Asset management: 33%; Business continuity management: 13%; Storage and media management: 27%

Nature of recommendations

In March 2010, we identified a number of good practices relating to IT dependence in the IM/IT sector. We also noted that the CSA attached great importance to the IM/IT strategic planning process.

However, some recommendations were made to reduce the risk of IT dependence. Those recommendations involved data backup and recovery, human resources, computer applications, and IT architecture.

Implementation status

Management has followed up on four of the eight actions outstanding, including the migration of certain technological environments to shared supported platforms. The project involving the hiring of a systems architect was shelved as a result of budgetary restrictions. Instead, management opted to set up the Architecture, Projects and Standards Committee, which deals with systems architecture issues. As for the positions that were vacant at the time of the audit, steps have been taken over the years to fill some of these positions; in other cases, staffing was no longer required owing to changes to plans or priorities.

Management noted that since the creation and restructuring of the Shared Services Canada Science Portfolio, the completion of the plan for replacing critical resources and the staffing of a storage management position are no longer relevant for the CSA's IM/IT sector. Recommendations having to do with the following aspects were fully implemented in previous years:

  • follow-up on licences
  • access to backup systems
  • backup copies
  • logging of backup errors
  • employee training
  • replacement workers for network administration and support duties, and the identification of obsolete applications

Management has set deadlines for completing the implementation of measures having to do with the four remaining items outstanding: the IT succession plan and backup copy recovery tests in March 2014; business continuity plan in October 2014; and computer applications in March 2015. Shared Services Canada is responsible for three of these outstanding items.

Implementation status
Information Technology Dependence
To be done 1
In progress ≤ 50% 2
In progress > 50% 1
Completed 100% 11

Information Technology Planning and Development Risks

Audit project: 09/10 01-04

Audit project objective

The objective of the audit was to evaluate the extent to which information technology (IT) planning and development processes and procedures ensure that IT aligns with user needs.

Operating systems: 30%; Network equipment: 5%; Applications: 35%; Database management systems: 30%

Nature of recommendations

In March 2010, we identified a number of good practices with regard to IT planning and development. We noted that the Agency attached great importance to the Information Management and Information Technology (IM/IT) strategic planning process.

However, some recommendations were made to help mitigate risks in IT planning and development. The recommendations concerned change management and releases.

Implementation status

During the year, management fully implemented the recommendation regarding the documentation of tests. The recommendations concerning pre-authorized changes and post-implementation reviews are still being implemented. Management has therefore fully implemented six of the eight recommendations made in the audit report. In previous years, in response to those recommendations, the following measures were taken:

  • Release approvals and rollback plans were documented and kept on file;
  • Steps were taken to adopt new formal change management procedures;
  • Project priorities were established in each sector for initiatives to be proposed in the coming year;
  • Written confirmation from the owner of an application is now required when systems are modified;
  • With regard to developers' access to production environments, management decided not to take action, deeming that the risk was minimal, and noting that the existing procedure would be reviewed if necessary.

Management expects to complete the two remaining action plan items by December 31, 2013.

Implementation status
Information Technology Planning
and Development Risks
To be done 0
In progress ≤ 50% 0
In progress > 50% 2
Completed 100% 6

Systems and Data Security

Audit project: 09/10 01-05

Audit project objective

The audit objective was to evaluate the extent to which processes and procedures for the security of data and systems under the responsibility of Information Management and Information Technology (IM/IT) provided adequate protection of the CSA's data and systems.

Network perimeter security: 22%; Patch management: 11%; Access request management: 22%; Security of applications, databases and operating systems: 45%

Nature of recommendations

In March 2010, we observed a number of good practices relating to the security of the data and systems for which IM/IT is responsible.

However, some recommendations were made to help mitigate risks related to the security of data and systems. Those recommendations involved the documentation of standards and processes, patches, system journals, application privileges and access, databases and labs.

Implementation status

Owing to a shortage of personnel, the preparation of documentation for the network certification and accreditation process has remained unchanged since last year, i.e., 50% completed. However, management fully implemented seven of the eight recommendations made in the audit report. In previous years, management

  • reviewed the lists of cardholders with access to the computer lab;
  • documented a procedure for periodically reviewing the cardholder list;
  • documented technology configuration standards;
  • set up maintenance contracts in order to install missing patches;
  • set up a system for accessing Oracle logs located on various servers from one central point;
  • introduced measures for the transition to Windows Vista;
  • where possible, developed in-house applications that used a temporary initial password; and
  • raised managers' awareness of the need to inform IM/IT of all staff movements, and the resulting impact on access rights.

Management expects to complete the final item in the action plan by March 2014.

Implementation status
Systems and Data Security
To be done 0
In progress ≤ 50% 1
In progress > 50% 0
Completed 100% 7

Official Languages

Audit project: 09/10 01-06

Audit project objective

The audit project objectives were to determine the degree to which CSA practices with respect to official languages comply with the Official Languages Act (OLA) and the official languages policies and directives of the Treasury Board (TB), and to assess the management framework for the CSA's Official Languages Program (OLP).

Management framework: 25%; Management practices: 75%

Nature of recommendations

In February 2011, we noted that, overall, the CSA was complying with the OLA and TB official language policies and directives, and that the existing OLP management framework was adequate. However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

The recommendations concerned the following: active offer of service in both official languages, procedures for handling complaints, employees' rights and obligations, emails, the Livelink interface and the order of presentation of names of directories, the drafting of documents, meetings, scientific training, dissemination of action plans, and DFL employee satisfaction.

Implementation status

After following up last year on recommendations regarding complaints, employees' rights and obligations and the communication of the action plan, management implemented three additional action plan items this year, leaving just one to be completed. The following items were implemented during the past fiscal year:

  • Agency employees are free to use the official language of their choice when drafting documents and attending meetings: no major issues were identified further to management's analysis of the findings of the 2011 Public Service Employee Survey;
  • Use of both official languages in the work units: management considered the findings of the 2011 Public Service Employee Survey to be satisfactory;
  • Scientific training in both official languages: an analysis grid was developed; organizers were made aware of the issue; and a question pertaining to learner satisfaction was added to the learning activity evaluation questionnaire.

Good progress is being made on the recommendation regarding the Livelink interface. Management expects the action plan to be fully implemented by May 2013.

Implementation status
Official Languages
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 100% 7

Management of Testing Facilities

Audit project: 09/10 01-07

Audit project objective

The audit project objective was to assess whether test facility planning and management processes make it possible to effectively and efficiently fulfil internal and external clients' requirements, and so attain the program's expected objectives and outcomes (David Florida Laboratory).

Management practices: 60%; Indicators and performance targets: 20%; Sustainability of activities: 20%

Nature of recommendations

In November 2010, we found that the David Florida Laboratory (DFL) had adopted procedures for managing the quality of its services, and that it had a human resources succession plan.

The recommendations focus on improving performance indicators and targets and ensuring the sustainability of activities, particularly DFL management practices.

It was recommended that management

  • formalize and document the planning process between DFL and internal testing facilities users;
  • draft a document outlining its overall strategy for the use of facilities, and develop an associated implementation plan;
  • review the output and outcome indicators to ensure that they are relevant and adequately measure DFL performance.

Implementation status

Management has fully implemented measures relating to the documentation of the planning process between DFL and users, and to the drafting of a document outlining its overall strategy for the use of facilities and the development of an associated implementation plan.

However, the recommendation regarding the review of output and outcome indicators had not been fully implemented as at March 31, 2013. During the fiscal year ending on March 31, 2012, management developed new performance measures and completed a draft performance measurement strategy. The strategy still has to be approved by the Governance, Planning and Performance Directorate and then by the Audit and Evaluation Directorate.

A final draft of this document is expected by the end of July 2013.

Implementation status
Management of Testing Facilities
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 100% 2

Procurement and Contract Management

Audit project: 10/11 01-02

Audit project objective

The audit project objective was to determine whether a management framework is in place to ensure that contractual agreements are established in accordance with Treasury Board (TB) and CSA policies, and whether contract-related payments are authorized in accordance with delegated authorities and the Financial Administration Act (FAA).

Payment compliance: 17%; Management framework: 83%

Nature of recommendations

In March 2011, our audit showed that the entity examined is well controlled in terms of payments associated with contracts.

However, some recommendations were made on the establishment of contractual agreements in order to create a more rigorous and robust procurement management control framework.

Implementation status

At the start of the current fiscal year, the following activities had been completed: setting up of a quality control system for contracts; signing of a new financial authority delegation instrument and implementation of new quality assurance procedures; implementation of a more rigorous procedure for the receiving, custody, opening, and recording of bids; creation and introduction of a checklist for the documentation to be assembled for files; periodic audits of procurement files; and issuing of reminders that payments must be made in accordance with the basis of payments, and that minor deviations must be documented.

The only action outstanding as at March 31, 2012, was the updating of the user guide. As at March 31, 2013, the user guide had been updated; all that remained to be done to complete the implementation of this action item was to obtain final approval for the guide and post it on the CSA intranet site. This was done in early 2013–2014. This action is therefore deemed to be fully implemented.

Implementation status
Procurement and Contract Management
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 100% 6

Major Investment Business Cases

Audit project: 10/11 01-01

Audit project objective

The objective of the audit was to determine whether, during the transition period from April 1, 2007 to the time of the audit, the Canadian Space Agency (CSA) produced business cases with the thoroughness required to comply with the requirements set out in the Treasury Board (TB) Policy on Investment Planning – Assets and Acquired Services, which will become mandatory on April 1, 2012.

Procedures: 17%; Management practices: 83%

Nature of recommendations

In February 2012, our audit revealed that the CSA was on track, having complied with a number of the requirements of the TB Policy on Investment Planning – Assets and Acquired Services, which would become mandatory on April 1, 2012.

However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

Implementation status

Over the year, management fully implemented five of the six recommendations in the audit report and took a number of steps in response to those recommendations. In fact, management has:

  • Informed managers concerned that the directive and requirements with respect to business cases within the Agency came into effect on April 1, 2012; and
  • Issued directives and introduced procedures and tools relative to business cases, which stipulated that
    • the sources of documents used to estimate costs had to be indicated;
    • the projected quantitative and qualitative benefits of a proposed investment had to be presented in a balanced manner;
    • the business cases had to include appropriate business case components; and
    • it was important to assemble, in a separate document, all the information used to make the business case by using the template designed for this purpose, which was available on the shared drive.

Management has also implemented most of the measures for the recommendation, which was that the CSA's Guide to Costing Space Projects be completed. The new deadline for this item is March 31, 2014.

Implementation status
Major Investment Business Cases
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 100% 5

International Space Station Assembly and Maintenance Operations Program Management Framework (1.2.1.1)

Audit project: 11/12 01-02

Audit project objective

The objective of this audit project was to determine whether the management framework in place enables the program to achieve its objectives and to comply with relevant policies, regulations and guidelines issued by the CSA and the central agencies.

Management framework: 100%

Nature of recommendations

Our audit in September 2012 demonstrated that the International Space Station (ISS) Assembly and Maintenance Operations Program has put in place good practices regarding operational planning, adequate financial resource planning procedures, and effective procedures and controls for the management of operations.

Nevertheless, we did note some opportunities for improvement with respect to the compiling of documents and information related to the anticipated one-time costs associated with the extension of Canada's participation in ISS activities up until 2020, and to the documenting of the risk analysis process. We also recommended that explanations be provided for the indicator used in the Performance Measurement Framework (PMF) and that the Performance Measurement (PM) Strategy be completed and implemented.

Implementation status

Management followed up on three of the four recommendations set out in the audit report. In response to those recommendations, the following actions were taken:

  • Drafting and implementation of a planning document setting out all of the anticipated potential costs for the extension of Canada's participation in ISS activities up until 2020. This planning document also assesses the probability that risks will materialize and the level of severity of the potential consequences.
  • Clarification regarding the PMF indicator.

The PM Strategy still has to be completed by management and then reviewed by the Governance, Planning and Performance and Audit and Evaluation directorates.

The set deadline is June 30, 2013.

Implementation status
International Space Station
Assembly and Maintenance Operations
Program Management Framework (1.2.1.1)
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 100% 3