Management Action Plans Follow-up for Internal Audit - Annual Report as at March 31, 2014

Download the PDF version (368 KB)

Audit and Evaluation Directorate

May 2014

Implementation Summary

This follow-up report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by the various entities concerned in response to our findings and recommendations. As part of the follow-up process in effect, management action plans are to be reviewed annually until they are fully implemented, and the extent of implementation is to be assessed and reported to the Departmental Audit Committee (DAC).

This annual report contains the follow-up findings, as at March 31, 2014, for 13 audit projects, for which reports and management action plans have been submitted to and approved by the DAC. The following charts provide an overview of the implementation status of the management action plan elements.

To be done (1 action plan for the management) In progress ≤ 50% (5 actions plan for the management) In progress > 50% (10 actions plan for the management) Completed (87 actions plan for the management)
Management action plan elements 1 5 10 87

The following pages provide detailed descriptions of the progress made with the action plans for each audit project.

Project Management Processes and Practices

Audit project: 06/07 01-03

Audit project objective

The objective of this audit project was to assess the extent to which the Canadian Space Agency's (CSA's) project management processes and practices (Phases 0 to E, inclusive) enable it to make informed decisions as to the choice of projects/initiatives to be financed; to follow up appropriately; to implement approved initiatives in line with the principles of effectiveness, efficiency and economy; to attain the planned results as set out in the main planning documents; to comply with all relevant policies, regulations and guidelines issued by the CSA and the central agencies; and to report on resource use.

Desision-making process Financial authorization Information integrity PAMF Project costs
7% 7% 7% 7% 72%

Nature of recommendations

We reported in October 2007 that, although the CSA had developed good project and risk management frameworks, it did not make proper use of them in its day-to-day management. We also observed that cost/benefit performance issues, missed deadlines and cost overruns were endemic in the projects conducted by the Agency. Our findings concerned the decision-making process, the obtaining of financial approval, information integrity, the Project Approval and Management Framework (PAMF), project planning, changes in project scope, cost estimates, technology maturity, project follow-up, risk management and performance assessment.

Implementation status

The following items have been implemented since October 2007: creation of a working group and development of a plan that includes priority work; implementation of a directive for the production of business cases; development of a new governance structure; elaboration of factors to be considered in the selection of investments; updating of the organizational risk profile; and finally, development of procedures for the integrated management of risk.

During this year, a position of Executive Director, Integrated Programs and Planning was created, a new Project Management Framework was developed and approved, and an update of the investment plan was completed. The approval of the CSA's investment plan and the overhaul of its governance structure will be finalized by December 2014.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 2
Completed 26

Business Continuity Planning

Audit project: 08/09 01-02

Audit project objective

The objective of this audit was to evaluate the compliance of the Business Continuity Planning Program (BCPP), the purpose of which is to maintain essential operations in the event of a disaster at the CSA.

Effectiveness and efficiency Compliance Planning / training
22% 45% 33%

Nature of recommendations

In January 2009, we reported that, overall, management had set up a governance framework and implemented plans in keeping with Treasury Board Secretariat policies and standards.

However, a number of recommendations were made to improve the effectiveness and efficiency of business continuity planning in the event of a disaster at the CSA.

We recommended that the corporate policy be finalized, that replacements for the corporate coordination cell be designated, that training sessions be organized, and that business continuity plans related to essential services be finalized.

Implementation status

Despite the complexity of the business continuity plan for the whole of the CSA, management has nevertheless progressively followed up on eight of the nine recommendations made in the audit report. In particular, a corporate policy on the BCPP was finalized, corporate coordination cell substitutes were designated, training sessions were conducted, and business continuity plans (BCPs) were developed by each branch. The BCPs were approved by the CSA's Executive Committee (EC) on July 2, 2013.

Management plans to complete the last element of the action plan over the next year. This involves the development of a maintenance cycle that includes the updating and regular validation of all BCPs.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 8

Information Technology Dependence

Audit project: 09/10 01-03

Audit project objective

The audit objective was to evaluate the adequacy and effectiveness of mechanisms in place to control processes and procedures designed to reduce the risk of dependence on information technology (IT) in the CSA's Information Management and Information Technology (IM/IT) sector.

Succession planning Asset management Business continuity management Storage and media management
27% 33% 13% 27%

Nature of recommendations

In March 2010, we identified a number of good practices relating to IT dependence in the IM/IT sector. We also noted that the CSA attached great importance to the IM/IT strategic planning process.

However, some recommendations were made to reduce the risk of IT dependence. Those recommendations involved data backup and recovery, human resources, computer applications, and IT architecture.

Implementation status

Recommendations having to do with the following aspects were fully implemented in previous years:

  • follow-up on licences
  • access to backup systems
  • backup copies
  • logging of backup errors
  • employee training
  • replacement workers for network administration and support duties, and the identification of obsolete applications
  • the migration of certain technological environments to supported and common platforms.

With regard to the hiring of a systems architect, this project was put aside due to budgetary restrictions, and management opted instead for the establishment of a Projects and Standards Architecture Committee, which deals with issues related to systems architecture. On the other hand, with respect to positions that were vacant at the time of the audit, over the years, actions were taken to fill certain positions, and in other cases, the staffing was no longer required due to changes in plans or priorities.

With regard to the implementation of actions relating to the finalization of the critical resources replacement plan and the staffing of a storage management position, management said that they are no longer relevant to the CSA's IM/IT, since the creation and restructuring of the Shared Services Canada (SSC) sciences portfolio. The last four items outstanding are the responsibility of SSC. Some deadlines were pushed back. The most important report is the one concerning the completion of the documentation on the CSA's information technology succession plan. This due date has been deferred from March 2014 to October 2015. According to management, SSC is proceeding with the consolidation of data centres, which has an impact on the CSA's information technology succession plan.

Implementation status
To be done 1
In progress ≤ 50% 2
In progress > 50% 1
Completed 11

Information Technology Planning and Development Risks

Audit project: 09/10 01-04

Audit project objective

The objective of the audit was to evaluate the extent to which information technology (IT) planning and development processes and procedures ensure that IT aligns with user needs.

Operating systems Network equipment Applications Database management systems
30% 5% 35% 30%

Nature of recommendations

In March 2010, we identified a number of good practices with regard to IT planning and development. We noted that the Agency attached great importance to the Information Management and Information Technology (IM/IT) strategic planning process.

However, some recommendations were made to help mitigate risks in IT planning and development. The recommendations concerned change management and releases.

Implementation status

During the year, management modified its management-of-change process to include a post-implementation review of significant changes. On the other hand, action concerning the documentation of cases where changes are authorized in advance is still being implemented. Management has thus completed seven of the eight recommendations contained in the audit report. In the course of previous years, the following actions were implemented:

  • Approvals of bringing-into-production as well as backtracking plans were documented and retained;
  • Arrangements were made to formalize the new management-of-change process;
  • The prioritization of projects by sector concerning initiatives to be brought forward in the subsequent year was adopted;
  • The obtaining of written confirmation on the part of the owner of an application is required when changes are made to systems;
  • With respect to developer access to production environments, management decided not to take action because it found that the risk was minimal and indicated that the process in effect would be reviewed if necessary; and
  • The documentation of tests.

Management plans to complete the last element of the action plan that is still pending by March 2015.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 7

Systems and Data Security

Audit project: 09/10 01-05

Audit project objective

The audit objective was to evaluate the extent to which processes and procedures for the security of data and systems under the responsibility of Information Management and Information Technology (IM/IT) provided adequate protection of the CSA's data and systems.

Network perimeter security Patch management Access request management Security of applications, databases and operating systems
22% 11% 22% 45%

Nature of recommendations

In March 2010, we observed a number of good practices relating to the security of the data and systems for which IM/IT is responsible.

However, some recommendations were made to help mitigate risks related to the security of data and systems. Those recommendations involved the documentation of standards and processes, patches, system journals, application privileges and access, databases and labs.

Implementation status

Management completed seven of the eight recommendations contained in the audit report. In fact, in the course of previous years, management:

  • reviewed the lists of cardholders with access to the computer lab;
  • documented a procedure for periodically reviewing the cardholder list;
  • documented technology configuration standards;
  • set up maintenance contracts in order to install missing patches;
  • set up a system for accessing Oracle logs located on various servers from one central point;
  • introduced measures for the transition to Windows Vista;
  • where possible, developed in-house applications that used a temporary initial password; and
  • raised managers' awareness of the need to inform IM/IT of all staff movements, and the resulting impact on access rights.

The last action concerns the documentation of an accreditation and certification process. In order for management to complete its part of the action, Shared Services Canada (SSC) must complete its own which, in the opinion of management, is well advanced. The deadline planned for all of these items is March 2015.

Implementation status
To be done 0
In progress ≤ 50% 1
In progress > 50% 0
Completed 7

Official Languages

Audit project: 09/10 01-06

Audit project objective

The audit project objectives were to determine the degree to which CSA practices with respect to official languages comply with the Official Languages Act (OLA) and the official languages policies and directives of the Treasury Board (TB), and to assess the management framework for the CSA's Official Languages Program (OLP).

Management framework Management pratices
25% 75%

Nature of recommendations

In February 2011, we noted that, overall, the CSA was complying with the OLA and TB official language policies and directives, and that the existing OLP management framework was adequate. However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

The recommendations concerned the following: active offer of service in both official languages, procedures for handling complaints, employees' rights and obligations, emails, the Livelink interface and the order of presentation of names of directories, the drafting of documents, meetings, scientific training, dissemination of action plans, and DFL employee satisfaction.

Implementation status

During the year, management completed the last item in its action plan. In fact, a bilingual Livelink interface is now functional, and the Livelink directory names have been renamed and reordered accordingly. In addition to following the recommendations concerning complaints, the rights and obligations of employees and communication of the action plan, management implemented the following actions over the course of previous years:

  • Agency employees are free to use the official language of their choice when drafting documents and attending meetings: no major issues were identified further to management's analysis of the findings of the 2011 Public Service Employee Survey;
  • Use of both official languages in the work units: management considered the findings of the 2011 Public Service Employee Survey to be satisfactory.
  • Scientific training in both official languages: an analysis grid was developed; organizers were made aware of the issue; and a question pertaining to learner satisfaction was added to the learning activity evaluation questionnaire.
Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 8

Management of Testing Facilities

Audit project: 09/10 01-07

Audit project objective

The audit project objective was to assess whether test facility planning and management processes make it possible to effectively and efficiently fulfil internal and external clients' requirements, and so attain the program's expected objectives and outcomes (David Florida Laboratory).

Management practices Indicators and performance targets Sustainability of activities
60% 20% 20%

Nature of recommendations

In November 2010, we found that the David Florida Laboratory (DFL) had adopted procedures for managing the quality of its services, and that it had a human resources succession plan.

The recommendations focus on improving performance indicators and targets and ensuring the sustainability of activities, particularly DFL management practices.

It was recommended that management:

  • formalize and document the planning process between the DFL and internal testing facilities users;
  • draft a document outlining its overall strategy for the use of facilities, and develop an associated implementation plan;
  • review the output and outcome indicators to ensure that they are relevant and adequately measure DFL performance.

Implementation status

The actions relative to the documentation of the planning process between the DFL and users as well as the documentation of its overall strategy for the use of the facilities and the development of the related implementation plan were completed by management.

The recommendation concerning the review of output and performance indicators is almost completed. During the year, management developed new performance measurements and a draft of a performance measurement (PM) strategy. On March 31, 2014, this PM strategy had been reviewed by the Executive Director, Integrated Programs and Planning (IPP) and was at the approval stage with the Audit and Evaluation Directorate (AED). The PM strategy was subsequently approved by the AED on April 16 and by the responsible DG on May 1, 2014. These latest developments will be taken into account in the next round of monitoring of the action plans.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 2

Major Investment Business Cases

Audit project: 10/11 01-01

Audit project objective

The objective of the audit was to determine whether, during the transition period from April 1, 2007, to the time of the audit, the Canadian Space Agency (CSA) produced business cases with the thoroughness required to comply with the requirements set out in the Treasury Board (TB) Policy on Investment Planning – Assets and Acquired Services, which became mandatory on April 1, 2012.

Procedures Management pratices
17% 83%

Nature of recommendations

In February 2012, our audit revealed that the CSA was on track, having complied with a number of the requirements of the TB Policy on Policy on Investment Planning – Assets and Acquired Services, which became mandatory on April 1, 2012.

However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

Implementation status

Over the year, management fully implemented five of the six recommendations in the audit report and took a number of steps in response to those recommendations. In fact, management has:

  • Informed managers concerned that the directive and requirements with respect to business cases within the Agency came into effect on April 1, 2012; and
  • Issued directives and introduced procedures and tools relative to business cases, which stipulated that:
    • the sources of documents used to estimate costs had to be indicated;
    • the projected quantitative and qualitative benefits of a proposed investment had to be presented in a balanced manner;
    • the business cases had to include appropriate business case components; and
    • it was important to assemble, in a separate document, all the information used to make the business case by using the template designed for that purpose, which was available on the shared drive.

The development of the CSA's Guide to Costing (GTC) was recently completed by the Finance Directorate. Consultations on it will be held at the beginning of 2014-2015. The final recommendation will be completed when the GTC is approved and used.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 5

International Space Station Assembly and Maintenance Operations Program Management Framework (1.2.1.1)

Audit project: 11/12 01-02

Audit project objective

The objective of this audit project was to determine whether the management framework in place enables the program to achieve its objectives and to comply with relevant policies, regulations and guidelines issued by the CSA and the central agencies.

Management framework
100%

Nature of recommendations

Our audit in September 2012 demonstrated that the International Space Station (ISS) Assembly and Maintenance Operations Program has put in place good practices regarding operational planning, adequate financial resource planning procedures, and effective procedures and controls for the management of operations.

Nevertheless, we did note some opportunities for improvement with respect to the compiling of documents and information related to the anticipated one-time costs associated with the extension of Canada's participation in ISS activities up until 2020, and to the documenting of the risk analysis process. We also recommended that explanations be provided for the indicator used in the Performance Measurement Framework (PMF) and that the Performance Measurement (PM) Strategy be completed and implemented.

Implementation status

Management followed up on three of the four recommendations set out in the audit report. In response to those recommendations, the following actions were taken:

  • Drafting and implementation of a planning document setting out all of the anticipated potential costs for the extension of Canada's participation in ISS activities up until 2020. This planning document also assesses the probability that risks will materialize and the level of severity of the potential consequences.
  • Precision of the indicator used in the PMF.

On March 31, 2014, the development of the PM Strategy was finalized and it was at the consultation stage with the IPP Branch and the AED. Comments should be provided in May 2014. This action should be 100% completed in the coming months.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 3

The Canadian Space Agency Class Grant and Contribution Program to Support Research, Awareness and Learning in Space Science and Technology

Audit project: 12/13 01-01

Audit project objective

The audit objectives were to determine whether a management framework was in place to ensure that the CSA's Class Grant and Contribution (G&C) Program in support of research, awareness and education in science and technology was managed in accordance with the relevant laws and policies as well as with the approved program terms and conditions, and that it was subject to accountability.

In accordance with the terms and conditions of the Program In accordance with relevant legislation and policies
25% 75%

Nature of recommendations

In May 2013, our audit showed that the Centre of Expertise for the management of the CSA's G&C Program had established a control framework and best practices for the management of agreements.

On the other hand, we found some deficiencies at the level of documentation and the application of controls on certain grant and contribution files and with the inclusion in the funding agreements of all the appropriate clauses and information required in accordance with the directive on transfer payments. In addition, we would recommend that the internal directive on the audit of recipients be completed and that an audit plan be developed and implemented.

Implementation status

A process for the drafting and approval of funding agreements had already been implemented by management before the end of the audit project. The promotion of this new process with the Branches was subsequently carried out by the Centre of Expertise for the management of G&Cs. In addition, all the drafts of funding agreements greater than $25,000 were reviewed by the Centre of Expertise in order to ensure that they are complete and comply with the applicable policies and guidelines. One of the three actions has therefore been completed.

The two outstanding actions concern the documentation and application of controls for the management of files, and the internal directive on the audit of beneficiaries. Management plans to complete these actions by December 2014.

Implementation status
To be done 0
In progress ≤ 50% 2
In progress > 50% 0
Completed 1

The Process of Preparing the Canadian Space Agency's Annual Financial Statements and Quarterly Financial Reports

Audit project: 12/13 01-03

Audit project objective

The audit objective was to determine whether the design and operational effectiveness of the internal controls over the preparation process for the annual financial statements and quarterly financial reports were adequate.

Adequate design of internal controls Adequate internal controls
40% 60%

Nature of recommendations

In March 2013, our audit showed that, in general, the CSA's internal control practices were consistent with those found in the market.

However, we made four recommendations:

  • Increase awareness and training of employees concerned on the Internal Control Policy;
  • Validate the list of reviewed entries;
  • Append systematically supporting documents to journal entries;
  • Initialize supporting documents when reviewing journal entries for quality control purposes.

Implementation status

Management followed up on the four recommendations made in the audit report. The following actions were implemented in response to those recommendations:

  • Reminder to the employees involved of the importance of: 1) appending and providing all supporting documentation to quality assurance for purposes of conservation, 2) a signature appearing on the journal voucher, and 3) a complete description being shown.
  • Validation of the list of revised entries using another source.
  • Addition of written proof indicating that control has been applied.
Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 4

The AETD Program Management Framework (1.2.2.3)

Audit project: 12/13 01-06

Audit project objective

The audit objective was to determine whether the existing management framework enabled the program to attain its objectives and comply with the relevant policies, regulations and guidelines issued by the Canadian Space Agency (CSA) and central agencies.

Monitoring of operations and resources Reporting and performance measurement
50% 50%

Nature of recommendations

In November 2013, our audit showed that the Advanced Exploration Technology Development (AETD) Program has implemented best practices for operations planning and control of the resources used. The other main features were:

  • the admissibility criteria in the choice of contractors for the execution of contracts related to the Economic Action Plan (EAP) were properly applied and the selection processes were well documented
  • the program identified and managed the risks that could impede the achievement of expected results
  • financial transactions were entered into the accounts in accordance with the laws, regulations and guidelines in force
  • all the program activities were subject to accountability

However, we identified some deficiencies which led us to formulate the following two recommendations:

  • Review the procedure relating to the monitoring and approval of expenditures for interdepartmental payments
  • Adjust the performance measurement (PM) strategy based on future activities and implement it

Implementation status

Management followed up on one of the two recommendations made in the audit report. In fact, the Finance Directorate instituted a centralized monthly procedure relative to the monitoring and approval of interdepartmental payments.

On March 31, 2014, the development of the PM strategy was finalized and it was at the consultation stage with the IPP Branch and the AED. Comments should be provided in May 2014. This action should be 100% completed in the coming months.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 1