Management Action Plans Follow-up for Internal Audit - Annual Report as at March 31, 2015


Audit and Evaluation Directorate

June 2015

Implementation Summary

This follow-up report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by the various entities concerned in response to our findings and recommendations. As part of the follow-up process, management action plans are reviewed annually until they are fully implemented, and the extent of implementation is assessed and reported to the Departmental Audit Committee (DAC).

This annual report contains the follow-up findings, as at March 31, 2015, for 12 audit projects, for which reports and management action plans have been submitted to and approved by the DAC. The following charts provide an overview of the implementation status of the management action plan elements.

Management action plan elements
To be done 0
In progress ≤ 50% 2
In progress > 50% 8
Completed 84

The following pages provide detailed descriptions of the progress made with the action plans for each audit project.

Audit project: 06/07 01-03

Project Management Processes and Practices (2007)

Audit project objective

The objective of this audit project was to assess the extent to which the Canadian Space Agency's (CSA's) project management processes and practices (Phases 0 to E, inclusive) enable it to make informed decisions as to the choice of projects/initiatives to be financed; to follow up appropriately; to implement approved initiatives in line with the principles of effectiveness, efficiency and economy; to attain the planned results as set out in the main planning documents; to comply with all relevant policies, regulations and guidelines issued by the CSA and the central agencies; and to report on resource use.

Decision-making process 7%
Financial authorization 7%
Information integrity 7%
PAMF 7%
Project costs 72%

Nature of recommendations

We reported in October 2007 that, although the CSA had developed good project and risk management frameworks, it did not make proper use of them in its day-to-day management. We also observed that cost/benefit performance issues, missed deadlines and cost overruns were endemic in the projects conducted by the Agency. Our findings concerned the decision-making process, the obtaining of financial approval, information integrity, the Project Approval and Management Framework (PAMF), project planning, changes in project scope, cost estimates, technology maturity, project follow-up, risk management and performance assessment.

Implementation status

The following items have been implemented since October 2007: creation of a working group and development of a plan that includes priority work; implementation of a directive for the production of business cases; development of a new governance structure; elaboration of factors to be considered in the selection of investments; updating of the organizational risk profile; development of procedures for the integrated management of risk; creation of the position of Director General, Programs and Integrated Planning; implementation of a new Project Management Framework and update of the Investment Plan.

Finally, the CSA Investment Plan was approved in June 2014 by the Treasury Board, and the redesign of the CSA's governance structure was completed in September 2014. The implementation of this audit project's action plan is now completed.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 28

Audit project: 08/09 01-02

Business Continuity Planning (2009)

Audit project objective

The purpose of the audit was to assess compliance of the Business Continuity Planning Program (BCPP) with the Government Security Policy and the Operational Security Standard of the Treasury Board Secretariat (TBS). The BCPP aims to maintain essential operations in the event of a disaster at the CSA.

Effectiveness and efficiency 22%
Compliance 45%
Planning / training 33%

Nature of recommendations

In January 2009, we reported that, overall, management had set up a governance framework and implemented plans in keeping with Treasury Board Secretariat policies and standards.

However, a number of recommendations were made to improve the effectiveness and efficiency of business continuity planning at the CSA.

We recommended that the corporate policy be finalized, that replacements for the corporate coordination cell be designated, that training sessions be organized, and that business continuity plans related to essential services be finalized.

Implementation status

Despite the complexity of the business continuity plan for the whole of the CSA, management has nevertheless progressively followed up on eight of the nine recommendations made in the audit report. In particular, a corporate policy on the BCPP was finalized, corporate coordination cell substitutes were designated, training sessions were conducted, and business continuity plans (BCPs) were developed by each branch. The BCPs were approved by the CSA's Executive Committee (EC) on July 2, 2013.

The implementation of a maintenance cycle that includes the regular update and validation of all BCPs has been postponed to March 2016.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 8

Audit project: 09/10 01-03

Information Technology Dependence (2010)

Audit project objective

The audit objective was to evaluate the adequacy and effectiveness of mechanisms in place to control processes and procedures designed to reduce the risk of dependence on information technology (IT) in the CSA's Information Management and Information Technology (IM/IT) sector.

Succession planning 27%
Asset management 33%
Business continuity management 13%
Storage and media management 27%

Nature of recommendations

In March 2010, we identified a number of good practices relating to IT dependence in the IM/IT sector. We also noted that the CSA attached great importance to the IM/IT strategic planning process.

However, some recommendations were made to reduce the risk of IT dependence. Those recommendations involved data backup and recovery, human resources, computer applications, and IT architecture.

Implementation status

Recommendations having to do with the following aspects were fully implemented in previous years: follow-up on licence, access to backup systems, backup copies, logging of backup errors, employee training, replacement workers for network administration and support duties, the identification of obsolete applications and the migration of certain technological environments to supported and common platforms.

With regard to the hiring of a systems architect, this project was put aside and management opted instead for the establishment of a Projects and Standards Architecture Committee, which deals with issues related to systems architecture. On the other hand, with respect to positions that were vacant at the time of the audit, over the years, actions were taken to fill certain positions, and in other cases, the staffing was no longer required due to changes in plans or priorities.

Management has noted that since the creation and restructuring of the Shared Services Canada (SSC) Science Portfolio, the completion of the plan for replacing critical resources and the staffing of a storage management position are no longer relevant for the CSA's IM/IT sector.

The review of the usefulness of the CMStat and IRims applications is finished. The CSA completed the migration of IRims to Livelink in March 2015 and has decided to replace CMStat.

The three pending recommendations are now the responsibility of SSC. They pertain to the documentation of the IT recovery plan, the documentation of the continuity plan for servers that support CSA activities and the scheduling of backup recovery tests. These actions are being implemented.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 3
Completed 12

Audit project: 09/10 01-04

Information Technology Planning and Development Risks (2010)

Audit project objective

The objective of the audit was to evaluate the extent to which information technology (IT) planning and development processes and procedures ensure that IT aligns with user needs.

Operating systems 30%
Network equipment 5%
Applications 35%
Database management systems 30%

Nature of recommendations

In March 2010, we identified a number of good practices with regard to IT planning and development. We noted that the Agency attached great importance to the Information Management and Information Technology (IM/IT) strategic planning process.

However, some recommendations were made to help mitigate risks in IT planning and development. The recommendations concerned change management and releases.

Implementation status

The implementation of the action plan is completed. The following actions have been taken:

  • Approvals of bringing-into-production as well as backtracking plans were documented and retained;
  • Arrangements were made to formalize the new management-of-change process;
  • The prioritization of projects by sector concerning initiatives to be brought forward in the subsequent year was adopted;
  • The obtaining of written confirmation on the part of the owner of an application is required when changes are made to systems;
  • The documentation of tests;
  • With regard to developers' access to production environments, management decided not to take action. Management deemed that the risk was very low and noted that the existing process would be reviewed if necessary; and
  • With regard to documentation of the change management procedure in cases where the changes are authorized ahead of time, management decided that the action no longer applied, since the activities related to this type of change are now the responsibility of SSC.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 8

Audit project: 09/10 01-05

Systems and Data Security (2010)

Audit project objective

The audit objective was to evaluate the extent to which processes and procedures for the security of data and systems under the responsibility of Information Management and Information Technology (IM/IT) provided adequate protection of the CSA's data and systems.

Network perimeter security 22%
Patch management 11%
Access request management 22%
Security of applications, databases and operating systems 45%

Nature of recommendations

In March 2010, we observed a number of good practices relating to the security of the data and systems for which IM/IT is responsible.

However, some recommendations were made to help mitigate risks related to the security of data and systems. Those recommendations involved the documentation of standards and processes, patches, system journals, application privileges and access, databases and labs.

Implementation status

Management completed seven of the eight recommendations contained in the audit report. In fact, in the course of previous years, management:

  • reviewed the lists of cardholders with access to the computer lab;
  • documented a procedure for periodically reviewing the cardholder list;
  • documented technology configuration standards;
  • set up maintenance contracts in order to install missing patches;
  • set up a system for accessing Oracle logs located on various servers from one central point;
  • introduced measures for the transition to Windows Vista;
  • where possible, developed in-house applications that used a temporary initial password; and
  • raised managers' awareness of the need to inform IM/IT of all staff movements, and the resulting impact on access rights.

The last action to be implemented concerns the documentation of an accreditation and certification process. The CSA and Shared Services Canada (SSC) have finished setting up a secret network. However, the official accreditation and certification procedure has not been documented in the past year. The deadline has been postponed to March 2016.

Implementation status
To be done 0
In progress ≤ 50% 1
In progress > 50% 0
Completed 7

Audit project: 09/10 01-07

Management of Testing Facilities (2010)

Audit project objective

The audit project objective was to assess whether test facility planning and management processes make it possible to effectively and efficiently fulfil internal and external clients' requirements, and so attain the program's expected objectives and outcomes (David Florida Laboratory - DFL).

Management practices 60%
Indicators and performance targets 20%
Sustainability of activities 20%

Nature of recommendations

In November 2010, we found that the DFL had adopted procedures for managing the quality of its services, and that it had a human resources succession plan.

The recommendations focused on improving performance indicators and targets and ensuring the sustainability of activities, particularly DFL management practices.

It was recommended that management:

  • formalize and document the planning process between the DFL and internal testing facilities users;
  • draft a document outlining its overall strategy for the use of facilities, and develop an associated implementation plan;
  • review the output and outcome indicators to ensure that they are relevant and adequately measure DFL performance.

Implementation status

The implementation of the management action plan stemming from this audit project is now completed. The actions related to documenting the planning process between the DFL and users and documenting the DFL's overall facility utilization strategy were carried out.

Implementation of the action concerning the review of output and outcome indicators has been completed. The performance measurement strategy for the program was reviewed and approved over the course of the last year.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 3

Audit project: 10/11 01-01

Major Investment Business Cases (2012)

Audit project objective

The objective of the audit was to determine whether, during the transition period from April 1, 2007, to the time of the audit, the Canadian Space Agency (CSA) produced business cases with the thoroughness required to comply with the requirements set out in the Treasury Board (TB) Policy on Investment Planning – Assets and Acquired Services, which became mandatory on April 1, 2012.

Procedures 17%
Management practices 83%

Nature of recommendations

In February 2012, our audit revealed that the CSA was on track, having complied with a number of the requirements of the TB Policy on Investment Planning – Assets and Acquired Services, which became mandatory on April 1, 2012.

However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

Implementation status

The implementation of the management action plan stemming from this audit project is now completed. The Costing Guide was shared with the Executive Committee in August 2014.

In recent years, management has implemented several actions to address the recommendations made in the audit report. Management has:

  • Informed managers concerned that the directive and requirements with respect to business cases within the Agency came into effect on April 1, 2012; and
  • Issued directives and introduced procedures and tools relative to business cases, which stipulated that:
    • the sources of documents used to estimate costs had to be indicated;
    • the projected quantitative and qualitative benefits of a proposed investment had to be presented in a balanced manner;
    • the business cases had to include appropriate business case components; and
    • it was important to assemble, in a separate document, all the information used to make the business case by using the template designed for that purpose.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 6

Audit project: 11/12 01-02

International Space Station Assembly and Maintenance Operations Program Management Framework (1.2.1.1) (2012)

Audit project objective

The objective of this audit project was to determine whether the management framework in place enables the program to achieve its objectives and to comply with relevant policies, regulations and guidelines issued by the CSA and the central agencies.

Management framework 100%

Nature of recommendations

Our audit in September 2012 demonstrated that the International Space Station (ISS) Assembly and Maintenance Operations Program has put in place good practices regarding operational planning, adequate financial resource planning procedures, and effective procedures and controls for the management of operations.

Nevertheless, we did note some opportunities for improvement with respect to the compiling of documents and information related to the anticipated one-time costs associated with the extension of Canada's participation in ISS activities up until 2020, and to the documenting of the risk analysis process. We also recommended that explanations be provided for the indicator used in the Performance Measurement Framework (PMF) and that the Performance Measurement (PM) Strategy be completed and implemented.

Implementation status

Management followed up on the four recommendations in the audit report. The following actions were taken to implement these recommendations:

  • Drafting and implementation of a planning document setting out all of the anticipated potential costs for the extension of Canada's participation in ISS activities up until 2020. This planning document also assesses the probability that risks will materialize and the level of severity of the potential consequences.
  • Clarification of the indicator used in the PMF.
  • Development, review and approval of the PM Strategy in the last year.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 4

Audit project: 12/13 01-01

The Canadian Space Agency Class Grant and Contribution Program to Support Research, Awareness and Learning in Space Science and Technology (2013)

Audit project objective

The audit objectives were to determine whether a management framework was in place to ensure that the CSA's Class Grant and Contribution (G&C) Program in support of research, awareness and education in science and technology was managed in accordance with the relevant laws and policies as well as with the approved program terms and conditions, and that it was subject to accountability.

In accordance with the terms and conditions of the Program 25%
In accordance with relevant legislation and policies 75%

Nature of recommendations

In May 2013, our audit showed that the Centre of Expertise for the management of the CSA's G&C Program had established a control framework and best practices for the management of agreements.

On the other hand, we found some deficiencies in the documentation and application of controls on certain grant and contribution files, and in the inclusion in the funding agreements of all the appropriate clauses and information required in accordance with the directive on transfer payments. In addition, we recommended that an internal directive on the audit of recipients be drafted and that an audit plan be developed and implemented.

Implementation status

A process for the drafting and approval of funding agreements had already been implemented by management before the end of the audit project. The promotion of this new process with the Branches was subsequently carried out by the Centre of Expertise for the management of G&Cs. In addition, all the drafts of funding agreements greater than $25,000 were reviewed by the Centre of Expertise in order to ensure that they are complete and comply with the applicable policies and guidelines. One of the three actions has therefore been completed.

With regard to the application of existing control mechanisms, management plans to complete this action by September 2015.

With regard to the last action, management completed the internal directive concerning the audit of recipients and plans to develop and implement the audit plan by June 2015.

Implementation status
To be done 0
In progress ≤ 50% 1
In progress > 50% 1
Completed 1

Audit project: 12/13 01-06

The AETD Program Management Framework (1.2.2.3) (2013)

Audit project objective

The audit objective was to determine whether the existing management framework enabled the program to attain its objectives and comply with the relevant policies, regulations and guidelines issued by the Canadian Space Agency (CSA) and central agencies.

Monitoring of operations and resources 50%
Reporting and performance measurement 50%

Nature of recommendations

In November 2013, our audit showed that the Advanced Exploration Technology Development (AETD) Program has implemented best practices for operations planning and control of the resources used. The other main features were:

  • the admissibility criteria in the choice of contractors for the execution of contracts related to the Economic Action Plan (EAP) were properly applied and the selection processes were well documented;
  • the program identified and manages risks that could interfere with the achievement of expected results;
  • financial transactions were entered into the accounts in accordance with the laws, regulations and guidelines in force; and
  • all the program activities were subject to accountability.

However, we identified some deficiencies which led us to formulate the following two recommendations:

  • Review the procedure relating to the monitoring and approval of expenditures for interdepartmental payments;
  • Adjust the performance measurement (PM) strategy based on future activities and implement it.

Implementation status

Management followed up on one of the two recommendations made in the audit report. In fact, the Finance Directorate instituted a centralized monthly procedure relative to the monitoring and approval of interdepartmental payments.

With regard to the second action, the PM Strategy was completed and approved by March 31, 2015. Tools used to collect and analyze data were also developed. Implementation of this action will be completed in 2015-2016, when Phase III of the action plan is carried out, that is, when data are collected in accordance with the PM Strategy.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 1

Audit project: 13/14 01-03

Project Management Framework (2014)

Audit project objective

The audit objective was to determine whether the project management framework and practices enable the Canadian Space Agency (CSA) to comply with the requirements of the Project Management Policy (2009) of the Treasury Board of Canada (TB).

Management framework 33%
Process and mechanism of project management 67%

Nature of recommendations

In March 2014, our audit demonstrated that the CSA had adopted a new Project Management Policy (PMP), developed a new governance structure and reviewed project management practices.

However, three recommendations were made to overcome identified gaps. These recommendations involved amending the CSA's PMP; developing, communicating and implementing management tools and directives tailored to the complexity and risks of projects; and developing a formal monitoring mechanism for all projects.

Implementation status

Over the course of the year, management implemented two of the three recommendations. The CSA approved the Investment Governance and Monitoring Framework (IGMF) and accompanying instructions and the Costing Guide. These documents now give project managers all the tools they need to make informed decisions related to projects for which they are responsible. The implementation of the new IGMF also makes it possible to follow up on projects.

With regard to the last recommendation, that is, the update of the PMP, a new project definition and a description of the roles and responsibilities of various stakeholders based on the elements of the new IGMF are being developed. Management plans to complete the implementation of the action plan by December 2015.

Implementation status
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 2