Management Action Plans Follow-up for Internal Audit - Annual Report as at March 31, 2016

Audit and Evaluation Directorate

June 2016

Implementation Summary

This follow-up report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by the various entities concerned in response to our findings and recommendations. As part of the follow-up process, management action plans are reviewed annually until they are fully implemented, and the extent of implementation is assessed and reported to the Departmental Audit Committee (DAC).

This annual report contains the follow-up findings, as at March 31, 2016, for 8 audit projects, for which reports and management action plans have been submitted to and approved by the DAC. The following charts provide an overview of the implementation status of the management action plan elements.

| Audit project | To do ≤ 10% | In progress 11%-50% | In progress > 50% | Completed 100% |
|---|---|---|---|---|
| Business Continuity Planning (June 2009) | 0 | 0 | 1 | 8 |
| IT Dependence (March 2010) | 0 | 2 | 1 | 12 |
| Systems and Data Security (March 2010) | 0 | 1 | 0 | 7 |
| Class Grant and Contribution Program (May 2013) | 0 | 1 | 0 | 2 |
| The AETD Program Management Framework (November 2013) | 0 | 0 | 1 | 1 |
| Project Management Framework (March 2014) | 0 | 0 | 1 | 2 |
| Governance process (June 2015) | 0 | 1 | 1 | 2 |
| Safety and mission assurance (June 2015) | 1 | 2 | 0 | 0 |
| Total management action plan elements | 1 | 7 | 5 | 34 |

The following pages provide detailed descriptions of the progress made with the action plans for each audit project.

Audit project: 08/09 01-02

Business Continuity Planning (2009)

Audit project objective

The purpose of the audit was to assess compliance of the Business Continuity Planning Program (BCPP) with the Government Security Policy and the Operational Security Standard of the Treasury Board Secretariat (TBS). The BCPP aims to maintain essential operations in the event of a disaster at the CSA.

| Effectiveness and efficiency | Compliance | Planning / training |
|---|---|---|
| 22% | 45% | 33% |

Nature of recommendations

In January 2009, we reported that, overall, management had set up a governance framework and implemented plans in keeping with Treasury Board Secretariat policies and standards.

However, a number of recommendations were made to improve the effectiveness and efficiency of business continuity planning at the CSA.

We recommended that the corporate policy be finalized, that replacements for the corporate coordination cell be designated, that training sessions be organized, and that business continuity plans related to essential services be finalized.

Implementation status

Despite the complexity of the business continuity plan for the whole of the CSA, management has nevertheless progressively followed up on eight of the nine recommendations made in the audit report. In particular, a corporate policy on the BCPP was finalized, corporate coordination cell substitutes were designated, training sessions were conducted, and business continuity plans (BCPs) were developed by each branch. The BCPs were approved by the CSA's Executive Committee (EC) on July 2, 2013.

Following a recent decision to group the BCPs of all the branches together, the setting up of a maintenance cycle that includes the regular updating and validation of all BCPs has been postponed to fiscal year 2017-2018.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 0
In progress > 50% 1
Completed 100% 8

Audit project: 09/10 01-03

Information Technology Dependence (2010)

Audit project objective

The audit objective was to evaluate the adequacy and effectiveness of mechanisms in place to control processes and procedures designed to reduce the risk of dependence on information technology (IT) in the CSA's Information Management and Information Technology (IM/IT) sector.

| Succession planning | Asset management | Business continuity management | Storage and media management |
|---|---|---|---|
| 27% | 33% | 13% | 27% |

Nature of recommendations

In March 2010, we identified a number of good practices relating to IT dependence in the IM/IT sector. We also noted that the CSA attached great importance to the IM/IT strategic planning process.

However, some recommendations were made to reduce the risk of IT dependence. Those recommendations involved data backup and recovery, human resources, computer applications, and IT architecture.

Implementation status

Recommendations having to do with the following aspects were fully implemented in previous years: follow-up on licence, access to backup systems, backup copies, logging of backup errors, employee training, replacement workers for network administration and support duties, the identification of obsolete applications and the migration of certain technological environments to supported and common platforms.

With regard to the hiring of a systems architect, this project was put aside and management opted instead for the establishment of a Projects and Standards Architecture Committee, which deals with issues related to systems architecture. On the other hand, with respect to positions that were vacant at the time of the audit, over the years, actions were taken to fill certain positions, and in other cases, the staffing was no longer required due to changes in plans or priorities.

The three recommendations still to be implemented are the joint responsibility of the CSA and Shared Services Canada (SSC). They pertain to documentation for the IT recovery plan, documentation for the continuity plan for servers supporting CSA activities, and the scheduling of readability tests. Implementation of these recommendations is under way and should be completed in September 2016.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 2
In progress > 50% 1
Completed 100% 12

Audit project: 09/10 01-05

Systems and Data Security (2010)

Audit project objective

The audit objective was to evaluate the extent to which processes and procedures for the security of data and systems under the responsibility of Information Management and Information Technology (IM/IT) provided adequate protection of the CSA's data and systems.

| Network perimeter security | Patch management | Access request management | Security of applications, databases and operating systems |
|---|---|---|---|
| 22% | 11% | 22% | 45% |

Nature of recommendations

In March 2010, we observed a number of good practices relating to the security of the data and systems for which IM/IT is responsible.

However, some recommendations were made to help mitigate risks related to the security of data and systems. Those recommendations involved the documentation of standards and processes, patches, system journals, application privileges and access, databases and labs.

Implementation status

Management completed seven of the eight recommendations contained in the audit report. In fact, in the course of previous years, management:

  • reviewed the lists of cardholders with access to the computer lab;
  • documented a procedure for periodically reviewing the cardholder list;
  • documented technology configuration standards;
  • set up maintenance contracts in order to install missing patches;
  • set up a system for accessing Oracle logs located on various servers from one central point;
  • introduced measures for the transition to Windows Vista;
  • where possible, developed in-house applications that used a temporary initial password; and
  • raised managers' awareness of the need to inform IM/IT of all staff movements, and the resulting impact on access rights.

The last action to be implemented concerns the documentation of an accreditation and certification process. The CSA and Shared Services Canada (SSC) have finished setting up a secret network. However, the official accreditation and certification procedure has not been documented in the past year. The deadline has been postponed to March 2017.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 1
In progress > 50% 0
Completed 100% 7

Audit project: 12/13 01-01

The Canadian Space Agency Class Grant and Contribution Program to Support Research, Awareness and Learning in Space Science and Technology (2013)

Audit project objective

The audit objectives were to determine whether a management framework was in place to ensure that the CSA's Class Grant and Contribution (G&C) Program in support of research, awareness and education in science and technology was managed in accordance with the relevant laws and policies as well as with the approved program terms and conditions, and that it was subject to accountability.

| In accordance with the terms and conditions of the Program | In accordance with relevant legislation and policies |
|---|---|
| 25% | 75% |

Nature of recommendations

In May 2013, our audit showed that the Centre of Expertise for the management of the CSA's G&C Program had established a control framework and best practices for the management of agreements.

On the other hand, we found some deficiencies at the level of documentation and the application of controls on certain grant and contribution files and with the inclusion in the funding agreements of all the appropriate clauses and information required in accordance with the directive on transfer payments. In addition, we recommended that an internal directive on the audit of recipients be drafted and that an audit plan be developed and implemented.

Implementation status

Management has implemented two of the three recommendations. In fact, a process for the drafting and approval of funding agreements had already been implemented by management before the end of the audit project. The promotion of this new process with the Branches was subsequently carried out by the Centre of Expertise for the management of G&Cs. In addition, all the drafts of funding agreements greater than $25,000 were reviewed by the Centre of Expertise in order to ensure that they are complete and comply with the applicable policies and guidelines. As well, the internal directive on the audit of recipients and the mitigation measures have been updated and the recipient audit plan has been drafted.

As for the last recommendation, i.e. the systematic use of existing control mechanisms for the documentation of projects, there are plans to have training given to employees involved in the management of G&Cs. Activities in that regard are currently being implemented. The deadline has been postponed to March 2017.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 1
In progress > 50% 0
Completed 100% 2

Audit project: 12/13 01-06

The AETD Program Management Framework (1.2.2.3) (2013)

Audit project objective

The audit objective was to determine whether the existing management framework enabled the program to attain its objectives and comply with the relevant policies, regulations and guidelines issued by the Canadian Space Agency (CSA) and central agencies.

| Monitoring of operations and resources | Reporting and performance measurement |
|---|---|
| 50% | 50% |

Nature of recommendations

In November 2013, our audit showed that the Advanced Exploration Technology Development (AETD) Program has implemented best practices for operations planning and control of the resources used. A number of best practices were identified.

However, we identified some deficiencies which led us to formulate the following two recommendations:

  • Review the procedure relating to the monitoring and approval of expenditures for interdepartmental payments;
  • Adjust the performance measurement (PM) strategy based on future activities and implement it.

Implementation status

The Finance Directorate has established a centralized monthly procedure for monitoring and approving interdepartmental payments. On March 31, 2015, the development of the PM Strategy was completed and approved. Tools for gathering and analyzing data have also been developed. Phase 3 of the implementation of this recommendation has begun. Data have been gathered to support the PM Strategy implementation. However, a database still has to be developed. The deadline has been postponed to December 2016.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 0
In progress > 50% 1
Completed 100% 1

Audit project: 13/14 01-03

Project Management Framework (2014)

Audit project objective

The audit objective was to determine whether the project management framework and practices enable the Canadian Space Agency (CSA) to comply with the requirements of the Project Management Policy (2009) of the Treasury Board of Canada (TB).

| Management framework | Process and mechanism of project management |
|---|---|
| 33% | 67% |

Nature of recommendations

In March 2014, our audit demonstrated that the CSA had adopted a new Project Management Policy (PMP), developed a new governance structure and reviewed project management practices.

However, three recommendations were made to overcome identified gaps. These recommendations involved amending the CSA's PMP; developing, communicating and implementing management tools and directives tailored to the complexity and risks of projects; and developing a formal monitoring mechanism for all projects.

Implementation status

Over the course of the year, management implemented two of the three recommendations. The CSA approved the Investment Governance and Monitoring Framework (IGMF) and the Costing Guide. These documents now enable project managers to have all the tools they need to make informed decisions related to projects for which they are responsible. The implementation of the new IGMF also makes it possible to follow up on projects.

With respect to the third recommendation, i.e. changes to the PMP, the CSA has drafted a directive on the IGMF, which will replace the PMP. This directive is expected to be approved in July 2016.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 0
In progress > 50% 1
Completed 100% 2

Audit project: 14/15 01-03

Governance (2015)

Audit project objective

The objective of this audit is to assess the appropriateness of the governance structures and processes in place for Canadian Space Agency (CSA) activities.

The audit was conducted to determine whether the current governance processes in place allow senior executives to manage and ensure control of CSA activities, gather relevant information, make informed decisions and be accountable for its results in such a way as to meet the expectations of the Minister of Industry, the interdepartmental community and other stakeholders.

| Strategic governance | Oversight of the CSA's activities and investments |
|---|---|
| 25% | 75% |

Nature of recommendations

The year 2014 was a turning point for the organization, when a large number of new structures and procedures were established. We highlight four noteworthy achievements of 2014: the adoption of Canada's Space Policy Framework, the adoption of a five-year investment plan, the adoption of a new investment governance and monitoring framework and the setting up of several new committees. The audit also demonstrated that the CSA has adequate governance structures and oversight processes in place to allow senior executives to manage and ensure control of CSA activities.

However, the audit also identified areas in need of improvement for which we have drawn up a number of recommendations:

  • Establish a long-term Canadian space strategy
  • Drafting of the final versions of the Integrated Investment Review Board (IIRB) and the Policy and Strategy Board (PSB) mandates
  • Support for the governance structures
  • Accountability reporting of investment activities

Implementation status

During the year, management implemented two of the four recommendations. In particular, the CSA Executive Committee completed its strategic thinking with respect to the optimization of support services for the new governance framework. Moreover, in order to facilitate reporting of investment activities, project monitoring templates have been developed for presentations to the IIRB.

As for the other two recommendations, the IIRB mandate was drafted and approved in October 2015 and the PSB mandate was drafted and is expected to be approved by the spring of 2016. Discussions relative to the Long-Term Space Strategy have begun.

Implementation status
To do ≤ 10% 0
In progress 11%-50% 1
In progress > 50% 1
Completed 100% 2

Audit project: 14/15 01-02

Management Framework for Safety and Mission Assurance (2015)

Audit project objective

The objective of the audit project was to determine whether the Canadian Space Agency (CSA) has a management framework in place that enables it to achieve its safety and mission assurance (S&MA) objectives.

| Policy and guidelines | Tools and process |
|---|---|
| 67% | 33% |

Nature of recommendations

In June 2015, our audit demonstrated that the S&MA function has a policy that is applied in a structured and consistent manner for major projects and that the quality and quality assurance requirements for these projects are clearly defined, and work plans developed and implemented.

However, the audit identified some shortcomings which led us to make the following three recommendations:

  • Update the CSA's Safety and Mission Assurance Policy in order to clarify the roles and responsibilities of stakeholders;
  • Develop clear guidelines for implementing the Policy;
  • Develop standard processes and tools for planning, carrying out and documenting S&MA activities.

Implementation status

Management decided to combine the roles and responsibilities as well as the guidelines relative to safety and mission assurance activities within the same document. The first two recommendations will therefore be implemented when the drafting of this document is completed. To date, consultations with various key stakeholders have been completed and the drafting of the guidelines has begun. The updating of the document combining the roles and responsibilities as well as the guidelines will be completed sometime next year. The development of standard processes and tools will be completed by September 2017.

Implementation status
To do ≤ 10% 1
In progress 11%-50% 2
In progress > 50% 0
Completed 100% 0