Follow-up Audit of Information Technology Asset Management

January 2013


Executive summary

The follow-up audit of recommendations from the 2009 Audit of Information Technology (IT) Asset Management was carried out as part of the Public Health Agency of Canada's (the Agency's) Risk-Based Audit Plan for 2012-13. The objective of the follow-up audit was to determine whether the implementation of the management action plan had been effective in addressing the recommendations made in the Audit of IT Asset Management tabled in June 2009.

An assessment of the actions taken by management was performed to address the recommendations outlined in the 2009 audit report. The follow-up audit was conducted from May to November 2012.

The main objectives of the 2009 Audit of IT Asset Management were:

  • to assess the appropriateness of planning, policies, processes and internal controls designed to ensure that:
    • the investment in IT assets supports the achievement of the Agency's strategic objectives; and
    • IT assets are managed with due regard to economy and efficiency. In this regard, the audit focused primarily on standardization, purchasing (including assessing prioritization processes and policies designed to keep systems current) and disposal of IT assets.
  • to assess the appropriateness of accounting procedures and internal controls used to record the costs of IT assets, and to facilitate the reliable reporting of IT assets in the Agency's financial statements.

As part of the business transformation agenda resulting from the federal Budget 2012, the Agency and Health Canada's information management and information technology directorates have consolidated the delivery of their services by creating a single shared services partnership.

The follow-up audit concludes that the implementation of the management action plan could have been more effective in addressing the recommendations made in the 2009 Audit of IT Asset Management. Seven of the fourteen recommendations (50%) have been substantially or fully implemented. Of the remaining seven recommendations, one became obsolete and the others have an associated action that is past the implementation target date.

Improvements have been noted in the development of the Asset Management Policy including the monitoring of its compliance and the reconciliation, sanitization and back-up process of surplus assets.

Further progress is required to address the following issues identified in the audit:

  • Complete an IT asset management framework and suite of procedures and directives;
  • reengineer all processes across the Agency to manage all IT assets;
  • complete IT asset replacement strategies;
  • develop and implement a comprehensive strategy to manage and control the hardware and software inventories; and
  • implement a tracking system for IT assets lent to staff.

A. Introduction

1. Background

As part of the Public Health Agency of Canada's (the Agency's) Risk-Based Audit Plan for 2012-13, the Portfolio Audit and Accountability Bureau undertook the follow-up audit of the management action plan commitments as outlined in the 2009 Audit of Information Technology (IT) Asset Management.

The 2009 audit concluded that the Agency's IT assets are not well managed or controlled. In order to rectify this situation, the Agency needed to assign responsibility for the management and control of IT assets to the Chief Information Officer (CIO), who may delegate certain processes to operational areas, as appropriate. Further, the CIO, the Director of Assets and Materiel Management Division (AMMD) and the Chief Financial Officer needed to develop and implement an appropriate management and control framework for IT assets within a reasonable period of time.

As part of the business transformation agenda resulting from the federal Budget 2012, the Agency and Health Canada's information management and information technology directorates have consolidated the delivery of their services by creating a single shared services partnership.

2. Audit objective

The objective of the follow-up audit was to determine whether the implementation of the management action plan had been effective in addressing the recommendations made in the Audit of IT Asset Management tabled in June 2009.

3. Audit scope

The follow-up audit focused on the management action plan commitments contained in the 2009 Audit of IT Asset Management. The follow-up was conducted from May to November 2012.

4. Audit approach

For each recommendation, the progress achieved against action plan commitments was assessed. The follow-up methodology included interviews and the analysis of supporting documentation.

5. Statement of assurance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the follow-up audit conclusion. The follow-up audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing.

B. Findings, recommendations and management responses

1. Follow-up on the 2009 audit recommendations

1.1. Progress made on 2009 audit recommendations

Audit criterion: Management’s actions have been effective in addressing the recommendations identified in the audit tabled in 2009.

Recommendation implementation progress

| Implementation rating level | Number of recommendations | Percentage |
|---|---|---|
| No progress - insignificant progress | 0 | 0% |
| Planning stage | 0 | 0% |
| Preparation for implementation | 6 | 43% |
| Substantial implementation | 2 | 14% |
| Full implementation | 5 | 36% |
| Obsolete | 1 | 7% |
| Total | 14 | |

Please refer to Appendix A for the assessment rating guide and to Appendix B for the detailed assessments.

The follow-up audit concludes that the implementation of the management action plan could have been more effective in addressing the recommendations made in the 2009 Audit of IT Asset Management. Seven of the fourteen recommendations (50%) have been substantially or fully implemented. Of the remaining seven recommendations, one became obsolete and the others have an associated action that is past the implementation target date.

Improvements have been noted in the development of the Asset Management Policy including the monitoring of its compliance and the reconciliation, sanitization and back-up process of surplus assets.

Further progress is required to address the following issues identified in the audit:

  • Complete an IT asset management framework and suite of procedures and directives;
  • reengineer all processes across the Agency to manage all IT assets;
  • complete IT asset replacement strategies;
  • develop and implement a comprehensive strategy to manage and control the hardware and software inventories; and
  • implement a tracking system for IT assets lent to staff.

Scorecard

The table below summarizes the status of each audit recommendation.

Rating levels: Full implementation (FI); Substantial implementation (SI); Preparation for implementation (PI); Planning stage; No progress; Obsolete (O).

| Recommendations | Rating | Conclusion | Target Date |
|---|---|---|---|
| 1 - Affirm the authority and responsibility of the Chief Information Officer (CIO) to manage and control information technology (IT) assets | FI | Completed. | |
| 2 - Develop and implement an appropriate IT asset management framework | PI | Review and approval required. | March 2013 |
| 3 - Ensure that appropriate financial and human resources are provided to the CIO to support the success of the IT asset management strategy | FI | Completed. | |
| 4 - Develop, seek approval for and communicate an appropriate suite of IT asset management policies, practices, procedures and processes | PI | Harmonization, approval and dissemination required. | June 2013 |
| 5 - Reengineer all processes across the Agency to manage all IT assets | PI | Harmonization, approval and dissemination required. | September 2013 |
| 6 - Develop a recommended IT asset replacement policy | PI | Harmonization, approval and dissemination of evergreen strategies required. | June 2013 |
| 7 - Explicitly document the rationale for Executive Committee decision to implement or modify the recommended replacement policy | O | Discussion and approval will be coordinated through Partnership Executive Committee. | |
| 8 - Develop and implement a comprehensive strategy to manage and control the hardware and software inventories for all Agency IT assets | PI | Harmonization, approval and dissemination required. | March 2013 |
| 9 - Surplus IT assets should be sent to information management/IT to ensure that the data is backed-up and sanitized | SI | Approval of the implementation plan for the Disposal of Electronic and Electrical Equipment Waste required. | April 2013 |
| 10 - IT assets sent to surplus should be identified as surplus in the inventory database | FI | Completed. | |
| 11 - Implement tracking systems for IT assets lent to staff | PI | Harmonization, approval and dissemination required. | June 2013 |
| 12 - Complete, seek approval for and communicate the Asset Management Policy | FI | Completed. | |
| 13 - Monitor compliance with the policy by conducting regular reviews and annual physical asset inventory count. | SI | Formal preparation of semi-annual inventory report to monitor compliance with Policy required. | April 2013 |
| 14 - Perform a review of the IT expenses for the last financial year in order to identify unrecorded IT capital assets | FI | Completed. | |

Appendix A - Lines of enquiry and audit criteria

Follow-up Audit of Information and Records Management

Line of Enquiry 1: Progress made on the 2009 Audit Recommendations

| Criteria Title | Audit Criteria |
|---|---|
| 1.1 Progress made on 2009 recommendations | Management's actions have been effective in addressing the recommendations identified in the audit tabled in 2009. |

1. No progress or insignificant progress
No action taken by management or insignificant progress. Actions such as striking a new committee, having meetings and generating informal plans are insignificant progress.

2. Planning stage
Formal plans for organizational changes have been created and approved by the appropriate level of management (at a sufficiently senior level, usually at the Executive Committee level or equivalent) with appropriate resources and a reasonable timetable.

3. Preparation for implementation
The entity has begun necessary preparation for implementation, such as hiring or training staff, or developing or acquiring the necessary resources to implement the recommendation.

4. Substantial implementation
Structures and processes are in place and integrated in some parts of the organization, and some achieved results have been identified. The entity has a short-term plan and timetable for full implementation.

5. Full implementation
Structures and processes are operating as intended and are implemented fully in all intended areas of the organization.

6. Obsolete
Audit recommendations that are deemed to be obsolete or have been superseded by another recommendation.

Appendix B – Assessment of recommendation implementation

Recommendation 1
The Agency’s Executive Committee should affirm the authority and responsibility of the Chief Information Officer to manage and control information technology assets. This authority should be effectively communicated throughout the Agency.
Overall Assessment Full implementation
Planned Actions Target Date Progress to date Status of action item

A1. The Executive Committee (EC) will affirm the authority and responsibility of the Chief Information Officer (CIO) to manage and control Public Health Agency of Canada (Agency)-wide information technology (IT) assets. 

July 2009

As a result of the Budget 2012 decisions, the framework agreement between Health Canada and the Agency regarding the shared services partnership establishes a joint CIO for both organisations. The CIO has the authority to manage and control IT assets.

Full implementation

Recommendation 2
The Chief Information Officer should, in cooperation with the Chief Financial Officer, develop and implement an appropriate information technology asset management framework. The framework should be consistent with Treasury Board policy and good industry practices.
Overall Assessment Preparation for implementation
Planned Actions Target Date Progress to date Status of action item

A1. An IT asset management framework will be developed and presented to information management/information technology (IM/IT) Management Committee (MC) for endorsement/approval. Based on recommendation from 1, roles and responsibilities will be adjusted accordingly.

Draft by April 2010

As part of the newly established shared services partnership, the Asset Management Policy Framework already in place at Health Canada will be adapted and extended to manage Agency assets.

This recommendation will remain outstanding until such time as the Asset Management Policy Framework has been reviewed, updated and presented for approval to the Partnership Executive Committee (PEC).


Revised date: March 2013

Preparation for implementation

Recommendation 3
The Agency’s Executive Committee should ensure that appropriate financial and human resources are provided to the Chief Information Officer to support the success of its information technology asset management strategy and to support the ongoing operational information technology asset life cycle activities.
Overall Assessment Full implementation
Planned Actions Target Date Progress to date Status of action item

A1. The EC, based on Agency priorities and available resources, will provide the financial and human resources to the CIO to support the success of its IT asset management strategy and the ongoing operational IT asset life cycle activities.

Sept. 2009

In July 2010, IM/IT presented fourteen business cases to the Resource Planning and Management Committee (RPMC) for approval. One of those fourteen business cases was to request funding for the implementation of an IT asset management solution, including business practices, processes and toolset to enable the Agency to track and manage the IT asset life cycle.

Seven of the fourteen business cases, based on priorities and available resources, were approved. The business case related to IT asset management was not approved.

Full implementation

Recommendation 4
The Chief Information Officer should develop, seek approval for and communicate an appropriate suite of information technology asset management policies, practices, procedures and processes in compliance with the Agency’s Asset Management Policy which is under development.
Overall Assessment Preparation for implementation
Planned Actions Target Date Progress to date Status of action item

A1. IM/IT is in the process of developing and documenting a suite of IT asset management protocols, processes and procedures for IT asset management and will store these documents.

Dec. 2009

IM/IT has developed a suite of IT asset management procedures and directives such as:

  • a draft directive on the procurement and management of IT hardware;
  • a draft directive on the procurement and management of software;
  • a draft directive on the allocation and tracking of remote IT hardware;
  • a draft procedure for the surplus of Agency computer components for regions and the National Capital Region; and
  • a draft procedure for non-standard software requests and assessments.

As part of the newly established shared services partnership, the IT Asset Management User Guide developed by Health Canada which includes policies, practices and procedures will be reviewed, updated and implemented.

This recommendation will remain outstanding until such time as the IT Asset Management User Guide has been reviewed and updated.

Revised date: June 2013

Preparation for implementation

A2. The Office of the Chief Information Officer (OCIO) will seek endorsement of Agency-wide IT asset management processes, procedures and protocols.

Feb. 2011

The updated IT Asset Management User Guide will be presented to PEC for endorsement.

Revised date: June 2013

No progress or insignificant progress

A3. Upon endorsement, the OCIO will communicate appropriate new practices to offices of primary interest (OPIs) identified in the Agency’s IT asset management framework.

Starting May 2010

Upon endorsement, the updated IT Asset Management User Guide will be communicated to OPIs.

Revised date: June 2013

No progress or insignificant progress

Recommendation 5
The Chief Information Officer should reengineer all processes across the Agency to manage all information technology assets.
Overall Assessment Preparation for implementation
Planned Actions Target Date Progress to date Status of action item

A1. IM/IT will standardize asset management procedures understanding the unique requirements of the centralized warehousing infrastructure established in Winnipeg for the National Microbiology Laboratory and the decentralized infrastructure used in the National Capital Region and regional locations.

Feb. 2010

As indicated in recommendation 4, as part of the newly established shared services partnership, the IT Asset Management User Guide developed by Health Canada which includes policies, practices and procedures will be reviewed, updated and implemented.  

Revised date: September 2013

Preparation for implementation

A2. Procedures will be established to manage and track priority IT assets as defined below, while the OPIs identified in the Agency’s IT asset management framework will be responsible for non-priority IT assets.

Definition of priority IT assets:

  • Network connected servers;
  • network connected routers;
  • network connected switches;
  • Blackberrys;
  • network connected desktops;
  • network connected laptops;
  • desktop/laptop software;
  • server software;
  • hardware and software maintenance contracts; and
  • network connected printers

Items not included as priority IT assets include:

  • Remote site workstations;
  • work-at-home PCs;
  • “unmanaged” software;
  • desktop peripherals (keyboards, mice etc.);
  • local printers; and
  • other attractive assets.

The implementation of standardized procedures will be dependent upon endorsement of an IT asset management framework and the required operational funding to sustain centralized management and tracking.

May 2010

Procedures to manage and track priority IT assets are included within the IT Asset Management User Guide that will be reviewed, updated and implemented.

Revised date: September 2013

Preparation for implementation

Recommendation 6
The Chief Information Officer should develop a recommended information technology asset replacement policy that meets the strategic needs of the Agency in an economical and effective manner. An estimate of required funding to implement the policy should accompany the recommendation to the Resource Planning Management Committee.
Overall Assessment Preparation for implementation
Planned Actions Target Date Progress to date Status of action item

A1. The IM/IT Directorate will develop two separate ever-greening strategies to accommodate acquisition and replacement of: (a) attractive assets; and (b) capital assets. The ever-greening strategies will be presented to IM/IT MC for endorsement and RPMC for approval and funding consideration.

Nov. 2009

Health Canada has ongoing ever-greening strategies for desktops (we were advised that all other IT infrastructure has been appropriated to Shared Services Canada (SSC)) which dovetail into greening of Government activities with Real Property and Security Directorate. These strategies will be extended and communicated to include the Agency. A harmonized Health Canada/Agency/SSC IT asset management plan framework is to be presented to PEC in January/February 2013.

Revised date: June 2013

Preparation for implementation

Recommendation 7
The Agency's Executive Committee should explicitly document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with the Agency's tolerance for operational and information technology risks.
Overall Assessment Obsolete
Planned Actions Target Date Progress to date Status of action item

A1. EC will document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with the Agency’s tolerance for operational and IT risks. 

Dec. 2009

Health Canada has ongoing ever-greening strategies for desktops (we were advised that all other IT infrastructure has been appropriated to SSC) which dovetail into greening of Government activities with Real Property and Security Directorate. These strategies will be extended and communicated to include the Agency. A harmonized Health Canada/Agency/SSC IT Asset Management Plan Framework is to be presented to PEC in January/February 2013.

Obsolete

Recommendation 8
The Chief Information Officer should develop and implement a comprehensive strategy to manage and control the hardware and software inventories for all Agency information technology assets.
Overall Assessment Preparation for implementation
Planned Actions Target Date Progress to date Status of action item

A1. IM/IT will implement a strategy to manage and control hardware and software inventories acquired, managed and/or controlled by IM/IT. These strategies will have the capability to be leveraged Agency-wide pending endorsement/approval of an Agency IT asset management framework and required resources and funding to carry out the work.

The comprehensive strategy will include SAP for financial management and tracking (acquisition, depreciation) of IT assets while a complementary system will be used for IT asset lifecycle management (acquisition, deployment, operation, replacement/disposal) of IT assets.

The asset lifecycle management system will manage and track priority IT assets (see paragraph 5 for definition of priority IT assets) while the combination of SAP and the OPIs will be used to manage non-priority IT assets.

May 2010

As part of the newly established shared services partnership, the IT Asset Management User Guide developed by Health Canada which includes a strategy to manage and control the hardware and software inventories for all information technology assets will be reviewed, updated and implemented.  

Revised date: March 2013

Preparation for implementation

Recommendation 9
All surplus information technology assets should be sent to information management/information technology to ensure that data is backed-up and sanitized prior to disposing of them to Crown assets or Health Canada.
Overall Assessment Substantial implementation
Planned Actions Target Date Progress to date Status of action item

1. A process will be documented and implemented to ensure that all surplus IT assets are sent to IM/IT so that data is backed-up and sanitized prior to transfer to Crown assets or Health Canada for disposition.

Aug. 2009

An IM/IT approval process for the disposal and/or write-off of IT assets to ensure proper sanitization and gathering of corporate memory has been incorporated as a policy requirement in the approved and communicated Agency “Asset Management Policy”.

The draft Implementation Plan for the Disposal of Electronic and Electrical Equipment Waste in the National Capital Region has been prepared. The document defines the process to be used by IM/IT to sanitize and back-up information prior to sending to surplus as well as the responsibility of cost centre advisors to identify surplus assets and report them to IM/IT.

The recommendation will remain outstanding until such time as the draft Implementation Plan for the Disposal of Electronic and Electrical Equipment Waste in the National Capital Region is approved.

Revised date: April 2013

Substantial implementation

Recommendation 10
Information technology assets that are sent to surplus should be identified as surplus in the inventory database.
Overall Assessment Full implementation
Planned Actions Target Date Progress to date Status of action item

A1. IM/IT will implement measures to reconcile surplused assets managed by/or routed through IM/IT. These assets will be tagged as surplus and recorded in an inventory database.

Sept. 2009

IT assets sent to surplus are identified as surplus in an Excel database maintained by IM/IT. Furthermore, measures to reconcile surplused assets have been included in the Agency’s Asset Management Policy. The Policy states that approval by IM/IT must be obtained prior to the disposal and/or write-off of any IM/IT assets.

Full implementation

Recommendation 11
The Chief Information Officer should implement tracking systems for information technology assets lent to staff.
Overall Assessment Preparation for implementation
Planned Actions Target Date Progress to date Status of action item

A1. A process, including a proposed system, will be developed to track IT assets lent to staff. The solution will be presented to IM/IT MC for endorsement and subsequent approval by RPMC.

A system to track these items will be dependent upon approval of an IT asset management framework and associated funding for system implementation, licensing and resources to support tracking and monitoring of these assets.

June 2009

As part of the newly established shared services partnership, the IT Asset Management User Guide developed by Health Canada which includes a process to track IT assets lent to staff will be reviewed, updated and implemented.  

Revised date: June 2013

Preparation for implementation

Recommendation 12
The Director, Assets and Materiel Management Division and the Chief Financial Officer should complete, seek approval for and communicate the Asset Management Policy to include detailed procedures and guidance to properly account for information technology capital assets. Policy, procedures and guidance should be consistent with Treasury Board relevant policies and standards on capital assets and software and generally accepted accounting principles.
Overall Assessment Full implementation
Planned Actions Target Date Progress to date Status of action item

A1. Obtain approval for Agency’s Asset Management Policy, which outlines requirements for identifying all capital assets valued over $10,000 and centralizes the creation of asset master records to the Agency’s Asset and Materiel Management Division (AMMD), from the Agency’s Public Health and Policy Committee.

May 2009

As part of the Policy, asset master records were centralized to the Agency’s AMMD. A communiqué was sent to all Agency staff in July 2009 advising them of the new requirement.

Full implementation

A2. Integrate capital asset requirements into procurement training.

July 2009

Capital asset requirements have been included as part of the AMMD procurement and contracting course material since the summer of 2009.

Full implementation

A3. Develop capital assets procedures/guidance document to complement the Agency’s Assets Management Policy.

Aug. 2009

The Capital Assets Accounting Standard has been developed to complement the Agency’s Asset Management Policy. The Standard was presented to the Agency’s Public Health and Policy Committee in February 2012. It was approved in March 2012.

Full implementation

A4. Launch of materiel management intranet site and formal implementation of policy and procedures.

Aug. 2009

In addition, the Agency material management intranet site was formally launched via a “Just the PHACs” newsletter in October 2009. The site contains the Asset Management Policy and related procedures.

Full implementation

Recommendation 13
The Director, Assets and Materiel Management Division should monitor compliance with the Policy by conducting regular reviews and annual physical asset inventory count.
Overall Assessment Substantial implementation
Planned Actions Target Date Progress to date Status of action item

A1. Complete the annual capital asset inventory verification for assets valued over $10,000.

Nov. 2009

A capital asset inventory verification for assets valued over $10,000 was completed in December 2010.

Full implementation

A2. Implement a semi-annual asset inventory report to cost centre managers (CCM).

July 2009

In order to monitor and ensure compliance with the Policy, AMMD was working with IM/IT on the implementation of a statistical analysis system business intelligence tool. We were informed that the project was suspended with the announcements of Shared Services Canada and health portfolio shared services. As an alternative, AMMD provided pre & post inventory reports to CCMs through information extracted from SAP and provided in the annual inventory exercises. A first report was provided to CCMs in 2010 to initiate the first capital asset inventory. The report was updated and returned to AMMD in January 2011. A second report was sent to CCMs between April and June 2011 and the inventory report presented in March 2012.

The implementation of semi-annual inventory reports to CCMs has been delayed pending the completion of the Agency’s capital asset inventory. Due to the identified data integrity issues in SAP related to inventory reports, AMMD determined that the semi-annual reports would provide little value to CCMs until data could be updated and validated. We were informed that the data has been cleaned with the result of the first capital asset inventory in January 2011. 

 Even though AMMD did not formally prepare a semi-annual inventory report, discussions on inventory issues with CCMs and groups with capital asset holdings are occurring.

As a result of the Agency business transformation agenda, the Agency and Health Canada AMMD groups have merged into a health portfolio shared services partnership. AMMD will have to re-evaluate their approach with respect to the monitoring of the policy.

Revised date: April 2013

Substantial implementation

Recommendation 14
The Chief Financial Officer should perform a review of the information technology expenses for the last financial year in order to identify unrecorded information technology capital assets.
Overall Assessment Full implementation
Planned Actions Target Date Progress to date Status of action item

A1. IT expenses from fiscal year (FY) 2008-09 exceeding $10,000 will be reviewed to identify potential unrecorded capital assets.

Oct. 2009

We note that IT assets expenses from FY 2008-09 exceeding $10,000 were not reviewed to identify potential unrecorded capital assets. However, since January 2011, AMMD has reviewed procurement documents as part of the contract review process to ensure that the assets being purchased are capitalized. In addition, AMMD performs a review of all purchases valued over $10,000 on a monthly basis in order to identify unrecorded IT capital assets.

Full implementation
