Language selection

Search

Top of page

Management Action Plans Follow-up for Internal Audit - Annual Report as at March 31, 2014

Audit and Evaluation Directorate

May 2014

Table of Contents

Implementation Summary

This follow-up report on the implementation of management action plans concludes the internal audit process and outlines the measures taken by the various entities concerned in response to our findings and recommendations. As part of the follow-up process in effect, management action plans are to be reviewed annually until they are fully implemented, and the extent of implementation is to be assessed and reported to the Departmental Audit Committee (DAC).

This annual report contains the follow-up findings, as at March 31, 2014, for 13 audit projects, for which reports and management action plans have been submitted to and approved by the DAC. The following charts provide an overview of the implementation status of the management action plan elements.

Overview of the implementation status of the management action plan elements
To be done In progress ≤ 50% In progress > 50% Completed
Project Management Processes and Practices (October 2007) 0 0 2 26
Business Continuity Planning (June 2009) 0 0 1 8
ITAR (November 2011) 0 0 1 4
IT Dependence (March 2010) 1 2 1 11
IT Planning and Development Risks (March 2010) 0 0 1 7
Systems and Data Security (March 2010) 0 1 0 7
Official Languages (February 2011) 0 0 0 8
Management of Testing Facilities (November 2010) 0 0 1 2
Major Investment Business Cases (February 2012) 0 0 1 5
ISS Assembly and Maintenance Operations Program Management Framework (September 2012) 0 0 1 3
Class Grant and Contribution Program (May 2013) 0 2 0 1
Process of Preparing Annual Financial Statements and Quarterly Financial Reports (March 2013) 0 0 0 4
The AETD Program Management Framework (November 2013) 0 0 1 1
Overview of the implementation status of the management action plan elements
To be done (1 action plan for the management) In progress ≤ 50% (5 actions plan for the management) In progress > 50% (10 actions plan for the management) Completed (87 actions plan for the management)
Management action plan elements 1 5 10 87

The following pages provide detailed descriptions of the progress made with the action plans for each audit project.

Audit project: 06/07 01-03

Project Management Processes and Practices

Audit project objective

The objective of this audit project was to assess the extent to which the Canadian Space Agency's (CSA's) project management processes and practices (Phases 0 to E, inclusive) enable it to make informed decisions as to the choice of projects/initiatives to be financed; to follow up appropriately; to implement approved initiatives in line with the principles of effectiveness, efficiency and economy; to attain the planned results as set out in the main planning documents; to comply with all relevant policies, regulations and guidelines issued by the CSA and the central agencies; and to report on resource use.

Nature of recommendations

We reported in October 2007 that, although the CSA had developed good project and risk management frameworks, it did not make proper use of them in its day-to-day management. We also observed that cost/benefit performance issues, missed deadlines and cost overruns were endemic in the projects conducted by the Agency. Our findings concerned the decision-making process, the obtaining of financial approval, information integrity, the Project Approval and Management Framework (PAMF), project planning, changes in project scope, cost estimates, technology maturity, project follow-up, risk management and performance assessment.

Nature of recommendations
Desision-making process Financial authorization Information integrity PAMF Project costs
7% 7% 7% 7% 72%

Implementation status

The following items have been implemented since October 2007: creation of a working group and development of a plan that includes priority work; implementation of a directive for the production of business cases; development of a new governance structure; elaboration of factors to be considered in the selection of investments; updating of the organizational risk profile; and finally, development of procedures for the integrated management of risk.

During this year, a position of Executive Director, Integrated Programs and Planning was created, a new Project Management Framework was developed and approved, and an update of the investment plan was completed. The approval of the CSA's investment plan and the overhaul of its governance structure will be finalized by December 2014.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 2
Completed 26

Audit project: 08/09 01-02

Business Continuity Planning

Audit project objective

The objective of this audit was to evaluate the compliance of the Business Continuity Planning Program (BCPP), the purpose of which is to maintain essential operations in the event of a disaster at the CSA.

Nature of recommendations

In January 2009, we reported that, overall, management had set up a governance framework and implemented plans in keeping with Treasury Board Secretariat policies and standards.

However, a number of recommendations were made to improve the effectiveness and efficiency of business continuity planning in the event of a disaster at the CSA.

We recommended that the corporate policy be finalized, that replacements for the corporate coordination cell be designated, that training sessions be organized, and that business continuity plans related to essential services be finalized.

Nature of recommendations
Effectiveness and efficiency Compliance Planning / training
22% 45% 33%

Implementation status

Despite the complexity of the business continuity plan for the whole of the CSA, management has nevertheless progressively followed up on eight of the nine recommendations made in the audit report. In particular, a corporate policy on the BCPP was finalized, corporate coordination cell substitutes were designated, training sessions were conducted, and business continuity plans (BCPs) were developed by each branch. The BCPs were approved by the CSA's Executive Committee (EC) on July 2, 2013.

Management plans to complete the last element of the action plan over the next year. This involves the development of a maintenance cycle that includes the updating and regular validation of all BCPs.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 8

Audit project: 09/10 01-03

Information Technology Dependence

Audit project objective

The audit objective was to evaluate the adequacy and effectiveness of mechanisms in place to control processes and procedures designed to reduce the risk of dependence on information technology (IT) in the CSA's Information Management and Information Technology (IM/IT) sector.

Nature of recommendations

In March 2010, we identified a number of good practices relating to IT dependence in the IM/IT sector. We also noted that the CSA attached great importance to the IM/IT strategic planning process.

However, some recommendations were made to reduce the risk of IT dependence. Those recommendations involved data backup and recovery, human resources, computer applications, and IT architecture.

Nature of recommendations
Succession planning Asset management Business continuity management Storage and media management
27% 33% 13% 27%

Implementation status

Recommendations having to do with the following aspects were fully implemented in previous years:

With regard to the hiring of a systems architect, this project was put aside due to budgetary restrictions, and management opted instead for the establishment of a Projects and Standards Architecture Committee, which deals with issues related to systems architecture. On the other hand, with respect to positions that were vacant at the time of the audit, over the years, actions were taken to fill certain positions, and in other cases, the staffing was no longer required due to changes in plans or priorities.

With regard to the implementation of actions relating to the finalization of the critical resources replacement plan and the staffing of a storage management position, management said that they are no longer relevant to the CSA's IM/IT, since the creation and restructuring of the Shared Services Canada (SSC) sciences portfolio. The last four items outstanding are the responsibility of SSC. Some deadlines were pushed back. The most important report is the one concerning the completion of the documentation on the CSA's information technology succession plan. This due date has been deferred from March 2014 to October 2015. According to management, SSC is proceeding with the consolidation of data centres, which has an impact on the CSA's information technology succession plan.

Implementation status
Management action plan elements
To be done 1
In progress ≤ 50% 2
In progress > 50% 1
Completed 11

Audit project: 09/10 01-04

Information Technology Planning and Development Risks

Audit project objective

The objective of the audit was to evaluate the extent to which information technology (IT) planning and development processes and procedures ensure that IT aligns with user needs.

Nature of recommendations

In March 2010, we identified a number of good practices with regard to IT planning and development. We noted that the Agency attached great importance to the Information Management and Information Technology (IM/IT) strategic planning process.

However, some recommendations were made to help mitigate risks in IT planning and development. The recommendations concerned change management and releases.

Nature of recommendations
Operating systems Network equipment Applications Database management systems
30% 5% 35% 30%

Implementation status

During the year, management modified its management-of-change process to include a post-implementation review of significant changes. On the other hand, action concerning the documentation of cases where changes are authorized in advance is still being implemented. Management has thus completed seven of the eight recommendations contained in the audit report. In the course of previous years, the following actions were implemented:

Management plans to complete the last element of the action plan that is still pending by March 2015.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 7

Audit project: 09/10 01-05

Systems and Data Security

Audit project objective

The audit objective was to evaluate the extent to which processes and procedures for the security of data and systems under the responsibility of Information Management and Information Technology (IM/IT) provided adequate protection of the CSA's data and systems.

Nature of recommendations

In March 2010, we observed a number of good practices relating to the security of the data and systems for which IM/IT is responsible.

However, some recommendations were made to help mitigate risks related to the security of data and systems. Those recommendations involved the documentation of standards and processes, patches, system journals, application privileges and access, databases and labs.

Nature of recommendations
Network perimeter security Patch management Access request management Security of applications, databases and operating systems
22% 11% 22% 45%

Implementation status

Management completed seven of the eight recommendations contained in the audit report. In fact, in the course of previous years, management:

The last action concerns the documentation of an accreditation and certification process. In order for management to complete its part of the action, Shared Services Canada (SSC) must complete its own which, in the opinion of management, is well advanced. The deadline planned for all of these items is March 2015.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 1
In progress > 50% 0
Completed 7

Audit project: 09/10 01-06

Official Languages

Audit project objective

The audit project objectives were to determine the degree to which CSA practices with respect to official languages comply with the Official Languages Act (OLA) and the official languages policies and directives of the Treasury Board (TB), and to assess the management framework for the CSA's Official Languages Program (OLP).

Nature of recommendations

In February 2011, we noted that, overall, the CSA was complying with the OLA and TB official language policies and directives, and that the existing OLP management framework was adequate. However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

The recommendations concerned the following: active offer of service in both official languages, procedures for handling complaints, employees' rights and obligations, emails, the Livelink interface and the order of presentation of names of directories, the drafting of documents, meetings, scientific training, dissemination of action plans, and DFL employee satisfaction.

Nature of recommendations
Management framework Management pratices
25% 75%

Implementation status

During the year, management completed the last item in its action plan. In fact, a bilingual Livelink interface is now functional, and the Livelink directory names have been renamed and reordered accordingly. In addition to following the recommendations concerning complaints, the rights and obligations of employees and communication of the action plan, management implemented the following actions over the course of previous years:

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 8

Audit project: 09/10 01-07

Management of Testing Facilities

Audit project objective

The audit project objective was to assess whether test facility planning and management processes make it possible to effectively and efficiently fulfil internal and external clients' requirements, and so attain the program's expected objectives and outcomes (David Florida Laboratory).

Nature of recommendations

In November 2010, we found that the David Florida Laboratory (DFL) had adopted procedures for managing the quality of its services, and that it had a human resources succession plan.

The recommendations focus on improving performance indicators and targets and ensuring the sustainability of activities, particularly DFL management practices.

It was recommended that management:

Nature of recommendations
Management practices Indicators and performance targets Sustainability of activities
60% 20% 20%

Implementation status

The actions relative to the documentation of the planning process between the DFL and users as well as the documentation of its overall strategy for the use of the facilities and the development of the related implementation plan were completed by management.

The recommendation concerning the review of output and performance indicators is almost completed. During the year, management developed new performance measurements and a draft of a performance measurement (PM) strategy. On March 31, 2014, this PM strategy had been reviewed by the Executive Director, Integrated Programs and Planning (IPP) and was at the approval stage with the Audit and Evaluation Directorate (AED). The PM strategy was subsequently approved by the AED on April 16 and by the responsible DG on May 1, 2014. These latest developments will be taken into account in the next round of monitoring of the action plans.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 2

Audit project: 10/11 01-01

Major Investment Business Cases

Audit project objective

The objective of the audit was to determine whether, during the transition period from April 1, 2007, to the time of the audit, the Canadian Space Agency (CSA) produced business cases with the thoroughness required to comply with the requirements set out in the Treasury Board (TB) Policy on Investment Planning – Assets and Acquired Services, which became mandatory on April 1, 2012.

Nature of recommendations

In February 2012, our audit revealed that the CSA was on track, having complied with a number of the requirements of the TB Policy on Policy on Investment Planning – Assets and Acquired Services, which became mandatory on April 1, 2012.

However, some recommendations were made with a view to increasing compliance and improving the existing management framework.

Nature of recommendations
Procedures Management pratices
17% 83%

Implementation status

Over the year, management fully implemented five of the six recommendations in the audit report and took a number of steps in response to those recommendations. In fact, management has:

The development of the CSA's Guide to Costing (GTC) was recently completed by the Finance Directorate. Consultations on it will be held at the beginning of 2014-2015. The final recommendation will be completed when the GTC is approved and used.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 5

Audit project: 11/12 01-02

International Space Station Assembly and Maintenance Operations Program Management Framework (1.2.1.1)

Audit project objective

The objective of this audit project was to determine whether the management framework in place enables the program to achieve its objectives and to comply with relevant policies, regulations and guidelines issued by the CSA and the central agencies.

Nature of recommendations

Our audit in September 2012 demonstrated that the International Space Station (ISS) Assembly and Maintenance Operations Program has put in place good practices regarding operational planning, adequate financial resource planning procedures, and effective procedures and controls for the management of operations.

Nevertheless, we did note some opportunities for improvement with respect to the compiling of documents and information related to the anticipated one-time costs associated with the extension of Canada's participation in ISS activities up until 2020, and to the documenting of the risk analysis process. We also recommended that explanations be provided for the indicator used in the Performance Measurement Framework (PMF) and that the Performance Measurement (PM) Strategy be completed and implemented.

Nature of recommendations
Management framework
100%

Implementation status

Management followed up on three of the four recommendations set out in the audit report. In response to those recommendations, the following actions were taken:

On March 31, 2014, the development of the PM Strategy was finalized and it was at the consultation stage with the IPP Branch and the AED. Comments should be provided in May 2014. This action should be 100% completed in the coming months.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 3

Audit project: 12/13 01-01

The Canadian Space Agency Class Grant and Contribution Program to Support Research, Awareness and Learning in Space Science and Technology

Audit project objective

The audit objectives were to determine whether a management framework was in place to ensure that the CSA's Class Grant and Contribution (G&C) Program in support of research, awareness and education in science and technology was managed in accordance with the relevant laws and policies as well as with the approved program terms and conditions, and that it was subject to accountability.

Nature of recommendations

In May 2013, our audit showed that the Centre of Expertise for the management of the CSA's G&C Program had established a control framework and best practices for the management of agreements.

On the other hand, we found some deficiencies at the level of documentation and the application of controls on certain grant and contribution files and with the inclusion in the funding agreements of all the appropriate clauses and information required in accordance with the directive on transfer payments. In addition, we would recommend that the internal directive on the audit of recipients be completed and that an audit plan be developed and implemented.

Nature of recommendations
In accordance with the terms and conditions of the Program In accordance with relevant legislation and policies
25% 75%

Implementation status

A process for the drafting and approval of funding agreements had already been implemented by management before the end of the audit project. The promotion of this new process with the Branches was subsequently carried out by the Centre of Expertise for the management of G&Cs. In addition, all the drafts of funding agreements greater than $25,000 were reviewed by the Centre of Expertise in order to ensure that they are complete and comply with the applicable policies and guidelines. One of the three actions has therefore been completed.

The two outstanding actions concern the documentation and application of controls for the management of files, and the internal directive on the audit of beneficiaries. Management plans to complete these actions by December 2014.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 2
In progress > 50% 0
Completed 1

Audit project: 12/13 01-03

The Process of Preparing the Canadian Space Agency's Annual Financial Statements and Quarterly Financial Reports

Audit project objective

The audit objective was to determine whether the design and operational effectiveness of the internal controls over the preparation process for the annual financial statements and quarterly financial reports were adequate.

Nature of recommendations

In March 2013, our audit showed that, in general, the CSA's internal control practices were consistent with those found in the market.

However, we made four recommendations:

Nature of recommendations
Adequate design of internal controls Adequate internal controls
40% 60%

Implementation status

Management followed up on the four recommendations made in the audit report. The following actions were implemented in response to those recommendations:

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 0
Completed 4

Audit project: 12/13 01-06

The AETD Program Management Framework (1.2.2.3)

Audit project objective

The audit objective was to determine whether the existing management framework enabled the program to attain its objectives and comply with the relevant policies, regulations and guidelines issued by the Canadian Space Agency (CSA) and central agencies.

Nature of recommendations

In November 2013, our audit showed that the Advanced Exploration Technology Development (AETD) Program has implemented best practices for operations planning and control of the resources used. The other main features were:

However, we identified some deficiencies which led us to formulate the following two recommendations:

Nature of recommendations
Monitoring of operations and resources Reporting and performance measurement
50% 50%

Implementation status

Management followed up on one of the two recommendations made in the audit report. In fact, the Finance Directorate instituted a centralized monthly procedure relative to the monitoring and approval of interdepartmental payments.

On March 31, 2014, the development of the PM strategy was finalized and it was at the consultation stage with the IPP Branch and the AED. Comments should be provided in May 2014. This action should be 100% completed in the coming months.

Implementation status
Management action plan elements
To be done 0
In progress ≤ 50% 0
In progress > 50% 1
Completed 1
Date modified: