Audit of Information Management


Prepared by the Centre for Public Management Inc.

May 13, 2010

1.0 Executive Summary

Information management is an integral part of the Office of the Privacy Commissioner (OPC)'s day-to-day activities, with numerous tools and systems contributing to management decision making.

The objective of the audit was to identify the effectiveness of governance, risk management processes, and the management and operational controls that are in place to support OPC's management of information. The scope of the audit included all of the main activities relating to information management at OPC, including inquiries, investigations, audits, reviews, Privacy Impact Assessments (PIA) reviews, public outreach and communication activities, research, policy development, parliamentary affairs, and litigation activities.

The main findings and recommendations of the audit are organized under three major themes representing the criteria used during the fieldwork, which took place during July and August of 2009:

Performance Reports

The majority of performance reporting at OPC is provided by the monthly scorecard (services provided to the public), the quarterly report (internal metrics) and the Performance Measurement Framework (PMF—supporting the OPC's strategic outcome that privacy rights of individuals are protected).

Main findings

  • There was no documented, formal employee training on the use of the performance reporting tools. Supporting documentation for the scorecard does not describe practical information such as source systems, reputable external sources, and data collection requirements, processes and timelines. There is no Terms of Reference for the quarterly report. Also, Corporate Services does not have the source documents or mandate required to perform an effective quality review.

Recommendations

  • Management should continue the development of formal quarterly report Terms of Reference.
  • Branch Managers, working with Corporate Services, should develop branch-specific scorecard Terms of Reference or guidelines. These would outline various aspects including detailed scorecard processes, information requirement definitions, and accountabilities.
  • Management should develop and deliver formal employee training on OPC's relevant performance mechanisms and tools, such as the monthly scorecard and quarterly report.

Operational Requirements

The core activities of OPC are investigations and inquiries, which both rely on case files. Case files at OPC are a combination of electronic and traditional paper. In addition to these core activities, the OPC uses information to manage its affairs and communicate with stakeholders, and this information is predominately in electronic format.

Main findings

  • During the course of the audit the OPC was in the process of replacing its existing case management system, the Integrated Investigation Application (IIA), with the new Case Management System (CMS). Implementation of the CMS was completed after the completion of the audit fieldwork but prior to the issuance of this audit report, and as such the audit focused on project planning and requirements for the new system.
  • The audit noted that although risk assessments and post-implementation planning related to the conversion occurred, these processes were not formally documented.

Recommendations

  • Management should develop a formal, documented CMS Post-Implementation Strategy to support the system on an on-going basis.
  • For future IT projects, management should perform and document a formal risk assessment related to data conversion, with mitigation strategies, to minimize the risk of any data or reporting issues.
  • Given the importance of the CMS to the operations of OPC, management should perform a post-implementation review of the CMS to ensure that it meets its objectives, particularly in the area of management information for decision making, and that opportunities for improvement are identified.

Governance Structure, Mechanisms, and Resources

The IM/IT Division is responsible for IM governance as well as the IT systems which carry the electronic information through OPC. Governance of the information itself rests with the branches that create it. The IM/IT division published an IM/IT strategic plan in June 2009 to address these challenges and opportunities.

Main findings

  • OPC lacks a formal process for the integration/inter-linkage of sources and tracked research across branches which would support service delivery and job duties, and the Records, Document and Information Management System (RDIMS) is not enabling this process.
  • Spreadsheets are used extensively in the organization to support management decision making, but OPC has no guidelines in place addressing controls over these end user computing applications.
  • The IM/IT Strategic Plan and the implementation of CMS are major change initiatives. However, although change management activities have taken place, there is no formal, documented communications and change management plan in place to address the "human component" of these changes.

Recommendations

  • Management should continue with the Information Management Internal Service Improvement Strategy and integrate and/or consolidate existing IM and knowledge sharing tools through the re-engineering of business processes by OPC branches.
  • Management should develop, implement and monitor the application of guidelines regarding key end user computing applications used for management decision making which addresses testing, documentation, change control and back-ups.
  • Management should improve RDIMS Business Rules to take into account quality assurance to ensure the reliability, usefulness, authenticity and shareability of the information contained in RDIMS.
  • Management should develop a formal, documented IM/IT Communication and Change Management Plan to assist in the implementation of the initiatives identified in the IM/IT strategic plan.

Conclusion

Based on the results of the audit, we conclude that while significant progress has been made in implementing the governance, risk management processes and the management and operational controls that support OPC's management of information, there are improvements required to fully meet the audit criteria. The successful implementation of both the Case Management System (CMS) and the recommendations identified in this report along with the completion of other initiatives already underway by management will further strengthen information management at OPC.

Statement of Assurance

We have conducted this engagement in accordance with Government of Canada Internal Auditing Standards, using the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. The audit examined sufficient, relevant evidence and obtained sufficient information and explanations to provide reasonable assurance on the reported conclusion.

Signed: (Original signed by)

Centre for Public Management Inc.

Date: September 15th, 2009

2.0 Background

2.1 Introduction

Mandate of the Office of the Privacy Commissioner (OPC)

The OPC is responsible for overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private sector privacy law.

The Privacy Commissioner of Canada is an Agent of Parliament who reports directly to the House of Commons and the Senate. The Commissioner works independently from any other part of the government to investigate complaints from individuals with respect to the federal public sector and the private sector.

The Commissioner is an advocate for the privacy rights of Canadians and her powers include:

  • Investigating complaints, conducting audits and pursuing court action under two federal laws;
  • Publicly reporting on the personal information-handling practices of public and private sector organizations;
  • Supporting, undertaking and publishing research into privacy issues; and
  • Promoting public awareness and understanding of privacy issues.

The OPC has a single Strategic Outcome: the privacy rights of individuals are protected. Its Program Activity Architecture (PAA) is designed around the Office's three core functions: compliance activities (including investigations, inquiries, and audits), research and policy development, and public outreach. These three program activities are supported by a fourth activity, Internal Services, which enables the OPC to deliver on its mandate.

Context for Management Initiatives at OPC

As an Agent of Parliament, the OPC works independently from the Government of Canada and is therefore not obligated to follow the management improvement initiatives put forward in the Federal Public Service. Nevertheless, the Office is firmly committed to achieving a standard of organizational excellence, applying sound business management practices, and continually improving its performance.

The OPC has invested considerable effort over the past three years to put in place a solid management framework including numerous key initiatives such as developing and approving a Performance Measurement Framework and implementing a method to self assess management processes and practices against the requirements of the Management Accountability Framework (MAF).

Management of Information for Decision-Making

The OPC relies on a number of systems and tools to generate information for decision-making. The Office's core activities of conducting investigations and responding to inquiries have been supported by the Integrated Investigation Application (IIA) system since 2004. The IIA is an in-house application that was initially designed by and for the Office of the Information Commissioner. The OPC has adapted the IIA to suit its privacy information requirements. The IIA system was implemented at the OPC in January 2004. Within a few years, it became clear that the system could not generate all of the information that management required for decision-making. Limitations with the IIA are attributed to at least two factors: first, the technological potential of the system platform has been reached, thereby making it very costly to process further change requests; second, several of the data fields in the IIA were not used for a variety of reasons, making it difficult to generate management information that would be useful for operational decision-making as well as performance monitoring and reporting.

Since 2007-2008, the OPC has been investing in the Case Management System (CMS) Project to implement a new, custom made application to replace the IIA. The new application, built using COTS tools, is Web-based and the intent is to make the system more accessible to all relevant users. The CMS Project was managed in parallel with a major re-engineering initiative at the OPC that has the objective of making the inquiry and complaint investigation processes more efficient.

In addition to the IIA and the new CMS, several new tools have been developed recently to facilitate information sharing among the branches including the Legal Corner—an improved legal research database, centralized records of complaints, a list of current Privacy Impact Assessments (PIA), gathering and dissemination of research information on emerging technology and privacy issues, training provided to investigators on legal aspects, and a new litigation database (under development). Furthermore, the OPC is implementing a new SharePoint system tool to provide more integrated information on the critical activities of the Office, starting with a focus on the four priority issues published in the 2008 – 2009 Report on Plans and Priorities. The SharePoint application offers a work environment that is conducive to sharing of information and sound project management (e.g. includes a calendar of critical tasks and an array of performance indicators).

Planning for information management activities is integrated with strategic and business planning processes at the OPC. In the 3rd quarter of 2008-2009, the OPC launched an initiative to develop an updated IM/IT strategy which was presented to senior management in June 2009.

The audit was undertaken by the Centre for Public Management Inc. on behalf of OPC and was identified as part of the OPC Risk-Based Audit Plan for 2009/10-2011/12, which was approved by the Departmental Audit Committee in March 2009. This engagement covered the 2008-09 fiscal year and was conducted in accordance with the Government of Canada's Policy on Internal Audit as well as the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing.

2.2 Objective

The objective of the audit was to determine the effectiveness of governance, risk management processes, and the management and operational controls that support OPC's management of information.

2.3 Scope

The scope of this audit includes the information management aspects of all of the main activities of the OPC, including inquiries, investigations, audits, PIA reviews, public outreach and communications activities, research, policy development, parliamentary affairs, litigation, finance and human resource management.

This audit assignment takes into account the re-engineering initiative of the inquiries and complaints investigation processes and the related Case Management System (CMS) project. The final implementation of the CMS occurred after the completion of the audit fieldwork, and it is premature to assess whether it is meeting its objectives. This is best included in the scope of a standalone post implementation review.

The audit focused on whether the OPC managers and staff effectively apply the rigour and discipline necessary in managing information such that reliable, useful and timely information is generated consistently and effectively used. The period under examination was the 2008-2009 fiscal year.

2.4 Approach and Audit Criteria

Observations and assessments were drawn against the following audit criteria:

  • Performance Reports: Performance reports, stemming from OPC programs and services, provide accurate, reliable, complete, relevant, accessible, and timely information which is simple to understand and is incorporated into management/operational decision making.
  • Operational Requirements: OPC information and records are managed as valuable assets which support OPC programs and services, operational needs, accountabilities and job duties and address the information needs of the users it supports.
  • Governance Structure, Mechanisms, and Resources: OPC's information management governance structure, mechanisms and resources (i.e., management processes, information sharing mechanisms, collection processes, controls, communication plans) are in place to ensure the continuous and effective management of information.

As part of the audit planning, conduct, and reporting phases, we:

  • Reviewed and analyzed relevant information management documentation;
  • Conducted interviews with senior management and selected staff;
  • Conducted a risk assessment within each functional area;
  • Based on the risk assessment, developed the Audit Criteria; and
  • Developed a detailed Audit Program.

3.0 Detailed Observations and Recommendations

3.1 Performance Reports

Audit Criterion: Performance reports, stemming from OPC programs and services, provide accurate, reliable, complete, relevant, accessible, and timely information which is simple to understand and is incorporated into management/operational decision making.

The majority of performance reporting at OPC is provided by the following reports:

  • Monthly scorecard: Activity and timeframe information related to the services provided by OPC to the public;
  • Quarterly report: Internal finance and human resources metrics; and,
  • Performance Measurement Framework (PMF): Indicators which support the OPC's strategic outcomes.

Interviews indicated that there were concerns with the accuracy and consistency of the various performance reports. In order to address the potential risk posed by inaccurate and inconsistent performance information, the audit team tested the scorecard and quarterly report and documented the process for collecting and reporting the information. The audit procedures included a review of the relevant terms of reference (ToR) and training material, as applicable.

The audit found the following:

  • The monthly scorecard and the PMF have ToR which outline how the tools are to be used, while the quarterly report does not. A ToR is an important document to ensure that all stakeholders, both those providing information and those reading it, have the same interpretation of the information presented. This is particularly important when the information is financial in nature, such as that found in the quarterly report, as there are many possible assumptions which can be made in the preparation of the information.
  • There is no documented, formal employee training on the use of the tools. In addition, the scorecard ToR does not describe practical information such as source systems, reputable external sources, and data collection requirements, processes and timelines. This detailed information is important to ensure consistency in performance information from month to month, particularly when there is staff turnover.
  • Populating the scorecard and quarterly report was performed in the branches based upon source documents, spreadsheets and systems unique to the branch. Once reviewed by the branch managers and directors, subsequent review by Corporate Services is based on overall reasonability and consistency with prior months' reporting. Corporate Services does not have a formal quality assurance mandate, or access to source documents in order to perform a more detailed review.
  • The branch-specific nature of the data collection process, which relies on a key resource in each branch to collect the data, makes it difficult to backfill the role when key branch individuals are not available due to illness or vacation. This, coupled with the lack of specific guidance noted above, increases the risk of incomplete or erroneous performance information.

Conclusion

Improvements are required to the performance reporting system to ensure that performance reports provide accurate, reliable, complete, relevant, accessible, and timely information which is simple to understand and is incorporated into management/operational decision making.

Recommendations

  • 1. Management should continue the development of formal quarterly report Terms of Reference.
  • 2. Branch Managers, working with Corporate Services, should develop branch-specific Scorecard Terms of Reference or guidelines. These would outline various aspects including detailed Scorecard processes, informational requirement definitions, and accountabilities.
  • 3. Management should develop and deliver formal employee training on OPC's relevant performance mechanisms and tools, such as the monthly scorecard and quarterly report.

3.2 Operational Requirements

Audit Criterion: OPC information and records are managed as valuable assets which support OPC programs and services, operational needs, accountabilities and job duties and address the information needs of the users it supports.

The core activities of OPC are investigations and inquiries, which both rely on case files. Case files at OPC are a combination of electronic and traditional paper.

The audit expected to find that both electronic and paper files as well as other information are managed in a manner which ensures that information is accessible to those who need it, when they need it, while respecting all requirements for privacy, confidentiality and the concept of "need to know".

In addition to these core activities, the OPC uses information to manage its affairs and communicate to stakeholders, and this information is predominately in electronic format. This non-case file information is covered in Section 3.3, Governance Structure, Mechanisms and Resources in order to reduce duplication.

3.2.1 Electronic Case File Management

As noted in the introduction, the Integrated Investigation Application (IIA) was the case management system in place during the execution phase of the audit. This application was not meeting the reporting and flexibility needs of the OPC, and as such the decision was made to replace it with a new Case Management System (CMS). Implementation of the CMS occurred after the completion of the audit fieldwork but prior to the issuance of this audit report, and is reflected in this audit report as appropriate.

The new CMS is a custom application that is expected to rectify the IIA shortcomings and fill information gaps by automatically generating performance reports which are currently prepared manually.

The operational/functional objectives of the Case Management System include:

  • Review and design of new processes associated with inquiries, complaints and investigations to make them more effective and responsive;
  • Implement the new processes and case management solution throughout the OPC, in all business areas involved in receiving and processing inquiries, complaints and investigations; and
  • Integrate the needs of Branches outside Investigations and Inquiries, including system requirements, with a view to optimize existing systems.

The expectations of the new CMS, as identified by Investigations managers, include:

  • A link to the RDIMS repository;
  • Advanced reporting/ad hoc reporting tools;
  • Advanced searching using more fields;
  • CMS queries function which would eliminate hard copy reports;
  • Consistent time reporting across all branches; and
  • The ability to view trends (e.g., number of resources dedicated to a case, backlogs).

The expected efficiencies of the new system support objectives such as the ability to plan workloads, present more accurate data for strategic decision-making and parliamentary reporting, and planning for emerging issues.

At the point where the audit fieldwork was completed, the information mapping for the CMS had been completed, a pilot of the new system had been launched and a CMS prototype was created. Since the implementation of the CMS was underway during the fieldwork phase of the audit, the audit focused on the gathering of requirements and assessment of risk, and found the following:

  • Although steps had been taken, the post-implementation requirements needed to support the CMS had not been fully defined (e.g. the appropriate number of resources available to support the system, the appropriate number of resources available to handle volume changes, maintenance requirements, etc.). This is important information which helps ensure that the system will meet expectations when implemented. These items were defined subsequent to the completion of the audit fieldwork, but were not formalized in a written post implementation strategy. It is customary for this strategy to be formulated and documented at the outset of the project, and then fine-tuned as the project is underway.
  • Feedback obtained from OPC indicates that the data conversion, which occurred after the completion of the audit fieldwork, was successful. Although interviews indicated that risks and mitigation plans regarding the system transition were considered as part of project planning and execution, the audit found that they were not formally documented prior to conversion. A system conversion between two sensitive and important systems such as the IIA and CMS poses increased risk which could impact reporting and as such should be subject to a formal risk assessment and mitigation plan prior to conversion.

Conclusion

As has been identified by management, the IIA did not meet the information management needs of OPC. The objectives of the CMS address the shortcomings in the IIA; however, since the CMS was not fully implemented at the time of the audit, we are unable to conclude against the criterion at this time. Future projects will benefit from formal, documented risk and post-implementation strategies prior to commencing the project.

Recommendations

  • 4. Management should develop a formal, documented CMS Post-Implementation Strategy to support the system on an on-going basis.
  • 5. For future IT projects, management should perform and document a formal risk assessment related to data conversion, with mitigation strategies, to minimize the risk of any data or reporting issues.
  • 6. Given the importance of the CMS to the operations of OPC, management should perform a post-implementation review of the CMS to ensure that it meets its objectives, particularly in the area of management information for decision making, and that opportunities for improvement are identified.

3.2.2 Paper Case File Management

Paper files present different risks and benefits than electronic files. While it is simple to physically secure a paper file, if it is misplaced there is usually no back-up copy. For this reason the OPC has a system to track the physical location of paper files. The audit tested this system, and found that all files selected were able to be located.

Conclusion

In general, paper based information and records are managed as valuable assets.

3.3 Governance Structure, Mechanisms, and Resources

Audit Criterion: OPC's information management governance structure, mechanisms and resources (i.e., management processes, information sharing mechanisms, collection processes, controls, communication plans) are in place to ensure the continuous and effective management of information.

There are many internal stakeholders to the information management process at OPC, and all of these stakeholders both produce and use information. The IM/IT Division is responsible for IM governance as well as the IT systems which carry the electronic information through OPC. Governance of the information itself rests with the branches that create it. The IM/IT division published an IM/IT strategic plan in June 2009 to address these challenges and opportunities.

3.3.1 The Use of Information Management and Knowledge Sharing Tools to ensure the continuous and effective management of information

The OPC has several internal IM and knowledge sharing tools to support the continuity of departmental operational needs. These include shared network drives, Human Resources Information System (HRIS), Records, Documents and Information Management System (RDIMS) and SharePoint. The OPC also has a number of tools which allow it to communicate externally, such as the departmental web site, blogs and Twitter. In addition to facilitating knowledge sharing within OPC, the internal IM tools must also facilitate informing those internal to the organization what was communicated externally.

The audit found the following:

  • OPC policy is to use RDIMS for all document management, where technically possible.
  • RDIMS is not being fully leveraged as an information management tool due to a number of factors:
    • There is no formal quality assurance process for information contained within RDIMS; consequently, it is difficult for users to judge the quality (confidence, reliability, finality, authenticity) of the information contained within it;
    • Users often do not formally indicate which version of the document is final;
    • Many documents stored in RDIMS are locked to all except the document creator; and,
    • Although outgoing emails can be filed and are accessible after transmission, this RDIMS feature is not widely used.
  • OPC lacks a formal process for the integration/inter-linkage of sources and tracked research across branches which would support service delivery and job duties. As a result, there is an extensive dependency on personal relationships for information sharing rather than information systems.
  • Management has taken a step toward supporting the continuity of departmental operational needs by making "Internal Service Improvement" a priority in their IM/IT Strategic Plan. This priority includes integrating and/or consolidating existing IM and knowledge sharing tools through the re-engineering of business processes by OPC branches.

Conclusion

In general, the information management governance structure, mechanisms and resources are in place to ensure the continuous and effective management of information. Due to the continuously evolving nature of technology, there are opportunities for further improvement in this area, which have been identified by management as part of the IM/IT Strategic Plan.

Recommendation

  • 7. Management should continue with the Information Management Internal Service Improvement strategy and integrate and/or consolidate existing IM and knowledge sharing tools through the re-engineering of business processes by OPC branches.

3.3.2 Risks and Opportunities of End-User Computing Applications

The term end-user computing is broadly used to describe small applications developed by end users to facilitate their day-to-day jobs. These normally consist of spreadsheets and databases, and represent both an opportunity and a risk. By providing users the ability to track and manipulate information, particularly when extracted from large systems, these applications provide an opportunity to reduce work effort and improve analysis. However, the complexity of the spreadsheet or database, along with the tendency for them to not be fully tested, documented, change controlled or backed up, presents a risk to OPC if management decisions are made using erroneous information. Specific criteria against which all end user computing applications should be evaluated include:

  • Testing: Spreadsheets must be tested by the creator to ensure that formulas and macros are accurate.
  • Documentation: Most spreadsheets have input fields, where the user is expected to input their information, calculation fields which contain formulas, and output fields which provide the results that the user is looking for. When the user who created the spreadsheet is the one using it, the risk of error is low. However, if a spreadsheet is being used by someone else (e.g. due to illness) without the proper documentation on how to use it, the risk is high that they will not use it properly and erroneous information will result.
  • Change control: In cases where changes are made to a spreadsheet formula, it should be re-tested to ensure it still functions as expected.
  • Back-up: If a spreadsheet is used to make management decisions, a clean backed-up copy should be maintained in case the original becomes corrupted.

The audit found that OPC has no policies in place addressing controls over end user computing applications, even though spreadsheets are used extensively in the organization to support management decision making.

Conclusion

A lack of controls over end user computing applications increases the risk to the continuous and effective management of information which relies on these applications.

Recommendations

  • 8. Management should develop, implement and monitor the application of guidelines regarding key end user computing applications used for management decision making which addresses testing, documentation, change control and back-ups.
  • 9. Management should improve RDIMS Business Rules to take into account quality assurance to ensure the reliability, usefulness, authenticity and shareability of the information contained in RDIMS.

3.3.3 Dissemination of OPC's Document and Information Management Practices

With the IM/IT strategic plan tabled in June of 2009, a communication and change management plan will be important to ensure that the resulting changes are embraced by the organization. Most of the initiatives identified to improve information management have a "human component" in addition to the systems component, and by following a formal communication and change management plan OPC will increase the return on its investment.

Conclusion

Communication and change management plans addressing planned initiatives are currently not in place, increasing the risk to the continuous and effective management of information.

Recommendation

  • 10. Management should develop a formal, documented IM/IT Communication and Change Management Plan to assist in the implementation of the initiatives identified in the IM/IT strategic plan.

4.0 Overall Conclusion

Based on the results of the audit we conclude that while significant progress has been made in implementing the governance, risk management processes and the management and operational controls that support OPC's management of information, there are improvements required to fully meet the audit criteria. The successful implementation of both the Case Management System (CMS) and the recommendations identified in this report along with the completion of other initiatives already underway by management will further strengthen information management at OPC. A management action plan to address our recommendations can be found in Appendix A.

Appendix A – Management Response and Action Plan

Each entry gives the Audit Recommendation (taken integrally from the Final Audit Report), the Management Response (agree or disagree, with rationale), the Action Plan, the Key Performance Indicator (specific items to be completed), the Deadline, the Responsibility and the Status.

1. Management should continue the development of a formal Quarterly Report Terms of Reference

  • Management Response: Agree
  • Action Plan: Development of a Quarterly Report Terms of Reference.
  • Key Performance Indicator: Quarterly Report Terms of Reference
  • Deadline: January 31, 2010
  • Responsibility: Lead - CSB, Director, Business Planning and Management Practices
  • Status: Completed

2. Branch managers, working with Corporate Services, should develop branch specific Scorecard Terms of Reference or guidelines. These would outline various aspects including detailed scorecard processes, information requirement, definitions, and accountabilities.

  • Management Response: Agree
  • Action Plan: Preparation of branch specific scorecard Terms of Reference will be the responsibility of each branch with assistance from the Corporate Services Branch.
  • Key Performance Indicator: Branch specific scorecard Terms of Reference
  • Deadline: July 30, 2010
  • Responsibility: Lead - CSB, Director, Business Planning and Management Practices
  • Status: Completed

3. Management should develop and deliver formal employee training on OPC's relevant performance mechanisms and tools, such as the monthly scorecard and quarterly report.

  • Management Response: Agree
  • Action Plan: Development of a formal training manual on definitions and what type of planning and performance information to produce for specific planning and performance exercises (e.g., guidance tool on producing input to monthly and quarterly scorecards, DPR, RPP, MAF, etc.).
  • Key Performance Indicator: Formal training manual
  • Deadline: October 2010
  • Responsibility: Lead - CSB, Director, Business Planning and Management Practices
  • Status: ongoing

4. Management should develop a formal, documented CMS Post-Implementation Strategy to support the system on an on-going basis.

  • Management Response: Agree
  • Action Plan: CSB met with the Investigations and Inquiries Branch to discuss next steps and to clarify responsibility areas. An IMIT Architect has been hired to assist in supporting and evaluating changes made to the application (in conjunction with the Applications Manager and the client team). A CMS Post-Implementation Strategy is presently in place and will be formally documented.
  • Key Performance Indicator: Documented CMS Post-Implementation Strategy
  • Deadline: May 31, 2010
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: ongoing

5. For future IT projects, management should perform and document a formal risk assessment related to data conversion, with mitigation strategies, to minimize the risk of any data or reporting issues.

  • Management Response: Agree
  • Action Plan: No action required at this time.
  • Key Performance Indicator: No key indicators at this time
  • Deadline: N/A
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: No action required

6. Given the importance of the CMS to the operations of OPC, management should perform a post implementation review of the CMS to ensure that it meets its objectives, particularly in the area of management information for decision making, and that opportunities for improvement are identified.

  • Management Response: Agree
  • Action Plan: A more comprehensive (independent) review will be considered as part of the annual risk based audit planning exercise, currently underway. Management will further review the development of the CMS. A physical count of case files - to be completed by the I&I Branch (will be coordinated by CSB).
  • Key Performance Indicator: Implementation review of the CMS has already been conducted. As stated in the RBAP there will be a more comprehensive review of the CMS. Number of case files (physical count)
  • Deadline: October 31, 2010
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: ongoing

7. Management should continue with the Information Management Internal Service Improvement Strategy and integrate and/or consolidate existing IM and knowledge sharing tools through the re-engineering of business processes by OPC branches.

  • Management Response: Agree
  • Action Plan: There will be an increased focus on IM in 2010-11. This is a multi-year project. IMIT will visit OPC branches to review the requirements and scope of the project deliverables for 2010-11, as well as offer tools and training.
  • Key Performance Indicator: Approved Project Plan
  • Deadline: April 30, 2010
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: Ongoing - Planned activities have been presented to all DGs. CSB will review the IM strategy to prioritize next activities.

8. Management should develop, implement and monitor the application of guidelines regarding key end user computing applications used for management decision making which addresses testing, documentation, change control and back-ups.

  • Management Response: Agree
  • Action Plan: IMIT will survey the branches to determine extent of use of end user applications. Development of guidelines to address key end user computing applications
  • Key Performance Indicator: Survey (extent of use of end user applications); Guidelines (key end-user applications)
  • Deadline: July 31, 2010
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: ongoing

9. Management should improve RDIMS Business Rules to take into account quality assurance to ensure the reliability, usefulness, authenticity and shareability of the information contained in RDIMS.

  • Management Response: Agree
  • Action Plan: The RDIMS Business Rules will be updated - by working closely with IT (there will be a process in place to review Business Rules periodically). This effort will be achieved through training and modification to the IM Policy and to the Business Rules, pending approval by SMC.
  • Key Performance Indicator: SMC approved updated Business Rules and training to staff
  • Deadline: Sept. 30, 2010
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: ongoing

10. Management should develop a formal, documented IMIT Communication and Change Management Plan to assist in the implementation of the initiatives identified in the IM/IT strategic plan.

  • Management Response: Agree
  • Action Plan: CSB will work together with the Communications and HR branches during fiscal year 2010-2011 to develop a Communication and Change Management Plan to address the implementation of the initiatives identified in the IM/IT Strategic Plan.
  • Key Performance Indicator: IMIT Communication and Change Management Plan
  • Deadline: November 2010
  • Responsibility: Lead - CSB, Director, IMIT
  • Status: ongoing