Final Audit Report - Audit of Information Management / Information Technology (IM/IT) Governance

December 2009

Help on accessing alternative formats, such as Portable Document Format (PDF), Microsoft Word and PowerPoint (PPT) files, can be obtained in the alternate format help section.

Management Response and Action Plan

Table of Contents

• Executive Summary
• Introduction
  • Background
  • Audit Objectives
  • Scope and Approach
• Findings, Recommendations and Management Response
  • IM/IT Governance
  • Strategic Planning and Alignment
  • Performance Measurement
  • Shared Services Initiatives
  • Asset Management
• Conclusion
• Appendix A - Lines of Enquiry and Audit Criteria
• Appendix B - IM/IT Governance Framework

Executive Summary

Information Management and Information Technology (IM/IT) governance provides the structure that links IM/IT processes, IM/IT resources and IM/IT information to enterprise strategies and objectives. It also integrates and institutionalizes best practices for planning, acquiring, implementing, supporting, and monitoring performance to ensure that an organization's technology support its business objectives.

The objective of this audit was to: assess the Departmental IM/IT governance structure guiding the identification of strategic information requirements and investments in IM/IT, including the effectiveness of information technology investment management in support of the Department's business strategy and the delivery of programs and services.  The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

In 2007-08, Health Canada's Information Management Services Directorate (IMSD), completed "The Way Forward" initiative - An Enterprise Approach to Information Technology.  The initiative was recognized in October 2008 at the Government of Canada's Technology and Exhibition Conference and was awarded a gold medal for distinction in information technology.  One of the key commitments from the initiative was to consolidate Health Canada's IT infrastructure and facilities. 

"The Way Forward" was the precursor to the Department's enterprise approach to IM/IT and spawned a re-engineered governance structure with an increased focus on stewardship and the development of a shared services model, whereby IM/IT infrastructure and services would be consolidated across the Department to achieve greater economies of scale and efficiency. Enterprise IT has brought organizational and cultural change to Department with regards to how the demands for IM/IT services are managed - from a cost center to business contributor. Senior management has reported approximately $19 million that has been returned to the Department over the past two years as a result of this transformation.

The implementation of Enterprise IT has resulted in a substantial positive change in direction and as a result Health Canada's IM/IT governance has been strengthened.  While the Information Management Services Directorate has streamlined its governance structure, it will need to strengthen committee membership and implement a communication strategy.  Continuity of senior membership combined with a communication strategy will provide better assurance that pertinent information is being transferred back to the programs. 

The Department has implemented an integrated planning process this year which will improve alignment of IM/IT resources with strategic priorities.  As a result of this process, IMSD will be able to collect and analyze project information in a timelier manner, much earlier than in previous years, thus laying the foundation for enabling strategic decisions at all levels of governance.   

The Department also subscribes to a number of Information technology services with the Government of Canada's information technology service provider, Public Works and Government Services Canada, in order to avoid unnecessary costs and to permit IMSD to focus on its core business functions.  However, IMSD would benefit from conducting financial analysis in order to support these business decisions.

Health Canada is taking an active approach to managing its information technology assets.  Tools are in place to gather relevant information on assets and, as these tools continue to develop they will provide valuable information for custodial and planning purposes.

IMSD has developed some volume measures to track and evaluate information on information technology benefits and related services.  While the limited information collected provides management with some knowledge on the Department's information technology investment decisions, management would benefit from receiving more substantive financial performance information so that they may better assess the full spectrum of benefits to be derived from its investments in information technology.

Finally, a technology plan could not be linked to an information technology lifecycle approach for managing information technology investments.  The technology plan is a key component to the Department's IM/IT strategic Plan.  In addition, it is difficult to determine how the Department aligns information technology purchase plans to an "Evergreening Plan" and to business goals and for negotiating volume discounts.  

Management has agreed, with an action plan, to the four recommendations which will serve to strengthen IM/IT governance.

IM/IT governance is a "structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over Information Technology (IT) and its processes."

Introduction

Background

Success of any organization requires effective management of its information and related information technology.  Embedded in most organizations' corporate governance regime is an Information Management and Information Technology (IM/IT) governance regime.  IM/IT governance provides the structure that links IM/IT processes, IM/IT resources and IM/IT information to enterprise strategies and objectives.

IM/IT governance integrates and institutionalizes best practices for planning, acquiring, implementing, supporting, and monitoring performance to ensure that the Department's information and related technology support its business objectives. Management must also optimize the use of available resources including data, application systems, technology, facilities and people.  In addition, management must be able to determine if it has made the right investment decisions, respond quickly to changes or deviations from plan and determine if the benefits from the investment decisions are being achieved.

In 2007-08, Health Canada's Information Management Services Directorate (IMSD), completed "The Way Forward" initiative - An Enterprise Approach to Information Technology.  The initiative was recognized in October 2008 at the Government of Canada's Technology and Exhibition Conference and was awarded a gold medal for distinction in Information Technology.  One of the key commitments from the initiative was to consolidate much of IT infrastructure and facilities. 

The Way Forward was the precursor to the Department's enterprise approach to IM/IT and spawned a re-engineered governance structure with an increased focus on stewardship and the development of a shared services model, whereby IM/IT infrastructure and services would be consolidated across the Department to achieve greater economies of scale and efficiency.  Enterprise IT has brought organizational and cultural change to the Department with regards to how the demands for IM/IT services are managed - from a cost center to business contributor. Senior management has reported approximately $19 million that has been returned to the Department over the past two years as a result of this transformation.

Health Canada's "draft" IM/IT Strategic Plan (2008-2011) reports anticipated Enterprise IT and IM funding requirements over the next three Fiscal Years (2008-09 to 2010-11) to be $105 million, $100 million and $97 million respectively. 

Audit Objectives

The objective of this audit was to assess the Departmental IM/IT governance structure guiding the identification of strategic information requirements and investments in IM/IT, including the effectiveness of Information Technology investment management in support of the Department's business strategy and the delivery of programs and services.

Scope and Approach

The audit was undertaken by the Audit and Accountability Bureau as per Health Canada's Risk-Based Audit Plan for 2008-09, which was approved by the Departmental Audit Committee on April 3, 2008.  The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, and has examined sufficient, relevant evidence and obtained sufficient information and explanations to provide a reasonable level of assurance in support of the audit conclusion.

The audit covered the period from January 1, 2008 to March 31, 2009 and examined the following elements of IM/IT governance and stewardship:

• IM/IT strategic planning and priority frameworks;
• technological infrastructure planning;
• asset lifecycle management; and
• specific controls for compliance with Health Canada and central agency  IM/IT development, architecture and security standards.

The audit relied on Treasury Board of Canada Secretariat core management control criteria to assess governance, risk management, controls and stewardship.  (Appendix A)  The lines of enquiry and audit criteria were agreed upon by the Corporate Services Branch.

The methodology for the audit included a review of IM/IT governance documentation, records of decisions, policies, guidelines and standards.  Interviews were conducted with IMSD, Planning Integration Management Services Directorate and program staff. Documentation was collected and reviewed and a test of controls was completed.

Findings, Recommendations and Management Response

IM/IT Governance

Audit Criterion

There should be an established and effective governance framework that defines organizational structures, processes, leadership, roles and responsibilities and controls to ensure that enterprise IM/IT investments support and align with Departmental priorities.

Governance Structure

In spring 2009 the Corporate Services Branch reported that they conducted a review of the IM/IT governance structure to clarify roles and responsibilities and to identify opportunities to improve its efficiency and effectiveness.  The result is a governance structure that is built around fewer but more effective committees with an increased emphasis on decision-making, collaboration and communication.   While at the time of the audit, the Directorate had not yet completed the transition from its previous structure to the current one, it was in the process of being approved. (see Appendix B)

The proposed governance structure consists of three key IM/IT oversight bodies - the Senior Management Board (SMB), its subcommittee on Operations, and the Information Management Accountability Board (IMAB).

Rounding out the proposed new governance structure are five other working committees designed to support the Information Management Accountability Board.  In addition IMSD is also contributing as an active member at other decision-making tables related to IM/IT including the Director General Internal Services Committee and Branch Executive IM/IT Committees.

A review of the "Terms of Reference" for the various committees and boards list the purpose, mandate, guiding principles, scope, membership, operating procedures, rules, secretariat functions and quorum. A governance matrix was developed that outlines the decision domains within the context of the IM/IT business functions against the authority role for each of the committee and sub-committees.  In addition, the business functions, including the roles and responsibilities of the various governance bodies are all well described individually for each of the committees and sub-committees.

However, in the past, consistent participation by its membership at the various committees and working groups has not been well maintained.  While the Terms of Reference permit members to identify an alternate, many members send unidentified staff or simply do not attend. 

At the time of the audit, the IM/IT governance structure did not have a communication strategy or an area responsible for managing this key business function. Committee members representing their respective programs are responsible for communicating IM/IT long and short-term strategic and tactical plans.   Continuity of senior membership combined with a communication strategy will provide better assurance that pertinent information is being transferred back to the programs.

The Corporate Services Branch has reported that over the course of the audit, IMSD has taken significant action to ensure participation, engagement and consultation throughout the IM/IT governance structure.  IMSD is working to integrate Enterprise Information Technology at all key decision making tables in the Department, including Branch Executive Committee meetings, key operations committees, and working groups. The IMSD Executive Director of Client Relationship Services has been identified, along with the Chief Information Officer, as the primary individuals responsible for the communication strategy, policy and result reporting.   Management is confident that these measures will contribute to improved communications and ensure IMSD and its clients are working towards shared objectives.

IMSD Senior Management also report that "the governance review focussed on increasing transparency, streamlining governance and engaging management."  Recommendations for change have since been approved by IMAB and the recently established Director General Internal Services Committee.

In addition, management reports that the governance review was only one element of a business transformation strategy approved at SMB Operations in May of 2009.  Over the last year, as part of its strategy, IMSD has taken an increased focus on building decision based agendas around key risks and strategies.  This effort has increased the level of committee debate, quality of decisions made, and transparency.  It has also served to facilitate the decision making and visibility of key risks at SMB Operations. Consequently, the management team indicated that "engagement, representation, and sound decision making are now present."

There has also been an increased effort on the part of IMSD to engage client branches though the governance structure, particularly in regard to key corporate initiatives such as Enterprise Architecture and the annual IM/IT priority setting processes.  Both these initiatives are critical to supporting Health Canada's business and ongoing transformation.  A new ADM Advisory Committee has been established to specifically address the Enterprise Architecture initiative. Enterprise Architecture is a significant undertaking that will require direct client engagement, and will ultimately facilitate medium and long term IM/IT strategic planning.

Recommendation 1

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, ensure that attendance and participation at committee and working group meetings is consistently maintained by its membership and develop and implement a communication strategy to be incorporated into the IM/IT governance structure.

Management Response

IMSD will continue its work to improve governance within its new structure in line with the recent Treasury Board Directive on Management of Information Technology. 

The Directorate has also initiated a best practices review of IM/IT governance and IM/IT integrated planning systems in other science-based departments and agencies in order to ensure Health Canada is a leader in governance practices for business driven information management and technology.  Health Canada business leaders and corporate partners will participate in the definition of strategies and risk management challenges. This work was completed in November 2009. 

The Directorate will use this work to identify best practices to build on the current communications/engagement strategy that will improve information sharing, decision-making and accountability internally and amongst the Directorate's clients within the governance structure

 Strategic Planning and Alignment

Audit Criteria

IM/IT should have a planning framework to ensure transparency, oversight by involving senior management through committees and alignment of IM/IT priorities with organizational needs.  Formal processes and the administration of policies and procedures for all functions should be in place. Performance measures are in place to evaluate the benefits of the Departments investment decisions.

Planning Framework

Strategic and operational planning activities are overseen by the Senior Management Board (SMB) and set the overall management of the department's substantive and corporate responsibilities.   These activities are reflected in a few key strategic documents such as the Department's Operational Plan.

The 2009-2010 Health Canada, Departmental Operational Plan outlines the initiatives and activities that are planned to be undertaken over the next fiscal year aimed at meeting Health Canada's goals and objectives. It identifies expected results and performance targets. It also integrates planned activities with other departmental information such as Information Management/Information Technology.  The process of planning at Health Canada has taken a new direction including the title of its planning document - Departmental Integrated Operational and Function Planning.   

IMSD's first iteration with the Departmental Integrated Operational and Function Planning demonstrated some successes and areas where improvements can be made.   For example, the process allowed Branches, Regions and Agencies to submit their approved project portfolios, supported by Project Concept Documents, which consisted of critical project details including alignment to Health Canada's departmental Report on Plans and Priorities, the Program Activity Architecture, and the draft IM/IT Strategic Plan.  It is anticipated that information will be used to set priorities and identify horizontal opportunities for investments.

As a result of IMSD collaborating on the new process this year, the Directorate has been able to collect and analyze project information in a timelier manner, much earlier than in previous years, thus laying the foundation for enabling strategic decisions at all levels of governance. IMSD reports that there were important lessons learned from this first integrated process and, as such, improvements to the tools and processes should be developed for the next planning cycle.

Strategic Planning

While IMSD has made good progress towards integration, SMB Operations tasked the Information Management Accountability Board (IMAB) to better align the IM/IT investments with key departmental priorities. The Directorate has "drafted" an IM/IT Strategic Plan; however it has yet to be approved. IMAB was given primary responsibility to deliver a project prioritization plan that would align IM/IT resources and provide strategic direction. However, there were many inconsistencies in the individual project scores presented at IMAB in September 2008 and to SMB-Operations in October 2008.    

IMSD noted that during the fall of 2008, the Chief Information Officer in conjunction with the the Co-Chair of IMAB, conducted interviews with all the ADMs in order to define the strategic business needs for IM/IT and to then ensure that the needs identified aligned with the annual planning process. ADM identified priorities were used by IMAB to prioritize and rationalize the number of application development priorities.  In May 2009, the recommendations from IMAB were presented to SMB Operations.  The recommendations were approved and represent Health Canada's first "Plan of Record"- an enterprise approach that records and tracks the prioritized and critical IT initiatives over the lifecycle of the project.

Performance Measurement

Performance measurement indicators are required to measure and evaluate the effectiveness of the Department's investments in IM/IT which assist senior management in making sound decisions.

IMSD has recently developed some performance indicators to measure IT benefits and related service delivery.  However, these indicators are mainly volume metrics.  Currently, there are no financial performance indicators developed to measure the benefits of the Department's IT investments. Development of key financial performance indicators would help evaluate the effectiveness of IM/IT investment decisions.  As Enterprise IT in the Department matures, it is anticipated that the development of performance measurement indicators will evolve. 

Recommendation 2

It is recommended that the Assistant Deputy Minister, Corporate Services Branch:

1. ensures that an integrated planning framework is further refined and used between IMSD and its partners that aligns with the Department Operational Plan;
2. updates the IM/IT Strategic Plan to align key result areas with the Department's priorities; and
3. ensures that IMSD implements financial performance indicators to measure and evaluate the effectiveness of Health Canada's IM/IT investments.

Management Response

Planning Framework

IMSD recognizes the opportunity for continuous improvement towards integrating the planning framework with the Departmental Operational Plan.  As a result, the 2009-10 planning year represented a major step forward for IMSD as they worked to ensure alignment, visibility and strategic execution. However, this is still a transition year in terms of moving to a truly integrated Departmental business information management and technology plan.  Both the Directorate and its partners need to continue to work together in perfecting this process.

Strategic Planning

IMSD is building on the draft 2008-11 Strategic Plan for Information Management and Technology.  At its core will be the "Plan of Record" that establishes departmental strategic IM/IT priorities, as identified at Senior Management Board-Policy. All initiatives on the Plan of Record will be aligned with the departmental priorities and the Departmental Operational Plan which will help ensure consistency between the Directorate's priorities and key results.  The Plan of Record is reported quarterly to the Senior Management Board - Operations, and is then subsequently reported to all Branch executive tables and major working groups. The advent of an Enterprise Architecture Strategy identified by the Deputy Minister Transformation tables for functional business lines (such as regulatory, compliance and enforcement, etc) combined with the efforts of the ADM Advisory Committee for Enterprise Architecture will ensure the continued development of an integrated and strategic approach to IM/IT in Health Canada and it will continue to build on the successes of the last year.

Performance Indicators

The Enterprise Information Technology program has already proven to be a sound decision and investment by the Department. Phase II accomplished significant streamlining and provided immediate cost savings.  The next phase called Enterprise Architecture, will focus on business value and the contributions to business performance that can be made through an Enterprise approach.  One of the key characteristics of this phase, the "Leverage", as described in the business case and its supporting business model, is that IT investments and operation will be in total synch with an integrated Departmental business plan and vision.  It will refine and establish the departmental key performance indicators, linked to the Program Activity Architecture, in the first phase of introduction (2010-2011).  To ensure continuous improvement in Enterprise Information Technology, we will  measure  performance through additional key performance indicators such as the determination and departmental agreement of a unique number of business critical applications with a target reduction of current numbers of applications by 50% or more by 2012-2013, and a reduction of personal and transitory information and data storage (Storage Area Network - SAN) costs through improved governance, training and information accountability of $2 million annually by 2011-2012.

In addition, there will be improved accountability and rationalized office automation tools based on individuals' roles and responsibilities by reducing telecommunication costs in line with business requirements including (number of devices such as land lines, Blackberry, cell phone) and Internet bandwidth of $4 million by 2011-2012 and a reduction in non-standard technology costs of  $2.4 million by 2011-2012.  There will also be capital plans and expenditures linked to Return on Investment (ROI). We will continue to provide high level financial metrics to senior executives and will be developing additional reporting which will be implemented by the end of first quarter of 2010.  These financial performance metrics will indicate cost benefits and service impacts of improved operating efficiencies. Lastly, we will continue to improve the IMSD performance management framework to build on accountability, transparency and value for money.

IMSD will continue to improve on its accountability efforts with improved key performance indicators beginning in 2010 that will form part of regular reporting to SMB OPS, the DG Internal Services and IMAB will include data on: total IT expenditures, IT cost per employee; total IT spending by region; percentage of IT expenditures delivering new functionality; percentage of "lights on" operating costs (including break/fix, depreciation) versus total IT spend; percentage of projects on time, on budget; percentage of applications deployed with external focus (outside the organization); percentage of applications deployed with internal focus (internal administrative focus); percentage of infrastructure standardization projects of total project pool; percentage of projects using common project and others

Shared Services Initiative

Audit Criterion

Information technology supports the organization's business strategy and government-wide objectives.  Common or shared services are used at Health Canada to avoid duplication when such assets and services are available and appropriate. 

Under the Expenditure Review exercise, launched by the Treasury Board in 2004, departments were asked to structure their services in a client-centered manner, to better utilize their operational resources and become more strategic in the delivery of services.  The goal of the Shared Services Initiative (SSI) was to manage information technology resources more effectively, to eliminate duplication and allow departments to achieve a more efficient and cost-effective way of providing services, while ensuring best value.  It also allows departments and agencies to focus on their core programs, instead of focusing on managing their information technology infrastructure. 

Health Canada both receives and delivers information technology services. All of these services are managed through a series of separate service level agreements. While there has been some financial analysis to determine the appropriateness of some shared services with the Government of Canada's information technology service provider, many of these shared services that have been transferred out, have not been rationalized by cost/benefit analysis. Without the full spectrum of financial information, it is difficult to determine if "hosted" services afford the best investment decision.

Recommendation 3

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, complete cost/benefit analysis and implement measures to assess the appropriateness and/or effectiveness for information technology outsourcing of services. 

Management Response

Cost/benefit studies have been performed for Desktop Support Services, the National Service Desk, and Storage prior to entering into Service Level Agreements.  Additionally, to ensure fair pricing and services, IMSD used the Gartner industry benchmarks to negotiate these agreements.

Further to these initial studies, IMSD will undertake year end reviews by March 2010 of all Service Level Agreements (SLAs) to ensure continued benefits and cost savings.   A mid-year review was undertaken and as a result, the agreement for Desktop Support Services was not actioned, the agreement for the National Service Desk was continued with planned cost savings, and the Storage agreement will be terminated.

Additionally, to further ensure savings, IMSD has undertaken a review process of multiple agreements with similar requirements to bundle them for increased savings.

Asset Management

Audit Criterion

Information technology assets should be managed in a manner that ensures good value and efficiency and provides the Department with complete and accurate information for effective investment decision making including a lifecycle approach and periodic verification.

Information technology asset lifecycle management is the process of managing an organization's information technology assets through all stages of their lifecycle - planning, acquisition, deployment, management, support, and disposition.

One of the key deliverables from The Way Forward (TWF) initiative was to develop an information technology asset management program. IMSD has implemented an information technology asset identification tool in conjunction with the development and implementation of a database tool (Asset Centre) to inventory information technology assets.

However, the Asset Centre database is not yet integrated with the procurement and asset modules of the Department's financial system (SAP), nor is the information in Asset Centre being used for information technology investment planning.  In 2008 two separate physical inventory counts were completed.  The first was conducted in-house in January 2008 on all assets and a second inventory of assets over $10K was conducted later in the year.  Although these physical inventory counts were conducted, there has not been a validation exercise to determine the data integrity of the information in the Asset Centre database.   While the information technology asset identification and database tools have not fully matured, the use of these tools is a positive step towards further strengthening information technology asset management in the Department. 

Lastly, information technology lifecycle management could be strengthened if it was linked to a technology plan, and the Department's IM/IT Strategic Plan. As mentioned, integrating an information technology lifecycle approach with a technology plan, will allow management to better understand the total cost of ownership and to determine when and how information technology assets should be acquired, redistributed, or disposed of over time.  

Future integration of information and aligning it with the IM/IT Strategic Plan and the Departmental Operational Plan will allow IMSD to support purchase plans to business goals, collect aggregate information on intended purchases, and negotiate volume discounts.  

Health Canada has a Policy on Asset Management and an Asset Management Standard which set out the framework for managing assets and acquired services. Within these documents there are procedures, roles and responsibilities; however, IMSD may benefit from creating supporting guidance with more specific direction for managing information technology assets.

Interviews and document reviews noted that a lifecycle approach to managing assets was not always followed in a consistent and collaborative manner.  With high staff turnover rates and frequent organizational changes, roles and responsibilities are difficult to determine.  Specifically, it was noted that there is some confusion of roles and responsibilities within the procurement, warehousing and desktop support groups.  Clear roles and responsibilities will facilitate better management of the Department's assets.

Recommendation 4

The Assistant Deputy Minister, Corporate Services Branch should ensure that:

1. a lifecycle approach to managing the Department's information technology  investments  be integrated and aligned to a technology plan and to an IM/IT Strategic Plan; and 
2. IMSD develops its own information technology Asset Management Guide that documents and communicates the roles and responsibilities required for staff to manage information technology assets.

Management Response

IMSD is in the process of reviewing and revising information technology asset management processes, which will be aligned to the IM/IT Strategic Plan and Enterprise Architecture Plan.

An Information Technology asset management guide is under development that will document and communicate all roles and responsibilities required for staff to effectively manage information technology assets following an IT Asset lifecycle management (Physical & financial) approach.  The following governance activities are also currently underway:

• IT Asset planning process, policy and procedures;
• Capital planning and reporting;
• Asset Inventory management;
• Asset tracking management; and
• Integrated Planning and performance reporting

Conclusion 

The implementation of Enterprise information technology has resulted in a substantial positive change in direction.  While Health Canada's IM/IT governance has been strengthened and continues to evolve, IMSD has an opportunity to further streamline and increase the overall effectiveness of the governing bodies.   Effective governance will lend itself to better strategic planning and decision making, including direction related to the use IM/IT resources to achieve Departmental priorities. 

The Department subscribes to a number of information technology services which are provided externally. However, business decisions to transfer services externally should be supported by financial analysis.

IMSD has developed some volume measures to track and evaluate information on information technology benefits and related services.  While the limited information collected provides management with some knowledge on the Department's information technology investment decisions, management would benefit from receiving more substantive financial performance information so that they may better assess the full spectrum of benefits to be derived from its investments in information technology.

IMSD is taking an active lifecycle approach to information technology asset management.  Tools have been put in place to collect data on information technology assets and as these tools evolve, they will provide valuable information for inventory tracking and planning.  Integrating an information technology lifecycle approach with a technology plan, will allow management to better understand the total cost of ownership and to determine when and how information technology assets should be acquired, redistributed, or disposed of over time.  Alignment of all key planning pieces will also support purchase plans to business goals, collect aggregate information on intended purchases, and negotiate volume discounts.  

Appendix A - Lines of Enquiry and Audit Criteria

Lines of Enquiry	Audit Criteria
Does the Department's IM/IT governance structure incorporate stewardship principles and practices that affect the proper and accountable execution of management activities, IM/IT functions and capacity balance?	1. There should be an established and effective governance framework that defines organizational structures, processes, leadership, roles and responsibilities and controls to ensure that enterprise IM/IT investments support and align with Departmental priorities. 2. IM/IT should have a planning framework to ensure transparency, oversight by involving senior management through committees and alignment of IM/IT priorities with organizational needs.  Formal processes and the administration of policies and procedures for all functions should be in place. Performance measures are in place to evaluate the benefits of the Departments investment decisions.
Does the Department manage its technology effectively?	3. IT supports the organization's business strategy and government-wide objectives.  Common or shared services are used at Health Canada to avoid duplication when such assets and services are available and appropriate.
Are IT assets managed in a manner that affords value and efficiency and provides the department with complete and accurate information for effective investment decision making?	4. IT assets should be managed in a manner that ensure good value and efficiency and provides the Department with complete and accurate information for effective investment decision making including a lifecycle approach and periodic verification.

Appendix B - IM/IT Governance Framework

Senior Management Board (SMB)

• The most senior decision making body at Health Canada
• Meeting Frequency: Weekly
• Chair: Deputy Minister

Senior Management Board Sub-committee on Operations (SMB-Ops)

• Approve the IM/IT Strategic Plan, Business Plan, priorities and investments
• Meeting Frequency: Monthly
• Chairs: [ADM-Corporate Services Branch (CSB)] and ADM- HECSB
• ADM level representation

Information Management Accountability Board (IMAB)

• Approve IM/IT strategies, policies, architecture and service levels in support of business requirements
• Meeting Frequency: Monthly
• Co-Chairs:  [CIO & DG-Information Management Services Directorate (IMSD), CSB]; [A/Executive Director, PACPM Centre, Information Management Services Directorate, CSB)]
• DG level representation

Information Management Accountability Board (IMAB)

• IM/IT Business Continuity / Disaster Recovery Committee (BC-DRC)
  • Co Chairs: EX Director-CSB, Dir-IES
  • Membership: Directors & Managers
  • Meeting Frequency: Quarterly
• IM/IT Policies, Standards and Guidelines Working Group
  • Chair: Director STSC- IMSD
  • Membership: Directors, Managers and Analysts
  • Meeting Frequency: Monthly
  • *now to include branch reps
• Enterprise Architecture and Design Steering Committee (EADSC)
  • Executive Director level
  • Internal to IMSD
  • Meeting Frequency: monthly

Enterprise Architecture and Design Steering Committee (EADSC)

• IMSD Results Management/Operations/Oversight Committee
  • Executive Director and Director level
  • Internal to IMSD
  • Meeting Frequency: bi-weekly
• Architecture Review Task Force
  • Executive Director and Director level
  • Internal to IMSD
  • Meeting Frequency: bi-weekly