
Presentation to ISACA Ottawa Valley Chapter Richard Brisebois, Principal November 9, 2010


Presentation Transcript


  1. Presentation to ISACA Ottawa Valley Chapter Richard Brisebois, Principal November 9, 2010

  2. Agenda • Background about the OAG • Audit objective • Scope of the audit • CIO Survey results • Main findings

  3. Mandate The Auditor General Act sets out the duties of the Auditor General and the Commissioner of the Environment and Sustainable Development as they relate to auditing and monitoring of federal departments and agencies.

  4. Work of the OAG – Four Product Lines • Attest audit of financial statements - Government of Canada (Public Accounts) • Attest audits of financial statements - Crowns • Performance audits - departments and agencies • Special examinations – Crowns

  5. Budget and People • Main estimates 2010-11 $85.1 Million • Approximately 635 people (FTE) • Approximately half of professional staff comprise accountants • Other professional staff include: - Engineers - Scientists - Sociologists - Economists - Lawyers - Geologists - Other professionals • Approximately 200 people in the Audit Services Group

  6. Objective of the Aging IT performance audit • To determine whether selected government entities had adequately identified and were managing the risks related to aging IT systems

  7. Scope and approach • Examined the Chief Information Officer Branch of TBS • Reviewed five organizations • Canada Revenue Agency • Public Works and Government Services Canada • Human Resources and Skills Development Canada • Royal Canadian Mounted Police • Citizenship and Immigration Canada • Reviewed three critical systems • HRSDC - Employment Insurance Program • CRA - Personal Income Tax (T1) • PWGSC – Standard Payment System • Conducted a CIO Survey

  8. Definition of Aging IT Systems “Aging information technology (IT) systems refers not only to a system’s age in years but also to issues that affect its sustainability over the long term, such as the availability of software and hardware support and of people with the necessary knowledge and skills to service these systems. The term also relates to a system’s ability to adequately support changing business needs or emerging technologies, such as 24/7 online availability.”

  9. Major Factors Driving the Modernization of Aging IT Systems • Skills shortage • Vendor support • Regulatory compliance • Maintenance costs • Access to data • Meeting client expectations • Security • Green IT initiatives • Disaster recovery

  10. CIO Survey • 40 government entities included in the Treasury Board of Canada Secretariat's Chief Information Officer Council

  11. Audit Findings – Departments and Agencies • Organizations have all identified significant risks related to aging IT systems • Aging IT risk management needs improvement • Monitoring of aging IT risks is incomplete • Departmental investment plans need to be supported by a funding strategy

  12. Organizations Assessed against Key Criteria

  13. Organizations have all identified significant risks related to aging IT systems • All five entities audited considered Aging IT as a significant risk • Five of the six entities included it in their corporate risk profiles • They stated that if these risks are not addressed in a timely manner, they may not have the capacity to meet current and future business needs

  14. Aging IT risk management needs improvement • CRA and RCMP have both completed a departmental multi-year investment plan that defines and prioritizes ongoing and future investments • HRSDC has a Long-Term Capital Plan but projects are not prioritized and a portfolio view is missing • PWGSC and CIC are further behind and don’t have a departmental multi-year investment plan or a portfolio view

  15. Monitoring of aging IT risks is incomplete • Only CRA fully met this criterion • CRA Management Committee and Resource Investment Management Committee review all risks and investment projects regularly • There is an action plan for each risk that outlines specific strategies, key activities, deliverables and timelines

  16. Departmental investment plans need to be supported by a funding strategy • Significant funding is likely to be needed across government to renew aging systems • The shortfall is estimated at a total of $2 billion in three entities

  17. Audit Findings TBS-CIOB Chief Information Officer Branch • CIOB is aware that aging of IT systems is an issue • The aging of IT systems has not been formally identified as an area of importance for the government • There is a need to formulate IT strategic directions or a plan to address these issues on a government-wide level.

  18. Recommendation – Risk Management • Departments should use a department-wide portfolio management approach to ensure that they focus on current and planned IT investments that best contribute to meeting their business objectives, with an acceptable degree of risk and at a reasonable cost. • Departments should develop a multi-year IT investment plan that presents a balanced mix of mandatory, sustaining, and discretionary investments that they require to both sustain existing systems and to improve service delivery.

  19. Recommendation – Risk Monitoring • Departments should develop an action plan for each significant aging IT risk. The plans should include specific strategies, key activities, deliverables, and timelines to manage these risks. These entities should report progress regularly to senior management.

  20. Recommendation – Funding Strategy • Departments should identify an appropriate funding strategy. The funding strategy should present investment options, or scenarios that take into account what source of funding would most likely be available in the five-year planning period.

  21. Recommendation - TBS • The Chief Information Officer Branch (CIOB) of the Treasury Board of Canada Secretariat should exercise its central leadership role by collecting and analyzing relevant information to assess the state of aging IT systems across government. The CIOB should prepare a report on its assessment and the related cost estimates for the government as a whole. In consultation with deputy heads, it should also develop a plan that will set the IT strategic directions for the government to mitigate risks associated with aging IT systems on a sustainable basis.

  22. Questions/Thank You Richard Brisebois, CGA, CISA Office of the Auditor General of Canada Tel: (613)995-3708 Fax: (613)947-9736 240 Sparks Street Ottawa, Ontario, Canada K1A 0G6 www.oag-bvg.gc.ca
