Audit of Information Management of the Federal Budget Process

Audit Report

Prepared by:
Internal Audit Directorate
July 2018

Executive Summary

What we examined

The objective of this audit was to provide reasonable assurance that the Department of Finance Canada’s (the Department) management control framework for information management (IM) within the Federal Budget (Budget) preparation process is effective.

The scope of the audit included an assessment of the Department’s management control framework for the handling of information produced during the planning and preparation of the 2017 Budget, and the early planning of the 2018 Budget. Specifically, the audit looked at the collection (creation or receipt), distribution, retention (use and security) and destruction of Budget information.

To assess the framework, we reviewed the governance structures in place (committees, defined roles and responsibilities) and the policies, procedures and tools used to support the management of information from the Budget process. Special attention was given to assess the information technology (IT) access controls in place to safeguard Budget information.

Why it is important

Information is a core asset to the Department. The efficient and effective management of this information is required for the Department to deliver informed policy advice, and to operate as an agile and responsive knowledge-based institution, while protecting its highly sensitive information.

A key deliverable for the Department is the annual Budget for the Government of Canada (Government). The Budget sets out the Government’s fiscal plan and policy priorities. In planning and preparing the Budget, the Department is responsible for a significant amount of highly sensitive information. The Department wants to ensure that it has effective control over all its Budget information. Effective control will help the Department ensure that its key Budget records are properly managed, that the advice it provides is well supported, and that its information and reputation are appropriately safeguarded.

What we found

Overall, we found that the Department has developed a control framework for managing information within the Budget development process; however, this framework is not entirely effective as some areas for improvement were identified.

We found that the Department approved a new departmental Policy on the Management of Information in March 2018. At the time of this audit, the Department was in the process of developing supplementary guidance.

The Department has established clear roles and responsibilities for the Budget process coordination team and for Budget Coordinators. We found that the Economic and Fiscal Policy Branch team, which is responsible for coordinating the Budget process, has led the way in increasing the adoption and use of Budget SharePoint across the Department, thus improving information sharing and collaborative work processes.

We found that information and records from the Budget process are not managed in a manner consistent with Treasury Board (TB) and departmental policies. Some compliance monitoring was being performed; however, we could not find a documented monitoring plan to ensure that the Department is meeting the expectations of the TB Policy on Information Management and the departmental Policy on the Management of Information.

We found that the Department has created guidance for employees on the retention and disposal of certain types of information. However, we identified inconsistencies in the dissemination of this guidance across platforms and media. Some employees are not aware of their responsibilities as per the Department’s Policy on the Management of Information or in the use of SharePoint.

Information management related issues and initiatives are presented to senior committees within the Department. However, we were unable to conclude on the effectiveness of any of these committee deliberations as records of decisions were not produced for two of the three senior management committees.

We found that the Department has a plan to integrate GCdocs[1] on the Department’s open network (*redacted*) to ensure that key records and information are retained, as required. However, we noted that this plan has not yet been implemented. Moreover, we did not find a similar plan for the Department’s *redacted* network.

We found that there are multiple controls in place to safeguard Budget-related information; however, they have not had the desired effect, as staff are not consistently following these requirements. Additionally, we found that a key control to access Budget files electronically was not defined.

Kari Swarbrick
Chief Audit Executive

Background

  1. The Audit of Information Management of the Federal Budget Process was conducted in accordance with the Department of Finance Canada’s (the Department) 2017–2018 to 2019–2020 Risk-based Audit Plan that was approved by the Deputy Minister on June 9, 2017.

Information Management

  1. Information management (IM) is a discipline that directs and supports effective and efficient management of information in an organization, from planning to disposal or long-term preservation. The Department produces a vast array of information, including data, documents, graphics, recordings, tweets, and blog posts.
  2. The Department’s 2017–2018 Integrated Business Plan identified information as a core departmental asset. The Department relies on efficient and effective IM to deliver informed policy advice, and operate as an agile and responsive knowledge-based institution, while protecting its highly sensitive institutional information. IM is the responsibility of all employees in the Department and includes document creation, collection, organization, security classification, reuse and sharing, protection as well as the deletion, or destruction of information that does not have business value (i.e., transitory information).

Information Management at Finance

  1. The Deputy Minister is responsible for the effective and well co-ordinated management of information throughout the Department. The Information Management and Technology Division (IMTD), which is managed by the CIO, is responsible for providing effective and innovative information and technology management in support of the Department’s business objectives.
  2. The Department stores its electronic information on two networks: *redacted*, an open network with external internet connectivity and email service; and *redacted*, a segregated network with limited external connectivity. In early 2017, the Department announced its plan to use a software known as SharePoint to manage its electronic information in an effective manner. SharePoint allows users to collaboratively create, share and re-use information across the Department while facilitating document review and approval. Having used a ‘limited functionality’ version of SharePoint in three previous Federal Budget (Budget) development cycles, the Department planned to roll-out SharePoint on *redacted* in June 2017 and on *redacted* network in autumn 2017. In a later phase, the Department planned to connect SharePoint on *redacted* to the Government’s GCdocs[2].

Budget Preparation

  1. A key deliverable for the Department is the preparation of the annual Budget for the Government of Canada. The annual Budget that is tabled in Parliament early each year (usually February or March) sets out the government’s economic and fiscal agenda. The Budget preparation involves the direct input and contribution from all nine branches across the Department.
  2. The Economic and Fiscal Policy Branch (EFP) plays a significant role in regards to Budget IM as it leads the Budget coordination within the Department. All branches, excluding the Corporate Services Branch, have a Budget Coordinator who is responsible for liaising with EFP during the Budget cycle and managing their branch’s internal Budget contributions.
  3. An audit on IM practices of the Budget process is key to assess how branches manage information, and what support exists for policy analysts. Furthermore, recent audits performed by the Office of the Auditor General, in policy areas, have found issues with respect to the availability of information to support policy analysis and related recommendations.

Audit Objective and Scope

Objective

  1. The objective of this audit was to provide reasonable assurance that the Department’s management control framework for information management within the Federal Budget process is adequately applied and effective.

Scope

  1. The scope of the audit included an assessment of the Department’s management control framework for IM, including document management and records management during the 2017 Budget cycle and the beginning of the 2018 Budget cycle.

    The scope did not include assessments of:
  • Policy decisions within Budget documents and/or advice provided to the Minister of Finance by the Department’s branches during the Budget development process;
  • Information Technology (IT) Security infrastructure related to external threats to Budget information, as IT governance and project management is scheduled for review during the fiscal year 2018–19; and
  • Roles and responsibilities of external stakeholders, such as the Office of the Privy Council.

Approach

  1. During the conduct of this audit, we:
  • Reviewed relevant documents such as the Treasury Board (TB) Policy on Information Management and related guidance, the Department’s Policy on the Management of Information and IM guidance, and various governance meetings’ records of decisions;
  • Interviewed individuals within all nine branches of the Department, including the CIO and branch Budget Coordinators;
  • Conducted walkthroughs of shared drives and Budget SharePoint file structures; and
  • Conducted data analysis on systems access controls.
  1. Fieldwork for this audit was substantially completed on December 22, 2017. Following the completion of our fieldwork, in March 2018, the Department approved a new departmental Policy on the Management of Information, which was considered in the drafting of this report.

Opinion

  1. Sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion were based on a comparison of the conditions that existed as of the date of the audit against established criteria that were agreed upon with management.
  2. The findings and conclusion are only applicable to the entity examined and for the scope and time period covered by the audit.

Statement of Conformance

  1. The audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the quality assurance and improvement program.

Detailed Findings and Recommendations

Governance

  1. Governance is defined as the combination of processes and structures implemented by an organization to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. We expected the Department to have established adequate and effective governance processes and structures to manage its Budget information. This would include establishing committee and reporting structures, and creating roles and responsibilities to ensure the effective management and monitoring of the Budget information.
  2. The Budget development process is governed primarily by two committees: the Departmental Coordinating Committee (DCC) and the Executive Committee (EXEC). DCC, chaired by an Associate Assistant Deputy Minister (ADM), is a discussion forum for the coordination of departmental priorities with a focus on horizontal implementation and execution. EXEC, chaired by the Deputy Minister (DM), is the Department’s most senior management committee and it is the final level for the approval of matters related to corporate management policy, strategies, stewardship, and recommendations made by other departmental committees. EXEC approves the annual Integrated Information Management and Information Technology Plan and the departmental IM policies and tools.
  3. Records of decisions are important because they promote structure and common understanding among committee members and they drive action. They clarify how, when, why, and by whom decisions were made. Fundamentally, these records support transparency and accountability as they identify who is responsible for specific actions and they form the official records of decisions, which are shared with stakeholders.
  4. We found that no formal records of decisions are taken or prepared for either EXEC or DCC. This lack of information has created problems for members to effectively follow-up on plans and important issues, and to share decisions with stakeholders in the organization. The main reason given for the committees not keeping records of decisions is that members should have a ‘safe’ environment to discuss sensitive issues.
  5. As no formal records of decisions are maintained by EXEC or DCC, we could not review the decisions or approvals of IM policies, tools or strategies for the Budget. Moreover, we are unable to conclude on the effectiveness of any monitoring or oversight over IM of the Budget process.
  6. The Internal Audit Directorate conducted an Audit of Safeguarding of Sensitive Information concurrent with this audit engagement. Both audits identified this same deficiency. A recommendation will be made as part of the Audit of Safeguarding of Sensitive Information; therefore, no recommendations will be made in this audit report.

Information Management Roles and Responsibilities

  1. Defined roles and responsibilities that are documented and communicated to staff, help support accountability and good management. We expected to find that the Department had defined the roles and responsibilities for IM within the Budget development process, and communicated them to each stakeholder.
  2. Within the Department, IM roles and responsibilities are generally divided into two groups of stakeholders. The first group is composed of functional specialists within the Information Management and Technology Division (IMTD). These specialists provide support and guidance to employees to carry out their document management responsibilities. They also provide records management, library, and information architecture services to the entire Department. These services are not unique to the management of information in the Budget process. The second group of stakeholders are employees who create documents and use the information. Employees are responsible for document management for their specific business lines, including the Budget process. The Economic and Fiscal Policy Branch (EFP) coordinates the Budget process and performs a fiscal review of all Budget proposal items. Additionally, all branches, excluding the Corporate Services Branch, have a Budget Coordinator who is responsible for liaising with EFP during the Budget cycle and managing their branch’s internal Budget contributions.
  3. We found that the high-level roles and responsibilities for IM in the Budget process are defined and have been communicated to the stakeholders.

Information Management Policies

  1. Formal policies support the consistent application of IM by employees across the Department. We expected that the Department’s IM policies were aligned with applicable TB policies and that they were defined, documented and communicated to stakeholders.
  2. We found that, in March 2018, the Department approved a Policy on the Management of Information. This policy provides a high-level overview of the roles and responsibilities for IM in the Department. The Department is in the process of developing supplementary guides, which will break down the specific roles and responsibilities by user group. However, the new policy and guidance have not yet been fully communicated to staff.
  3. Periodic monitoring of departmental and governmental policies can ensure compliance with policies and effectiveness of departmental operations. The TB Policy on Information Management requires departments to monitor for compliance against the policy suite. We expected to find that the Department was monitoring compliance against this policy suite.
  4. We found that the Department is partially monitoring compliance against TB policies, specifically only those elements of the policy considered under its Management Accountability Framework assessments. This constitutes only a subset of the TB policy suite requirements.
  5. The departmental Policy on the Management of Information requires IMTD to monitor adherence against TB policies and its own policy. We asked IMTD to provide us with its monitoring plan. However, IMTD could not provide a documented monitoring plan for conducting these assessments.
  6. Gaps in monitoring compliance against policies may put the Department at risk. The Department may not know if it is compliant with policies and this could make it difficult for the Department to measure whether its IM practices are improving.

Recommendation #1

The Chief Information Officer should ensure that:

  • The Department’s Policy on the Management of Information, and the supporting implementation guides are aligned with Treasury Board’s Policy on Information Management and related guidance, and communicated to employees; and
  • A monitoring plan is developed and implemented to ensure departmental compliance against the Treasury Board’s Policy on Information Management and related guidance, and the Department’s Policy on the Management of Information.

Information Management Tools and Practices

  1. Many organizations use tools to aid in the management of information. We expected the Department to have used tools in a systematic and consistent manner to create, track, record and manage its Budget information.
  2. We found that the Department has rolled-out SharePoint across the organization as its front-end document management system. The Department has used a ‘limited functionality’ version of SharePoint (Budget SharePoint) for the last three Budget cycles. We found that while some branches are using Budget SharePoint for the creation of all Budget-related documents, other branches are still not using the tool and they are heavily reliant on the use of shared drives. For some employees and some branches involved in the development of the Budget, there is uncertainty as to when to use SharePoint, Budget SharePoint, or when to rely on the shared drives.
  3. The 2017 roll-out of SharePoint across the Department is the result of a multi-year project. In consultation with all branches, the IM team designed the information architecture for SharePoint. This architecture included how the information would be organized and controlled (e.g., navigation, retention-deletion rules and document access permissions). Some document management rules can be “hard-coded” in SharePoint (e.g., metadata fields related to document type, document security classification, etc.). Other document management rules require that each employee know what practices are expected and performs the required function. As a result, we expected that the Department created guidance documents on how to manage information using SharePoint and shared these documents with all employees.
  4. We found that IMTD created new guidance - with a focus on SharePoint - for employees to help them transition to SharePoint and to better manage their information. This SharePoint guidance is made available on the intranet and presents ‘how-to’ instructions for the new system and responsibilities of employees concerning document management practices. Additionally, IMTD provided SharePoint training to employees throughout summer and fall 2017. In spring 2018, IMTD launched a new approach to communicating IM best practices – accompanied by demonstrations in SharePoint.

Storage of Budget Information

  1. The audit also looked at how analysts are storing the supporting documentation to each Budget ‘2-pager’[3] (e.g., emails with key stakeholders or data analysis). We expected to find that each branch applied a consistent approach to identify what types of documents should be stored and maintained as an official record.
  2. We found that there are significant inconsistencies in how Budget analysts across the Department identify what types of documents should be stored. We even found inconsistencies amongst analysts within the same branch. Some analysts demonstrated an appropriate knowledge of how and where to store these documents, while others did not. For example, some analysts saved key emails and others did not.
  3. We also found that most analysts did not work exclusively on Budget SharePoint. Some analysts worked on their ‘2-pager’ from their personal drive or desktop, only to introduce it into Budget SharePoint at the point of approval.
  4. To address the inconsistent use of the SharePoint tool and to increase IM compliance, an IM Community of Practice (IMCoP) group was formed, which includes representatives from each branch. The IMCoP is currently chaired by a Senior Director from Economic and Fiscal Policy (EFP); the branch responsible for leading the Budget coordination. The IMCoP’s first meeting was held in early 2018. This new group aims to share best practices, to discuss SharePoint issues and possible solutions and to develop guidance with the goal of ensuring a consistent application and approach across the Department.

Recommendation #2

The Assistant Deputy Minister of Economic and Fiscal Policy Branch should lead departmental efforts to ensure that information from the Federal Budget development process is managed in a manner consistent with Treasury Board and departmental information management policies and directives.

Disposition of Information

  1. An important part of good IM in government is knowing when and how to dispose of information or records that no longer have value to the organization. Disposition of information from the Budget development process is required of the Department. We expected to find that employees were disposing of transitory information that is no longer of value to the Department.
  2. We found that there is guidance on the Department’s intranet and SharePoint sites that is intended to assist employees in identifying information of business value and how it should be managed. The guidance also helps employees in determining when information can be deleted or destroyed. Employees are provided with direction on when to contact Information Functional Specialists. In addition, they are provided with details on the process of sending paper records to the Department’s Corporate Information Center and declaring a digital document a record from within SharePoint.
  3. We found that none of the branches involved in the development of the Budget are consistently or systematically identifying and deleting information at the end of each Budget cycle. Moreover, none of the branches are consistently sending information of business value to Information Functional Specialists to ensure that it is managed as a departmental record. The reasons provided for these inconsistencies included time constraints and a lack of understanding as to what information should form a corporate record. We also found that while some document management rules can be hard-coded in SharePoint, rules could not be configured in SharePoint to define departmental records. Employees are expected to be aware of IM practices and to determine the value of information (i.e., corporate information vs. transitory information). The future integration of SharePoint and GCdocs will support the management of electronic records in the Department.
  4. A significant risk to the Department for not undertaking proper records identification and disposition is that it creates more demands on employees when Access to Information and Privacy requests are made. In such situations, employees would be required to sort through large volumes of information that may or may not be properly identified, and otherwise could have been deleted or disposed.

Recommendation #3

The Chief Information Officer should lead departmental efforts to ensure that:

  • document management guidance is consistent with the departmental Policy on the Management of Information;
  • document management guidance is provided to all employees across departmental platforms and media; and
  • where possible, hard-coded document management rules are implemented in SharePoint.

Records Management

  1. An electronic document and records management system (EDRMS) enables Government of Canada employees to find, share and collaboratively develop information resources of corporate value, therefore increasing productivity, efficiency and effectiveness of operations. GCdocs is the Government of Canada’s official EDRMS solution to support organizations in meeting their IM obligations, and its implementation is a government-wide priority. Currently, the Department has only implemented SharePoint in *redacted* and *redacted* as a collaboration tool.
  2. We expected that the Department was safeguarding its information, including Budget related information. We also expected that the Department was working to meet the government-wide priorities of GCdocs, in particular that it had a plan to integrate GCdocs on both the *redacted* and *redacted* networks.
  3. We found that the Department has so far implemented SharePoint in *redacted* and *redacted* as its collaboration tool. As for record management, the Department is currently not managing any electronic records within a designated corporate records repository, but is managing paper records as per the policy. However, we found that senior management had approved a strategy to implement SharePoint as its front-end document management and collaboration tool and GCdocs as its back-end tool to ensure proper retention and disposition of its information.
  4. As per the 2017–20 Integrated Information Management and Information Technology Plan, the Department is participating in the SharePoint-GCDOCS Cluster Working Group established to integrate SharePoint and GCdocs and implement it as a government-wide solution[4]. The plan also includes the integration of SharePoint-GCdocs on the *redacted* network in fiscal year 2018–19. However, there is currently no immediate similar plan for the *redacted* network, which is the network used to store all information related to the Budget.
  5. Furthermore, we found that documents relating to the Budget process have not been sent (as a comprehensive package) by information owners (i.e. creators/originators of the information) to records management for the past several years.

Recommendation #4

The Chief Information Officer should develop options for the Executive Committee’s decision on the strategic direction of the *redacted* network, with consideration to meeting information management requirements.

Recommendation #5

The Assistant Deputy Minister of Economic and Fiscal Policy Branch should ensure that all information of business value from the Budget process is declared as records, and that these records are sent to the Corporate Information Center for records management.

Safeguarding of Budget Information

Security Sweeps and Awareness

  1. Security programs are implemented to protect assets of the organization and to raise awareness of security amongst employees. We expected that the Department would have effective controls in place to safeguard its information, including information related to the Budget.
  2. Guidance on information security and safe handling practices of classified Budget-related information is available to all employees through the Department’s intranet website “InfoSite”. Examples of the guidance provided include: restrictions on the transmission, photocopying and printing of classified Budget-related information; an explanation of the ‘need-to-know’ concept; instruction on how to classify and transport documents; and an overview of the Clean Desk Guidelines.
  3. We also found that the Department has a security sweep program that has been in place since 2013–14. This program was created to raise employees’ awareness of the Department’s Clean Desk Guidelines, which are used to ensure that classified and protected information are never left unattended. On an annual basis, during the Budget development period, the Department’s Security Services Division performs security sweeps on each floor occupied by the Department. To emphasize the importance of information security, Assistant Deputy Ministers are notified of all security sweep incidents[5] (e.g., protected document left on desk, electronic device such as a laptop or tablet not properly secured) involving their employees. After each sweep, the affected employees must retrieve their classified or protected documents (or electronic devices) from their respective Assistant Deputy Minister.
  4. After analysing the data from the security sweeps over the last four years, we found that the number of incidents has increased from year to year (Table 1). A further analysis of this data has found that the rise in incidents was consistent across all branches of the Department. The total number of incidents represents a rate of approximately 5% of all Department staff in 2013–14 to approximately 25% of all staff in 2016–17.

Table 1: Number of Security Sweeps Incidents for Fiscal Years 2013–14 to 2016–17

Fiscal Year         | 2013–14 | 2014–15 | 2015–16 | 2016–17
Number of Incidents | 35      | 71      | 148     | 182

  1. We inquired as to whether the Department has conducted an examination into the root causes of the increased security incident rates and whether a strategy has been prepared to address this increase. We were informed that the Security Services Division has never analyzed or reviewed year-to-year changes, and furthermore that it has not investigated the root cause for the increased rates of non-compliance.
  2. The Internal Audit Directorate performed a Coordinated Audit of Physical Security Access of the James Michael Flaherty Building in 2017, which highlighted weaknesses in the security awareness of employees. While this audit looked at the issue from a different perspective, it came to the same conclusion that insufficient security awareness exists amongst employees. This audit will not duplicate the recommendations from the 2017 audit.

Budget Security

  1. The Department has adopted the security concept known as the ‘need-to-know’ principle. This principle states that even if one has the necessary security clearance to access certain information, one would not be given access to such information unless one has a specific reason to ‘need-to-know’. The use of the ‘need-to-know’ principle is balanced in the Department through the benefits gained from operational collaborations between its branches. To achieve this collaboration under the ‘need-to-know’ principle, the Department has developed two folders in Budget SharePoint: one '*redacted*'[6] and the other '*redacted*'. There is restricted individual access assigned to each folder, as they hold sensitive Budget information and policy branches have access to this information.
  2. Access to Budget folders is provided to individuals by an IT team within IMTD. IMTD receives requests for access and consults a list of designated approvers for Budget folders to ensure that the request is authentic. IMTD provides access to the Budget folders following a documented process. The granted access is also tracked in an Excel document to provide a record of who was given access to what and who approved it. Designated approvers are members of the EFP team, which coordinates the Budget process, and the branch Budget Coordinators. While the process is clear, we could not find any evidence of clearly defined and documented criteria for designated approvers.
  3. Overall, although controls for safeguarding Budget information are in place, a weakness remains: there is no documented access policy that clarifies the procedures to follow to approve access to Budget folders.

Recommendation #6

The Assistant Deputy Minister (ADM) Economic and Fiscal Policy, in collaboration with other policy branch ADMs, should develop a documented access policy for Budget SharePoint folders.

Conclusion

The audit concluded that the Department has developed a control framework for managing information within the Budget process. However, it is not entirely effective as some areas for improvement were identified.

Areas requiring management attention include:

  • documenting decision-making processes and record keeping practices for all governance committees throughout the Department;
  • aligning and communicating the departmental Policy on the Management of Information, and the supporting implementation guides and other document management guides;
  • developing and implementing a monitoring plan for the full TB IM policy suite as well as the departmental Policy on the Management of Information;
  • establishing document management rules tailored to the Budget process;
  • providing document management guidance to employees and implementing hard-coded document management rules into SharePoint;
  • establishing a records declaration process as part of the closing of each Budget cycle;
  • developing options for the EXEC’s decision on the strategic direction of the *redacted* network, and for the integration of an electronic document retention and disposition system for the *redacted* network; and
  • developing an ‘access of information’ policy for key Budget SharePoint folders.

Successful implementation of these management actions should help the Department to effectively manage information within the Budget process.

Recommendations, Management Response and Action Plan

Overall Management Response

Management agrees with the findings and the recommendations.


Recommendation 1

The Chief Information Officer should ensure that:

  • The Department’s Policy on the Management of Information, and the supporting implementation guides are aligned with the Treasury Board’s Policy on Information Management and related guidance, and communicated to employees; and
  • A monitoring plan is developed and implemented to ensure departmental compliance against the Treasury Board’s Policy on Information Management and related guidance and the Department’s Policy on the Management of Information.

Management Response:

Management agrees with the recommendation. The following background is relevant to the recommendation:

Mandatory Information Management (IM) awareness sessions for all new or returning employees, which highlight IM responsibilities as per the departmental and Government of Canada policies, re-commenced on March 6, 2018.

The approval by senior management of the departmental Policy on the Management of Information was communicated to all staff in the March 26, 2018 issue of the internal newsletter (InfoBulletin) and messaging system (InfoTV) on the same date. This communication included a link to the full text of the policy on the Department's intranet (InfoSite).

The current departmental policy is aligned with the Treasury Board (TB) policies in effect. However, the TB policy suite is undergoing a renewal. It is expected that the current IM and information technology (IT) policies will be further revised and combined as a TB digital policy in 2019.

The IM team does not have elevated rights in document management tools (Federal Budget drives, branch drives, SharePoint Budget or SharePoint) based on the need-to-know principle. This limits capability to monitor compliance of the IM policy suite.

The Chief Information Officer (CIO) is committed to developing a plan to monitor departmental IM compliance, taking into consideration the need-to-know principle and possible changes to TB policy direction.

Action Plan:

Issue a mid-year reminder to employees of their IM responsibilities via follow-up messaging on the InfoBulletin and InfoTV, and reinforced throughout the year in ongoing outreach activities.

Develop and publish a series of evergreen guides to assist employees in non-functional specialist roles to fulfill their responsibilities and comply with IM policies.

Develop an IM compliance monitoring plan.

Monitor compliance, per the plan, and report findings to senior management as required.

Lead:

CIO

Target Dates:

2018-06-30 Responsibilities communicated

2018-08-31 Implementation guides published

2018-12-31 Monitoring plan developed

2019-03-31 First report on the monitoring of compliance

Recommendation 2

The Assistant Deputy Minister of Economic and Fiscal Policy Branch should lead departmental efforts to ensure that information from the Federal Budget development process is managed in a manner consistent with Treasury Board and departmental information management policies and directives.

Management Response:

Management agrees with the recommendation. The following background is relevant to the recommendation:

Since Budget 2017, the Economic and Fiscal Policy Branch (EFP), in collaboration with all policy branches, has adopted SharePoint as the primary tool for producing and managing Budget-related information, including defined folder structures, document management responsibilities and collaboration procedures. These efforts have contributed to significant improvements in Budget-related business processes and information management (IM).

Action Plan:

The EFP will communicate appropriate document management practices across the Department of Finance Canada (the Department) for content produced in the context of the annual Budget Process, on the advice of the Information Management and Technology Directorate (IMTD) and consistent with Treasury Board (TB) and departmental IM policies. This includes:

  • what documents are transitory versus corporate;
  • which repository to save/store each Budget-related type of document;
  • when to save a document;
  • tagging conventions;
  • naming conventions;
  • when to create a major version;
  • when it is acceptable to delete transitory documents and minor versions;
  • when to declare a document as a record; and
  • the media of record for each Budget-related type of document.

Lead:

Director, Budget Policy and Analysis, EFP

Target Date:

2018-09-30 Practices communicated as part of a comprehensive Budget coordination training to analysts and managers at the beginning of cycle (i.e., “Budget Bootcamp”)

Recommendation 3

The Chief Information Officer should lead departmental efforts to ensure that:

  • document management guidance is consistent with the departmental Policy on the Management of Information;
  • document management guidance is provided to all employees across department platforms and media; and
  • where possible, hard-coded document management rules are implemented in SharePoint.

Management Response:

Management agrees with the recommendation. The following background is relevant to the recommendation:

The document management pages on the Department's intranet (InfoSite) were redesigned to promote action and learning by taking an employee-centric approach. The first pages were launched on April 16, 2018 with successive releases throughout the spring.

The Department of Finance Canada (the Department) has operated in a "keep everything" culture for many years. Document management rules are seldom configured in business tools and the idea of doing so can meet with resistance to change.

SharePoint is a relatively new business tool for the Department, one of many that a small technical team (Application Team) is expected to support and enhance.

The Chief Information Officer (CIO) is committed to hard-coding document management rules taking into consideration the necessary culture change, limited resources and competing priorities of the technical team. The hard-coding of document management rules is an information management good practice. Users will continue to be consulted and senior management engaged to ensure a balanced approach between the benefits of rules and usability.

See also Recommendation 1 for specifics on employee information management (IM) responsibilities per departmental and TB policies.

Action Plan:

Conduct a review of current document management guidance on the InfoSite and the SharePoint Homepage for:

  • consistency in terminology and direction;
  • accuracy of step-by-step instructions;
  • readability (absence of technical jargon, flow, etc.); and
  • gaps and opportunities for learning.

Develop new guidance to address any key gaps and priority areas.

Facilitate discussion with the IM Community of Practice and the Economic and Fiscal Policy Branch Budget Process Coordinator on specifications for document deletion and declaration rules.

Seek senior management endorsement of document management rules in SharePoint.

See also Recommendation 1 for specifics on employee IM responsibilities per departmental and TB policies.

Lead:

CIO

Target Dates:

2018-09-30 Review and edit of existing documentation completed

2018-12-31 New guidance offered or published

2019-03-30 Rules in all SharePoint environments endorsed and configured

Recommendation 4

The Chief Information Officer should develop options for Executive Committee decision on the strategic direction of the *redacted* network, with consideration to meeting information management requirements.

Management Response:

Management agrees with the recommendation. The following background is relevant to the recommendation:

The strategic direction of the information technology (IT) networks, including the strengthening of the security posture of *redacted*, has been an ongoing priority for the Department of Finance Canada (the Department). Cyber security is listed as a key risk in the departmental Corporate Risk Profile. The Information Management and Technology Directorate (IMTD) has implemented multiple projects, including Windows 10 and Office 2016, Government of Canada Secure Remote Access, Managed Secure File Transfer service and GC Secret Infrastructure (GCSI), to increase IT security controls in the FIN environments. IMTD also performed comprehensive security assessments for new applications/services to ensure known vulnerabilities were documented before the Authority to Operate was granted by the Chief Information Officer (CIO) and the Departmental Security Officer.

IMTD has developed a long-term vision for the *redacted* network with a focus on the classification level of the data, information, and the supporting applications residing in this network. While *redacted* is a relatively new environment, *redacted* is an outdated network with limited technical capability for expansion and Shared Services Canada (SSC) is not mandated to invest in legacy environments. To this end, IMTD implemented SharePoint to address base IM requirements in the *redacted* network as GCdocs is available, as an SSC managed-service, in the GCSI network for the electronic management (retention and disposition) of classified (Secret) information. The Department is aligned with this GC direction and has implemented GCSI kiosks in all policy branches.

IMTD is working to develop options on the strategic direction of the *redacted* network, including the move of non-classified applications from *redacted* to *redacted* and the adoption of GCSI for the Department. The CIO will be consulting with the Workplace Champion and other senior managers to seek input on the proposed strategic direction before engaging departmental governance committees.

Action Plan:

The CIO will present, to the Deputy Minister, his recommendations on the future of the *redacted* network based on a risk assessment and an analysis of the various options, including requirements for records management.

Lead:

Assistant Deputy Minister, Corporate Services Branch and the CIO

Target Dates:

2018-06-30 Finalize draft options analysis document

2018-08-31 Presentation to EXEC after reviews with MAC members

Recommendation 5

The Assistant Deputy Minister of Economic and Fiscal Policy Branch should ensure that all information of business value from the Budget process is declared as records, and that these records are sent to the Corporate Information Center for records management.

Management Response:

Management agrees with the recommendation.

Action Plan:

The Economic and Fiscal Policy Branch (EFP) will explore options, in consultation with the Information Management and Technology Directorate (IMTD), to standardize the key steps taken at the close of the Federal Budget Process (the Budget) to formally declare information of business value for the purpose of digital record-keeping. Such options will be informed by the department-wide implementation of an electronic document and records management system (EDRMS) aligned with the security considerations related to Budget content.

In the interim, EFP, along with the other policy branches involved in the Budget Process, will continue to communicate best practices to content leads on the retention and disposal of Budget-related documents at the end of each cycle, ensuring that documents of business value are retained in a consistent and secure manner.

Lead:

Director, Budget Policy and Analysis, EFP

Target Dates:

2018-12-31 Close-out best practices communicated to content leads

2019-03-31 Develop procedure for digital record-keeping in alignment with planned roll-out of secure EDRMS solution (see recommendation 4)

Recommendation 6

The Assistant Deputy Minister (ADM) Economic and Fiscal Policy, in collaboration with other policy branch ADMs, should develop a documented access policy for Budget SharePoint folders.  

Management Response:

Management agrees with the recommendation.

Action Plan:

The Economic and Fiscal Policy Branch (EFP)'s Budget Policy and Analysis Group, in collaboration with other policy branch Budget Coordinators, will facilitate the development of a documented access policy template for Budget SharePoint folders. Based on this template, each policy branch will develop a documented access policy reflective of its particular business requirements, submit it for ADM approval, and make it available to all analysts involved within their branch.

EFP's Budget Policy and Analysis Group will raise awareness around access policies, roles and responsibilities in managing access, and the process to request access each year during the Budget Bootcamp.

In addition, the Information Management and Technology Directorate's well-established procedures for granting and tracking access will continue to be in place, as noted in this report.

Lead:

Director, Budget Policy and Analysis, EFP

Target Date:

2018-09-30 Access policy developed and communicated during the Budget Bootcamp

Annex A: Audit Criteria

The following audit criteria were used in the conduct of this audit:

  1. Governance structures, and roles and responsibilities for information management (IM) are defined and assigned throughout the Federal Budget Process.
  2. Departmental IM policies are defined, documented, communicated and aligned with the applicable policies.
  3. Departmental tools used for the Budget Process support IM requirements.
  4. Effective controls exist regarding the safeguarding of information related to the Budget.

Annex B: Acronyms

ADM
Assistant Deputy Minister

CIO
Chief Information Officer

DCC
Departmental Coordinating Committee

EDRMS
Electronic document and records management system

EFP
Economic and Fiscal Policy Branch

EXEC
Executive Committee

*redacted*
The Department’s open access network

*redacted*
The Department’s segregated access network

GCSI
Government of Canada’s Secret Infrastructure

IM
Information Management

IMCoP
Information Management Community of Practice

IMTD
Information Management and Technology Division

IT
Information Technology

MAF
Management Accountability Framework

SSC
Shared Services Canada

TB
Treasury Board


1 GCdocs is the Government of Canada’s standard Electronic Document and Records Management Solution (EDRMS)

2 GCdocs is the Government of Canada’s standard Electronic Document and Records Management Solution (EDRMS)

3 ‘2-pager’ is the name provided to each Budget initiative document. The template is 14 pages long and the completed final version can be well in excess of 14 pages in length.

4 On May 31, 2018, the Government of Canada’s Enterprise Architecture Review Board (GC EARB) endorsed Public Services and Procurement Canada (PSPC) to establish a common Enterprise Managed SharePoint service offering for the Government of Canada.

5 Examples of security incidents include employees not properly securing cabinets, computers, USB keys and protected documents.

6 During Budget 2017, the '*redacted*' folder was called the '*redacted*' folder.