Preparation for Standing Committee on Public Accounts Hearing

Groups 23 and 25

Date: 23 October 2020

Question and answers from previous committee hearing

Ø  Questions related to information technology (IT)

·         Which of your IT systems are at the end of their supported lives, and is there a concern in an age of cybersecurity and cyber espionage?

o   We monitor the aging of our applications via the TIME (tolerate, invest, migrate, eliminate) methodology prescribed by the Treasury Board of Canada Secretariat. Several systems have been identified as being end-of-life and have been included in our 3-year plan for IT investments.

·         Examples of back-end systems that need upgrades

o   Windows server upgrades (2008)

o   Oracle Linux upgrades

o   Database upgrades (Oracle)

o   .NET Core upgrade (Development)

·         Examples of applications that are end-of-life

o   Auditing: auditing working paper file (TeamMate) and report communication application (Controlled Document Interface (CODI))

o   Communications: replace correspondence tracking system

o   Human Resources (HR): applicant tracking system (Monster)

o   Finance: financial system (GX) and product costing

·         Is your IT software behind the private sector’s?

o   We do not currently benchmark our software against the private sector. We are working on implementing enterprise architecture processes that will help us to understand auditor needs and will likely include comparing our target state with private sector firms.

·         Do the weaknesses in your IT systems affect productivity? Has some audit work been affected as a result?

o   We are interested in modernizing our IT systems in order to achieve benefits for our business, which includes improving productivity. We do not have any specific instances in which audit work was affected.

·         Would you be able to get more audits done with more sophisticated, up-to-date IT software?

o   We are interested in modernizing our IT systems in order to achieve benefits for our business, which includes improving productivity. However, technology is only 1 facet of productivity, and it would be premature to state what the impact will be on the number of audits completed. The return on investment for IT software modernization is on average 2 to 3 years after the investment is made.

·         Would you be able to attract more recent graduates if you had the more advanced and current software that they are trained on?

o   We are working on implementing enterprise architecture processes that will help us to understand auditor needs. This will allow us to revisit the current tools and applications available to auditors and determine what changes are needed. We are not in a position to say how this will affect recruiting. However, having more advanced tools may provide an incentive for recent graduates.

·         Do you have contingency plans in the event of a cybersecurity event, based on the current technology you have?

o   Yes, we do have contingency plans and an incident management response plan in place. We have a recovery site that is tested regularly. Work continues in order to strengthen our security posture and improve our resiliency to potential security incidents.

·         The Office of the Auditor General of Canada (OAG) will replace the HR management systems and audit software. What safeguards do you have to ensure you don’t encounter issues such as those that arose with the Phoenix experience?

o   We will follow strong practices to ensure that the HR system meets our needs and is secure. The OAG is also a direct-entry client, where there is no automated link with the pay system.

o   What are you deferring in terms of support services (for example, IT software and security, HR systems) because of lack of funding, and what are the potential consequences (for example, on the security of your computer systems)?

o   Investment decisions are made over a 3-year period. These decisions are being risk managed. For example, we have prioritized the implementation of security software, but the implementation of a new financial system, communications systems, learning management systems, and human capital management systems have been delayed. We have also not been able to fully maintain our legacy systems and have many unsupported systems, which increases security risks. We have also not been able to make investments to modernize our processes and systems (for example, we still rely on manual processes instead of automation, and we do not leverage cloud and open source).

 

 

Departmental plans and departmental results reports

 

2020–21 Departmental Plan

No.

Page

Reference

Question/comment

Answer: Last year (from 2019–20 Departmental Plan, where applicable)

Answer: 2020–21

Key contact

1

 

3

The key risk that the OAG faces is our ability to effectively acquire, develop, and use new technologies and methodologies to keep pace with the changing environment. We recently received the report from the international peer review team that audited the OAG at our request. The peer review team found that our system of quality control was suitably designed and effectively implemented and was impressed overall with the high standard of work done by the OAG. The team also noted the need to address emerging technologies.

 

Managing this risk means that the OAG must invest in its information technology security and architecture, including the modernization of audit tools and emerging technologies. As a result of this investment, the OAG is reducing the number of performance audits that it conducts to remain within

current funding levels.

What is the OAG doing to modernize?


What are the investment needs?

We continue to have legacy systems that are no longer supported or that will be out of support in the short or medium term. Examples include

·         correspondence management software (where we track inquiries from the public)

·         INTRAnet search engine (to search for internal information)

·         IT ticketing system

·         financial system

·         document management system

·         CODI (to secure our electronic documents), which needs to be migrated

·         reports system, which needs to be upgraded

·         editorial services systems (help with audit reporting)

·         OAG learning management system (tracks our employee training)

 

The OAG is focused on modernizing our IT environment and processes.

 

Additional funding was requested to maintain legacy systems (keep the lights on) and to modernize:

·         Maintain operations: An additional 12 IT full-time equivalents were requested in order to address existing staffing shortfalls and maintain existing applications and to support projected increases in employees.

·         Modernize: 14 additional full-time equivalents were requested in order to modernize and find innovative ways of auditing.

·         An additional $3 million in funding was requested for IT over the coming 5 years to update systems and modernize.

 

In 2020–21, the IT budget is $7.56 million and 41 full-time equivalents; however, we are going over this budget by 29 additional full-time equivalents and an additional $3 million in non-salary dollars (mostly going to consultant work).

 

Nadine

2

4

Modernizing the office focuses on improving our tools and use of technology, and our processes and practices.

Where would you say your office is at in term of adapting to new technology?

The OAG has been focusing on modernizing our IT. We are also training staff and creating a modernization working group with a focus on new technologies (such as cloud, data analytics, and blockchain) to audit and use for auditing purposes. The focus has also been to expose staff to these technologies (for example, a pilot project on the Mindbridge data analytics tool). We are also in the process of acquiring a new audit tool that will include disruptive technology.

The OAG is focused on modernizing our IT environment and processes.

 

We have established an innovation unit in a partnership between audit services and IT representatives. This unit aims to modernize audit approaches and the use of new technologies.

 

Enterprise architecture as a process is being implemented, and we are looking at how best to adopt new technologies. 

 

Efforts continue in order to increase digital awareness and the use of new technologies and ways of working (such as, agile and design thinking). We are focusing on upskilling our employees (additional funding request).

 

Nadine

 

2019–20 Departmental Plan

No.

Page

Reference

Question/comment

Answer: Last year

Answer for 2020–21

Key contact

1

6

We need to improve our governance and management of our information technology (IT). We recently completed an IT self-assessment and internal audit, both of which identified that we had not maintained our IT security controls well enough. We also need to renew the IT infrastructure that supports our audits.

 

a) What improvements do you need?

 

From the 2017–18 Q&A (answer from Nadine):

 

a) What improvements?

 

We need to renew our older IT and manage our security risks related to our IT systems. For example, our older technologies are presenting some connectivity issues in the regions. Another example is our HR system. It is an older technology, which is presenting both an operational and security risk.

 

We also have to prepare for the new IT policies that are in force as of 1 April 2018. For example, there is a new requirement for a cloud-first approach.

 

 

The OAG is focused on modernizing our IT environment and processes.

 

Older technology is being updated. For example, progress was made to

·         update and replace networking equipment

·         improve connectivity for regional offices

·         increase network bandwidth  

·         replace firewalls and the virtual private network (VPN) with an interim solution

·         deploy new human resources and timesheet systems

·         update the data storage system

 

In addition, there are plans that include modernization initiatives, such as adopting a modern Human Capital Management System (HCMS), a modern financial system, and content management system, as well as adopting data analytics capabilities.

 

We are also working to align with the strategic direction of the Government of Canada, including the use of cloud services first.

 

Nadine

 

 

 

b) You received $8 million—Is that enough to implement your IT plan?

b) You received $8 million—is that enough to implement your IT plan?

 

We will continue our work on security compliance for tier 1 applications and systems (for example, implementing security tools, self-assessment) and address some key support and maintenance gaps (for example access and account management, maintaining tier 1 application and systems compliance, and working on resolving key technical issues with tier 1 systems). We will also replace some critical end-of-life applications and systems (HR and timesheet system, data storage system, and VPN/firewall).

 

We will not be able to complete the security self-assessment for all remaining (70+) applications (all tier 2 and tier 3 applications and systems)

The $8 million previously received was invested to address critical end-of-life applications and systems (HR and timesheet system, data storage system, and VPN/firewall). We are also in the process of implementing important security tools.

 

Additional funding was requested in order to maintain legacy systems for existing operations and to modernize.

 

Nadine

 

4

In addition, we are facing the potential failure of some of our IT systems, with an immediate need to replace our human resource management system.

Is the $8 million sufficient to cover this? What IT systems could potentially fail?

From the 2017–18 Q&A (answer from Erin, Alain, and Nadine):

 

Is the $8 million sufficient to cover this?

 

Refer to Q1-b.

 

What IT systems could potentially fail?

 

Legacy systems that are no longer supported or that will be out of support in the short or medium term. In addition, systems or infrastructure that no longer meet the ever-increasing security requirements of the Government of Canada, such as

·         HR system

·         time tracking system at the core of our audit management and operations

·         correspondence management software (where we track inquiries from the public)

·         INTRAnet search engine (to search for internal information)

·         IT ticketing system

·         financial system

·         firewall/VPN

·         document management system

·         CODI (to secure our electronic documents), which needs to be migrated

·         reports system, which needs to be upgraded

·         editorial services systems (which help with audit reporting)

·         OAG learning management system (which tracks our employee training)

 

Systems that need to be implemented as they fail to meet current or new business needs or would favour a major cost savings:

·         Network components need to be updated and bandwidth augmented to serve new applications.

·         Internet Protocol telephony would allow long-term savings compared with our current telephone system.

·         Data analytics tools are required to absorb the amount of data our auditors now need to review. 

·         Current environmental petition system used by citizens is currently paper-based.

·         INTRAnet platform.

·         Entities database (to store knowledge and information from departments).

·         Internal database systems need to be replaced and modernized (need an integrated and accurate data model). 

 

In summary, we have several factors that contribute to the revamping of our systems and infrastructure: old legacy systems, systems that don’t meet new security requirements, systems that no longer meet business requirements, new technology that provides cost savings in the long run, becoming cloud-ready, and so on.

·         Examples of back-end systems that need upgrades:

o   Windows server upgrades (2008)

o   Oracle Linux upgrades

o   Database upgrades (Oracle)

o   .NET Core upgrade (Development)

·         Examples of applications that are end-of-life:

o   auditing: auditing working paper file (TeamMate) and report communication application (CODI)

o   communications: correspondence tracking system

o   HR: applicant tracking system (Monster)

o   finance: financial system (GX) and product costing

 

Nadine

 

 

In 2019–20, we will complete the replacement of our human resource management systems, begin to replace our audit management software, and finalize a detailed IT maintenance and operations plan.

 

However, some IT systems that will be at the end of their supported lives in 2019–20 will not be replaced until 2021–22, and our  management of IT security risk will not be reduced to an acceptable level until at least 2021.

 

We will also not be able to invest in new technologies or audit approaches that are necessary to prepare the OAG for the future.

Examples of investments in new technologies that would be needed? Impact on your business?

Examples of investments in new technologies that would be needed? Impact on your business?

 

Systems that need to be implemented as they fail to meet current or new business needs or would favour a major cost savings:

·         Network components need to be updated and bandwidth augmented to serve new applications and increase connectivity with the regions and prepare for cloud implementation.

·         Internet Protocol telephony would allow long-term savings compared with our current telephone system.

·         Data analytics tools are required to absorb the amount of data our auditors now need to review and bring efficiencies to corporate services groups. 

·         INTRAnet platform.

·         Entities database (to store knowledge and information from departments).

·         Internal database systems need to be replaced and modernized (need an integrated and accurate data model).

·         Cloud.

·         Blockchain.

·         Artificial intelligence (AI).

 

In summary, we have several factors that contribute to the revamping of our systems and infrastructure: old legacy systems, systems that don’t meet new security requirements, systems that no longer meet business requirements, new technology that provides cost savings in the long run, becoming cloud ready, and so on.

 

New technologies are being made available, such as

·         Power BI for data analysis

·         collaboration tools, including BlackBerry dynamics and Microsoft Teams

 

New systems are also needed, such as a new HR system, financial system, learning management system, data analytics tools, and automation tools.

 

The innovation unit is also investigating the use of technologies such as

·         mobile applications for both Android and iOS

·         microservices and containers

·         voice assistants, like Siri and Hey Google

·         Azure Cognitive Services (AI / machine learning)

 

Nadine

 

 

 

 

 

 

 

2

6

We need to improve our governance and management of our information technology (IT). We recently completed an IT self-assessment and internal audit, both of which identified that we had not maintained our IT security controls well enough. We also need to renew the IT infrastructure that supports our audits.

 

 

 

 

 

 

What is missing in your IT security controls?

 

What is missing in your IT security controls?

 

Our IT security self-assessment found that we do not have the measures in place for our systems to be safeguarded at an acceptable risk level. We looked at 17 families of controls based on guidance from the centre (Canadian Security Establishment). Currently, for our tier 1 systems, 90% of the primary IT security controls are in place (202/224 tasks identified in action plan now completed). For our other systems, there is a calendar in place that extends to 2020 to conduct self-assessments and implement action plans. 

Security

The OAG’s cybersecurity risk remains at an unacceptable level, but activities are underway to resolve the most significant gaps by the end of the fiscal year (March 2021) and be at an acceptable level of risk by December 2021.

 

Nadine

2

6

In 2019–20, we will complete the replacement of our human resource management systems, begin to replace our audit management software, and finalize a detailed IT maintenance and operations plan.

 

However, some IT systems that will be at the end of their supported lives in 2019–20 will not be

replaced until 2021–22, and our  management of IT security risk will not be reduced to an acceptable level until at least 2021.

 

We will also not be able to invest in new technologies or audit approaches that are necessary to prepare the Office for the future.

What is an acceptable level? How far are you from being at an acceptable level?

 

 

 

What is an acceptable level? How far are you from being at an acceptable level?

Our IT security self-assessment for critical systems revealed that we were not managing security risks at a level acceptable to the OAG. We did our annual assessment based on Treasury Board of Canada Secretariat and Canadian Security Establishment guidance (ITSG‑33 controls) and chose a particular security profile in order to test our controls. We are currently conducting a self-assessment of all of our systems that has revealed that we are not managing risks at a level acceptable to the OAG. We have a staggered plan that will get us to an acceptable level by 2021.

 

 

Security

The OAG’s cybersecurity risk remains at an unacceptable level, but activities are underway to resolve the most significant gaps by the end of the fiscal year (March 2021) and be at an acceptable level of risk by December 2021.

The OAG is making significant investments to address cybersecurity risks.

The OAG employs the ITSG-33 controls developed by the Government of Canada to manage these risks, which mirror those provided by the US National Institute of Standards and Technology (NIST) and the NIST Cybersecurity Framework.

The long-term objective is to complete this investment and move to a sustainable management program of maintaining an acceptable risk posture at a balanced cost.

 

Nadine

2018–19 Departmental Results Report

No.

Page

Reference

Question/comment

Answer: Last year

Answer: 202021

Key contact

1

6

We have been working to implement both the plan we developed last year to reduce our information technology (IT) security risk and the roadmap we prepared to maintain and update our IT systems. We advanced the replacement of our human resource management systems, which we will complete in the

2019–20 fiscal year. Although we made progress on some projects for IT security, we do not expect to reduce our risk to an acceptable level until at least 2021, because of funding pressures. Similarly, we have had to postpone other IT projects until the 2019–20 fiscal year and beyond, also because of

funding pressure.

 

See above

See above

See above

Nadine

2

49

Some IT security and applications projects were not completed, owing to a lack of resources. One of four financial audit efficiency projects was not complete.

What projects were delayed?

N/A

Projects delayed for this fiscal year (2020–21) include 4 projects that will move into next year, including the audit working paper file replacement and C2 replacement, the data program management, and the security self‑assessment.

 

This list of projects that were delayed because of a lack of resources in 2018–19 includes

·         time sheet renewal

·         HR management information system (HRMIS)

·         VPN and main firewall

·         Network Access control (NAC)

·         survey tool

·         business data model

·         OAG client connect

Nadine

2017–18 Departmental Results Report

No.

Page

Reference

Question/comment

Answer: Last year

Answer: 2020–21

Key contact

 

7 –exhibit 1

IT Roadmap and multi-year IT security self-assessment plan

 

 

What are those?

 

What progress has been made in implementing the roadmap and the IT security plan?

The IT Roadmap is a tool that provides the OAG with a holistic view of all OAG systems and applications. It is used to select the investments that will maximize the use of our IT capacity while minimizing risk and addressing the highest business value first.

 

Features of the tool include

·         a mapping of the recommended renewal and replacement lifecycle for each application and system

·         forecasted costs, IT developer capacity and business capacity to renew or replace according to lifecycle

·         indicators to help decisionmakers, such as end-of-life, manual process replacements, pilots, and so on

 

Business processes supported by the tool include

·         strategic planning and prioritization of projects based on risk, capacity, and business need

·         transparent and informed consultation with the business, aligning IT priorities with business imperatives

·         short-term planning, such as work plans, annual and quarterly budget reviews, and so on

·         medium-term planning, such as 3- to 5-year investment plans and risk management plans

·         compliance, risk, and security assessments

·         enterprise architecture planning and design

·         procurement planning

·         IT competencies development plan and succession planning

 

The IT Roadmap was completed in 2017 and is currently used to support the processes listed above.

 

Pursuant to Treasury Board policy, the OAG must conduct an annual assessment of its IT security program and practices to monitor compliance with government and departmental security policies and standards using the IT Security Self‑Assessment methodology and guidance developed by the Treasury Board of Canada Secretariat and the Canadian Security Establishment.

 

The purpose of an IT Security self‑assessment is to help identify IT security deficiencies and recognize and implement remedial action. On the basis of the results of the self-assessment, departments must develop or update their IT security action plan and determine the resources required to implement it. The OAG IT Security Self-Assessment Plan was developed following our IT security self-assessment on OAG critical systems. We have implemented 98% of the plan related to our assessment of OAG critical systems. The 2% that still needs to be implemented is the acquisition of a new monitoring tool and the completion of our security architecture. For the other OAG systems, we will be conducting self‑assessments and developing implementation plans that will be staggered for the next 3 years.

 

We continue to leverage tools such as the roadmap, and we have moved to align with Treasury Board of Canada Secretariat direction and are conducting annual aging assessments on applications based on the recommended TIME methodology. This analysis is a primary input to the 3-year plan. Processes are also being revisited including project management, IT investment planning, and performance management.

 

Nadine

 

9

… we noted that we are facing the potential failure of some of our IT systems…

 

Both the IT security plan and the new HR management system will require additional resources to complete, some of which we expect to come from the Budget 2018 increase to our funding.

 

 

Elaborate on which systems and potential impact on OAG’s operations

 

 

Elaborate on additional funding received and the extent to which it was used for IT security and HR systems.

Which systems and potential impacts on OAG’s operations

 

We need to renew our older IT and manage our security risks related to our IT systems. For example, our older technologies are presenting some connectivity issues in the regions. Another example is our HR system. It is an older technology, which is presenting both an operational and security risk.

 

Other systems that are no longer supported or that will be out of support in the short or medium term, or that no longer meet the security requirements, are as follows:

 

·         HR system (as mentioned above)

·         time tracking system (this is at the core of our audit management and operations) (addressed 2018–19)

·         correspondence management software

·         INTRAnet search engine

·         C2 (IT ticketing system), for 2021–22

·         financial system—for?

·         VPN (addressed 2018–19)

·         firewall (addressed 2018–19)

·         CODI (document management system)

·         editorial services systems

·         OAG learning management system (to track our employee training)

 

Additional funding received and the extent to which it was used for IT security and HR system

Additional funding is being used to continue our work on security assessment and implementing our action plans. Additional funding is also being used to replace some critical end-of-life applications and systems (HR and timesheet system, data storage system, and VPN/firewall).

 

It is important to note that we will continue to have a resource deficit as a result of at-risk applications and systems (increased support requirements due to systems not being adequately maintained, properly tested, inadequate knowledge transfer as staff retire), services will continue to degrade as more resources are redirected to support and maintain aging systems (business process automation, corporate reporting, and so on), and we will not be able to deliver 60% of the projects recommended on the applications and systems roadmap (other end-of-life systems, systems required for treasury board compliance, and so on) or invest in new technologies such as disruptive technologies.

See above

Nadine