Review of Statistics Canada's Governance with Shared Services Canada

November 18, 2014
Project Number: 80590-83

Executive Summary

The landscape for Information Technology (IT) has changed for Statistics Canada since 2011. The introduction of Shared Services Canada (SSC) transferred ownership of IT infrastructure and telecommunications from 43 departments and agencies, including Statistics Canada, to SSC. This change has resulted in an increased dependence on a third party for the provision of these services and has required Statistics Canada, specifically IT Branch, to work with a newly established service provider to maintain stable IT services while managing the ambitious change agenda of transformation set out by TBS and SSC. While Statistics Canada recognizes and supports the Government of Canada Modernization Agenda, there have been challenges, as SSC's mandate, priorities and timelines are not necessarily aligned with those of Statistics Canada.

With the transfer of the control over these services to SSC, there are increased risks affecting Statistics Canada's ability to meet its operational requirements, including the 2016 Census. Additionally, as an organization which collects and maintains sensitive information about individuals and businesses, the introduction of SSC has increased Statistics Canada's inherent risk in relation to the security of sensitive statistical information. With these risks in mind, the Internal Audit Division has conducted a review to identify and assess the current governance structure in place to manage and oversee the relationship between SSC and Statistics Canada.

The objectives of this engagement were to proactively examine the governance framework, risk management program and control activities in place relative to the management of the relationship between Statistics Canada and SSC, as the outsourced service provider of IT infrastructure services, and to provide recommendations for management's consideration in order to improve the current management control framework.

This review was conducted by Internal Audit Division in accordance with the Government of Canada's Policy on Internal Audit.

Key Findings

Given the inherent risks created with the introduction of SSC, a governance framework has been established by Statistics Canada to oversee the relationship with SSC, including escalation mechanisms. While this governance framework is in place and operating, it is not formally documented to ensure roles and responsibilities are understood between the two departments. Within Statistics Canada, internal governance mechanisms have been enhanced to ensure an efficient and effective approach to identifying and escalating issues.

A risk management framework has been established and is being maintained to document and proactively mitigate the risks, to the extent possible, associated with SSC's responsibilities in managing key elements of Statistics Canada's IT infrastructure and telecommunications systems.

Although governance and risk management frameworks are in place to oversee the relationship with SSC, as this relationship matures, internal processes should be reviewed and updated to include consideration of the impact(s) of the relationship with SSC on key processes.

Overall Conclusion

Statistics Canada has taken a proactive approach in working with SSC. The governance structure, although undocumented, ensures that Statistics Canada is in the best position to have its voice heard and to mitigate the risk associated with its loss of control over its IT infrastructure and telecommunications. Representatives within SSC highlighted that the engagement by Statistics Canada and their proactive approach to dialogue on issues is considered a leading practice and has been used as a case study with other partner organizations.

Conformance with Professional Standards

The review was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Sufficient and appropriate procedures have been conducted and evidence gathered to support the accuracy of the findings and conclusions in this report. The findings and conclusions are based on a comparison of the conditions, as they existed at the time, against pre-established review criteria. The findings and conclusions are applicable to the entity examined and for the scope and time period covered by the review.

Patrice Prud'homme
Chief Audit Executive

Introduction

Background

Shared Services Canada (SSC) was created in 2011 with the mandate to fundamentally transform how the Government manages its Information Technology (IT) infrastructure. Per its mandate, SSC currently delivers email, data centre and telecommunication services to 43 federal departments and agencies, including Statistics Canada. The creation of SSC brought together people, technology resources and assets from the 43 federal departments. As of August 2011, 157 IT employees transferred from Statistics Canada to SSC in order to provide the above noted services.

SSC's Report on Plans and Priorities for 2013-14 outlines that they will continue to renew the Government of Canada's IT infrastructure focusing on the procurement of a single email solution, enhancing IT security across the Government of Canada, and finalizing its consolidation strategies for data centres and networks.

Specifically affecting Statistics Canada, SSC has initially focused on the centralization of email services, data centres and networks. With the transfer of the control over these services to SSC, there are increased risks affecting Statistics Canada's ability to meet its operational and service delivery requirements, including the 2016 Census. As SSC establishes itself to provide these services to 43 departments, Statistics Canada has faced challenges in getting attention, responsiveness and priority from SSC. Additionally, as an organization which collects and maintains sensitive, confidential information about individuals and businesses, the introduction of SSC has increased Statistics Canada's inherent risk in relation to the security of sensitive statistical information.

With these risks in mind and now that two full years have passed since the inception of SSC, Statistics Canada's Internal Audit Division conducted a review engagement to identify and assess the current governance structures in place to manage and oversee the relationship between SSC and Statistics Canada. This review is being conducted to assess the governance framework, risk management mechanisms and control activities in place within Statistics Canada, with the intent to recommend opportunities for improvement as Statistics Canada works towards the achievement of their strategic objectives with a new reality of outsourced IT infrastructure support.

Review Objectives

The objectives of this engagement were to proactively examine the governance framework, risk management program and control activities in place relative to the management of the relationship between Statistics Canada and SSC, as the outsourced service provider of IT infrastructure services, and to provide recommendations for management's consideration to improve the current management control framework.

Scope

The scope of the engagement included a review of:

  • The governance framework in place to manage the relationship with SSC;
  • The sufficiency and adequacy of the risk management program developed to mitigate the risks associated with the introduction of SSC; and
  • The appropriateness of the control activities established to ensure that Statistics Canada's needs are being met given the changes in control over Statistics Canada's IT infrastructure.

The governance, risk management and control activities relative to Statistics Canada's relationship with SSC were assessed based on evidence provided during the period from January to April 2014.

Approach and methodology

The review engagement included gaining an understanding of the key risks associated with the transfer of services to SSC and the existing governance control frameworks, risk management approaches and control activities that were designed and implemented to mitigate the identified risks associated with SSC. This was achieved through the conduct of a comprehensive review and analysis of relevant documentation, including relevant guidelines, risk management and performance reporting, organization charts, etc., and the conduct of interviews with key management and staff from IT, Census program, other stakeholders within Statistics Canada and, as required, key contacts at SSC.

This review was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing.

Authority

This engagement was conducted under the authority of Statistics Canada's integrated Risk-Based Audit and Evaluation Plan 2013/14 to 2017/18, approved by the Departmental Audit Committee.

Findings, Recommendations and Management Responses

Objectives: To proactively examine the governance framework, risk management program and control activities in place relative to the management of the relationship between Statistics Canada and SSC, as the outsourced service provider of IT infrastructure services, and to provide recommendations in order to improve the current management control framework.

Governance Framework to Oversee the Relationship with SSC

A governance framework has been established by Statistics Canada to oversee the relationship with SSC. While this governance framework is in place and operating, it is not formally documented to ensure roles and responsibilities are understood between the two departments.

Statistics Canada's internal governance mechanisms have been enhanced to ensure an efficient and effective approach to identifying and escalating issues.

In situations where the service provider is an external entity, a robust governance framework is essential to the management of the relationship. This governance structure should be documented and have in place adequate mechanisms to communicate the organization's plans and priorities to the service provider and have an effective method for the escalation of issues to ensure operational objectives are met.

Effective oversight bodies have been established; however the governance framework between Statistics Canada and Shared Services Canada has not been formally documented

Management at Statistics Canada has recognized the need to manage the relationship with Shared Services Canada (SSC) in order to effectively work with the new organization and as a result, a formal governance framework has been established in which Statistics Canada has regular meetings with the SSC counterparts to discuss departmental priorities and requirements and proactively address concerns or issues.

Governance bodies with membership from both Statistics Canada and Shared Services Canada have been created at various levels. The current structure consists of meetings between Statistics Canada and Shared Services Canada at several levels. At the senior management level, Assistant Deputy Ministers at both departments meet regularly and the Deputy Ministers meet on an as-needed basis to discuss the risk environment and significant elements of the relationship, including critical projects and administrative issues. The Director General (DG) of the Industry Portfolio at SSC and the Chief Information Officer (CIO) at Statistics Canada meet monthly to discuss ongoing projects and issues. At the director level, meetings occur weekly between the Director of Information Technology at Statistics Canada, the Director of Network and Security at SSC and the Director of the Client Relationship unit at SSC to discuss day-to-day operational issues.

At the working level, Statistics Canada created a liaison position to coordinate and manage interactions with SSC. An Assistant Director of Information Technology Operations Division was named as the Liaison Officer for Statistics Canada in April 2013. Within this context, he takes part in the operational level meetings between Statistics Canada and SSC and works directly with the SSC Relationship Manager to prioritize needs and resolve issues as they arise and to act as a single point of contact for the communication of needs and issues to SSC.

Additionally for large-scale projects such as the Census, project level governance structures have been established. Integrated project teams which are comprised of both Statistics Canada and SSC employees report to a joint management/steering committee about project related progress and issues. On-going concerns are also communicated to the Statistics Canada Liaison Officer to be addressed within the larger Statistics Canada/Shared Services Canada governance framework.

Statistics Canada and Shared Services Canada Governance Structure for Relationship Management

Deputy Ministers Level
  • Annual and ad hoc meetings
  • Minutes taken

Assistant Deputy Minister / Assistant Chief Statistician Corporate Services
  • Every 6 weeks
  • Minutes taken

Director General / Chief Information Officer (STC)
  • Monthly
  • Register of action items

Director Level
  • Weekly
  • Register of action items

Operations – STC Liaison and SSC operations and SSC Client Relationship Manager
  • Multiple times per week
  • Discussions of emerging operational issues

Large Scale Projects – STC Liaison Officer and Integrated Project teams
  • Regularly as required by project
  • Reports to Steering Committee

Relative to telecommunications, a separate governance process has been established. The Director of Corporate Support Services (CSSD) at Statistics Canada and the Chief of Telecommunications at Statistics Canada discuss day-to-day operational issues with the Director of Telephony at SSC. More specifically, the Director of Corporate Support Services at Statistics Canada liaises regularly (bi-weekly) with the SSC telephony team to address operational issues that arise. Should any issues require escalation, the Director of CSSD will address them at the operational meeting between SSC and Statistics Canada. If required, any additional escalation of issues would follow the same governance structure set up for IT infrastructure.

The review noted that there had been some challenges with the telecommunications governance mechanism; however, with changes in SSC representatives, this mechanism seems to be working better and Statistics Canada representatives believe that the responses they have been receiving take into consideration Statistics Canada's operating environment. In an attempt to increase the visibility of telecommunication needs and issues, the governance structure in place for IT infrastructure has been expanded to include telephony issues and the Statistics Canada Director of Corporate Support Services has been invited to the weekly operational meetings to highlight or escalate any telephony issues since January 2014.

Although governance frameworks are in place for IT and Telephony between Statistics Canada and Shared Services Canada, no formal documentation of the governance framework is in place and roles and responsibilities, escalation protocols and decision making authorities have not been formally established between the two departments. As a result, instances have occurred in which modifications to the IT environment were not appropriately authorized and required subsequent intervention and resolution. In the absence of formal documentation, there is an increased risk that decisions could be made relative to SSC activities that have not been appropriately authorized and are not aligned to the priorities of the organization.

Statistics Canada's internal governance structure is used to communicate and address concerns with SSC

In order to manage the relationship with SSC and to meet the needs and expectations of SSC, Statistics Canada has enhanced its internal committee structure and escalation process to address issues with SSC. The review noted that, at the senior management level, the Assistant Chief Statistician (ACS) of Corporate Services may escalate issues related to SSC to the Executive Management Board at Statistics Canada to ensure issues are addressed in a timely manner.

Other internal Statistics Canada committees that are used to help address issues and aid in the management of the relationship with SSC include:

  • Field Information Technology Managers (FITM) – Issues related to IT and SSC are identified and discussed at FITM meetings. These meetings are attended by the Statistics Canada Liaison Officer who includes items on the issues log for discussion with SSC at the regular meetings. These meetings help ensure issues identified are addressed and solutions documented.
  • Informatics Committee – This committee considers impacts of SSC changes on Statistics Canada's operations. If an infrastructure incident has occurred, an incident report is generated with recommendations; this report is escalated to the Informatics Committee or Security Coordination Committee for oversight.
  • Corporate Business Architecture (CBA) Committee – This committee is represented by most DGs within Statistics Canada and examines key transformational projects. If there are issues with SSC, they are escalated to the ACS level to ensure they are brought to the attention of SSC.

Additionally, an Infrastructure Gatekeeping Committee has been established to prioritize and approve the short-term infrastructure requests to be processed by SSC. While being overseen by the Liaison Officer at Statistics Canada, this committee does not have a formal mandate or formal delegated authority for decision making.

Internal governance committees within Statistics Canada have adapted processes to ensure issues related to the IT and telecommunications with SSC are logged, addressed and monitored.

Considerations for management:

It is management's responsibility to determine the appropriateness of control activities and to implement corrective measures if deemed necessary. Potential considerations outlined below should not be considered formal recommendations, but should facilitate discussions related to the adaptation of internal control activities that reflect new IT and telecommunications realities.

  • The governance framework between Statistics Canada and SSC should be formally documented. Over the long-term this should be formalized in an overall Memorandum of Understanding (MOU) or Service Level Agreement (SLA). In the absence of these more joint mechanisms, Statistics Canada should document the governance framework and the associated levels of authority for decision-making so that the governance, escalation and decision making authority relative to IT infrastructure and telecommunications is communicated and understood by stakeholders within Statistics Canada.

Risk Management

A risk management framework has been established and is being monitored to document and proactively mitigate the risks associated with SSC's responsibilities in managing key elements of Statistics Canada's IT infrastructure and telecommunications systems.

An effective risk management framework includes formal risk management and institutionalized practices that enable management to assess, mitigate and monitor the internal and external risk environments.

The risk management framework in place works to proactively mitigate the risks associated with SSC as an external service supplier

Statistics Canada has recognized that there is an increased risk to the successful delivery of its programs given the responsibility and control that Shared Services Canada has over Statistics Canada's IT infrastructure and telecommunications system and the dependence the organization has on these elements. At the highest level within Statistics Canada, risks associated with the relationship with SSC have been reflected within the existing Corporate Risk Profile (2012 – 2014). These risks have been specifically reflected in Risk #2 – Loss of Reputation and Public Trust. This corporate risk highlights the heightened potential threat of breach of Statistics Canada's informatics infrastructure with the creation of SSC. High level mitigation action plans have been identified including: establishing SLAs with SSC, coordination with SSC's IT infrastructure roadmap to ensure Statistics Canada needs and priorities are reflected and monitoring of the informatics infrastructure through quality reviews, evaluations and business continuity plans.

During the course of the review, additional risk management activities were identified relative to the management of the relationship between SSC and Statistics Canada. These activities include:

  • Each program develops and maintains a risk register as part of the corporate risk planning exercise. The 2013 Informatics Branch Risk Register has highlighted SSC as a risk – specifically S10 – Interdependency – External. Specified mitigation strategies and action plans include establishing an SSC-Statistics Canada project plan to manage the government-wide change agenda (relative to IT infrastructure) and ensuring that SSC understands Statistics Canada priorities and that they have been factored into the whole of government initiatives.
  • Corporate Support Services completes a risk register as part of the risk planning exercise. Since the ownership of telephony services moved over to SSC, external risks impact the Corporate Support Services program. The 2013 risk register identifies external dependencies as medium risk. However, the only mitigation strategy specified to address risks associated with SSC is, "to put in place a software maintenance contract SLA with IT and touchpoints in SSC."
  • Project related risks involving SSC are documented and escalated as part of the overall project governance. For example, due to its size and complexity, the Census project has its own risk register, in which the risks associated with the reliance on SSC have been identified. Another example of specific project-related risks is the Space Optimization Project – Workplace 2.0. Meeting minutes from the project team have confirmed that risks and issues (including those relative to SSC's role) are discussed and documented and escalated if required.
  • Minutes of the FITM committee meetings demonstrate that risks associated with SSC/Statistics Canada IT infrastructure are being highlighted to the Statistics Canada Liaison Officer for inclusion on the issues log for discussion with SSC and as necessary, escalation within Statistics Canada.

All ongoing operational issues and risks are expected to be communicated to the Statistics Canada Liaison Officer. This includes project-related issues unless the project has a dedicated SSC Project Manager (i.e. Census). However, if a project has been assigned a dedicated SSC Project Manager, there is a mechanism within SSC for the Relationship Manager to maintain awareness of project status and issues for discussion with Statistics Canada as part of the regular meetings, as necessary. For telecommunications, although there is a separate point of contact for discussions and issue resolution on a daily basis, should escalation be required, the issue is to be brought to the attention of the Statistics Canada Liaison Officer.

Having a single point of contact for documenting, communicating and escalating issues relative to the relationship with SSC (i.e. the Statistics Canada Liaison Officer) is a good practice and ensures that the existing governance structure and risk management approach work as intended. The Liaison Officer, in consultation with programs, determines when and if escalation of an issue is required. This ensures a consistent approach with respect to the escalation of issues.

Control Activities

Key internal business processes have not been reviewed and updated to include consideration of the impacts of SSC as the external service provider.

In a sound internal control environment, control activities should be integrated into business practices to manage risks associated with the services delivered by external parties to ensure the organization can meet its strategic and operational objectives.

Some key internal processes have not been adapted to take into consideration the introduction of an external service provider

With the introduction of SSC and its responsibility for the IT infrastructure and telecommunications systems in place within Statistics Canada, internal business processes have been impacted and require updating to include the need to address SSC processes and priorities. The review identified the following processes that should be considered for revision to ensure the organization takes into consideration the responsibilities and authorities transferred to SSC:

Long-Term Planning:

The Integrated Strategic Planning Process (ISPP) is an annual six step process that begins with a review of the strategic planning priorities and concludes with the allocation of resources for approved projects. Typically, projects that result from this process are transformative in nature and include an IT component. Within this IT component, an IT infrastructure or telecommunications impact is likely (i.e. server capacity) and therefore, these projects require the involvement of SSC.

The ISPP does not currently incorporate a mechanism to share the long-term plan and investment decisions with SSC for consideration of impact, alignment with Government of Canada (GoC) priorities and the consideration of realistic time horizons given GoC initiatives/Other Government Departments (OGD) initiatives and limited resources within SSC. Although Statistics Canada management noted that they have provided SSC senior managers with Statistics Canada's Integrated Plan, SSC CRM representatives stated that they do not have timely insight into Statistics Canada's long-term plan, which limits SSC's ability to consider Statistics Canada's requirements in the SSC long-term planning process. This elevates the risk that Statistics Canada's investment plans, resource allocation decisions and established timeframes for projects requiring IT infrastructure will not be aligned with SSC plans and priorities, which could potentially impact the ability for SSC to support the initiative or meet the project timelines.

Project Management:

The departmental guidance for project management is the Departmental Project Management Framework (DPMF) which is a set of standard project management processes, templates and tools to be used throughout a project's life cycle to initiate, plan, execute, control and close a project. All projects valued at over $150,000 are expected to follow the DPMF. Similar to the ISPP, the majority of projects that follow this process have an IT component and involve an IT infrastructure or telecommunications element.

Currently, based on discussions with SSC's CRM representatives, this framework does not incorporate or take into consideration the gating process in place within SSC. Specifically, in order for SSC to support a project (assuming there is an IT infrastructure or telecommunications component), information should be provided as early as possible to SSC so they can submit it to the SSC Project Execution Committee for approval.

Although continuing to mature and subject to change, SSC has developed templates for use by their customer departments to communicate their needs. Historically, when Statistics Canada had control over its own IT infrastructure, the organization could define the IT infrastructure solution. However, SSC expects clients to only submit their business requirements and SSC will determine the optimal solution. This change in process impacted the Census program, whose representatives provided SSC with IT documentation based on what they used for the previous Census. SSC would not accept this and requested they complete their business requirements (consistent with other requests) and that SSC would determine the solution, creating delays in the process.

Without aligning the existing project management/gating process (including tools and templates) within Statistics Canada to the SSC gating process, delays may be experienced and projects put on hold while SSC puts the IT component of projects through its own approval process.

Short-Term Infrastructure Needs Assessment:

Consistent with the communication of Statistics Canada's long-term planning needs to SSC, timely communication of short-term, operational infrastructure needs has been requested by SSC. As a result, within the operational management of the relationship with SSC, process changes have been made to ensure consistent, timely short-term (one-year) operational requirements are being communicated to SSC. For fiscal 2014/15, the Liaison Officer within Statistics Canada initiated a process where he requested that upcoming year operational requirements be identified and documented by all IT Field Managers in a standard template. This template was then consolidated and reviewed for any duplication. This final document is being shared with SSC for information and planning purposes. This change in process and provision of short-term infrastructure requirements was noted as a leading practice by SSC.

In addition to communication of short-term needs, the process to request in-year infrastructure (not previously approved by SSC) has also been modified. All current requests for infrastructure are initiated through the Statistics Canada Portal (service request system). Once the service request is identified as an infrastructure need, it is automatically forwarded to the Statistics Canada Liaison Officer. These requests are consolidated and prioritized by the newly established Gatekeeping Committee. Once prioritized, the Liaison Officer provides the listing to SSC for action. The current arrangement with SSC is that a service request is closed before a new one is opened. However, if the request is of a critical nature, it will be forwarded to the Liaison Officer who will release it for immediate action by SSC. This change in process for fiscal 2014/15 is supporting SSC's ability to efficiently plan and coordinate infrastructure needs of their partner departments over the short-term.

Incident Management/Change Management:

In spring 2014, Statistics Canada began the implementation of an information technology incident management framework for issues relating to SSC. This framework builds upon the 2011 framework and now addresses the role that SSC plays in information technology. The framework is intended to standardize the prioritization and escalation of IT incidents within the organization in order to restore normal service operation as quickly as possible and to minimize the impact on business operations of Statistics Canada's mission critical programs and key service areas. This framework does not include desktop-related issues or existing application and systems maintenance. The framework outlines the roles and responsibilities for the Incident Coordinator Team, whose membership consists of representatives from both the program areas as well as IT staff who develop action plans to address incidents. The Director of ITOD is responsible for ensuring timely follow-up on recommendations.

With respect to IT application change management, Statistics Canada uses the Jira change, issue and risk tracking tool to manage IT application changes. However, it was noted during interviews that program areas have created their own processes to determine how and when this tool is used, or when IT personnel should be consulted. For infrastructure changes, SSC has implemented a Change Advisory Board and STC program representatives have been invited to attend, although it was noted that it was unclear if Statistics Canada has a role in the decision making or is there for information purposes only.

Given the creation of SSC as a single point of contact for all infrastructure needs and the decentralized nature of Statistics Canada, without standardized IT change management processes aligned to SSC's needs/processes, there is an increased risk that infrastructure decisions will be made and actioned without the appropriate authority and assessment of impact on the organization prior to implementation.

Additionally, the review noted that for telecommunications, all service requests and telecommunications issues are being forwarded to SSC. Interviews noted that it is not clear what responsibilities remain within Statistics Canada for telecommunications. As a result, it is unclear which requests should be actioned by Statistics Canada representatives (i.e. password resets for voicemail and cell phones) and which require escalation to SSC.

Opportunities to Enhance Service

Given that the introduction of SSC has required Statistics Canada to work with a new service provider, one element of a successful relationship is continuous improvement. This can be achieved in different ways including active engagement with the service provider as well as sharing practices and experiences internally.

Recognizing that SSC has been assigned a significant GoC mandate for transformation and that Shared Services Canada supports 43 departments, the CIO at Statistics Canada has been proactive in volunteering to participate in CIO Committees and GoC initiative working groups (i.e. network transformation, evaluation of e-mail technology) to ensure Statistics Canada's voice is heard at the table. As a participant, the CIO is kept up to date on decisions made on these initiatives and is able to identify potential impacts on Statistics Canada.

Although the governance structure within Statistics Canada has multiple touch points with SSC representatives on an ongoing basis, opportunities exist to enhance the current governance structures by periodically soliciting, from within Statistics Canada and at SSC, lessons learned or best practices for managing the relationship with SSC, to ensure that approaches and techniques that are working well are known to areas.

Considerations for management:

It is management's responsibility to determine the appropriateness of control activities and to implement corrective measures if deemed necessary. Potential considerations outlined below should not be considered formal recommendations, but should facilitate discussions related to the adaptation of internal control activities that reflect new IT and telecommunications realities.

  • The current long-term planning process is reviewed to incorporate the consideration of the impact of proposed projects / priorities on SSC through the communication and engagement of SSC in the process in order to confirm that the priorities and time horizons are aligned to SSC's expectations and capacity.
  • Statistics Canada's DPMF is reviewed and revised to align the existing gating process with SSC's gating process – when the project has an IT infrastructure component. This would include the early identification of an IT infrastructure component so that SSC can be engaged as early as possible and can initiate its own gating process, minimizing delays to Statistics Canada projects. Further, the project management guidance should be reviewed to ensure that information needs/format of SSC requirements are reflected (i.e. template, level of detail) to avoid inefficiencies and time delays.
  • Formal Agency-wide IT change management processes (including assignment of roles and responsibilities between SSC and Statistics Canada) are defined and implemented which align with the processes and definitions in place within SSC.
  • The existing governance framework incorporates a formal process to periodically solicit lessons learned/best practices from within Statistics Canada and SSC for purposes of collaborating and sharing this information to encourage continuous improvement of the relationship.

Appendices

Appendix A: Review Objectives

| Control Objective / Core Controls / Criteria | Sub-Criteria |
|---|---|
| 1) Proactively examine the governance framework, risk management program and control activities in place relative to the management of the relationship between Statistics Canada and SSC, as the outsourced service provider of IT infrastructure services and to provide recommendations in order to improve the current management control framework. | |
| 1.1 Effective oversight bodies are established. (G-1) | A formal governance framework is in place to manage the relationship with SSC. |
| | The formal governance framework is appropriate given Statistics Canada's mandate and the role of SSC. |
| | The governance framework is communicated and understood by all stakeholders within Statistics Canada. |
| | Evidence is in place to demonstrate use of the existing governance framework. |
| 1.2 Management identifies the risks that may preclude the achievement of its objectives. (RM-2) | A risk management framework has been established and is being maintained to document and proactively mitigate the risks associated with SSC managing key elements of Statistics Canada's IT infrastructure. |
| 1.3 Management identifies and assesses the existing controls that are in place to manage its risks. (RM-3) | |
| 1.4 The organization leverages, where appropriate, collaborative opportunities to enhance service. (CFS-3) | Key processes and approaches are being tailored and revised to allow Statistics Canada to continue to achieve its mandate while being reliant on SSC to provide key IT infrastructure services. |

Appendix B: Acronyms
Acronym Description
ACS Assistant Chief Statistician
ADM Assistant Deputy Minister
CBA Corporate Business Architecture
CFO Chief Financial Officer
CIO Chief Information Officer
CS Chief Statistician
DAC Departmental Audit Committee
DG Director General
DM Deputy Minister
DPMF Departmental Project Management Framework
FITM Field Information Technology Managers
GoC Government of Canada
IIA Institute of Internal Auditors
IPT Integrated Project Teams
ISPP Integrated Strategic Planning Process
IT Information Technology
MOU Memorandum of Understanding
OGD Other Government Department
SLA Service Level Agreement
SSC Shared Services Canada
Statistics Canada Statistics Canada