ARCHIVED - Audit of the Financial Management Control Framework – IT Purchases

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

ARCHIVED - Audit of the Financial Management Control Framework – IT Purchases (PDF, 133 KB)

1.0 Executive Summary and Conclusion

Audit objective

The overall objective of this audit was to provide assurance on the adequacy of NRC’s financial management control framework in supporting management decisions regarding IT purchases in compliance with relevant governmental and NRC policies, directives and guidelines.

Why is this important

Information Technology (IT) is an essential component in delivering NRC and Government of Canada strategies and programs for the benefit of citizens, businesses, taxpayers and employees. An adequate financial management framework is crucial in ensuring effective and sustainable management of IT resources across NRC.

Audit opinion and conclusion

We found that overall NRC has established an adequate financial management control framework for IT purchases in compliance with Government of Canada policies and directives. This conclusion is largely due to recent improvements undertaken by NRC management with the implementation of a project-based business model and strengthened financial management model.

Over the course of the audit, the operating context of NRC changed. Following the Order-in-Council by the Government of Canada on August 4, 2011 establishing Shared Services Canada, NRC no longer has financial management authorities for data center, networks, telecommunications and server infrastructure services thus resulting in lower financial management risk. The audit opinion, conclusion and recommendations take these changes into account.

Significant strengths were found with respect to the overall governance framework. Opportunities for further strengthening of the framework include completion of recent initiatives around life cycle management and establishing monitoring processes and responsibilities to ensure the new, improved framework is consistently complied with.

Our detailed review of the purchasing transactions identified certain areas of concern regarding former IBPs’ understanding of the old financial management framework for IT expenditures resulting in its inconsistent application across NRC. Most of those areas are addressed by recent improvements to NRC’s financial management model and consolidated common services; the following recommendations address the remaining areas requiring improvement.

Elements of Control Environment Examined in the Audit
Overall Governance Framework Strong
Governance Roles and Responsibilities Adequate
Financial Management Policies and Tools Adequate
Financial Risk Management Adequate
Financial Signing Authorities Adequate
Segregation of Duties Adequate
Financial Systems Controls / IT Systems Adequate
Training Adequate

Summary of Recommendations

  1. NRC Finance Branch should define roles and responsibilities for establishing a monitoring process for the implementation of the new financial management framework for IT expenditures for adequate resource management. [Priority: MODERATE]

    Management Response:

    When Shared Services Canada (SSC) and Information Technology and Security Services (ITSS) have both fully defined and implemented the financial management framework for IT expenditures, Finance Branch will establish a monitoring process for IT expenditures for adequate resource management and for ensuring adherence to the IT financial management framework established by SSC and ITSS.

    Dependent on the date of full implementation of the financial management framework for IT expenditures by SSC and ITSS, the monitoring process is expected to be fully implemented during fiscal year 2012-13

  2. NRC Information Technology and Security Services should finalize current initiatives related to developing standard workstation roll-outs and implement full life cycle management for distributed computing equipment in order to ensure effective and efficient resource management. [Priority: MODERATE]

    Management Response:

    ITSS is committed to moving forward with consolidating and standardizing NRC’s desktop environments. ITSS is in the process of developing the hardware and software standards for workstations and these standards. Any workstations rolled out after September 2012 will conform to the standard. A survey of age and configuration of existing workstations has been completed and ITSS is now in a position to implement full life cycle management for distributed computing equipment.

    Full implementation of hardware and software standards for workstations is expected by September 2012.

Statement of assurance

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon by management. The opinion is applicable only to the entity examined.

Alexandra Dagger, Chief Audit Executive

NRC Audit Team Members:

Irina Nikolova, F.C.C.A, CIA, CISA
Andy Lang, B.Com
Allison Bush, BA

Appendix: Potential Overall Ratings

Management Attention Required

significant issues exist that require management’s attention.

Needs Improvement

some areas of practices / processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to management of IT purchases but many deficiencies exist.

Adequate

most of the areas of practices / processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to management of IT purchases but there are opportunities for continuous improvement.

Strong

all areas of practices / processes are in compliance with Government of Canada and NRC laws, regulations, policies and directives pertaining to management of IT purchases. No areas for improvement were identified.

Date modified: