Audit of IT Service Management

Audit and Evaluation Branch
Natural Resources Canada

Presented to the Departmental Audit Committee (DAC)
February 7, 2024

In 2024, the Internal Audit of IT Service Management was conducted to assess the overall effectiveness of the governance, the adequacy of processes and controls, and the effective management of human resources to support delivery of IT services throughout the department.

The Department is taking action to address the audit recommendations.

Pursuant to Section 16 (2) (c) of the Access to Information Act, some of the content of the audit report has been redacted.

NRCan has thoroughly weighed the public interest for disclosure against the need to ensure the security of departmental assets and national interests in making its decision.

Executive Summary

Introduction

The Treasury Board (TB) Policy on Service and Digital (PSD) and its directive serve as an integrated set of rules that articulate how Government of Canada organizations are expected to manage service delivery, information and data, information technology, and cyber security in the digital era. Through the PSD, it is expected that service delivery, business and program innovation are enabled by technology and data. It is also expected that service design and delivery is client-centric by design. A service, in the context of the PSD, is defined as a provision of a specific final output that addresses one or more needs of an intended recipient and contributes to the achievement of an outcome. [Footnote 1]

IT Service Management (ITSM) is the set of practices that an IT function follows to address the IT needs of the organization. The set of practices includes identifying the IT needs of the organization, designing and delivering IT services to address the needs, and ongoing monitoring to ensure the needs are being met and the IT services are continuing to improve. ITSM also enables good relationships with stakeholders [Footnote 2] through understanding of stakeholder needs, transparency, and continual engagement.

At NRCan, the management of IT occurs at various levels throughout the department. Specifically, the delivery of IT services occurs at the enterprise level and at the sector level. At the enterprise level, the Chief Information Officer Branch (CIOB) of the Corporate Management and Services Sector (CMSS) is responsible for managing and delivering enterprise IT services including desktop management, application development, client & Shared Services Canada (SSC) management, data analytics & cloud management, information management, IMT planning, IT infrastructure, and information management (IM) Policy & Governance.

While all sectors rely on enterprise IT services to a certain extent, some sectors also have their own teams to manage and deliver IT services specific to their needs. For example, five of the nine sectors have their own workforce that provide IT services within their sectors. NRCan also has several Critical Business Applications and Services (CBAS) systems, which fall under the responsibilities of the programs within the Strategic Policy and Innovation Sector (SPIS), Canadian Forest Service (CFS), and Lands and Minerals Sector (LMS). CBAS has complex IT requirements including the operation of satellite receiving stations and sensor networks. Many of the IT Services provided by CBAS are performed by subject area experts (SAE), however they also require engagement with SSC for data center access and nation-wide network management.

The objective of this audit was to assess the overall effectiveness of the governance, the adequacy of processes and controls, and the effective management of human resources to support delivery of IT services throughout the department.

Strengths

Overall, the Department has business processes and tools in place to support the delivery of IT services. There are processes in place to track IT expenditures, both at the enterprise level and within sectors, which can indirectly provide information on the scope of IT assets throughout the department. [REDACTED] to help manage IT assets throughout their lifecycle.

Areas for Improvement

There is a need to strengthen ITSM governance through the development of internal ITSM policy instruments that include clearly defined roles and responsibilities for key stakeholders at the enterprise and sector level and a performance management framework to enable continuous improvement for IT services. There is also a need to leverage governance committees to provide oversight on ITSM. Additional work is required to strengthen business processes for [REDACTED], IT service requirements, and IT workforce.

Some of the challenges faced by NRCan in effectively managing its IT services are linked to contributing factors such as competing priorities and resourcing constraints as well as the complexity of governance in a decentralized IT environment. There is also the added complexity of sectors having unique IT requirements to support their science and research, which are more difficult to address with standard or common IT solutions.

The impacts of not addressing these areas for improvement include limiting the Department’s ability to effectively implement IT service management and strategically integrate the management of IT throughout the department, increasing the likelihood of duplication of efforts, increased costs, and non-compliance with TB policy instruments.

Internal Audit Conclusion and Opinion

In my opinion, the Department has business processes and tools to support the delivery of IT services. However, a number of improvements are required to strengthen existing governance structures and business processes to effectively implement IT service management in a decentralized model, and strategically integrate the management of IT throughout the department. Additional opportunities exist to strengthen HR planning activities to identify the skills, knowledge, and capacity required to meet the business needs. These improvements would ensure that IT services enable value creation and support the department in delivering on its objectives.

Statement of Conformance

In my professional judgement as Chief Audit and Evaluation Executive, the audit conforms with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit, as supported by the results of the Quality Assurance and Improvement Program.

Michel Gould, MBA, CPA, CIA

Chief Audit and Evaluation Executive

February 7, 2024

Acknowledgements

The audit team would like to thank those individuals who contributed to this project and, particularly employees who provided insights and comments as part of this audit.

Introduction

What is IT Service Management?

The IT Infrastructure Library (ITIL), which is a recognized industry framework for service management, defines IT service management as a set of specialized organizational capabilities for enabling value for customers in the form of IT services. [Footnote 3] It encompasses a collection of IT policies and processes throughout the organization aimed at delivering effective and efficient IT services to meet the business needs of an organization. ITIL has a service value system (SVS) that illustrates how various components and activities of an organization should work together to facilitate value creation through IT-enabled services.

Figure 1: ITIL (Information Technology Infrastructure Library) Service Value System (SVS). Text version of the diagram:

This diagram represents how various components and activities of an organization should work together to facilitate value creation through IT-enabled services.

The five elements of the Service Value System include ITIL guiding principles, governance, the service value chain, practices, and continual improvement.

Opportunity/demand is an input into the Service Value System, with the value generation as the outcome. The Service Value Chain is in the middle of the System.

The TB Policy on Service and Digital (PSD) and its directive, which came into effect on April 1, 2020, serve as an integrated set of rules that articulate how Government of Canada organizations are expected to manage service delivery, information and data, information technology, and cyber security in the digital era. Through the PSD, it is expected that service delivery, business and program innovation are enabled by technology and data. It is also expected that service design and delivery is client-centric by design. A service, in the context of the PSD, is defined as a provision of a specific final output that addresses one or more needs of an intended recipient and contributes to the achievement of an outcome. [Footnote 4]

Why is IT Service Management Important?

IT Service Management (ITSM) connects with many functions of the organization and should enable integrated decision making throughout the department. ITSM includes the planning, improvement, design, and delivery of services. A service offering is designed to address the needs of a target consumer group and may include goods, access to resources, and service actions [Footnote 5]. Goods involve the transfer of ownership or responsibility to a consumer, such as the provisioning of devices to new employees. Access to resources involves granting or licensing of a resource with agreed limitations, such as provisioning network access. Service actions are provided by a provider to a consumer to address their needs, such as user support. Mature ITSM enables each of these activities to support one another. ITSM also enables good relationships with stakeholders through understanding of stakeholder needs, transparency, and continual engagement.

The PSD requires governance to be established by the deputy head to ensure the integrated management of service, information, data, IT, and cyber security. The PSD also requires deputy heads to ensure services are reviewed to identify opportunities for improvement. The TB Directive on Service and Digital (DSD) requires the Chief Information Officer (CIO) of the department be responsible for developing and maintaining departmental IT management practices and processes, while prioritizing IT asset management, the IT service catalogue and IT service costing and pricing, as appropriate.

At the Government of Canada level, the Secretary of the Treasury Board of Canada Secretariat (TBS) is responsible for establishing and chairing a senior-level body that is responsible for providing advice and recommendations, in support of the Government of Canada’s priorities and the Government of Canada Digital Standards, regarding strategic direction for the management of external and internal enterprise services, and prioritization of Government of Canada demand for IT shared services and assets.

The CIO of Canada is responsible for providing advice to the Secretary and President of TBS. The CIO of Canada is also responsible for facilitating innovation and experimentation in service design and delivery, and approving an annual, forward-looking three-year enterprise-wide plan that establishes the strategic direction for the integrated management of service, information, data, IT, and cyber security and ensuring the plan includes a progress report on how it was implemented in the previous year.

ITSM at NRCan

In delivering its mandate to enhance the responsible development and use of Canada’s natural resources and the competitiveness of Canada’s natural resources products, Natural Resources Canada (“NRCan” or “the Department”) is reliant on various IT systems and processes. Accordingly, the effective management of IT services throughout the department is essential to program and service delivery.

At NRCan, the management of IT occurs at various levels throughout the department. Specifically, the delivery of IT services occurs at the enterprise level and at the sector level.

At the enterprise level, the Chief Information Officer Branch (CIOB) of the Corporate Management and Services Sector (CMSS) is responsible for managing and delivering enterprise IT services including desktop management, application development, client & Shared Services Canada (SSC) management, data analytics & cloud management, information management, IMT planning, IT infrastructure, Finance, Administration & human resources (HR), and information management (IM) Policy & Governance.

While all sectors rely on the enterprise IT services to a certain extent, some sectors also have their own teams to manage and deliver IT services specific to their needs. For example, five of the nine sectors have their own workforce that provide IT services within their sectors. NRCan also has several Critical Business Applications and Services (CBAS) systems, which fall under the responsibilities of the programs within the Strategic Policy and Innovation Sector (SPIS), Canadian Forest Service (CFS), and Lands and Minerals Sector (LMS). CBAS has complex IT requirements including the operation of satellite receiving stations and sensor networks. Many of the IT Services provided by CBAS are performed by subject area experts (SAE); however, they also require engagement with SSC for data center access and nation-wide network management.

| Sector | IT Capability |
| --- | --- |
| Canadian Forest Service (CFS) | The sector IT workforce provides IT services including IT infrastructure and application services to meet sector business needs. The sector provides critical business applications and services (CBAS). As of March 2023, there are 19 staffed IT resources within the sector. |
| Communications and Portfolio Sector (CPS) | The sector IT workforce provides IT services including web publishing (intranet and external website), Canada.ca template use and implementation guidance, and review of web content for Web Content Accessibility Guidelines (WCAG) 2.0 compliance. As of March 2023, there are 10 staffed IT resources. |
| Energy Efficiency and Technology Sector (EETS) | The sector has IT resources that provide IT services for Office of Energy Efficiency (OEE). OEE has an IT service catalogue in progress. As of March 2023, there are 46 staffed IT resources. |
| Energy Systems Sector (ESS) | The sector currently does not have dedicated IT resources within the sector. |
| Fuels Sector (FS) | The sector currently does not have dedicated IT resources within the sector. |
| Nòkwewashk | The sector currently does not have dedicated IT resources within the sector. |
| Lands and Minerals Sector (LMS) | The sector has IT services that are managed at the branch level. Of the seven branches, there are five with IT resources to provide IT services. The sector provides critical business applications and services (CBAS). As of March 2022, there are 32 staffed IT resources of 49 IT positions. |
| Office of the Chief Scientist (OCS) | The sector currently does not have dedicated IT resources within the sector. |
| Strategic Policy and Innovation Sector (SPIS)/Canada Centre for Mapping and Earth Observation (CCMEO) | The sector has 31 IT positions, 22 of which are staffed. The sector provides critical business applications and services (CBAS). One branch (CCMEO) has developed a microservices framework to allow tools to be easily shared within the sector. There is also a service catalogue under development which includes IT services. |

The audit was included in the 2022-2027 Integrated Audit and Evaluation Plan, approved by the Deputy Minister on May 9, 2022.

Audit Purpose and Objectives

The objective of this audit was to assess the overall effectiveness of the governance, the adequacy of processes and controls, and the effective management of human resources to support delivery of IT services throughout the department.

Specifically, the audit assessed whether:

  • Governance mechanisms are in place to direct and oversee IT services;
  • IT service business processes and controls are designed to enable and continuously improve IT service delivery; and
  • IT human resource management practices are in place to ensure that the Department has the right people with the appropriate skills and knowledge to support IT service needs.

Audit Considerations

A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement. A summary of the key underlying risk areas that could impact the effective management and delivery of IT services across the department, identified during planning, include:

  • Governance mechanisms to direct and oversee IT services, such as clearly defined roles, responsibilities, and authorities to optimize IT service delivery throughout the department [Footnote 6], and oversight mechanisms to monitor the implementation of IT service activities;
  • IT service business processes and controls to enable and continuously improve IT service delivery; and
  • IT human resource management practices to ensure that the department has the right people with the appropriate skills and knowledge to support IT service needs. [Footnote 7]

Scope

The scope of the audit focused primarily on department-wide IT service management, including activities implemented at the enterprise and sector levels. This includes collection of policies and practices implemented by enterprise IT to support corporate objectives and needs, and to support sectors in delivering on their objectives. It also includes the collection of policies and practices implemented within the sectors to integrate with CIOB and deliver sector specific IT services.

The scope of the audit examined the risk considerations summarized above in relation to how IT services and supporting activities of the organization work together to enable value creation. Specifically, the audit considered components of the ITIL Service Value System, including governance, planning, engaging, designing/transitioning, obtaining/building, delivering/supporting, continuous improvement, along with the supporting ITIL practices.

The audit examined IT service management activities that were in place as of March 2023.

The results of previous advisory, audit, and evaluation projects on related topics were considered where deemed relevant to inform the audit and reduce duplication of efforts.

The audit did not examine specific activities or processes related to IT security as there is an upcoming audit of cybersecurity expected to be performed in fiscal year 2023-24.

[REDACTED]

Approach and Methodology

The approach and methodology followed the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and the Government of Canada’s Policy on Internal Audit. These standards require that the audit be planned and performed in such a way as to obtain reasonable assurance that audit objectives are achieved. The audit included tests considered necessary to provide such assurance. Internal auditors performed the audit with independence and objectivity as defined by the International Standards for the Professional Practice of Internal Auditing.

The audit included the following key tasks:

  • Interviews with key CIOB personnel and sector representatives supporting delivery of IT services;
  • Review and analysis of selected key documents, business processes, and communication materials; and
  • Walkthroughs of key IT service management processes.

The audit criteria were developed based on relevant processes under COBIT 5 as well as the TB PSD. The conduct phase of this audit was substantially completed in May 2023.

Criteria

Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.

Findings and Recommendations

ITSM Governance

Summary Finding

The Department has a number of oversight structures that are in place to support the management of IT. However, opportunities to strengthen ITSM governance were identified, including:

  • Roles and responsibilities for directing, overseeing, and delivering IT services, and for ensuring compliance with relevant TB policies have not been fully established and assigned to specific positions and governance structures.
  • ITSM policy instruments, such as departmental directives, standards, procedures, or guidance have not been fully developed and implemented.
  • Mechanisms to measure and manage IT service management performance have not been fully developed and implemented.
  • Roles and responsibilities of sectors providing IT services are not communicated.
  • Guidance for sectors providing IT services did not exist.
  • There was limited implementation of IT service management mechanisms, including but not limited to, service catalogues, service inventories, and service standards, among the sectors that provide IT services.

Supporting Observations

It is expected that governance mechanisms to guide, provide oversight, advise, challenge, and make decisions, are in place for ITSM. The audit examined whether roles, responsibilities, and accountabilities of key stakeholders for directing, overseeing, and carrying out IT services are clearly defined to support the integrated management of IT services throughout the department. Further, the audit examined whether complete and approved policies, directives, and guidance for managing IT services throughout the department are developed and implemented. Additionally, the audit examined whether performance standards for IT services are defined and whether mechanisms for measuring performance against set standards are implemented and used to identify opportunities for IT service improvement.

Roles, responsibilities, and accountabilities

At the departmental level, several governance bodies are in place to support the management of IT throughout the department. There are committees that support and oversee the management of IT; this includes the IT Operations Committee (IT Ops) and the Director General (DG) Information Management and Technology Committee (IMTC). The structures supporting IT also include the CIO and the Assistant Deputy Minister (ADM), who is the senior designated official for service. While these governance bodies are in place to oversee and support the management of IT, they have broader mandates and do not specifically address ITSM.

Roles and responsibilities of IT service design and delivery should be clearly defined at both the enterprise level and the sector level. However, the audit found that roles and responsibilities of the designated official pertaining to IT service inventory, service design and service delivery at the enterprise level are not clearly identified, documented, or communicated. Within NRCan’s decentralized model for the management of IT, some sectors manage their own IT services within their sectors to meet their IT needs. The audit noted that five of nine sectors have Information Technology Management Committees established. However, the roles and responsibilities of IT service design and delivery within most sectors are not clearly defined. Overall, the audit found that there was an unclear delineation of the roles and responsibilities between enterprise and sector specific IT service delivery. Additionally, there are limited mechanisms to oversee and ensure accountability for adhering to TB requirements for service delivery and to manage IT service performance.

Policies and procedures

The audit found that the department has limited policy instruments in place to guide and direct IT service management. The current NRCan Directive on IT System Development, which came into effect on July 31, 2010, does not reflect the requirements in TB PSD. Enterprise level IT services have change management policies, access management policies, an IT Project Management Framework, a Major Incident Management Plan, and enterprise level IT Service Catalogue with service request procedures in support of IT service management. However, there are no formally documented guidance and business processes and controls at both the enterprise level and sector level, including IT asset management policies, IT requirement management policies, IT services measurement and reporting procedures and enterprise IT solution standards.

Performance management framework

The audit found that enterprise IT does not have fully defined performance targets for the scope of IT services it provides to the department. The audit team noted that a draft IT service catalogue was being developed, which included performance targets, specifically expected delivery timelines. Other service level expectations were not identified and included in the performance targets. Within the sectors, performance targets were also not well defined or monitored. Three out of five sectors that have IT workforce to deliver IT services did not have performance standards or mechanisms to measure and monitor IT service performance.

Risk and Impact

Unclear roles, responsibilities, and accountabilities for the management of IT services may limit the Department’s ability to effectively implement IT service management and strategically integrate the management of IT throughout the department, increasing the likelihood of duplication of efforts, increased costs, and non-compliance with TB policy instruments. The lack of guidance and policy instruments may also limit the ability of NRCan to adopt an integrated approach to managing IT service delivery and may make it difficult to monitor and enforce compliance to relevant TB policies across the department. Finally, a lack of a framework to define and measure IT service performance may hinder the department’s ability to effectively identify gaps and opportunities to continuously improve its IT services.

Recommendations

Recommendation 1: It is recommended that the ADM of CMSS develop internal IT service management policy instruments (i.e. directives, standards, guidance) specific to NRCan’s decentralized IT structure in order to support the Department in ensuring compliance to the PSD. These policy instruments should include:

  1. Clearly defined roles and responsibilities of individuals involved with IT service management and delivery with clear delineation between enterprise and sector specific IT service management roles and responsibilities under the PSD;
  2. A performance management framework for IT services at the enterprise and sector levels to enable continuous improvement by identifying, monitoring, tracking, and reviewing service delivery performance targets to ensure they meet business needs; and
  3. Clearly defined roles and responsibilities for departmental committees in place to provide oversight on sector compliance to TB and departmental policy instruments developed in support of IT service management.

Recommendation 2: It is recommended that ADMs of sectors that provide IT services, with support and guidance from ADM of CMSS, develop a performance management framework for IT services to enable continuous improvement by identifying, monitoring, tracking, and reviewing service delivery performance targets to ensure they meet business needs.

Management Response and Action Plan

Management agrees with Recommendation #1.

CMSS Management agrees. In response to Recommendation 1, we will work on defining a collective vision and accompanying roadmap/strategy on our ITSM evolution within NRCan that incorporates feedback from sectors.

Position responsible: CIO, CMSS

Timing: 3-6 months

Conduct vision session: By end of Q1 2024

Articulate roadmap and associated governance: By end of Q2, 2024

A: CMSS Management agrees.

In response to Recommendation 1a, we will put in place a governance policy instrument that defines the hybrid IT service model where CIOB is responsible for enterprise, shared services, and sectors are responsible to support their own business portfolio applications. This will include specific descriptions on what defines a central vs portfolio service. Additionally, we will define roles around supporting enterprise vs portfolio services and roles to bridge the gap and ensure there is collaboration between sectors and CIOB along with the associated responsibilities.

CIOB will also propose a reorganization of central services to reduce service duplication and enhance our ability to meet our mandate around security, resilience, and other IT enterprise services that CIOB is ultimately accountable for.

Position responsible: CIO

Timing: Q3 2024

B: CMSS Management agrees

In response to recommendation 1b, we will publish a reporting dashboard to make service key performance indicators (KPIs) easily available to sector clients. This will be reviewed with sectors biannually.

CIOB will build a common framework out of the visioning session so that contextually specific goals that are relevant to sectors are measured. This will ensure that CIOB is improving services that matter for sectors and improve their ability to deliver their services in turn.

Strategic goals will be measured via KPIs, and these will be continuously monitored to ensure relevance. This will be done in collaboration with sectors.

Position responsible: CIO

Timing: Q4 2024

C: CMSS Management agrees

In response to recommendation 1c, these roles will be incorporated in the policy suite on service management and the detailed description of the hybrid model of IT where there will be a bridging role defined to work with sectors to facilitate the compliance to organizational requirements.

Position responsible: CIO

Timing: Q3 2024

Management agrees with Recommendation #2.

CMSS Management agrees. In response to Recommendation 2, we will commit to providing resources and support to this endeavour. CIOB will provide consultation on best practices for IT service delivery as well as advice on how to integrate their services within the overall governance for IT service delivery at NRCan. Specifically, CIOB will aim to facilitate the integration of services to ensure that NRCan’s IT service delivery is effective and efficient for the enterprise as well as each sector.

Position responsible: CIO

LMS Management agrees with the recommendation to enhance the performance management of IT services by establishing a robust framework that enables continuous improvement in service delivery, aligning with business needs.

In response to Recommendation 2, we propose the following action plan:

  1. Strengthen the existing LMS IT governance structure through the creation of an LMS IT Service Management Governance Committee representing all branches of LMS.
  2. Develop a sector performance management framework, tailored to the unique needs of our IT services.
  • Define KPIs to effectively measure and evaluate service delivery.
  • Introduce monitoring mechanisms to track and assess performance against established targets.

Position responsible: All LMS branches

Timing: March 2025

CPS Management agrees. In response to Recommendation 2, the CPS Web Publishing team already has established service level standards related to the management of the NRCan Internal and External Websites.

These standards take into account the varying degrees of complexity associated with the work of the web publishing team and are periodically updated, as needed.

These standards are shared with the broader departmental web governance committee for their awareness.

The performance/standard framework is already in place and actively used by the team. It will continue to be monitored and updated as needed to reflect the most current state of affairs.

CPS proposes the following actions to ensure continuous improvement in service delivery in conjunction with business needs. This includes not only monitoring service levels but also the overall health of the website based on the various updates requested.

  1. Strengthen the existing service stats with regular monitoring and benchmark levels to determine necessary process updates and improvement recommendations.

Position responsible: CPS Web Manager

Timing: Q2 (September) 2024-25 and Q4 (March) 2024-25

  2. Review and set benchmark indicators/levels where applicable and ensure monitoring and assessment processes are in place to review and action.

Position responsible: CPS Web Manager

Timing: Q1 (June) 2024-25 and Q3 (December) 2024-25

  3. Review Web dashboards for problem areas related to accessibility, plain language, etc., identify the pages and set service level standards for corrections with the various sectors/content owners.

Position responsible: CPS Web Manager

Timing: [REDACTED]

CFS management agrees with the recommendation to enhance the performance management of IT services with support from CMSS/CIOB.

In response to Recommendation 2, we propose the following action plan:

  1. What will be implemented:
    • Development of performance management framework tailored for IT services in association with CMSS.
    • Key elements include performance targets, KPIs, regular reviews, and feedback mechanisms.
  2. How it will be implemented:
    • Initial Assessment: Identify current service delivery capabilities and gaps.
    • Framework Development: Collaborate with CMSS or CIOB IT representatives, IT Leads network and CFS regions to establish performance targets and KPIs. Seek review and approval through CFS IM-IT governance committee meetings.
    • Training and Communication: Ensure all team members understand the new framework. Work with CMSS/CIOB IT to repurpose existing training and communications materials for the sector.
    • Implementation: Roll out the framework in phases.
    • Ongoing Review and Adjustment: Regularly review performance data and adjust targets and processes as needed.
  3. Monitoring Processes:
    • Regular performance reviews (quarterly) as a part of management oversight, discussions in IT Leads meetings and sharing findings in CFS IM-IT committee meetings.
    • Feedback sessions with IT service users.
    • Assess framework effectiveness and compliance regularly.
  4. Dependencies:
    • Dependency on CFS regional resources and CMSS/CIOB resources for collaboration to achieve milestones.
    • This entire process is dependent on guidance and support from CMSS/CIOB representatives.

Position responsible: Director General POIB

Timing:

  • Align with CMSS activities and timelines.
  • All the processes will be developed in accordance with the guidelines established by CMSS.
  • Project initiation depends on the CMSS leadership and guidelines.

EETS Management agrees with the recommendation to enhance the performance management of IT services by establishing a robust framework that enables continuous improvement in service delivery, aligning with business needs.

To address Recommendation 2, we propose the following action plan:

As a basis, the OEE IM/IT division already tracks all service delivery using [REDACTED].

KPIs can be identified with the data that is already tracked. If gaps in data collection are identified through this exercise, then this additional data can also be tracked.

Key performance objectives can then be identified by senior management. Objectives can be to maintain or improve specific KPIs.

Once KPIs and objectives are identified and tracked, regular (quarterly) reporting on IT service delivery can be provided to OEE and EETS senior management via a dashboard report. The report can provide a comparison of results against established service delivery performance objectives.

Presently, EETS IT services are all conducted within the OEE IM/IT division. As new services are developed either within that division or by other EETS branches, they will be incorporated into the performance management framework.

SPI

The concept of microservices is central to future IT developments at the Canada Centre for Mapping and Earth Observation (CCMEO). To support this, CCMEO developed a microservices architecture and framework to be used to guide the development of microservices across various stakeholder groups.

Position Responsible: CCMEO’s Geobase division

Timing: This Framework is now complete and has been the base of CCMEO’s new production environment since 2023.

A proposal from SPI/CCMEO, LMS/Geological Survey of Canada, CFS, and OCS was presented at NRCan ePMB in 2021. All deliverables were tracked by NRCan Project management as defined by the ePMB process. All performance indicators were reported by the project team to the Board.

Business Processes and Tools to Support ITSM

Summary Finding

ITSM includes a number of processes aimed to efficiently and effectively deliver IT services. The audit found that some foundational business processes and tools to support the delivery of IT services needed to be strengthened. Specifically, the following opportunities for improvement were noted:

  • [REDACTED]
  • Ongoing processes to identify, track, prioritize IT service requirements, and subsequently manage the IT service catalogue are not fully implemented.
  • Processes and tools to manage IT service requests are not optimally deployed to ensure the service desk is the main channel for tactical and operational engagement (Footnote 8).

Supporting Observations

[REDACTED]

[REDACTED]

[REDACTED]

[REDACTED]

[REDACTED]

IT service requirements and service level management

Based on best practices in the industry, the design and delivery of IT services should be built on the requirements of the users. The audit found that Enterprise IT Service Management initiated a process to engage with each sector and solicit the sector specific IT requirements as well as obtain feedback on challenges with IT services being experienced by the sector. The stated goal of the exercise was to help inform and refine the service catalogue and to establish sector delivery agreements to help better manage the delivery of IT services. While this work was started, the sector delivery agreements reflecting the requirements remain in draft and there are no plans to finalize the work and have the agreements signed at the ADM level. At the sector level, requirements are identified in different ways depending on the sectors. The audit noted that IT requirements are often handled in an ad-hoc manner. For example, ad-hoc working groups may be established to address specific timebound requirements or are sometimes gated by the documentation provided through the Project Management Office. There were limited processes identifying roles and responsibilities of those who identify, review, and track service requirements at the sector level.

Enterprise IT Service Management was also in the process of developing its service catalogue, which included the inventory of IT services they provide to the department along with service details, the service requesting process, and expected timeline. Within most sectors that provide IT services, the audit noted service catalogues were not being used to define and manage IT services. Five of the nine sectors have their own IT services supported by an IT workforce and of those sectors, two have an IT service catalogue in draft, and one has a service catalogue but does not include IT services.

Service request management

Service request management allows the department to effectively perform service reviews, continuous improvement, collect user requirements, identify potential trends or problems that need to be addressed, and provides visibility to the user on fulfilment status. [REDACTED] to provide a channel for users to submit IT service requests, and for Enterprise IT Service Management to track and respond to the requests. [REDACTED] are not centrally managed but rather involve direct requests to the areas within enterprise IT service management. This relies on tacit knowledge and the relationships built between Enterprise IT Service Management and sector users, which can be lost through organizational turnover. [REDACTED]. Within the sectors that provided IT services, the audit noted the mechanisms to request services were primarily informal and central processes to manage and respond to service requests were not in place.

When deployed optimally and used effectively, ITSM tools to support service request management can provide data to support service reviews and identify areas of continuous improvement (e.g., average response times improvement). At the enterprise level, although the Service Desk tracked service performance by using [REDACTED] statistics on a weekly basis and conducted a formal review monthly, there is no formal process outlining how IT service delivery is monitored to inform service level management and continuous improvement. Although there is some effort to collect feedback from users within the sectors that provide IT services, their service targets are not well defined, and there are limited mechanisms to track IT service delivery against IT service targets.

Risk and Impact

[REDACTED]

Without a process to identify, track, prioritize, and manage IT service requirements, the quality of services will be impacted. Furthermore, without a consolidated view of the IT requirements from an enterprise perspective and within sectors, the department’s ability to determine its required capacity is hindered. The observed gaps within the department’s service request management can impact the overall quality of service fulfilment.

Recommendations

Recommendation 3: [REDACTED]

Recommendation 4: It is recommended that the ADM of CMSS implement a continuous improvement approach that identifies and manages enterprise IT service requirements and ensures that the design and delivery of enterprise IT services reflect user requirements.

Recommendation 5: It is recommended that the ADM of CMSS ensure the department's ITSM tool is optimally deployed to support the management of the full inventory of enterprise IT services, and where feasible, the sector level IT services.

Recommendation 6: It is recommended that the ADMs of sectors that provide IT services, with support and guidance from the ADM of CMSS, develop formally documented IT service inventories and processes to manage sector specific IT service requirements, service request management, service performance standards, and service reviews.

Management Response and Action Plan

Management Response and Action Plan from CMSS and the sectors that provide IT services (LMS, CPS, CFS, EETS, and SPIS).

Management agrees with recommendation #3

[REDACTED]

Position responsible: CIO, all sectors

Timing: 2-4 years, Q1 2028

Management agrees with recommendation #4

CMSS Management agrees. In response to Recommendation 4, and in conjunction with recommendations 1 and 2, the BRM team can work to establish priorities and success measures with sectors using sector service profiles detailing MOUs, issue and challenge trackers, services and success measures. These can be reviewed regularly in order to provide feedback on how we can continue to improve.

This will build on the existing Service Delivery Agreements but will instead be structured to focus on strategic goals, KPIs from our shared vision and prioritization, project workplans, etc.

Position Responsible: CIO

Timing: Q2 2025 (this will take a longer time given the number of resources we have, could change if more resources could be placed here)

Management agrees with recommendation #5

CMSS Management agrees. [REDACTED]

Processes exist so that other teams are able to do the same.

We will continue to add services as required (key areas include IT Project Intake, application support, IT procurement).

Position Responsible: CIO

Timing: By mid-2025.

Management agrees with recommendation #6

CMSS Management agrees – we can support and provide guidance. CIOB can provide guidance on what should be offered within sectors and close to the business lines, and how these can be integrated with enterprise services.

LMS Management agrees with the recommendation to establish formally documented IT service inventories and processes for effective management of sector-specific IT service requirements.

In response to Recommendation 6, we propose the following action plan:

  1. Compile a comprehensive inventory of IT services and functions so they may be captured for any necessary service reviews.
  2. Where applicable, work closely with the ADM of CMSS to develop and document formalized processes for managing IT service requests, including clear workflows and escalation procedures.

Position responsible: All LMS branches

Timing: March 2025

CPS Management agrees.

In response to Recommendation 6, CPS will continue to report in on its IT Services through the departmental IT Service Inventory Exercise, led by CIOB, and maintain its list internally as well.

Regarding the specific IT services offered by our sector, the Web Publishing team already has mechanisms in place to track service requests and performance.

[REDACTED]

[REDACTED]

In addition to this, the Web Communications team, in conjunction with the Internal Communications team, will be developing an Intranet Policy to guide the use of NRCan’s Intranet site, The Source, to ensure that NRCan sectors are aware of the requirements and processes that govern the use of that site.

Position responsible:
CPS Manager of Web Communications
CPS Manager of Internal Communications

All sector directors required to report in on IT Service needs (related to the Service Inventory List)

Timing: The items listed in the response above are all currently in place and will continue to be utilised to support CPS’ IT work.

For the development of the Intranet Policy, the teams are aiming to have this in place by the end of the 2024/2025 fiscal year.

CFS Management agrees that to ensure quality IT service provision to the sector, there is a need to develop formally documented IT service inventory and processes. Setting up this IT service inventory and processes in a cohesive way across NRCan will require leadership, guidance, and support from CMSS/CIOB and collaboration with the NRCan sectors delivering IT services.

In response to Recommendation 6, we propose the following action plan:

  1. What will be implemented:

An inventory of all IT services and processes offered including what is offered by CMSS/CIOB IT and what CFS can offer as a sector in collaboration with other NRCan science sectors (e.g., LMS, EETS, etc.). This may include tools and/or processes for managing service requests, performance standards, and service reviews. This would require support and coordination through CMSS/CIOB IT to coordinate all internal and sector input.

  2. How it will be implemented:

Requires support and guidance from CMSS/CIOB.

    • Inventory Creation: Catalog all existing IT services and processes.
    • Documentation and Standardization: Formalize service descriptions, request management procedures, and performance standards.
    • Training and Dissemination: Educate IT staff and users on the new documentation and processes.
    • Integration with Existing Systems: Ensure the new documentation is integrated with current IT service management tools.
  3. Monitoring Processes:
    • Service performance reviews against documented standards.
    • User feedback collection to identify areas for improvement.
    • Continuous updates to the inventory and documentation based on new services or changes in existing services.
  4. Risks and Dependencies:
    • There is a large dependency on CFS regional resources and CMSS/CIOB resources for collaboration to achieve milestones.
    • Large portions of this process are dependent on leadership, guidance, and support from CMSS/CIOB.
    • The overall process may be impacted by lack of resources within CFS; this can be considered a medium risk.

Position responsible: Director General POIB

Timing:

Align with CMSS activities and timelines.

All the processes will be developed in accordance with the guidelines established by CMSS.

Project initiation depends on the CMSS leadership and guidelines.

EETS Management agrees with the recommendation to establish formally documented IT service inventories and processes for effective management of sector-specific IT service requirements.

To address Recommendation 6, we propose the following action plan:

OEE IM/IT division can complete the already started work to compile a comprehensive inventory of IT services and functions.

Once communicated, OEE programs and business areas will be engaged and made aware of the IT service inventory.

Coordinate the service delivery inventory with the CIO Branch to eliminate any duplication.

As OEE IM/IT or other EETS branches bring new services online, they will be incorporated into the inventory and communicated and coordinated with CIO Branch as appropriate.

SPI

The CCMEO service catalog was finalized in October 2023. CCMEO’s Geobase division is responsible for its maintenance and for providing periodic updates to CMSS as required.

IT Workforce Management

Summary Finding

The audit found that some human resource planning activities are carried out as part of the regular integrated human resource planning process; however, opportunities to strengthen IT workforce management processes were noted. Specifically, IT workforce management planning processes within both Enterprise IT Service Management and sectors that have their own IT service delivery did not include a long-term focus. Limited processes were in place to identify the skills, knowledge, and capacity required to meet the business needs.

Supporting Observations

The audit examined whether the department implemented IT workforce management processes to ensure the departmental IT service requirements are identified and used to inform the knowledge, skills, and capacity required to meet its business needs. The audit also examined whether Enterprise IT Service Management provides functional leadership within the department on the development and sustainability of the IT workforce through talent management and professional development.

Effective IT workforce management processes help ensure that the IT services required by the business are met in alignment with performance expectations. With advances in technology such as cloud computing, artificial intelligence, quantum computing, etc., the need to build and sustain knowledge and skills within the IT workforce is critical. The audit noted that there were IT workforce plans at both the enterprise level and the sector level. At the enterprise level, a Service Desk Staffing Strategy was recently proposed as an enterprise strategy to build and sustain the required knowledge and skills to establish a properly staffed service model. At the sector level, some sectors have also developed plans to ensure that IT employees within the sector obtain the necessary training to maintain required IT skillsets, knowledge, and competencies. However, talent management and professional development were primarily performed ad hoc. There were limited processes to identify the IT resource requirements and gaps in IT resource capacity at both the enterprise level and the sector level.

Risk and Impact

Ineffective professional development programs aimed at building and sustaining the required talent could lead to missed opportunities, which in turn could lead to higher turnover and challenges with recruiting.

Recommendations

Recommendation 7: The ADM of CMSS, in consultation with all Sectors, should lead the development and implementation of IT workforce planning to ensure IT resource capacity requirements are understood, documented, and validated and that there are appropriate plans in place to build and sustain the required IT knowledge and skills for the scope of enterprise IT services.

Management Response and Action Plan

Management agrees with Recommendation #7.

CMSS Management agrees. In response to Recommendation 7, we can use performance reporting on service response times, along with IT work planning, to better understand capacity issues and risks. Once CIOB has more information from steps completed above, CIOB will be better positioned to understand upcoming workload required to support NRCan and its sectors. This information will be used in our HR Staff Planning Management meetings to inform staffing options and strategies, including pools and recruitment plans.

CIOB will create a regular strategic HR management meeting to review current needs and address staffing by service offering.

A regular meeting with HR on this along with appropriate documentation should be established to monitor risks and help plan for future needs.

Position responsible: CIO

Timing: Q2 2025

Appendix A – Audit Criteria

The audit criteria were developed based on relevant processes under COBIT 5 as well as the Treasury Board Policy on Service and Digital (PSD).

The following audit criteria were used to conduct the audit:

Audit Sub-Objectives and Audit Criteria

Audit Sub-Objective 1:

To determine whether governance mechanisms are implemented and are carried out to direct and oversee IT services.

1.1 It is expected that roles, responsibilities, and authorities to direct, oversee, and carry out IT service delivery throughout the Department have been clearly defined and communicated to key departmental stakeholders.

(COBIT 5 EDM01: Ensure Governance Framework Setting and Maintenance; TB Policy on Service and Digital section(s) 4.1.3.1, 4.1.3.2, 4.1.3.3, 4.1.3.5, 4.1.3.6, 4.1.3.7, 4.4.2.3, 4.4.2.6)

1.2 It is expected that the Department has developed and implemented ancillary departmental policies and guidance to achieve the objectives of the TB policy suite related to IT service management.

(COBIT 5 EDM01: Ensure Governance Framework Setting and Maintenance; TB Policy on Service and Digital section(s) 4.1.3.6)

1.3 It is expected that adequate mechanisms have been implemented to oversee the implementation of IT service activities across the Department to ensure they are achieving expected results and are in compliance with applicable policy instruments.

(COBIT 5 MEA01: Monitor, Evaluate and Assess Performance and Conformance; COBIT 5 MEA01: Monitor, Evaluate and Assess Compliance with External Requirements; TB Policy on Service and Digital section(s) 4.1.3.7, 4.6.1.1, 4.6.1.2, 4.6.1.3)

1.4 It is expected that adequate practices to gather and measure IT service performance have been implemented and provide relevant information to help governance functions direct and monitor IT service quality.

(COBIT 5 EDM05 Ensure Stakeholder Transparency; TB Policy on Service and Digital section(s) 4.2.1.4)

Audit Sub-Objective 2:

To determine whether IT service business processes and controls to enable and continuously improve IT service delivery are adequate.

2.1 It is expected that there is an established department-wide IT asset management framework that consists of processes, systems, and controls to adequately manage IT assets in support of IT service delivery.

(COBIT 5 BAI09: Manage Assets; TB Policy on Service and Digital section(s) 4.4.2.3)

2.2 It is expected that there is an established department-wide framework that consists of processes, systems, and controls to adequately elicit, define, track, and respond to IT service requirements.

(COBIT 5 BAI02: Manage Requirements Definition; TB Policy on Service and Digital section(s) 4.1.3.7, 4.2.1.1, 4.2.1.2, 4.2.1.3, 4.4.2.1, 4.4.2.1, 4.4.2.2)

2.3 It is expected that there is an established department-wide framework that consists of processes, systems, and controls to adequately respond to, resolve, and continuously improve IT service request and incident management.

(COBIT 5 DSS02: Manage Service Requests and Incidents; TB Policy on Service and Digital section(s) 4.1.3.8, 4.2.1.1, 4.2.1.2, 4.2.1.3, 4.2.1.4, 4.2.1.5, 4.4.2.1, 4.4.2.2, 4.4.2.3, 4.4.2.5, 4.4.2.6, 4.4.2.8)

Audit Sub-Objective 3:

To determine whether IT human resource management practices are implemented and carried out to ensure that the department has the right people with the appropriate skills and knowledge to support IT service needs.

3.1 It is expected that the Department’s needs with respect to the necessary competencies, capacity, and professional development in support of IT service delivery throughout the Department are identified and addressed.

(COBIT 5 APO07: Manage Human Resources; TB Policy on Service and Digital section(s) 4.5.2.1, 4.5.2.2)
