Introduction

Background

7.1 The Government of Canada requires reliable and functioning information technology systems for delivering its services to the public. Many of these systems need to be modernized. They include computer applications (software programs) and infrastructure, such as hardware and data centres. Some systems have been in use since the early 1960s and are at risk of failure. That could disrupt, for example, the delivery of Old Age Security, Canada Pension Plan, or Employment Insurance benefits or the issuing of income tax refunds.

7.2 As early as 1999, the government identified its aging systems as a significant issue (Exhibit 7.1). Addressing the issue could involve retiring old and outdated information technology systems, improving those systems, or introducing new systems to deliver services to Canadians. It could also involve adopting cloud‑based^{Definition 1} solutions.

7.3 Treasury Board of Canada Secretariat. Within the secretariat, the Office of the Chief Information Officer of Canada provides overall leadership for information technology and for service and digital transformation across the federal government. It also gathers and reports on the state of departments’ and agencies’ applications, prioritizes the government’s demand for information technology shared services and assets, and monitors and oversees modernization projects throughout the government.

7.4 Shared Services Canada. This department is responsible for delivering and supporting cost‑effective, secure, and reliable information technology infrastructure, such as networks, data centres, modern tools, and client‑centric digital services—particularly to 45 partner departments and agencies in the federal government (referred to as “departments and agencies” in this report). Shared Services Canada is also responsible for the consolidation, management, and modernization of the government’s information technology infrastructure, including both aging legacy data centres and modern enterprise data centres serving the entire government.

Focus of the audit

7.5 This audit focused on whether the Treasury Board of Canada Secretariat and Shared Services Canada, as lead organizations, supported the efficient and effective modernization of information technology for departments and agencies.

7.6 We examined the progress made to modernize the applications and infrastructure used by departments and agencies. We also looked at the lead organizations’ plans and procedures in place to support, fund, and oversee the modernization initiatives of departments and agencies.

7.7 To better understand the effect of information technology modernization on departments and agencies, we also sent a survey to the chief information officers of these departments and agencies. We did not examine specific initiatives. We also released a separate audit report in October 2023 on a major modernization initiative, the Benefits Delivery Modernization programme at Employment and Social Development Canada.

7.8 This audit is important because departments and agencies are maintaining old and outdated applications and relying on old and outdated infrastructure. The failure of these systems would significantly affect the government’s delivery of services to Canadians. The old systems require extensive, costly operational support, and they need the support of personnel with knowledge of and expertise on these systems. The 2 lead organizations are responsible for supporting these departments and agencies and for helping them address gaps and challenges in their efforts to modernize their information technology systems, mitigate risks of failure, and avoid significant cost increases in the future.

7.9 More details about the audit objective, scope, approach, and criteria are in About the Audit at the end of this report.

Findings and Recommendations

Two thirds of applications were in poor health, and progress on modernizing infrastructure was slow

7.10 This finding matters because information technology systems are essential for delivering many of the government’s critical services to Canadians. According to the Treasury Board of Canada Secretariat, an application in poor health is, for example, an application that is in poor technical condition and may be running on an older infrastructure, have limited support from the vendor, have limited capacity to integrate with other systems, and have security vulnerabilities. These applications pose a risk of failure and require increased maintenance that is expensive. Employment and Social Development Canada’s Benefits Delivery Modernization programme provides an example of the need to take action on replacing old applications that are in poor health.

7.11 The slow progress in modernizing some infrastructure (such as old data centres) also poses several risks, including the possibility of

• system failures, which could significantly disrupt the delivery of services to the public
• increased operating costs
• security vulnerabilities

7.12 In response to our 2010 report on aging information technology systems, the Treasury Board of Canada Secretariat deployed an Application Portfolio Management system to formalize the collection and management of information related to the government’s information technology applications. The system’s primary objective is to provide an overarching view of the government’s information technology applications, including the risks resulting from aging information technology and security vulnerabilities. The system also monitors and tracks the health of departmental and agency applications.

7.13 At least annually, and more frequently as needed, departments and agencies must enter into the system new or updated information about their applications, including operational support costs and related information. The secretariat uses the data to generate an overall health score of these departments’ and agencies’ applications, which it reports annually. This score, in the form of a percentage, represents the number of healthy applications out of the total number of applications.

7.14 In continuing to close the aging legacy data centres Shared Services Canada launched the Workload Migration Program in 2018 with the objective of moving applications being stored in these old data centres to more modern and stable hosting environments, such as new government data centres or the cloud. Shared Services Canada is responsible for managing and modernizing the government’s information technology infrastructure, including the data centres, while departments and agencies are responsible for managing and modernizing their applications hosted in those data centres. An expected benefit of the program is that it will provide departments and agencies with a more robust and secure environment for managing, upgrading, or modernizing information technology applications.

Very slow progress on modernizing applications over the last 5 years

7.15 We found that from 2019 to 2023, departments and agencies made very slow progress on modernizing their applications. Using the data that these departments and agencies entered into the Treasury Board of Canada Secretariat’s Application Portfolio Management system, we reviewed the annual overall health score of about 7,500 applications for that 5‑year period. We found that there was no significant improvement over the period.

7.16 In 2023, the secretariat set a target: 60% of applications to be healthy by 2030. We found that from 2019 to 2023, the percentage of healthy applications increased marginally from 33% to 38% (Exhibit 7.2). That rate of increase amounted to approximately 1 percentage point per year. Continuing at this pace would mean that 45% of applications would be healthy by 2030, far lower than the secretariat’s target of 60%. To achieve the 60% target by 2030, the percentage would need to increase by more than 3 percentage points every year. And even if that target were achieved by 2030, 40% of applications would then still be in poor health, 31 years after the government first identified aging information technology as a significant issue.

7.17 According to the secretariat, an application is mission‑critical if it supports a critical service that could affect the health, safety, security, or economic well‑being of Canadians or the effective functioning of the government as a whole. We reviewed the health score of the 1,480 applications designated as mission‑critical from 2019 to 2023. During that period, the percentage of healthy mission‑critical applications increased from 50% to 62%. However, this meant that at the time of our audit, 38% of mission‑critical applications (that is, 562 of the 1,480 applications) were still in poor health.

7.18 Delays in modernizing applications can significantly affect operations, costs, and other efforts, such as migrating to new or modernized infrastructure. In our 2010 report on aging information technology systems, we noted that Employment and Social Development Canada (then called Human Resources and Skills Development Canada) acknowledged a high risk that its mission‑critical information technology systems would not be able to support the delivery of programs, such as Employment Insurance.

7.19 Thirteen years after our 2010 report, the information technology system supporting the Employment Insurance program still had not been modernized. In our report on the Benefits Delivery Modernization programme, also released in October 2023, we found that current plans called for modernizing and transforming the Employment Insurance program, including its information technology system, with a completion date of 2028 at the earliest.

7.20 The Treasury Board of Canada Secretariat should consult with departments and agencies to determine and establish realistic targets and timelines for modernizing applications in poor health. The targets and timelines should be based on a documented methodology that considers factors such as priorities, the critical importance of applications, and the availability of skilled personnel and funding for departments and agencies.

The secretariat’s response. Agreed.

See Recommendations and Responses at the end of this report for detailed responses.

Slow progress in modernizing applications affecting the closure of legacy data centres

7.21 We found that Shared Services Canada was aware of the risks related to aging information technology infrastructure, and it developed action plans to address the infrastructure modernization needs of departments and agencies. In the 2018–19 fiscal year, for example, the department established a program and started prioritizing and investing in the repair and replacement of critical hardware infrastructure identified under its Operational Risk Program.

7.22 We found that Shared Services Canada made some progress on modernizing the government’s information technology infrastructure, which was accelerated by the coronavirus disease (COVID‑19)^{Definition 2} pandemic:

• To address changes in work practices, the department rapidly modernized and improved the government’s network infrastructure, including by expanding its remote access capacity.
• To support Employment and Social Development Canada, it expedited the transition of the 1‑800‑O‑Canada contact centre to a new remote operation model. This enabled Canadians to continue to obtain assistance and guidance on federal government services during the pandemic when call volumes were at an all‑time high.

These efforts accelerated the shift toward providing more online services to Canadians and also supported the needs of government employees working from home.

7.23 However, we found that as of March 2023, work had not proceeded for 65% of the approximately 4,500 applications that departments and agencies had earmarked for modernization, including the migration to new or modernized infrastructure, such as data centres, and no schedule was in place for performing this work. As a result of the delays in modernizing applications (see paragraphs 7.15 to 7.19), as of March 2023, Shared Services Canada had not closed 280 out of the 720 data centres it had identified for closure. In our 2015 report on information technology shared services, we noted that Shared Services Canada had set a target of closing nearly all of its data centres identified for closure by 2020. The department informed us that it depends on departments and agencies to first modernize their applications before it can make progress on closing the remaining legacy data centres.

7.24 We also found that Shared Services Canada, with departments and agencies, had not analyzed the financial effects of operating legacy applications and infrastructure, including the delayed migration of such applications to new supporting infrastructure. This is important because such an analysis would provide decision makers with a clear understanding of the related risks and financial costs of not modernizing in a timely manner.

7.25 Shared Services Canada should

• analyze the financial and non‑financial effects of continuing to operate legacy applications and infrastructure instead of migrating modernized applications to new or modernized infrastructure
• in coordination with the Treasury Board of Canada Secretariat and departments and agencies, undertake a review and prioritization exercise (including estimated timelines and budget) to modernize and migrate legacy applications to new supporting infrastructure and close the remaining legacy data centres

The department’s response. Agreed.

See Recommendations and Responses at the end of this report for detailed responses.

The Treasury Board of Canada Secretariat did not provide sufficient leadership for modernizing systems

7.26 This finding matters because departments and agencies rely on information technology systems, many of which are in poor health and require increased maintenance and resources. At the same time, the number of personnel with knowledge of and expertise on outdated and unsupported technology is diminishing. In some cases, the systems no longer have vendor support, which increases security risks, such as unauthorized access to information technology systems. All these factors add to the departments’ and agencies’ costs of relying on outdated systems.

7.27 Information technology modernization is an undertaking of considerable size, scope, and complexity. It also requires significant funding and associated resources that departments and agencies may not have. For all these reasons, strong and informed leadership, oversight, and appropriate funding from central agencies are essential for successful modernization.

7.28 Under the Policy on Service and Digital and various plans, including Canada’s Digital Ambition 2022 and Shared Services Canada 3.0: An Enterprise Approach, the Treasury Board of Canada Secretariat and Shared Services Canada are responsible for leading and supporting departments and agencies in their efforts to modernize their systems.

7.29 In response to our 2010 report on aging information technology systems, the secretariat committed to developing a strategic direction and supporting guidance that would help departments and agencies continually update mission‑critical information technology systems. In its response to our report, the secretariat undertook to table a government‑wide strategy for information technology modernization by March 2012.

7.30 Within the secretariat, the Chief Information Officer of Canada is responsible for overseeing high‑risk, complex, digitally enabled projects through the secretariat’s oversight and enablement program. The program’s primary objective is to monitor progress throughout the life cycle of selected information technology projects, including modernization projects. The program also aims to ensure that high‑risk digital investments are well managed throughout the project life cycle, increasing the probability of achieving the intended business outcomes.

7.31 The 2016–20 Government of Canada Information Technology Strategic Plan, prepared by the secretariat, stated that chronic underinvestment to replace aging information technology systems had put at risk the government’s ability to deliver essential services to Canadians. In 2017, the secretariat and Shared Services Canada committed to developing a sustainable funding model that would address information technology infrastructure renewal and sustainability.

More than 24 years without a strategy to assess and address the needs for systems modernization

7.32 We found that 24 years after the government first identified aging information technology as a significant issue, the Treasury Board of Canada Secretariat did not have a strategy or detailed plan for moving forward with a consistent and common approach to modernizing old information technology systems. The secretariat did not complete and table the government‑wide strategy for modernization by March 2012, despite its promise to do so in its response to our 2010 report.

7.33 In October 2022, the secretariat started drafting a strategy and plan for remediating risks, such as the potential failure of critical and aging systems and the shortage of skilled resources. At the time of our audit, the draft had not been finalized or approved and did not contain specific implementation timelines.

7.34 Shared Services Canada developed strategies, such as the 2020 information technologyIT Asset Recapitalization Strategy and the 2021 Network and Security Strategy. The department also assessed the need for modernizing the government’s information technology infrastructure. However, the department did not have a strategy developed in coordination with the secretariat that addressed infrastructure modernization needs in departments and agencies as a whole.

7.35 The Deputy Minister Committee on Enterprise Planning and Priorities, led by the secretariat, provides advice and recommendations on the relevance and prioritization of information technology projects, including information technology modernization projects, to the Chief Information Officer of Canada. We found that since its creation in 2015, the committee had largely focused on annually reviewing and prioritizing the resource needs for only approximately 25 information technology projects out of the approximately 3,400 proposed as part of this process. We also noted that over the last 2 fiscal years, the selected information technology projects of only 22 out of 45 partner departments and agencies were considered as a priority by the committee. This meant that a key governance mechanism in place to support the government’s modernization efforts had been largely ineffective because it focused on a limited number of projects and did not support the common goal of modernizing information technology systems for departments and agencies. In our survey of chief information officers, about 40% said that their departments and agencies were not involved when information technology modernization projects were prioritized. For example, smaller departments and agencies said that they faced challenges in advancing their initiatives as the projects of larger departments and agencies were prioritized.

7.36 Both the secretariat and Shared Services Canada have recognized that there are significant challenges in moving forward with information technology modernization, including underinvestment and the lack of personnel with specialized skills. For example, the secretariat told us that the lack of such personnel, as well as senior department and agency officials’ limited exposure and experience with information technology projects, had slowed the pace of modernization. In April 2023, the Treasury Board issued a Directive on Digital Talent. This directive aims to promote cooperation between federal departments and agencies and the secretariat to advance government‑wide recruitment and training to ensure that employees get the information technology skills needed to perform their work. However, the directive will take time to implement and will require the secretariat’s support, particularly for information technology modernization efforts.

7.37 In coordination with Shared Services Canada and in consultation with departments and agencies, the Treasury Board of Canada Secretariat should finalize and implement a comprehensive strategy for addressing the information technology modernization needs of departments and agencies. The strategy should

• identify and control the costs of maintaining legacy information technology systems
• estimate the costs and time frame for modernizing or decommissioning information technology systems
• re‑evaluate the governance mechanisms in place for prioritizing information technology systems that are to be modernized
• address the scarcity of personnel with the needed skills to support information technology modernization
• improve senior department and agency officials’ knowledge and understanding of information technology projects

The secretariat’s response. Agreed.

See Recommendations and Responses at the end of this report for detailed responses.

Incomplete and unverified data for assessing application modernization needs

7.38 We found that departments and agencies did not always provide complete and accurate information about their applications and that the Treasury Board of Canada Secretariat did not verify the accuracy and completeness of the data entered into the Application Portfolio Management system. The secretariat also did not follow up with these departments and agencies to correct inaccurate or incomplete information. The Application Portfolio Management system lacked controls for ensuring that information was entered on a timely basis, was accurate, and was complete.

7.39 We found that on average, departments and agencies had not assessed the health of close to 12% of the government’s approximately 7,500 applications from 2019 to 2023. This meant that inaccurate or incomplete information from these departments and agencies served as the basis for the overall health assessments of the government’s applications. This is important because the secretariat and Shared Services Canada relied on this information when deciding which applications were in need of modernization.

7.40 We also found that the Application Portfolio Management system did not retain historical data. Whenever new data was entered, it overwrote the existing data. Consequently, the secretariat could not efficiently and effectively analyze trends and changes in data or perform other types of multi‑year analysis.

7.41 In 2021, using data in the Application Portfolio Management system, the secretariat estimated that about $496 million in funding was required to modernize applications in poor health. However, the secretariat informed us that this was a low estimate and that funding needs were likely to be significantly higher. The estimate was low partly because departments and agencies entered inaccurate or incomplete data into the system. For example, in 2017, Employment and Social Development Canada estimated that modernizing and transforming the Benefits Delivery Modernization programme would cost $1.7 billion, but in November 2022, an external third‑party review estimated that the costs could increase to between $2.7 and $3.4 billion, largely because of the underestimation of initial costs and inflation.

7.42 During our audit, the secretariat informed us that it was upgrading the Application Portfolio Management system partly to address these issues. The secretariat expected to begin implementing a new version of the program in late 2024 at the earliest.

Limited oversight by the Treasury Board of Canada Secretariat of most modernization projects

7.43 The Treasury Board of Canada Secretariat had a mechanism in place for overseeing high‑risk information technology projects. It selected projects for oversight by assessing criteria such as the project’s complexity and risk, the number of stakeholders, the magnitude of costs, and the changes in project performance. However, we found that the secretariat received limited project information from departments and agencies for making its assessment. The secretariat also did not receive a complete list of all information technology projects from departments and agencies. Consequently, the secretariat had limited ability to accurately identify and select high‑risk projects for oversight.

7.44 We also found that as of May 2023, the secretariat monitored only 22 high‑risk information technology projects (planned costs of approximately $5.1 billion) out of the approximately 2,100 active projects (total planned costs of approximately $44 billion) reported by departments and agencies. This included projects to develop new applications and infrastructure and to modernize applications in poor health. The secretariat told us that it had limited monitoring capacity and could oversee only about 15 to 25 high‑risk projects at one time.

7.45 Central agency oversight is important. At the time, some information technology projects that did not undergo adequate central oversight incurred significant costs and encountered long delays. A major example is the failure of the Phoenix pay system project (Exhibit 7.3).

7.46 For the projects that it monitored, the Office of the Chief Information Officer of Canada made effective recommendations about how to deal with ongoing challenges related to scope, schedule, and costs. For example, the office recommended substantial adjustments to the Canada Border Services Agency’s Assessment and Revenue Management project and Employment and Social Development Canada’s Benefits Delivery Modernization programme.

7.47 The Treasury Board of Canada Secretariat should consult with departments and agencies to determine the tools and resources it needs to support government information technology projects, including appropriate funding. The secretariat should

• request and gather accurate and complete data on the status of information technology projects undertaken by departments and agencies
• identify high‑risk information technology projects undertaken by departments and agencies, including modernization projects
• increase its capacity and oversee all high‑risk government information technology projects

The secretariat’s response. Agreed.

See Recommendations and Responses at the end of this report for detailed responses.

Limited and inflexible funding approaches for modernization

7.48 We found that the Treasury Board of Canada Secretariat did not have a funding approach that addressed funding for both the immediate and longer‑term modernization needs of departments and agencies. This is important because federal government organizations may lack adequate funding to modernize their systems and address their future needs. Of the chief information officers who answered our survey, 77% told us that their departments or agencies did not have sufficient funding to meet their modernization needs. For example, chief information officers from smaller federal departments or agencies stated that they often faced complex modernization needs that would require a significant proportion of their overall budgets, as well as skilled personnel they did not have.

7.49 In the absence of a funding approach that addresses modernization needs, individual departments and agencies could fund their modernization initiatives through their existing financial allocations. This method provided limited incentive for organizations to modernize their systems because it involved drawing on funding that had been intended for other purposes, such as for the delivery of client‑centred services.

7.50 Departments and agencies could also seek additional or new funding from the Treasury Board for their modernization needs. However, it takes months to prepare and process a funding submission. This is important because, while waiting for the new funding submission to be prepared, processed, and approved, the department or agency continues to incur costs related to the maintenance of old and outdated systems and heightens the risks of system failures.

7.51 According to 86% of chief information officers who answered our survey, the available mechanisms for funding modernization projects were not timely. Almost 83% also told us that they were not satisfied with the available mechanisms for funding modernization projects. Some officers stated that the funding mechanisms available to them provided only a portion of the funding needed to modernize their applications. The funding that they received was for a specific year, even though modernization projects may extend over multiple years.

7.52 The Treasury Board of Canada Secretariat, in consultation with relevant stakeholders, should revise current funding mechanisms or develop new funding mechanisms to help departments and agencies modernize their information systems. The revised or new funding mechanisms should

• be timely, adaptable, and efficient and consider the immediate and future modernization needs of departments and agencies, including considering information technology modernization projects that span multiple years
• centralize the control and management of allotted funding to help prioritize and coordinate information technology modernization spending
• require departments and agencies receiving funding to regularly report back on their information technology modernization efforts and results

The secretariat’s response. Agreed.

See Recommendations and Responses at the end of this report for detailed responses.

Conclusion

7.53 We concluded that the Treasury Board of Canada Secretariat and Shared Services Canada did not sufficiently lead or support the efficient and effective modernization of information technology systems for departments and agencies.

7.54 The secretariat and Shared Services Canada need to act promptly to help departments and agencies support their information technology modernization needs and also help them address the costs of relying on outdated systems and reduce the risk of system failures.

7.55 Finally, departments and agencies need to regularly and promptly provide accurate and complete information about their applications. This will help the Treasury Board of Canada Secretariat and Shared Services Canada make better decisions about which systems are in greatest need of modernization.