2023 Reports 5 to 9 of the Auditor General of Canada to the Parliament of CanadaReport 7—Modernizing Information Technology Systems
Independent Auditor’s Report
Table of Contents
- Introduction
- Findings and Recommendations
- Two thirds of applications were in poor health, and progress on modernizing infrastructure was slow
- The Treasury Board of Canada Secretariat did not provide sufficient leadership for modernizing systems
- More than 24 years without a strategy to assess and address the needs for systems modernization
- Incomplete and unverified data for assessing application modernization needs
- Limited oversight by the Treasury Board of Canada Secretariat of most modernization projects
- Limited and inflexible funding approaches for modernization
- Conclusion
- About the Audit
- Recommendations and Responses
- Exhibits:
- 7.1—Key dates in the government’s efforts to modernize its information technology systems
- 7.2—The health of departments’ and agencies’ information technology applications increased only marginally from 2019 to 2023
- 7.3—Lack of oversight contributed significantly to the failure of the Phoenix pay system project
Introduction
Background
7.1 The Government of Canada requires reliable and functioning information technology systems for delivering its services to the public. Many of these systems need to be modernized. They include computer applications (software programs) and infrastructure, such as hardware and data centres. Some systems have been in use since the early 1960s and are at risk of failure. That could disrupt, for example, the delivery of Old Age Security, Canada Pension Plan, or Employment Insurance benefits or the issuing of income tax refunds.
7.2 As early as 1999, the government identified its aging systems as a significant issue (Exhibit 7.1). Addressing the issue could involve retiring old and outdated information technology systems, improving those systems, or introducing new systems to deliver services to Canadians. It could also involve adopting cloud‑basedDefinition 1 solutions.
Exhibit 7.1—Key dates in the government’s efforts to modernize its information technology systems
1999 |
The government identifies the deterioration or obsolescence of computer hardware and software as a significant issue. |
2005 |
A Treasury Board of Canada Secretariat study notes that the government underinvests in up‑to‑date hardware and software. |
2010 |
The Treasury Board of Canada Secretariat agrees with an Auditor General of Canada report on aging information technology systems that the secretariat had not formally identified aging information technology as an area of importance for the government. |
2011 |
Shared Services Canada is created and given responsibility for modernizing and consolidating information technology infrastructure across the federal government. |
2012 |
The Treasury Board of Canada Secretariat requests departments and agencies to provide an inventory of information technology systems, risk assessments, and plans for addressing risks. |
2013 |
The Treasury Board of Canada Secretariat introduces the Application Portfolio Management system to monitor and track the state of applications within federal departments and agencies. |
2018 |
The Government of Canada’s updated Cloud Adoption Strategy directs federal departments and agencies to consider the cloud as the preferred option for delivering information technology services. Shared Services Canada introduces its Workload Migration Program, with the objective of moving the government’s applications from older (“legacy”) data centres to modern facilities. |
2021 |
The Government of Canada’s Digital Operations Strategic Plan: 2021–2024 focuses on modernizing the way the government replaces, builds, and manages major information technology systems. |
2022 |
Canada’s Digital Ambition 2022 sets out a path for addressing the challenges of digital modernization within the government. |
2023 |
The updated Cloud Adoption Strategy sets out the principle of “cloud smart,” asking departments and agencies to consider the most appropriate and relevant hosting model for an application. |
Source: Various sources from the Government of Canada
7.3 Treasury Board of Canada Secretariat. Within the secretariat, the Office of the Chief Information Officer of Canada provides overall leadership for information technology and for service and digital transformation across the federal government. It also gathers and reports on the state of departments’ and agencies’ applications, prioritizes the government’s demand for information technology shared services and assets, and monitors and oversees modernization projects throughout the government.
7.4 Shared Services Canada. This department is responsible for delivering and supporting cost‑effective, secure, and reliable information technology infrastructure, such as networks, data centres, modern tools, and client‑centric digital services—particularly to 45 partner departments and agencies in the federal government (referred to as “departments and agencies” in this report). Shared Services Canada is also responsible for the consolidation, management, and modernization of the government’s information technology infrastructure, including both aging legacy data centres and modern enterprise data centres serving the entire government.
Focus of the audit
7.5 This audit focused on whether the Treasury Board of Canada Secretariat and Shared Services Canada, as lead organizations, supported the efficient and effective modernization of information technology for departments and agencies.
7.6 We examined the progress made to modernize the applications and infrastructure used by departments and agencies. We also looked at the lead organizations’ plans and procedures in place to support, fund, and oversee the modernization initiatives of departments and agencies.
7.7 To better understand the effect of information technology modernization on departments and agencies, we also sent a survey to the chief information officers of these departments and agencies. We did not examine specific initiatives. We also released a separate audit report in October 2023 on a major modernization initiative, the Benefits Delivery Modernization programme at Employment and Social Development Canada.
7.8 This audit is important because departments and agencies are maintaining old and outdated applications and relying on old and outdated infrastructure. The failure of these systems would significantly affect the government’s delivery of services to Canadians. The old systems require extensive, costly operational support, and they need the support of personnel with knowledge of and expertise on these systems. The 2 lead organizations are responsible for supporting these departments and agencies and for helping them address gaps and challenges in their efforts to modernize their information technology systems, mitigate risks of failure, and avoid significant cost increases in the future.
7.9 More details about the audit objective, scope, approach, and criteria are in About the Audit at the end of this report.
Findings and Recommendations
Two thirds of applications were in poor health, and progress on modernizing infrastructure was slow
7.10 This finding matters because information technology systems are essential for delivering many of the government’s critical services to Canadians. According to the Treasury Board of Canada Secretariat, an application in poor health is, for example, an application that is in poor technical condition and may be running on an older infrastructure, have limited support from the vendor, have limited capacity to integrate with other systems, and have security vulnerabilities. These applications pose a risk of failure and require increased maintenance that is expensive. Employment and Social Development Canada’s Benefits Delivery Modernization programme provides an example of the need to take action on replacing old applications that are in poor health.
7.11 The slow progress in modernizing some infrastructure (such as old data centres) also poses several risks, including the possibility of
- system failures, which could significantly disrupt the delivery of services to the public
- increased operating costs
- security vulnerabilities
7.12 In response to our 2010 report on aging information technology systems, the Treasury Board of Canada Secretariat deployed an Application Portfolio Management system to formalize the collection and management of information related to the government’s information technology applications. The system’s primary objective is to provide an overarching view of the government’s information technology applications, including the risks resulting from aging information technology and security vulnerabilities. The system also monitors and tracks the health of departmental and agency applications.
7.13 At least annually, and more frequently as needed, departments and agencies must enter into the system new or updated information about their applications, including operational support costs and related information. The secretariat uses the data to generate an overall health score of these departments’ and agencies’ applications, which it reports annually. This score, in the form of a percentage, represents the number of healthy applications out of the total number of applications.
7.14 In continuing to close the aging legacy data centres Shared Services Canada launched the Workload Migration Program in 2018 with the objective of moving applications being stored in these old data centres to more modern and stable hosting environments, such as new government data centres or the cloud. Shared Services Canada is responsible for managing and modernizing the government’s information technology infrastructure, including the data centres, while departments and agencies are responsible for managing and modernizing their applications hosted in those data centres. An expected benefit of the program is that it will provide departments and agencies with a more robust and secure environment for managing, upgrading, or modernizing information technology applications.
Very slow progress on modernizing applications over the last 5 years
7.15 We found that from 2019 to 2023, departments and agencies made very slow progress on modernizing their applications. Using the data that these departments and agencies entered into the Treasury Board of Canada Secretariat’s Application Portfolio Management system, we reviewed the annual overall health score of about 7,500 applications for that 5‑year period. We found that there was no significant improvement over the period.
7.16 In 2023, the secretariat set a target: 60% of applications to be healthy by 2030. We found that from 2019 to 2023, the percentage of healthy applications increased marginally from 33% to 38% (Exhibit 7.2). That rate of increase amounted to approximately 1 percentage point per year. Continuing at this pace would mean that 45% of applications would be healthy by 2030, far lower than the secretariat’s target of 60%. To achieve the 60% target by 2030, the percentage would need to increase by more than 3 percentage points every year. And even if that target were achieved by 2030, 40% of applications would then still be in poor health, 31 years after the government first identified aging information technology as a significant issue.
Exhibit 7.2—The health of departments’ and agencies’ information technology applications increased only marginally from 2019 to 2023
Source: Based on data from the Treasury Board of Canada Secretariat
Exhibit 7.2—text version
This line graph shows that the percentage of departments’ and agencies’ healthy information technology applications grew only marginally from 33% in 2019 to 38% in 2023. These percentages are below the target of 60% of applications to be healthy by 2030.
The percentages of healthy applications from 2019 to 2023 are as follows:
Year | Health |
---|---|
2019 | 33% |
2020 | 36% |
2021 | 35% |
2022 | 37% |
2023 | 38% |
7.17 According to the secretariat, an application is mission‑critical if it supports a critical service that could affect the health, safety, security, or economic well‑being of Canadians or the effective functioning of the government as a whole. We reviewed the health score of the 1,480 applications designated as mission‑critical from 2019 to 2023. During that period, the percentage of healthy mission‑critical applications increased from 50% to 62%. However, this meant that at the time of our audit, 38% of mission‑critical applications (that is, 562 of the 1,480 applications) were still in poor health.
7.18 Delays in modernizing applications can significantly affect operations, costs, and other efforts, such as migrating to new or modernized infrastructure. In our 2010 report on aging information technology systems, we noted that Employment and Social Development Canada (then called Human Resources and Skills Development Canada) acknowledged a high risk that its mission‑critical information technology systems would not be able to support the delivery of programs, such as Employment Insurance.
7.19 Thirteen years after our 2010 report, the information technology system supporting the Employment Insurance program still had not been modernized. In our report on the Benefits Delivery Modernization programme, also released in October 2023, we found that current plans called for modernizing and transforming the Employment Insurance program, including its information technology system, with a completion date of 2028 at the earliest.
7.20 The Treasury Board of Canada Secretariat should consult with departments and agencies to determine and establish realistic targets and timelines for modernizing applications in poor health. The targets and timelines should be based on a documented methodology that considers factors such as priorities, the critical importance of applications, and the availability of skilled personnel and funding for departments and agencies.
The secretariat’s response. Agreed.
See Recommendations and Responses at the end of this report for detailed responses.
Slow progress in modernizing applications affecting the closure of legacy data centres
7.21 We found that Shared Services Canada was aware of the risks related to aging information technology infrastructure, and it developed action plans to address the infrastructure modernization needs of departments and agencies. In the 2018–19 fiscal year, for example, the department established a program and started prioritizing and investing in the repair and replacement of critical hardware infrastructure identified under its Operational Risk Program.
7.22 We found that Shared Services Canada made some progress on modernizing the government’s information technology infrastructure, which was accelerated by the coronavirus disease (COVID‑19)Definition 2 pandemic:
- To address changes in work practices, the department rapidly modernized and improved the government’s network infrastructure, including by expanding its remote access capacity.
- To support Employment and Social Development Canada, it expedited the transition of the 1‑800‑O‑Canada contact centre to a new remote operation model. This enabled Canadians to continue to obtain assistance and guidance on federal government services during the pandemic when call volumes were at an all‑time high.
These efforts accelerated the shift toward providing more online services to Canadians and also supported the needs of government employees working from home.
7.23 However, we found that as of March 2023, work had not proceeded for 65% of the approximately 4,500 applications that departments and agencies had earmarked for modernization, including the migration to new or modernized infrastructure, such as data centres, and no schedule was in place for performing this work. As a result of the delays in modernizing applications (see paragraphs 7.15 to 7.19), as of March 2023, Shared Services Canada had not closed 280 out of the 720 data centres it had identified for closure. In our 2015 report on information technology shared services, we noted that Shared Services Canada had set a target of closing nearly all of its data centres identified for closure by 2020. The department informed us that it depends on departments and agencies to first modernize their applications before it can make progress on closing the remaining legacy data centres.
7.24 We also found that Shared Services Canada, with departments and agencies, had not analyzed the financial effects of operating legacy applications and infrastructure, including the delayed migration of such applications to new supporting infrastructure. This is important because such an analysis would provide decision makers with a clear understanding of the related risks and financial costs of not modernizing in a timely manner.
7.25 Shared Services Canada should
- analyze the financial and non‑financial effects of continuing to operate legacy applications and infrastructure instead of migrating modernized applications to new or modernized infrastructure
- in coordination with the Treasury Board of Canada Secretariat and departments and agencies, undertake a review and prioritization exercise (including estimated timelines and budget) to modernize and migrate legacy applications to new supporting infrastructure and close the remaining legacy data centres
The department’s response. Agreed.
See Recommendations and Responses at the end of this report for detailed responses.
The Treasury Board of Canada Secretariat did not provide sufficient leadership for modernizing systems
7.26 This finding matters because departments and agencies rely on information technology systems, many of which are in poor health and require increased maintenance and resources. At the same time, the number of personnel with knowledge of and expertise on outdated and unsupported technology is diminishing. In some cases, the systems no longer have vendor support, which increases security risks, such as unauthorized access to information technology systems. All these factors add to the departments’ and agencies’ costs of relying on outdated systems.
7.27 Information technology modernization is an undertaking of considerable size, scope, and complexity. It also requires significant funding and associated resources that departments and agencies may not have. For all these reasons, strong and informed leadership, oversight, and appropriate funding from central agencies are essential for successful modernization.
7.28 Under the Policy on Service and Digital and various plans, including Canada’s Digital Ambition 2022 and Shared Services Canada 3.0: An Enterprise Approach, the Treasury Board of Canada Secretariat and Shared Services Canada are responsible for leading and supporting departments and agencies in their efforts to modernize their systems.
7.29 In response to our 2010 report on aging information technology systems, the secretariat committed to developing a strategic direction and supporting guidance that would help departments and agencies continually update mission‑critical information technology systems. In its response to our report, the secretariat undertook to table a government‑wide strategy for information technology modernization by March 2012.
7.30 Within the secretariat, the Chief Information Officer of Canada is responsible for overseeing high‑risk, complex, digitally enabled projects through the secretariat’s oversight and enablement program. The program’s primary objective is to monitor progress throughout the life cycle of selected information technology projects, including modernization projects. The program also aims to ensure that high‑risk digital investments are well managed throughout the project life cycle, increasing the probability of achieving the intended business outcomes.
7.31 The 2016–20 Government of Canada Information Technology Strategic Plan, prepared by the secretariat, stated that chronic underinvestment to replace aging information technology systems had put at risk the government’s ability to deliver essential services to Canadians. In 2017, the secretariat and Shared Services Canada committed to developing a sustainable funding model that would address information technology infrastructure renewal and sustainability.
More than 24 years without a strategy to assess and address the needs for systems modernization
7.32 We found that 24 years after the government first identified aging information technology as a significant issue, the Treasury Board of Canada Secretariat did not have a strategy or detailed plan for moving forward with a consistent and common approach to modernizing old information technology systems. The secretariat did not complete and table the government‑wide strategy for modernization by March 2012, despite its promise to do so in its response to our 2010 report.
7.33 In October 2022, the secretariat started drafting a strategy and plan for remediating risks, such as the potential failure of critical and aging systems and the shortage of skilled resources. At the time of our audit, the draft had not been finalized or approved and did not contain specific implementation timelines.
7.34 Shared Services Canada developed strategies, such as the 2020 information technologyIT Asset Recapitalization Strategy and the 2021 Network and Security Strategy. The department also assessed the need for modernizing the government’s information technology infrastructure. However, the department did not have a strategy developed in coordination with the secretariat that addressed infrastructure modernization needs in departments and agencies as a whole.
7.35 The Deputy Minister Committee on Enterprise Planning and Priorities, led by the secretariat, provides advice and recommendations on the relevance and prioritization of information technology projects, including information technology modernization projects, to the Chief Information Officer of Canada. We found that since its creation in 2015, the committee had largely focused on annually reviewing and prioritizing the resource needs for only approximately 25 information technology projects out of the approximately 3,400 proposed as part of this process. We also noted that over the last 2 fiscal years, the selected information technology projects of only 22 out of 45 partner departments and agencies were considered as a priority by the committee. This meant that a key governance mechanism in place to support the government’s modernization efforts had been largely ineffective because it focused on a limited number of projects and did not support the common goal of modernizing information technology systems for departments and agencies. In our survey of chief information officers, about 40% said that their departments and agencies were not involved when information technology modernization projects were prioritized. For example, smaller departments and agencies said that they faced challenges in advancing their initiatives as the projects of larger departments and agencies were prioritized.
7.36 Both the secretariat and Shared Services Canada have recognized that there are significant challenges in moving forward with information technology modernization, including underinvestment and the lack of personnel with specialized skills. For example, the secretariat told us that the lack of such personnel, as well as senior department and agency officials’ limited exposure and experience with information technology projects, had slowed the pace of modernization. In April 2023, the Treasury Board issued a Directive on Digital Talent. This directive aims to promote cooperation between federal departments and agencies and the secretariat to advance government‑wide recruitment and training to ensure that employees get the information technology skills needed to perform their work. However, the directive will take time to implement and will require the secretariat’s support, particularly for information technology modernization efforts.
7.37 In coordination with Shared Services Canada and in consultation with departments and agencies, the Treasury Board of Canada Secretariat should finalize and implement a comprehensive strategy for addressing the information technology modernization needs of departments and agencies. The strategy should
- identify and control the costs of maintaining legacy information technology systems
- estimate the costs and time frame for modernizing or decommissioning information technology systems
- re‑evaluate the governance mechanisms in place for prioritizing information technology systems that are to be modernized
- address the scarcity of personnel with the needed skills to support information technology modernization
- improve senior department and agency officials’ knowledge and understanding of information technology projects
The secretariat’s response. Agreed.
See Recommendations and Responses at the end of this report for detailed responses.
Incomplete and unverified data for assessing application modernization needs
7.38 We found that departments and agencies did not always provide complete and accurate information about their applications and that the Treasury Board of Canada Secretariat did not verify the accuracy and completeness of the data entered into the Application Portfolio Management system. The secretariat also did not follow up with these departments and agencies to correct inaccurate or incomplete information. The Application Portfolio Management system lacked controls for ensuring that information was entered on a timely basis, was accurate, and was complete.
7.39 We found that on average, departments and agencies had not assessed the health of close to 12% of the government’s approximately 7,500 applications from 2019 to 2023. This meant that inaccurate or incomplete information from these departments and agencies served as the basis for the overall health assessments of the government’s applications. This is important because the secretariat and Shared Services Canada relied on this information when deciding which applications were in need of modernization.
7.40 We also found that the Application Portfolio Management system did not retain historical data. Whenever new data was entered, it overwrote the existing data. Consequently, the secretariat could not efficiently and effectively analyze trends and changes in data or perform other types of multi‑year analysis.
7.41 In 2021, using data in the Application Portfolio Management system, the secretariat estimated that about $496 million in funding was required to modernize applications in poor health. However, the secretariat informed us that this was a low estimate and that funding needs were likely to be significantly higher. The estimate was low partly because departments and agencies entered inaccurate or incomplete data into the system. For example, in 2017, Employment and Social Development Canada estimated that modernizing and transforming the Benefits Delivery Modernization programme would cost $1.7 billion, but in November 2022, an external third‑party review estimated that the costs could increase to between $2.7 and $3.4 billion, largely because of the underestimation of initial costs and inflation.
7.42 During our audit, the secretariat informed us that it was upgrading the Application Portfolio Management system partly to address these issues. The secretariat expected to begin implementing a new version of the program in late 2024 at the earliest.
Limited oversight by the Treasury Board of Canada Secretariat of most modernization projects
7.43 The Treasury Board of Canada Secretariat had a mechanism in place for overseeing high‑risk information technology projects. It selected projects for oversight by assessing criteria such as the project’s complexity and risk, the number of stakeholders, the magnitude of costs, and the changes in project performance. However, we found that the secretariat received limited project information from departments and agencies for making its assessment. The secretariat also did not receive a complete list of all information technology projects from departments and agencies. Consequently, the secretariat had limited ability to accurately identify and select high‑risk projects for oversight.
7.44 We also found that as of May 2023, the secretariat monitored only 22 high‑risk information technology projects (planned costs of approximately $5.1 billion) out of the approximately 2,100 active projects (total planned costs of approximately $44 billion) reported by departments and agencies. This included projects to develop new applications and infrastructure and to modernize applications in poor health. The secretariat told us that it had limited monitoring capacity and could oversee only about 15 to 25 high‑risk projects at one time.
7.45 Central agency oversight is important. At the time, some information technology projects that did not undergo adequate central oversight incurred significant costs and encountered long delays. A major example is the failure of the Phoenix pay system project (Exhibit 7.3).
Exhibit 7.3—Lack of oversight contributed significantly to the failure of the Phoenix pay system project
The Phoenix pay system project is an example of what can go wrong when an information technology modernization project has little oversight.
In our 2018 report on building and implementing the Phoenix pay system, we found that project executives prioritized meeting project schedules and budgets over other critical elements, such as functionality and security. We also found that project executives did not provide a complete picture of the project’s risks when briefing senior officials. The lack of independent oversight contributed to the project’s failure.
This resulted in significant costs to the federal government and affected tens of thousands of employees. While the project’s total implementation cost is not yet known, the government spent more than $2.6 billion as of April 2022 to further support and stabilize the pay system and to correct pay file errors. The project also did not produce the expected efficiency and cost benefits. In its 2023 budget, the government allocated about $1 billion to the end of the 2024–25 fiscal year for additional work to address pay errors.
Source: 2018 Spring Reports of the Auditor General of Canada, Report 1—Building and Implementing the Phoenix Pay System; 2018–19 to 2021–22 departmental results reports, Treasury Board of Canada Secretariat; and Budget 2023, Government of Canada
7.46 For the projects that it monitored, the Office of the Chief Information Officer of Canada made effective recommendations about how to deal with ongoing challenges related to scope, schedule, and costs. For example, the office recommended substantial adjustments to the Canada Border Services Agency’s Assessment and Revenue Management project and Employment and Social Development Canada’s Benefits Delivery Modernization programme.
7.47 The Treasury Board of Canada Secretariat should consult with departments and agencies to determine the tools and resources it needs to support government information technology projects, including appropriate funding. The secretariat should
- request and gather accurate and complete data on the status of information technology projects undertaken by departments and agencies
- identify high‑risk information technology projects undertaken by departments and agencies, including modernization projects
- increase its capacity and oversee all high‑risk government information technology projects
The secretariat’s response. Agreed.
See Recommendations and Responses at the end of this report for detailed responses.
Limited and inflexible funding approaches for modernization
7.48 We found that the Treasury Board of Canada Secretariat did not have a funding approach that addressed funding for both the immediate and longer‑term modernization needs of departments and agencies. This is important because federal government organizations may lack adequate funding to modernize their systems and address their future needs. Of the chief information officers who answered our survey, 77% told us that their departments or agencies did not have sufficient funding to meet their modernization needs. For example, chief information officers from smaller federal departments or agencies stated that they often faced complex modernization needs that would require a significant proportion of their overall budgets, as well as skilled personnel they did not have.
7.49 In the absence of a funding approach that addresses modernization needs, individual departments and agencies could fund their modernization initiatives through their existing financial allocations. This method provided limited incentive for organizations to modernize their systems because it involved drawing on funding that had been intended for other purposes, such as for the delivery of client‑centred services.
7.50 Departments and agencies could also seek additional or new funding from the Treasury Board for their modernization needs. However, it takes months to prepare and process a funding submission. This is important because, while waiting for the new funding submission to be prepared, processed, and approved, the department or agency continues to incur costs related to the maintenance of old and outdated systems and heightens the risks of system failures.
7.51 According to 86% of chief information officers who answered our survey, the available mechanisms for funding modernization projects were not timely. Almost 83% also told us that they were not satisfied with the available mechanisms for funding modernization projects. Some officers stated that the funding mechanisms available to them provided only a portion of the funding needed to modernize their applications. The funding that they received was for a specific year, even though modernization projects may extend over multiple years.
7.52 The Treasury Board of Canada Secretariat, in consultation with relevant stakeholders, should revise current funding mechanisms or develop new funding mechanisms to help departments and agencies modernize their information systems. The revised or new funding mechanisms should
- be timely, adaptable, and efficient and consider the immediate and future modernization needs of departments and agencies, including considering information technology modernization projects that span multiple years
- centralize the control and management of allotted funding to help prioritize and coordinate information technology modernization spending
- require departments and agencies receiving funding to regularly report back on their information technology modernization efforts and results
The secretariat’s response. Agreed.
See Recommendations and Responses at the end of this report for detailed responses.
Conclusion
7.53 We concluded that the Treasury Board of Canada Secretariat and Shared Services Canada did not sufficiently lead or support the efficient and effective modernization of information technology systems for departments and agencies.
7.54 The secretariat and Shared Services Canada need to act promptly to help departments and agencies support their information technology modernization needs and also help them address the costs of relying on outdated systems and reduce the risk of system failures.
7.55 Finally, departments and agencies need to regularly and promptly provide accurate and complete information about their applications. This will help the Treasury Board of Canada Secretariat and Shared Services Canada make better decisions about which systems are in greatest need of modernization.
About the Audit
This independent assurance report was prepared by the Office of the Auditor General of Canada on modernizing information technology systems. Our responsibility was to provide objective information, advice, and assurance to assist Parliament in its scrutiny of the government’s management of resources and programs and to conclude on whether the Treasury Board of Canada Secretariat and Shared Services Canada complied in all significant respects with the applicable criteria.
All work in this audit was performed to a reasonable level of assurance in accordance with the Canadian Standard on Assurance Engagements (CSAE) 3001—Direct Engagements, set out by the Chartered Professional Accountants of Canada (CPA Canada) in the CPA Canada Handbook—Assurance.
The Office of the Auditor General of Canada applies the Canadian Standard on Quality Management 1—Quality Management for Firms That Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements. This standard requires our office to design, implement, and operate a system of quality management, including policies or procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements.
In conducting the audit work, we complied with the independence and other ethical requirements of the relevant rules of professional conduct applicable to the practice of public accounting in Canada, which are founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behaviour.
In accordance with our regular audit process, we obtained the following from entity management:
- confirmation of management’s responsibility for the subject under audit
- acknowledgement of the suitability of the criteria used in the audit
- confirmation that all known information that has been requested, or that could affect the findings or audit conclusion, has been provided
- confirmation that the audit report is factually accurate
Audit objective
The objective of this audit was to determine whether the Treasury Board of Canada Secretariat and Shared Services Canada led and supported the efficient and effective modernization of information technology systems across government.
Scope and approach
For this audit, we consulted with selected federal departments and agencies or sought to learn about their experiences. We also conducted a survey of chief information officers from the partner departments or agencies that received mandated information technology infrastructure services from Shared Services Canada. The goal of the survey was to better understand chief information officers’ perspectives with respect to information technology modernization. Two of the partner departments and agencies did not have a chief information officer. We sent out questionnaires to the other 43 and received 35 responses, for a total response rate of approximately 81%.
Our audit work included reviewing plans, strategies, policies, and guidelines; interviewing relevant department and agency officials; and conducting data analyses on the state of applications across government and how the government prioritizes the demand for information technology modernization:
- We examined the existence of strategies and plans to address the government’s information technology modernization needs, including funding, and strategies and plans to manage information technology technical debt.
- We reviewed the overall governance, monitoring, and oversight functions of lead organizations to support the effective modernization of government information technology initiatives.
- We examined the government’s framework for prioritizing information technology investments and the demand from partner departments and agencies for support of these investments.
- We obtained data from the Treasury Board of Canada Secretariat’s Application Portfolio Management system for the period from 18 January 2019 to 24 February 2023 and analyzed information related to the health of the partner departments’ and agencies’ information technology applications.
We did not examine specific information technology modernization initiatives currently led by federal departments and agencies. A separate audit released in October 2023 examined an example of a major information technology modernization initiative, the Benefits Delivery Modernization programme, and its progress.
Criteria
We used the following criteria to conclude against our audit objective:
Criteria | Sources |
---|---|
Effective decision making in the prioritizing and funding of government information technology modernization initiatives is established. The Treasury Board of Canada Secretariat and Shared Services Canada are informed of information technology systems in need of modernization (information technology technical debt), including expected magnitude of costs and risks for modernization. Information technology systems in need of modernization are prioritized. Based on a prioritized listing, a funding strategy for information technology modernization is established to fulfill the needs of departments and agencies. The Treasury Board of Canada Secretariat supports the adoption of existing Government of Canada enterprise solutions in information technology modernization. |
|
The Treasury Board of Canada Secretariat measures the progress and results of information technology modernization across the government. It effectively monitors and oversees information technology modernization initiatives across government. It measures progress to address information technology technical debt accumulated across government. It monitors the health of government information technology applications. |
|
Shared Services Canada, as service provider of information technology infrastructure, supports effective and efficient information technology modernization initiatives across government. It makes progress on information technology infrastructure modernization. It effectively supports, prioritizes, and coordinates information technology modernization initiatives of departments and agencies. |
|
Period covered by the audit
The audit covered the period from 1 April 2022 to 31 May 2023. This is the period to which the audit conclusion applies. However, to gain a more complete understanding of the subject matter of the audit, we also examined certain matters that preceded the start date of this period.
Date of the report
We obtained sufficient and appropriate audit evidence on which to base our conclusion on 25 August 2023, in Ottawa, Canada.
Audit team
This audit was completed by a multidisciplinary team from across the Office of the Auditor General of Canada led by Jean Goulet, Principal. The principal has overall responsibility for audit quality, including conducting the audit in accordance with professional standards, applicable legal and regulatory requirements, and the office’s policies and system of quality management.
Recommendations and Responses
In the following table, the paragraph number preceding the recommendation indicates the location of the recommendation in the report.
Recommendation | Response |
---|---|
7.20 The Treasury Board of Canada Secretariat should consult with departments and agencies to determine and establish realistic targets and timelines for modernizing applications in poor health. The targets and timelines should be based on a documented methodology that considers factors such as priorities, the critical importance of applications, and the availability of skilled personnel and funding for departments and agencies. |
The Treasury Board of Canada Secretariat’s response. Agreed. The Treasury Board of Canada Secretariat has already begun consultations with departments to update methodologies and data to develop a comprehensive view of application health. Beginning in 2024–25, the secretariat will work with departments to determine targets and timelines for addressing unhealthy applications, including modernization where appropriate. |
7.25 Shared Services Canada should
|
Shared Services Canada’s response. Agreed. Shared Services Canada will undertake an impact analysis focused on legacy technology as a whole, including applications and supporting infrastructure. This analysis will be the foundation upon which Shared Services Canada will engage partners on the planning and prioritization of workload modernization. The department proposes to utilize the Workload Migration Program methodology to develop business cases for the strategic closure of data centres, when it is cost‑effective and aligned with the modernization agendas of partners. This methodology represents a concerted approach to modernization that has proven to be effective and sensitive to the complexity of these initiatives. |
7.37 In coordination with Shared Services Canada and in consultation with departments and agencies, the Treasury Board of Canada Secretariat should finalize and implement a comprehensive strategy for addressing the information technology modernization needs of departments and agencies. The strategy should
|
The Treasury Board of Canada Secretariat’s response. Agreed. The Treasury Board of Canada Secretariat has already begun work in coordination with Shared Services Canada and departments to define a strategy to address information technology modernization across government, particularly in relation to governance and funding models for improving and modernizing legacy information technology systems. The strategy will include options analysis and investment scenarios for information technology modernization and decommissioning of legacy systems, based on available funding sources. In 2024–25, the secretariat will continue this work to consider options for identifying and controlling legacy information technology systems costs. The secretariat will also review existing frameworks and mechanisms for the prioritization of departmental plans for shared information technology services and include considerations for small departments and agencies, as well as improve engagement of departmental senior officials in the planning and prioritization process to increase knowledge and understanding of information technology projects and modernization strategies. |
7.47 The Treasury Board of Canada Secretariat should consult with departments and agencies to determine the tools and resources it needs to support government information technology projects, including appropriate funding. The secretariat should
|
The Treasury Board of Canada Secretariat’s response. Agreed. In 2023–24, the Treasury Board of Canada Secretariat will consult with departments on the capabilities, resources, and funding needed for the secretariat to support government information technology projects including information technology modernization efforts. This would include a more fulsome approach for the collection, management, and analysis of departmental data on information technology systems, planned investments, projects, and modernization activities. A revised risk framework that allows for the effective identification and monitoring of all high‑risk Government of Canada information technology projects would be used. Input from the consultation will support determination of a timeline for fully acting on this recommendation. |
7.52 The Treasury Board of Canada Secretariat, in consultation with relevant stakeholders, should revise current funding mechanisms or develop new funding mechanisms to help departments and agencies modernize their information systems. The revised or new funding mechanisms should
|
The Treasury Board of Canada Secretariat’s response. Agreed. The Treasury Board of Canada Secretariat has already begun work, in consultation with relevant stakeholders, to define a strategy to address information technology modernization across government, including funding models and mechanisms for modernizing legacy information technology systems. The strategy and funding model seek to address current and future modernization needs and will include timely and adaptable governance mechanisms to support departments and shared services organizations in efficient delivery. An option for consideration in the proposed model will include centralized control and management of modernization investment funding and regular departmental reporting on progress and results. |