information technology asset management
DESCRIPTION
TRANSCRIPT
AAUUDDIITT RREEPPOORRTT
INFORMATION TECHNOLOGY ASSET MANAGEMENT
Audit Services Division
June 2009
Approved by Chief Public Health Officer
on June 25, 2009
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
Table of Contents
EXECUTIVE SUMMARY ....................................................................................................................................... 1
BACKGROUND........................................................................................................................................................ 3
AUDIT OBJECTIVES.............................................................................................................................................. 3
SCOPE OF AUDIT ................................................................................................................................................... 4
APPROACH AND METHODOLOGY................................................................................................................... 4
AUDIT FINDINGS AND RECOMMENDATIONS .............................................................................................. 4
MANAGEMENT FRAMEWORK AND ACCOUNTABILITY.............................................................................................. 4 IT Asset Management Framework ..................................................................................................................... 5 IT Asset Policies and Procedures ...................................................................................................................... 7 IT Asset Processes ............................................................................................................................................. 8 Specific IT Asset Policy – Keeping IT Assets Current ....................................................................................... 9
OPERATIONAL ACTIVITIES .................................................................................................................................... 10 Acquisition Process.......................................................................................................................................... 10 Receiving and Warehousing ............................................................................................................................ 12 Systems for Recording Inventory ..................................................................................................................... 13 Surplus and Asset Disposal.............................................................................................................................. 16 Recuperation of IT Assets on Departure.......................................................................................................... 18
ACCRUAL ACCOUNTING........................................................................................................................................ 18
CONCLUSION........................................................................................................................................................ 23
APPENDIX A – AUDIT CRITERIA..................................................................................................................... 24
APPENDIX B – MANAGEMENT ACTION PLAN............................................................................................ 27
APPENDIX C – LIST OF ACRONYMS............................................................................................................... 35
Cat: HP5-83/2-2009E-PDF ISBN: 978-1-100-12886-3
Information Technology Asset Management
Executive Summary
1. The overall objective of the audit was to provide Public Health Agency of Canada (PHAC or the Agency) management with an assessment on whether the Agency’s Information Technology (IT) assets are being managed with due regard to economy and efficiency. This audit was conducted from January to June 2009.
2. The audit was PHAC-wide in scope and covered the IT asset management
strategies and activities within the Agency from April 1, 2007 to March 31, 2009. This audit did not examine the controls of IT assets physical security due time constraint and significance.
Management Framework and Accountability
3. The Agency does not yet have an IT asset management framework in place. We have noted that roles and responsibilities for managing and controlling IT assets are unclear and the accountability is scattered across PHAC.
4. Agency-specific IT asset management policies and procedures providing
necessary linkages between management's objectives and materiel operations have not been developed.
5. IT asset management processes are neither well-organized nor well-
documented. 6. Planning for necessary infrastructure hardware and software is well done. 7. Planning for desktop and laptop replacement is reactive because as noted in
paragraph 10 below, PHAC does not have a reliable inventory system for such hardware and does not have a formal desktop/laptop replacement policy. Consequently, Information Management/Information Technology (IM/IT) depends on the availability of lapsing year-end funds to initiate its desktop/laptop replacement actions.
Operational Activities
8. The Agency follows the Public Works and Government Services Canada procurement guidelines and takes advantage of volume discounts when available.
Audit Services Division – Public Health Agency of Canada 1 June 2009
Information Technology Asset Management
9. The receiving processes ensure that equipment received complied with the purchase order, are inventory tagged and tombstone data is recorded in the inventory systems.
10. Several automated processes and systems are used to produce inventories.
The diversity of automated systems prevents the Agency from producing comprehensive, complete, reliable and accurate hardware and software inventories.
11. The Agency does not have standard and common processes, templates, and
systems to control the hardware and software licenses.
12. In December 2008, the National Capital Region IM/IT assigned a dedicated Project Manager to reengineer its IT asset management processes and implement new software products.
Accrual Accounting
13. PHAC does not have either the controls or information to properly record its IT assets in compliance with either Treasury Board Accounting Standards or generally accepted accounting principles.
Conclusion
14. PHAC’s IT assets are not well managed or controlled. In order to rectify this situation, PHAC needs to assign responsibility for the management and control of IT assets to the Chief Information Officer, which may delegate certain processes to operational areas as appropriate. Further, the Chief Information Officer, the Director of Assets and Materiel Management and the Chief Financial Officer need to develop and implement an appropriate management and control framework for IT assets within a reasonable period of time.
Management Response
15. The Agency’s management agrees with our findings and recommendations and a management action plan are presented in Appendix B.
Audit Services Division – Public Health Agency of Canada 2 June 2009
Information Technology Asset Management
Background
16. It is important that Public Health Agency of Canada (PHAC or the Agency) achieve optimum economy and efficiency in acquiring, using and disposing of Information Technology (IT) assets. These assets are essential to enable PHAC to achieve its strategic goals. Significant resources, both human and financial, are required to manage IT assets effectively.
17. IT assets encompass desktop and laptop computers (commercial or
scientific), display screens, mid-range computers and servers, networked printers, and telecommunication equipment such as routers and switches. It also refers to Commercial off-the-shelf software and licenses.
18. IT asset management includes a number of related functions, such as
planning, acquiring, receiving, warehousing, recording, tracking, surplussing and disposing of IT assets.
19. PHAC IT assets are to be properly used to support the Agency’s programs,
operations and activities and be consistent with the established government priorities and the Agency’s business plans.
20. Over the last twenty years, there have been significant advances in best
practices for managing IT assets and in measuring and reporting on their performance. We have considered these advances in developing our recommendations for improvement.
Audit Objectives
21. The objectives for this audit were:
To assess the appropriateness of planning, policies, processes and internal controls designed to ensure that: • the investment in IT assets supports the achievement of PHAC’s strategic
objectives; and • IT assets are managed with due regard to economy and efficiency. In
this regard, the audit focused primarily on standardization, purchasing (including assessing prioritization processes and policies designed to keep systems current), and disposal of IT assets.
To assess the appropriateness of accounting procedures and internal controls used to record the costs of IT assets, and to facilitate the reliable reporting of IT assets in the Agency’s Financial Statements.
Audit Services Division – Public Health Agency of Canada 3 June 2009
Information Technology Asset Management
Scope of Audit
22. The audit was PHAC-wide in scope and covered the IT asset management strategies and activities within the Agency from April 1, 2007 to March 31, 2009. This audit did not examine the controls for physical security of IT assets due time constraint and significance.
Approach and Methodology
23. This audit was conducted in accordance with the Treasury Board (TB) Policy on Internal Audit and the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing, except that no external assessment was performed to demonstrate that PHAC’s internal audit function complied with the IIA Standards and Code of Ethics.
24. The audit criteria presented in Appendix A were based on relevant TB
policies. The audit team used a combination of audit methodologies, including:
• interviewing a total of 27 Agency managers and key personnel directly or
indirectly responsible for IT assets, and requesting documentary evidence as required;
• reviewing documents (policies, documented procedures and practices, reports, business cases, etc.) related to IT asset management operational activities at the Agency;
• conducting site visits to the National Microbiology Laboratory (NML) and the Manitoba/Saskatchewan regional office; and
• examining a sample of procurement documents for IT expenses reported in the accounting records in financial year (FY) 2007-08.
25. The audit was conducted from January to June 2009.
Audit Findings and Recommendations
Management Framework and Accountability
26. TB Policy on Management of Materiel holds the deputy heads responsible for ensuring that: a materiel management framework is in place that reflects an integrated approach to risk management; provides relevant performance information; sets out clear accountability and decision-making regimes that are consistent with organizational resources and capacity; and supports timely, informed materiel management decisions and the strategic outcomes of departmental programs.
Audit Services Division – Public Health Agency of Canada 4 June 2009
Information Technology Asset Management
27. An IT asset management framework is a control structure set up by a department or agency to operationalize the TB policy direction to efficiently manage its IT asset and associated responsibilities in a sustainable and financially responsible manner.
28. At a minimum, an IT asset management framework consists of appropriate
accountability and decision-making structures, clearly communicated authorities, segregated responsibilities, appropriate policies and practices, and appropriate management, financial, and materiel information systems that support informed decision-making and allows for adequate performance monitoring.
IT Asset Management Framework
29. The Agency does not yet have an IT asset management framework in place. We have noted that roles and responsibilities for managing and controlling IT assets are unclear and the accountability for IT assets is scattered across PHAC.
30. The Chief Information Officer (CIO). The CIO’s work description dated
June 13, 2008 indicates the CIO is responsible for all PHAC Information Management and Information Technology (IM/IT) activities and services, including IT assets. However, scientific projects/activities with IT components are managed within the program areas with little engagement of the CIO. The CIO manages mainly PHAC IT assets residing on the Health Canada (HC) corporate network.
31. NML. NML’s Procurement and Materiel Management unit reports to the
NML’s Director of Business Operations Division. It delivers materiel management support and services for the Canadian Science Centre for Human and Animal Health (CSCHAH), and the Winnipeg IM/IT group. More specifically, this unit provides:
• procurement services to staff located at the CSCHAH and to some extent
(IT purchases higher than $5,000) to NML; and • shipping and receiving, inventory control including System Application
Products (SAP) data entry, warehousing and asset disposal services to all PHAC employees located in Winnipeg.
32. Purchases under $5,000 are completed by the Programs Services group
within NML.
Audit Services Division – Public Health Agency of Canada 5 June 2009
Information Technology Asset Management
33. In terms of IT services, NML continues to fund and be responsible for the support of four Local Area Networks that are not connected to the corporate network, namely:
• the Building Controls-Building Security Network; • the Bioinformatics Network; • the Operations Centre Audio Visual (AV) Network; and • the Science Network: The Network (including servers) is jointly managed
by PHAC Corporate IM/IT and HC IM/IT.
34. In addition, there is significant infrastructure purchased by the Canadian Network for Public Health Intelligence (CNPHI) Development group which is funded by the NML. CNPHI development and production infrastructure is hosted on the Science Network and managed by the CNPHI Development group. About 2,500 users within PHAC external partner organizations connect to CNPHI using the Science Network's Internet connection which is being managed by PHAC IM/IT.
35. These NML networks contain many IT assets such as servers, desktops,
routers and switches, storage area network and telecommunication equipment.
36. HC-PHAC Memorandum of Understanding (MOU). We noted that the
March 31, 2005 MOU has not been reviewed and updated to reflect the Agency’s new environment, and evolving technology. The MOU states that HC responsibilities related to Asset Management include the development of policies, assistance during the procurement of goods, management of assets and inventory, and disposal of assets through Crown Assets. Examples of responsibilities are the management of Microsoft licences (Office Suite and Windows), the procurement of IT assets using the Departmental Individual Standing Offer (DISO) vehicle, and the disposal of IT assets to Public Works and Government Services Canada (PWGSC) Crown Asset and the Industry Canada Computers for Schools Program.
37. Regional Offices. In the six PHAC regional offices, the IT asset functions
are mainly provided by two distinct entities. The Winnipeg IM/IT group provides the planning, acquisition, receiving and inventory services while the HC Information Management Services Directorate staff located near each regional office, installs, hardware and software, transfers and moves IT hardware, and disposes and surplus equipment.
Conclusion
38. While the CIO has been assigned responsibility for managing IT assets, in
Audit Services Division – Public Health Agency of Canada 6 June 2009
Information Technology Asset Management
actual terms, the CIO has not been empowered to act on this authority. As a result IT asset management is fragmented and inconsistent across the Agency.
39. For example, the existence of “islands of IT asset management” outside the
purview of the CIO exposes PHAC to increased risk that IT assets may be poorly managed. Furthermore, it impedes the ability of the CIO to ensure that all IT assets are being used to support the Agency’s strategic objectives.
40. Additional risks linked to the disempowerment of the CIO include:
• inability to achieve efficient and effective structured accountability and
control of all IT assets, and • inability to establish a unique management control framework related
Agency-wide IT assets.
41. The need for one PHAC IT asset management framework is made even more important because of the geographic dispersal of IT assets across Canada.
Recommendations
42. PHAC Executive Committee should affirm the authority and responsibility of the Chief Information Officer to manage and control Information Technology assets. This authority should be effectively communicated throughout PHAC.
43. The Chief Information Officer should, in cooperation with the Chief Financial
Officer, develop and implement an appropriate Information Technology asset management framework. The framework should be consistent with Treasury Board policy and good industry practices.
44. PHAC Executive Committee should ensure that appropriate financial and
human resources are provided to the Chief Information Officer to support the success of its Information Technology asset management strategy and to support the ongoing operational Information Technology asset life cycle activities.
IT Asset Policies and Procedures
45. The following three sections comment on some specific IT Asset policies, procedures and processes that would be encompassed by the IT asset management framework discussed in the previous section.
Audit Services Division – Public Health Agency of Canada 7 June 2009
Information Technology Asset Management
46. Agency-specific policies and procedures providing necessary linkages between management's objectives and materiel operations have not been developed to manage IT assets. The Agency’s IT asset management function operates within the framework of HC’s policy. The policies have not been updated by the Agency nor does the Agency currently have an inventory of the specific policies it has adopted.
47. It is important to note that the Assets and Materiel Management (AMM)
Division responsible for the materiel management function was created approximately a year ago. AMM is currently completing a corporate policy document related to Asset Management based on central Agencies’ policies, including those that were originally created by HC.
48. The absence of such fundamental management structures has created an
accountability vacuum within the Agency relating to the management of IT assets such as:
• the Agency does not keep track of all its IT assets in SAP; • the inventory systems are not systematically identifying the surplus and
disposed items; • the transfer of assets between locations or individual is not always
recorded in the inventory; • an inventory tag is not always attached on every asset; and • the inventory information is not regularly validated with a physical count.
49. A further consequence of not having documented policies and procedures is
the loss of corporate memory when experienced employees leave the Agency and the lack of an important framework to guide new employees who join the Agency.
Recommendation
50. The Chief Information Officer should develop, seek approval for and communicate an appropriate suite of Information Technology asset management policies, practices, procedures and processes in compliance with the Agency Asset Management policy under development.
IT Asset Processes
51. Numerous processes and procedures required to manage the IT assets are generally neither documented nor integrated on a common platform. We noted different processes, tools and systems to manage IT assets. Significant differences were noted between the processes in place at NML, Winnipeg IM/IT and NCR IM/IT.
Audit Services Division – Public Health Agency of Canada 8 June 2009
Information Technology Asset Management
52. In December 2008, IM/IT assigned a dedicated Project manager to review the whole IT asset processes, leverage what had already been implemented by HC, and subsequently assess the feasibility of having a unique instance for its asset tracking and reporting method.
53. We concluded that current processes in place across the Agency were
fragmented, not always documented and not based on the same platform. Additional information is provided under the section Operational Activities.
Recommendation
54. The Chief Information Officer should reengineer all processes across the Agency to manage all Information Technology assets.
Specific IT Asset Policy – Keeping IT Assets Current
55. Within the framework and suite of policies and procedures discussed above, there should be a policy on keeping IT assets current as part of supporting PHAC’s strategic objectives. This section explores PHAC’s current approach to this issue and makes further recommendations with respect to the need for this specific policy.
56. The CIO does an appropriate job of planning for the acquisition and upgrade
of infrastructure IT assets. The impact of new IT application systems that will be rolled in to the network, the current performance of the network, planned expansion of the network, and necessary hardware and software upgrades to infrastructure assets are all analyzed in determining the best approach to keeping these important IT assets current.
57. However, PHAC does not have a formal replacement policy for end user
computing (desktops, laptops, peripherals, etc). The CIO understands the importance of having such a policy, but PHAC has never allocated sufficient resources to allow such a policy to be implemented. As a result, the CIO does its best, on an ad hoc basis, to keep IT assets current by using year end funds that would otherwise lapse. In our view, this is not a sustainable practice and is inconsistent with the long-term interests of PHAC.
58. As part of this ad hoc process, CIO developed several justification
documents to demonstrate the need to modernize a portion of PHAC hardware and software portfolio. However, none of the justifications were the result of a rigorous collection of user requirements.
59. They do, however, take into consideration such factors as the growth of the
Agency workforce, the aging of some equipment, the increase in the number
Audit Services Division – Public Health Agency of Canada 9 June 2009
Information Technology Asset Management
of support calls to repair the equipment, equipment no longer covered by warranty, requirements related to new operational projects and the necessity to upgrade software due to lack of support of older version by suppliers.
60. The following factors should be considered in developing an IT asset
replacement policy:
• changes in end user requirements; • defining a minimum standard that is acceptable to PHAC; • availability of vendor support; • ability to meet PHAC’s need to take full advantage of current productivity
tools; • impact of obsolete equipment on PHAC’s ability to meet strategic
objectives; and • availability of funds for an evergreen policy.
Recommendations
61. The Chief Information Officer should develop a recommended Information Technology asset replacement policy that meets the strategic needs of PHAC in an economical and effective manner. An estimate of required funding to implement the policy should accompany the recommendation to the Resources Planning Management Committee.
62. PHAC Executive Committee should explicitly document the rationale for its
decision to implement or modify the recommended policy so that the decision can be placed in context with PHAC’s tolerance for operational and Information Technology risks.
Operational Activities
Acquisition Process
63. The Agency acquisition processes comply with TB and PWGSC rules and regulations. IT assets are acquired by using PWGSC negotiated standing offers. Standing offers are agreements between PHAC, HC and potential suppliers for the supply of specified IT assets. They outline the terms and conditions applying to future requirements to be ordered on an "as and when required" basis. There are many types of standing offers and the type used depends on the geographical area involved (i.e. regional or Canada-wide). The PHAC or HC standing offers include the negotiated hardware and software standards including, individual components of IT hardware, and software assets.
Audit Services Division – Public Health Agency of Canada 10 June 2009
Information Technology Asset Management
64. Several policies and guidelines exist to document rules and regulations relative to the acquisition of tangible assets. Our assessment of current practices revealed that they comply with the established policies or guidelines.
65. For major IT asset expenditures such as computers, IM/IT used the Request
for Volume Discount (RVD) method as it provides the best value to the Crown and provides for continued replacement of computer equipment through bulk-buy arrangements with suppliers.
66. The IT asset acquisition methods being used by NML and Winnipeg IM/IT
Directorate vary slightly but comply with the established guidelines.
67. Whenever NML wishes to acquire its own IT assets, the NML Manager Program Services transmits the acquisition request to the Winnipeg - IM/IT Chief of Informatics, Laboratories and Regions. Once approved, it is transmitted to the NCR - IM/IT, IT/Chief, IT Operations Supports for further approval and processing.
68. Within NCR, the majority of IT acquisitions (except the ones using credit
cards) are centralized in IM/IT. Business and IT managers send their IT acquisition requests to their respective cost centre managers and then the acquisition requests are forwarded to the Administration Officer responsible for processing the IM/IT acquisition transactions.
69. Both groups involved in the acquisition process follow the policy and
guidelines established by PWGSC by using the right mechanisms (RVD, National Master Standing Offer, Departmental Individual Standing Offer (DISO), Standing Offer, etc.) and following the right guidelines and procedures.
70. For software acquisition, the same processes are followed by NML and IM/IT
except that the HC Enterprise Hardware Software Management (EHSM) has the final approval over the acquisition as opposed to the PHAC IM/IT group. Up to February 27, 2009, IM/IT relied on the HC EHSM group to acquire software specified in the DISO. However, as of March 1, 2009, HC dismantled this group. Considering that PHAC was not given the authority to process its own software purchases using the HC DISO, PHAC needs to negotiate this authority with PWGSC. In the interim, HC agreed to continue offering the software purchases using the DISO services.
71. By using the standing offers acquisition methods, PHAC ensures that
established standards are followed, however, there are circumstances where users can purchase their own IT assets. These situations mainly occur when
Audit Services Division – Public Health Agency of Canada 11 June 2009
Information Technology Asset Management
the IM/IT in-stock inventory of IT assets acquired with year-end funds is depleted. Considering that IM/IT does not have additional funds to buy new IT assets, user groups requiring additional IT assets become autonomous and buy their own assets.
72. The risk associated to the individual acquisition process is that users might
not systematically validate the IT asset technical components with IM/IT and deviate from the established IT standards.
73. We concluded that the acquisition process for IT assets complied with
Government of Canada policies.
Receiving and Warehousing
74. We noted that received equipment that complied with the purchase orders, are inventory tagged and tombstone data is recorded in the inventory systems. Different receiving methods are in place within PHAC depending on the work location.
75. Prior to the 2008-09 Request for Volume Discount (RVD) acquisition process
(February-March 2009) IT hardware assets that were bulk-purchased were all received and processed by IM/IT representatives located in NCR. Upon receipt, the IM/IT staff verify the purchase orders, tag the new equipment with a unique inventory number, record the information in the Asset Management Application (AMA) system (not SAP), store the new equipment in the NCR-IM/IT mini ired-cage warehouse or at the rented All Continent warehouse location depending on the volume of items received, and ship new assets to any user sites (NCR, NML or regions) on request. When users receive their new hardware, they call the Helpdesk Support Group requesting the installation of the new hardware. At the installation time, the IM/IT captures additional information and uses it to update the inventory system.
76. In February 2009, IM/IT put out a request for proposal (RFP) for a $500,000
RVD to acquire new IT assets. The RFP stated that the winning supplier will be expected to place an inventory tag on each item and configure each IT asset as specified by IM/IT. It will store the IT assets on its premises until a request is received to ship the assets to a specified information for each IT asset to NCR - IM/IT for recording in the inventory system. It is expected that these new procedures will significantly reduce PHAC’s administrative workload and improve the reliability of inventory records.
77. Older hardware returned to the warehouse for surplus are stored in the
warehouse and the IT asset status code is flagged as “surplus” in the
Audit Services Division – Public Health Agency of Canada 12 June 2009
Information Technology Asset Management
inventory database. When the IT assets are disposed of, the IT asset status code is identified as “inactive”.
78. Berry Road Warehouse in Winnipeg. The Berry Road warehouse in
Winnipeg provides central receiving and warehousing services to the NML and the Manitoba/Saskatchewan Regional Office. All goods received (except specimens) are processed at the warehouse. IT assets are checked against purchase orders. The IT assets are then tagged with a unique inventory number and the asset information is recorded in the SAP financial system. It is then delivered to users or stored in the warehouse awaiting a request to deliver the equipment to specific users. The Warehouse Manager ensures that all in/out movements of IT assets are tracked in the inventory system.
79. When surplus equipment is received at the Berry Road warehouse, the SAP
inventory information is updated to indicate that the IT asset is inactive. However, an inventory list of surplus IT assets on hand is not maintained.
80. When users receive their new hardware, a Helpdesk Support call is made
requesting the hardware to be configured and installed on the network. At this time, additional information is captured by IM/IT, and the information is transmitted to the warehouse staff to update the SAP inventory system.
81. NCR. In NCR, users control a few wired-cage warehouses located in
basements of buildings. They store surplus or IT assets awaiting disposal.
82. Our analysis of current process led us to conclude that the receiving of IT assets is the foundation of IT asset inventory. With the new RVD process, IM/IT put in place more efficient processes to ensure that IT assets are inventoried while decreasing its workload, asset manipulation, and operational costs.
Systems for Recording Inventory
83. Several automated systems (SAP, HP Asset Centre, and various Spreadsheets) are used to record inventory information for hardware and software. As noted previously, the Agency is unable to produce comprehensive, complete, reliable and accurate inventories of its IT assets. The purpose of this section is to provide a more in-depth analysis of the current situation.
84. Hardware Inventory Winnipeg. In Winnipeg, the Berry Warehouse Support
Group maintains the IT hardware information in the SAP system. It records the tombstone asset information when assets are received and updates it
Audit Services Division – Public Health Agency of Canada 13 June 2009
Information Technology Asset Management
when IM/IT staff provides them with information concerning the location and the movement of the IT assets.
85. Hardware Inventory in NCR. In the summer of 2006, IM/IT developed an
in-house IT asset tracking system entitled AMA. Information on end user IT assets in the NCR were recorded in this system.
86. While the AMA system provided basic information, it did not provide the
functionality provided by modern off-the-shelf software. The data in AMA was inconsistent and as of March 6, 2009, AMA was abandoned and replaced by the HP Asset Centre system, part of HP Openview family of software.
87. The HP Asset Centre is a database containing the information on IT assets.
It includes several IT asset management functions such as contract management, procurement, software management, financial information, etc. The Asset Centre database contains information on IT assets. In addition to tombstone information on each asset, it can manage variable information that needs to be managed such as movement of asset between offices, surplus and disposal.
88. To produce its hardware inventory, IM/IT intends to use the new HP
Enterprise Discovery software part of HP Openview family of software. This is a powerful Web-based software tool that, when installed on the network, scans the network to detect all IT hardware and software assets, updates the Asset Centre database with the current asset information, and flags variances. Asset inventories are then produced using the HP Asset Centre database.
89. The anticipated benefits of adopting the HP Openview software are
numerous. One of the highest anticipated benefits is the timeliness of information provided by the automated HP Enterprise Discovery capabilities. It will provide the most benefit to PHAC by automatically and accurately detecting IT asset changes. With further process implementation effort and data management effort by PHAC, the Enterprise Discovery engine can track hardware movement through a programmed reconciliation process. Commercial off-the-shelf software applications can be identified, located, and software license compliance can be monitored.
90. However, as of May 2009, IM/IT does not have access or control of all PHAC
networks. NML established and maintains four separate networks namely the:
• Science Network;
Audit Services Division – Public Health Agency of Canada 14 June 2009
Information Technology Asset Management
• BioInformatics Network; • Building Controls-Building Security Network; and • Operations Centre Audio Visual (AV) Network.
91. Consequently, unless connections are established to link all PHAC current
networks, IM/IT is not in a position to produce a comprehensive inventory of all IT assets.
92. In December 2008, NCR IM/IT assigned a dedicated Project Manager to
reengineer its IT asset management processes and implement the new HP software products. No internal processes for HP software products existed prior to a Project Manager being assigned to focus on this area. Existing processes focused on manual processes or on disparate databases being used to track IT assets. However, the in-house expertise on the HP software is limited at PHAC considering that both HP software are housed, managed, maintained, updated and supported by HC staff. PHAC staff has had limited exposure to the new HP products and until recently, relied on HC expertise to use the system. Unfortunately for PHAC, at the beginning of March 2009, HC ended the support of its long term contractors to further enhance and maintain the current HP software leaving only two internal staff with the responsibility to manage and support the systems.
93. The introduction of HP Asset Centre added to the complexity to manage IT
asset as the Agency supports two major distinct systems used to maintain its IT asset inventory.
94. We concluded that by replacing the AMA system by the HP Asset Centre
system, IM/IT gained much functionality to manage its assets. However, to produce a comprehensive inventory of all PHAC-wide IT hardware and software assets, IM/IT needs to develop and document a clear strategy.
95. Considering that all five PHAC networks are not all inter-connected there is a
risk that a comprehensive inventory of IT assets will not be produced.
96. Inventory of Software. Various PHAC groups (NCR-IM/IT Desktop Support, NCR-IM/IT Network Management, AMM, or IM/IT Winnipeg) use different methods/tools to track software inventory using Microsoft (MS) Excel spreadsheets, MS-Access databases, in addition to simple paper-based records. Information is not shared or consistent across inventory systems.
97. Within PHAC, there are two types of licenses; hardware and software
related. The audit attempted to examine the processes associated to the management of software. However, due to the multitude of software licenses
Audit Services Division – Public Health Agency of Canada 15 June 2009
Information Technology Asset Management
in place (probably in excess of fifty) and the diversity of processes involved, we did not undertake a detailed examination.
98. Up to February 27, 2009 the HC EHSM provided the acquisition and
inventory services for the Microsoft products, acquire software specified in the DISO, and produce the inventory of Microsoft Windows and Microsoft MS Office licenses. However, as of March 1, 2009, HC dismantled this group and PHAC negotiated with HC the continuity of these services until PHAC negotiates with PWGSC its own authority to purchase software using the HC DISO.
99. The analysis of license inventory reports demonstrated the absence of
standard and common processes, templates, and systems to control the licenses.
Conclusion
100. The management of software licenses is one of the highest risks (if not the highest) and challenges for IT asset management. Its management processes have to be rigorously controlled to ensure that contractual limitations are thoroughly complied with and not infringed. Otherwise, consequences such as financial and reputational could be experienced. Considering the high level of risk, control processes needs to be reengineered.
Recommendation
101. The Chief Information Officer should develop and implement a comprehensive strategy to manage and control the hardware and software inventories for all PHAC Information Technology assets.
Surplus and Asset Disposal
102. Surplus IT assets are stored at the Winnipeg Berry warehouse or the NCR mini-warehouses awaiting data purging. In compliance with the TB Directive on Disposal of Surplus Material, the surplus IT assets are purged from their data prior to shipping them to HC. This process is not systematically done for desktops and laptops that were not purchased by IM/IT. When IM/IT Desktop Support staff replaces older desktops, laptops or servers, these are sent to the warehouse awaiting data purification.
103. When the Winnipeg Berry warehouse receives older equipment, they are
flagged as surplus in the SAP system. Consequently, these surplus hardware are no longer included in any active inventory list. However, a list
Audit Services Division – Public Health Agency of Canada 16 June 2009
Information Technology Asset Management
of surplus IT assets is not produced and is not available. In compliance with the Directive on Disposal of Surplus Material, the Agency offers all its surplus personal computers, laptops, and other IT equipment to the Industry Canada Computers for Schools Program. Prior to disposing of these equipment, the Warehouse staff initiates a data purification process to backup all data on a corporate electronic folder prior to removing this data from the computer hard drives and memory. When schools decline the surplus equipment, then they are sent to PWGSC, Crown Assets.
104. The IM/IT staff collects the older desktops and laptops when they replace
them with newer ones and store them in their mini-warehouse. When equipment is sent to the mini-warehouse, the asset is not identified as surplus in the inventory system. Like Winnipeg, surplus equipment are kept in storage until the volume of surplus equipment becomes important enough to initiating the data backup of all information contained on the equipment and the sanitizing of data from hard disks and memory. Then the equipment is disposed of by offering them to schools first, and sending them to Crown Assets when schools refuse them.
105. For surplus IT assets that are controlled by users (such as printers, and
some laptops), equipment might be sent to their own mini-warehouses awaiting disposal. This equipment is not identified as surplus in the inventory system. The audit was unable to confirm whether this surplus equipment was sanitized prior to disposing of them.
106. When data is not removed from desktops, laptops or servers prior to
disposing of them, security risks occur:
• compromise the privacy and security of information; • PHAC ‘s reputation might be attacked when data is found on PHAC
surplus equipment; and • the inventory list might contain surplus equipment when assets are not
identified as surplus in the inventory database.
107. We concluded that risks exist that surplus equipment was disposed of prior to backing up and sanitizing data from hard disks and memory.
Recommendations
108. All surplus Information Technology assets should be sent to Information Management/Information Technology to ensure that data is backed-up and sanitized prior to disposing of them to Crown Assets or Health Canada.
Audit Services Division – Public Health Agency of Canada 17 June 2009
Information Technology Asset Management
109. Information Technology assets that are sent to surplus should be identified as surplus in the inventory database.
Recuperation of IT Assets on Departure
110. Considering the state of the hardware inventory, PHAC does not have the assurance that all assets are recuperated when staff or contractors leave the organization.
111. As previously outlined in this report, PHAC’s hardware inventory is not
accurate. Furthermore, we noted that some IT assets were purchased by users and have not been inventory tagged or recorded in an inventory system. These hardware equipment have been lent to staff for home or office usage and no record exists to demonstrate that these staff have possession of these assets.
112. The absence of tracking information on assets that have been lent to staff
creates opportunities for losing the asset. 113. We concluded that current inventory processes did not provide the
assurance that all PHAC’s asset will be recuperated when an employee or a contractor leaves the organization.
Recommendation
114. The Chief Information Officer should implement tracking systems for Information Technology assets lent to staff.
Accrual Accounting
115. The Agency has not yet completed a suite of policies and procedures that address accounting for capital assets. As stated earlier in this report, the Agency’s IT asset management function operates within the framework of HC’s assets management policy, which also provides information on the accounting for capital assets.
116. Furthermore, we also noted in this report that the AMM is currently
developing a PHAC corporate policy document related to Asset Management.
117. TB policies and standards require departments to establish procedures to
account for their capital assets, namely to:
Audit Services Division – Public Health Agency of Canada 18 June 2009
Information Technology Asset Management
• ensure all costs required to make a capital asset operational have been recorded in the value of the assets; and
• ensure to differentiate between betterments, which are capitalized, and repairs and maintenance, which are expensed.
118. TB and Generally Accepted Accounting Principles (GAAP) define capital
assets generally as any asset which has been acquired, constructed or developed with the intention of being used on a continuous basis and is not intended for resale in the ordinary course of business. Capital assets also include betterments, which are expenditures enhancing the service potential of the asset.
119. TB also requires departments to capitalize the following costs related to
software:
• direct internal and external costs related to application development and implementation activities such as design of software configuration, coding, installation to hardware, training specific to implementation, etc.;
• one-off licensing fee in order to use the software; and • upgrades and enhancements, which are defined as modifications to
enable the software to perform tasks that it was previously incapable of performing.
120. Finally, TB and GAAP require departments to use consistent criteria in
determining whether particular costs represent capital assets or current period expenses.
121. The Agency’s continuing process of creating itself as a stand-alone agency
since 2004 accounts in part for the absence to date of PHAC policies and procedures for IT assets.
Threshold Value
122. Consistent with TB guidelines, PHAC’s accounting policy is to capitalize IT hardware and software acquisitions that have a useful life in excess of one year and a unit cost greater than or equal to $10,000.
123. TB policy allows departments to establish a lower threshold than $10,000.
In addition, it may also establish a lower and/or varying lower threshold for different asset classes but these must be consistent from year to year.
124. To date, the Agency has not documented its rationale for utilizing the
standard TB approach nor made a formal assessment as to whether it might be more appropriate to vary the TB approach as permitted by TB.
Audit Services Division – Public Health Agency of Canada 19 June 2009
Information Technology Asset Management
Whole Asset vs. Component Approach
125. Capital assets can be recorded using the whole asset or component approach. The whole asset approach considers an asset as an assembly of connected parts as one asset. The component approach sees each of the parts as an asset to be capitalized individually. Both approaches are equally acceptable under TB standards.
126. Interviews indicated that the Agency uses the component approach.
However, once again there has been no analysis to determine whether this is the best approach for PHAC and there is no formal policy to approving the approach chosen.
Identifying Capital Costs
127. An Asset Master Record (AMR) is supposed to be created for all capital assets prior to committing funds for the acquisition or development of the capital asset. Capitalization and amortization of capital assets are based on the AMR files and, therefore the integrity of the AMR files is critical for proper accrual accounting. The capturing of this information assists the Agency in preparing its Statement of Financial Position.
128. Interviews indicated that the creation of an AMR is a shared responsibility
within PHAC (NCR, laboratories and regions) and HC. The Cost Centre Manager (CCM) obtains an AMR number from the following functional authorities:
• Assets and Materiel Management Division for NCR and the Laboratory
for Foodborne Zoonoses (including the two satellite laboratories); • Financial Policy, Operations, and Systems Division in Winnipeg for NML
and the Winnipeg/Saskatchewan region; and • HC Regional Senior Financial Officer for PHAC’s other regional offices.
129. The Asset Accounting module of SAP automatically requests an AMR
number when a CCM enters a code using a capital asset account in SAP. However, SAP does not have a built in control to detect capital purchases that have erroneously been recorded as period expenses.
130. The Agency’s unaudited financial statements provide the following
information on the IT capital assets for the year ended March 31, 2008 (as explained on Table 1).
Audit Services Division – Public Health Agency of Canada 20 June 2009
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada 21 June 2009
Table 1 – IT Capital Assets for the FY 2007-08
131. In FY 2007-08, IT purchases 1 totalling $10.6 million were recorded in
various IT expense accounts in SAP. An analysis of 28 purchases amounting to $3.9 million (having a unit cost greater than or equal to $10,000) revealed the following:
• 25% of these expenses by dollar value ($968,307) should have been
recorded as IT capital assets (as explained in Table 2); • 4% of these expenses by dollar value ($174,436) should have been
recorded as leasehold improvements; and • there was no documented evidence to support the accounting treatment
chosen.
Table 2 – IT Expenses That Should Have Been Capitalized in FY 2007-08
Type of Asset Amount Computer equipment $ 495,146 Computer software 159,500 One-off licensing fee in order to use a software 313,661 Total
$ 968,307
132. The current decentralization structure of the Agency accounts in part for the:
• roles and responsibilities not being clearly articulated; • significant number of CCMs involved in IT purchases; • lack of integration of the financial and materiel management systems; • lack of central coordination for managing AMR files, and for providing
functional direction and guidelines; and • possible lack of consulting from CCMs with AMM and IM/IT for advice
concerning capital asset identification.
1 Excludes direct internal and external costs related to application development and implementation activities such as
design of software configuration. These costs (i.e. payroll and payroll related costs, professional fees, etc.) could not be identified in SAP because as noted in paragraphs 132, 133 and 134.
Capital Assets April 1, 2007 Cost
Acquisitions March 31, 2008 Cost
Accumulated Amortization
Net Book Value
Computer equipment $ 3,074,332 $ 76,494 $ 3,150,826 $ 2,552,891 $ 597,935Computer software 1,042,061 35,110 1,077,171 925,483 151,688 Total $ 4,116,393 $ 111,604 $ 4,227,997
$ 3,478,374 $ 749,623
Information Technology Asset Management
133. Further, in our view, the following items add to the complexity of the asset
capitalization process:
• asset capitalization procedures are not sufficiently explicit on how they are to be interpreted from a policy perspective by the CCMs;
• lack of guidance on distinguishing between betterments or repairs and maintenance;
• compliance with TB policies and standards may not be well understood; • improper or absence of validation of financial coding when CCMs sign
Section 34 of the FAA; • possible lack of awareness of TB policies and standards and HC’s assets
management policy; • lack of a suitably rigorous process for identifying costs to be capitalized
that can withstand audit (i.e. time records, review and approval of costs charged by management of the project, etc.);
• absence of monitoring to ensure that assets processes are well understood and complied with; and
• no physical verification of asset holdings.
134. In the absence of detailed written policies and procedures, there is an undue risk CCM’s will continue to inconsistently account for, record and report IT assets. This inconsistency impacts adversely the integrity of the AMR files and the accuracy of the Agency’s Financial Statements and Public Accounts submissions.
135. Many of the recommendations made previously in this report will improve the
control over the reporting of IT assets. The following are additional recommendations intended to address reporting of IT assets specifically.
Recommendations
136. The Director, Assets and Materiel Management and the Chief Financial
Officer should complete, seek approval for and communicate the Asset Management Policy to include detailed procedures and guidance to properly account for Information Technology assets. Policy, procedures and guidance should be consistent with Treasury Board relevant policies and standards on capital assets and software, and generally accepted accounting principles.
137. The Director, Assets and Materiel Management should monitor compliance
with the policy by conducting regular reviews and annual physical asset inventory count.
Audit Services Division – Public Health Agency of Canada 22 June 2009
Information Technology Asset Management
138. The Chief Financial Officer should perform a review of the Information Technology expenses for the last financial year in order to identify unrecorded Information Technology assets.
Conclusion
139. PHAC’s IT assets are not well managed or controlled. In order to rectify this situation, PHAC needs to assign responsibility for the management and control of IT assets to the CIO, who may delegate certain processes to operational areas as appropriate. Further, the CIO, the Director of AMM and the Chief Financial Officer (CFO) need to develop and implement an appropriate management and control framework for IT assets within a reasonable period of time.
Acknowledgments
140. We wish to express our appreciation for the cooperation and assistance afforded to the audit team by management and staff during the course of this audit.
Audit Services Division – Public Health Agency of Canada 23 June 2009
Information Technology Asset Management
Appendix A – Audit Criteria Objective 1 To assess to appropriateness of planning processes and Public Health Agency of Canada policies, procedures and internal controls designed to ensure that:
• The investment in IT assets supports the achievement of PHAC’s strategic objectives; and
• IT assets are managed with due regard to economy and efficiency. In this regard, the audit will focus primarily on standardization, purchasing (including assessing prioritization processes and policies designed to keep systems current), and disposal.
Criteria Management Framework and Accountability IT Asset Management Framework A management framework for the IT assets has been developed, is in place and meets the needs of the Agency. a. Responsibility, authority, and accountability for IT asset management have been
clearly established. b. An IT manager has been appointed and given responsibility to co-ordinate and
direct the implementation of the IT portion of the government Materiel Management Policy.
IT Asset Policies, Procedures and Processes Policies and processes are in place to manage the IT asset life management cycle. a. The Agency uses the TB policy manuals and/or has developed its own IT asset
management manual and/or set of procedures. b. Agency’s IT asset policies are based on TB policy documents. c. Processes have been developed, documented, and are used to manage the IT
asset life cycle.
Audit Services Division – Public Health Agency of Canada 24 June 2009
Information Technology Asset Management
Specific IT Asset Policy – Keeping IT Assets Current IT asset requirements are assessed and planned. a. IT asset needs are assessed in relation to program administration and
operational requirements. b. IT asset requirements are identified and defined in terms of performance
specifications. c. Use of IT asset resources is forecast, and major items are assessed and ranked
in terms of program and operational requirements. d. An IT replacement policy and guidelines are used to ensure that the IT asset
inventory remains adequate and its performance remains adequate. Operational Activities Acquisition Process Acquisition of IT asset, whether by the Agency or PWGSC, is economical, efficient and effective. a. Standards have been developed, documented, and followed when acquiring IT
hardware and software. b. Methods of meeting IT asset requirements are analyzed, and the best options
chosen. c. Selection of IT asset to be acquired is based on requirements assessments and
performance specifications. d. Acquisition transactions are planned and executed based on service levels
established in relation to lead time, quality, reliability, delivery or performance. Receiving and Warehousing The operation, utilization and storage of IT asset are efficient, effective and timely. a. The allocation, distribution, and scheduled use of IT asset are based on program
or operational needs and requirements assessment reallocations are made in cases of under-utilization.
b. Delivery of IT asset is followed-up (where necessary) and goods are inspected on delivery to ensure that IT asset received is the materiel contracted for.
Audit Services Division – Public Health Agency of Canada 25 June 2009
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada 26 June 2009
Systems for Recording Inventory The operation, utilization and storage of IT asset are efficient, effective and timely. a. Records are maintained, using automated information systems where practical
and cost-effective, to track inventory and to monitor costs, utilization including the level of IT asset turnover, losses, and equipment performance.
b. The management of IT software licenses is efficient and ensure compliance to existing license agreement.
Surplus and Asset Disposal Replacement and disposal of IT asset are economic and efficient. a. Opportunities are identified for the reallocation or disposal of excess IT asset
materiel. b. Surplus IT asset which is no longer needed is disposed of, as well as the
storage space that becomes redundant. c. IT asset is disposed and replaced at optimum time in the life-cycle to ensure that
maximum benefits are achieved. Recuperation of IT Assets on Departure The operation, utilization and storage of IT asset are efficient, effective and timely. a. IT assets loaned to staff and contractors are recuperated when people leave
the organization Objective 2 To assess the appropriateness of accounting procedures and internal controls used to record the costs of IT assets, and to facilitate the reliable reporting of IT assets in the Agency’s Financial Statements. Criteria Accrual Accounting Appropriate procedures are in place for accounting IT assets, based on relevant TB policies and standards on capital assets and software, and generally accepted accounting principles.
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
27
Appendix B – Management Action Plan
Recommendations
Management Response
Officer of Prime Interest
Target Date
Information Technology Asset Management Framework 42. PHAC Executive Committee should affirm
the authority and responsibility of the Chief Information Officer to manage and control Information Technology assets. This authority should be effectively communicated throughout PHAC.
43. The Chief Information Officer should, in
cooperation with the Chief Financial Officer, develop and implement an appropriate Information Technology asset management framework. The framework should be consistent with Treasury Board policy and good industry practices.
44. PHAC Executive Committee should ensure
that appropriate financial and human resources are provided to the Chief Information Officer to support the success of its Information Technology asset management strategy and to support the ongoing operational Information Technology
Agree. The Executive Committee (EC) will affirm the authority and responsibility of the Chief Information Officer (CIO) to manage and control Agency-wide IT assets. Agree. An IT asset management framework will be developed and presented to IM/IT Management Committee (MC) for endorsement/approval. Based on recommendation from 42, roles and responsibilities will be adjusted accordingly. Agree. The EC based on PHAC priorities and available resources will provide the financial and human resources to the CIO to support the success of its IT asset management strategy and the ongoing operational IT asset life cycle activities.
Senior Assistant Deputy Minister (SADM) CIO and Chief Financial Officer (CFO) SADM
July 2009 Draft by April 2010 September 2009
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
28
Recommendations
Management Response
Officer of Prime Interest
Target Date
asset life cycle activities. Information Technology Asset Policies and Procedures 50. The Chief Information Officer should
develop, seek approval for and communicate an appropriate suite of Information Technology asset management policies, practices, procedures and processes in compliance with the Agency Asset Management policy under development.
Agree. a) IM/IT is in the process of developing and documenting a suite of IT asset management protocols, processes and procedures for IT asset management and will store these documents in a central repository. b) The Office of the Chief Information Officer (OCIO) will seek endorsement of Agency-wide IT asset management processes, procedures and protocols. c) Upon endorsement, the OCIO will communicate appropriate new practices to Officers of Prime Interest (OPI) identified in the PHAC IT asset management framework.
CIO CIO CIO
Started in October 2008 and targeted for completion December 2009. February 2010 Starting May 2010
Information Technology Asset Processes 54. The Chief Information Officer should
reengineer all processes across the Agency to manage all Information Technology assets.
Agree. a) IM/IT will standardize asset management procedures understanding the unique requirements of the centralized warehousing infrastructure established in Winnipeg for the National Microbiology Laboratory and the
CIO
February 2010
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
29
Recommendations
Management Response
Officer of Prime Interest
Target Date
decentralized infrastructure used in the National Capital Region and Regional locations. b) Procedures will be established to manage and track priority IT assets as defined below, while the Offices of Prime Interest identified in the PHAC IT asset management framework will be responsible for non-priority IT assets. Definition of priority IT assets: • network connected servers; • network connected routers; • network connected switches • Blackberrys; • network connected desktops; • network connected laptops; • desktop/laptop software; • server software; • hardware and software maintenance
contracts; and • network connected printers Items not included as priority IT assets include remote site workstations, work-at-home PC’s, “unmanaged” software, desktop peripherals (keyboards, mice,
CIO
May 2010
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
30
Recommendations
Management Response
Officer of Prime Interest
Target Date
etc.), local printers, other attractive assets. The implementation of standardized procedures will be dependent upon endorsement of an IT Asset Management Framework and the required operational funding to sustain centralized management and tracking.
Specific Information Technology Asset Policy – Keeping Information Technology Assets Current 61. The Chief Information Officer should develop
a recommended Information Technology asset replacement policy that meets the strategic needs of PHAC in an economical and effective manner. An estimate of required funding to implement the policy should accompany the recommendation to the Resource Planning Management Committee.
62. PHAC Executive Committee should explicitly
document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with PHAC’s tolerance for operational and Information Technology
Agree. The IM/IT Directorate will develop two separate evergreening strategies to accommodate acquisition and replacement of: (a) attractive assets, and; (b) capital assets. The evergreening strategies will be presented to IM/IT MC for endorsement and Resource Planning Management Committee (RPMC) for approval and funding consideration. Agree. The EC will document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with PHAC’s tolerance for operational and IT risks.
CIO SADM
November 2009 December 2009
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
31
Recommendations
Management Response
Officer of Prime Interest
Target Date
risks.
Systems for Recording Inventory 101. The Chief Information Officer should develop
and implement a comprehensive strategy to manage and control the hardware and software inventories for all PHAC Information Technology assets.
Agree. IM/IT will implement a strategy to manage and control hardware and software inventories acquired, managed and/or controlled by IM/IT. These strategies will have the capability to be leveraged Agency-wide pending endorsement/approval of a PHAC IT asset management framework and required resources and funding to carry out the work. The comprehensive strategy will include SAP for financial management and tracking (acquisition, depreciation) of IT assets while a complimentary system will be used for IT asset lifecycle management (acquisition, deployment, operation, replacement/disposal) of IT assets. The asset lifecycle management system will manage and track priority IT assets (see paragraph 54 for definition of priority
CIO
Strategy Completed Full implementation targeted for May 2010.
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
32
Recommendations
Management Response
Officer of Prime Interest
Target Date
IT assets) while the combination of SAP and the Offices of Prime Interest will be used to manage non-priority IT assets.
Surplus and Asset Disposal 108. All surplus Information Technology assets
should be sent to Information Management/Information Technology to ensure that data is backed-up and sanitized prior to disposing of them to Crown Assets or Health Canada.
109. Information Technology assets that are sent
to surplus should be identified as surplus in the inventory database.
Agree. A process will be documented and implemented to ensure all surplus IT assets are sent to the IM/IT so that data is backed-up and sanitized prior to transfer to Crown Assets or HC for disposition. Agree. IM/IT will implement measures to reconcile surplused assets managed by/or route through IM/IT. These assets will be tagged as surplus and recorded in an inventory database.
CIO CIO
August 2009 September 2009
Recuperation of Information Technology Assets on Departure 114. The Chief Information Officer should
implement tracking systems for Information Technology assets lent to staff.
Agree. A process, including a proposed system, will be developed to track IT assets lent to staff. The solution will be presented to IM/IT MC for endorsement and subsequent approval by RPMC. A system to track these items will be dependant upon approval of an IT asset management framework and associated
CIO
June 2010
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
33
Recommendations
Management Response
Officer of Prime Interest
Target Date
funding for system implementation, licensing and resources to support tracking and monitoring of these assets.
Accrual Accounting 136. The Director, Assets and Materiel
Management and the Chief Financial Officer should complete, seek approval for and communicate the Asset Management Policy to include detailed procedures and guidance to properly account for Information Technology capital assets. Policy, procedures and guidance should be consistent with Treasury Board relevant policies and standards on capital assets and software, and generally accepted accounting principles.
137. The Director, Assets and Materiel
Agree. a) Obtain approval for PHAC Asset Management Policy, which outlines requirements for identifying all capital assets valued over $10,000 and centralizes creation of asset master records to the PHAC Assets and Materiel Management (AMM) division, from PHAC Public Health and Policy Committee. b) Integrate capital asset requirements into procurement training. c) Develop capital assets procedures/guidance document to complement PHAC Assets Management Policy. d) Launch of materiel management intranet site and formal implementation of policy and procedures. Agree. a) Complete of annual Capital
Dir, AMM Dir, AMM Dir, AMM and CFO Dir, AMM and CFO Dir, AMM
May 27, 2009 July 2, 2009 August 30, 2009 August 30, 2009 November 30,
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada June 2009
34
Recommendations
Management Response
Officer of Prime Interest
Target Date
Management should monitor compliance with the policy by conducting regular reviews and annual physical asset inventory count.
138. The Chief Financial Officer should perform a
review of the Information Technology expenses for the last financial year in order to identify unrecorded Information Technology capital assets.
Asset Inventory Verification for assets valued over $10,000. b) Implement a semi-annual asset inventory reports to cost centre managers Agree. FY 2008-09 Information Technology expenses exceeding $10,000 will be reviewed to identify potential unrecorded capital assets
Dir, AMM CFO
2009 July 31, 2009 October 31, 2009
Information Technology Asset Management
Audit Services Division – Public Health Agency of Canada 35 June 2009
Appendix C – List of Acronyms
Agency Public Health Agency of Canada AMA Asset Management Application AMM Assets and Materiel Management AMR Asset Management Record number CCM Cost Centre Manager CIO Chief Financial Officer CFO Chief Financial Officer CNPHI Canadian Network for Public Health Intelligence CSCHAH Canadian Science Centre for Human and Animal Health DISO Departmental Individual Standing Offer EC Executive Committee EHSM Enterprise Hardware Software Management FY Financial Year GAAP Generally Accepted Accounting Principles HC Health Canada HP Hewlett Packard IM/IT Information Management/Information Technology Directorate IT Information Technology MC Management Committee MOU Memorandum of Understanding MS Microsoft NCR National Capital Region NML National Microbiology Laboratory OCIO Office of the Chief Information Officer OPI Officer of Prime Interest PHAC Public Health Agency of Canada PWGSC Public Works and Government Services Canada RPMC Resources Planning Management Committee RVD Request for Volume Discount SADM Senior Assistant Deputy Minister SAP System Applications Products, the Agency central financial
system TB Treasury Board