Follow-up Audit of IT Asset Management

Executive Summary

Background

Information technology (IT) plays an important role in CNSC operations, and represents an essential component of the organization’s strategy to increase productivity and enhance mandated services for the benefit of citizens, businesses and employees. Over the past four years, following an increase in the number of full-time staff members, the CNSC has made several investments in IT hardware and software.

In July 2012, the Office of Values and Ethics completed and reported the results of its Audit of IT Asset Management. The CNSC management reported on their action plans for eight of the audit’s nine recommendations (recommendation #5 was rendered obsolete, following the implementation of a single IT inventory mechanism).

Given the importance of the 2012 Audit of IT Asset Management, the Audit Committee requested that a follow-up audit be conducted immediately, to assess the adequacy of management action plans.

Objectives and scope

The follow-up audit’s objectives were to determine if management had implemented management action plans (MAPs), and if the desired results were achieved with respect to the 2012 Audit of IT Asset Management.

The scope of the follow-up included a review of the eight outstanding MAPs resulting from the 2012 Audit of IT Asset Management (the obsolete recommendation requiring no further action). The follow-up focused on IT asset management activities for the period from July 2012 to October 15, 2012.

Approach

The audit included the following:

  • a review of relevant CNSC procedures governing the IT asset management activities
  • interviews with various CNSC employees involved in IT asset management activities

Conclusion

The follow-up audit concluded that the CNSC has completed seven of their eight MAPs addressing recommendations of the 2012 Audit of IT Asset Management, and the last remaining MAP is ongoing. Several processes, procedures and improvement initiatives have been put in place. Together, these actions are expected to strengthen management controls that govern IT asset management activities.

1. Introduction

1.1. Background

Information technology (IT) plays an important role in CNSC operations, and represents an essential component of the organization’s strategy to increase productivity and enhance mandated services for the benefit of citizens, businesses and employees. Over the past four years, following an increase in the number of full-time staff members, the CNSC has made several investments in IT hardware and software.

The Information Management and Technology Directorate (IMTD) is responsible for managing the CNSC’s investments in IT assets. IMTD’s objectives for asset management are to ensure:

  • that IT assets meet program needs as well as operational requirements
  • value for money in IT assets
  • that procurement activities stand the test of public scrutiny in matters of prudence and integrity, encourage competition, and reflect fairness in the spending of public funds.

An independent examination of the accuracy and completeness of the IT inventory and records was proposed to management, and is part of the approved Risk-Based Audit Plan for 2011–14.

In July 2012, the Office of Audit and Ethics completed and reported the results of its Audit of IT Asset Management which included nine recommendations for improving the CNSC’s IT asset management practices. The CNSC management reported on their action plans for eight of the audit’s nine recommendations (recommendation #5 was rendered obsolete, following the implementation of a single IT inventory mechanism).

1.2. Objectives and scope

The follow-up audit’s objectives were to determine if management had implemented management action plans (MAPs), and if the desired results were achieved with respect to the 2012 Audit of IT Asset Management.

The scope of the follow-up included a review of the eight outstanding MAPs resulting from the 2012 Audit of IT Asset Management (recommendation 5 requiring no further action). The new audit focused on IT asset management activities for the period from July 2012 to October 15, 2012.

1.3. Analysis of risks

Given the importance of the 2012 Audit of IT Asset Management, the Audit Committee requested that a follow-up audit be conducted immediately, to assess the adequacy of management action plans.

1.4. Audit criteria

The follow-up audit examined the CNSC’s actions taken in response to recommendations made in the 2012 Audit of IT Asset Management to determine if the corrective actions had been completed.

1.5. Approach and methodology

The approach for the follow-up audit consisted of reviewing the relevant CNSC procedures governing IT asset management activities and interviewing various CNSC employees involved in these activities.

The methodology for the follow-up audit included:

  • gathering evidence to ensure that the management action plans are implemented
  • interviews with selected individuals from IMTD
  • reviews of updated IT asset management processes, policies and standards, along with reviews of newly implemented procedures and limited testing of IT inventory
  • assessment of the adequacy of processes and internal controls in place, and whether the reported situations have improved

1.6. Statement of assurance

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada. A practice inspection has not been conducted.

2. Observations

The follow-up audit examined the outstanding MAPs resulting from the 2012 Audit of IT Asset Management to determine if the corrective actions had been completed.

2.1. 2012 audit recommendation 1: Governance structure

The IMTD Director General should define, document and communicate the roles and responsibilities of staff responsible for IT asset management.

2012 Management action plan:

IMTD agrees with the recommendation. IMTD has developed a new policy instrument (IT Asset Management Directive), along with detailed procedures. These documents summarize the roles and responsibilities of staff involved in asset management. IMTD employees responsible for IT asset management are being trained on the procedures, and the new directive will be communicated to all CNSC staff, once approved.

Follow-up audit observation:

The audit found that the IT Asset Management Directive was approved by senior management on August 16, 2012. The directive is divided into two parts: the first part specifies IT asset management requirements for employees, and the second part establishes the roles and requirements for IMTD. The new directive was communicated to the entire staff in August 2012, through the CNSC’s intranet site (BORIS).

IT asset assignment and tracking procedures were approved by the IMTD Director General (DG) on September 24, 2012. These procedures have been communicated within IMTD Client Service Division (CSD).

The IT Asset Management Directive and the assignment and tracking procedures have been posted on BORIS. IMTD is also drafting additional procedural and guidance material for the IM/IT intranet, to provide additional assistance to end-users.

Conclusion:

The audit concludes that the new IT Asset Management Directive and the IT Asset Assignment and Tracking Procedures document the roles and responsibilities of staff involved in asset management. The directive and procedures documents were communicated within IMTD and employees responsible for IT asset management have been trained on the procedures.

Status: Completed.

2.2. 2012 audit recommendation 2: Acquisition, replacement and disposal of assets – Planning

The IMTD Director General should develop and communicate a lifecycle plan, to ensure that the division is managing the full lifecycle of IT assets in conformity with the required policies. The plan should include a notional budget, set up at the beginning of the year, to address lifecycle management needs. This would provide the basis for funding requests.

2012 Management action plan:

IMTD agrees with the recommendation. IMTD has developed a lifecycle plan that reflects current requirements for asset replacement, and has also streamlined processes for ongoing lifecycle planning. Funding for the lifecycle plan will be included in the IMTD baseline budget, on an ongoing basis. Procurement of assets, in accordance with the plan, will take place on a quarterly basis.

Follow-up audit observation:

The audit found that an IT asset lifecycle plan has been developed and approved by the DG IMTD. The plan is adequate. It can be strengthened by the addition of some elements of a more comprehensive nature, such as financial analysis and estimated expenditures for the plan’s scheduled IT asset replacements.

The audit noted that the documented plan outlines a four-year lifecycle for laptops and desktops (servers are not included in the plan, as these will be the responsibility of Shared Services Canada). The audit also found that asset management staff has developed a quarterly schedule for the anticipated quantity of laptops and desktops required over the next three years (to March 2016), based on current inventories.

The DG IMTD advised that the lifecycle plan’s proposed base of replenishing CNSC’s laptops and desktops over a four-year period is consistent with practices and funding that have been in place in previous years. The audit concludes that while the lifecycle plan is adequate, it could be improved by including a rationale for the four-year base.

Interviews with the DG IMTD noted that the lifecycle approach is not expected to have a major budget impact in terms of increasing or decreasing the planned amounts required to maintain these IT assets. The DG IMTD advised that in his discussions with the CNSC’s finance division, it was agreed that planned expenditures will be allocated to IMTD in the CNSC budget at the beginning of the 2013–14 fiscal year.

Finally, the audit noted that the DG IMTD reviewed the IT lifecycle plan (to address suggestions provided by the audit team) and has approved it. The plan was to be presented to the Vice-President, Corporate Services Branch and Chief Financial Officer (VP CSB) in November 2012, as part of normal reviews of the CNSC IT budget.

The VP CSB indicated to the audit team that he reviewed the plan and is in agreement with it. He also stated that the DG IMTD has the delegated authority to manage, monitor and report (as appropriate) on the implementation of the plan. He noted that both he and the finance team review the plan at the beginning of each fiscal year. Further, the plan is updated (as required) during the quarterly financial reviews, and any adjustments or financial pressures to the plan are revealed and reported to the Management Committee (MC).

Conclusion:

An IT asset lifecycle plan has been developed and approved by DG IMTD. It has been communicated inside the IMTD. The VP CSB will ensure that the plan is communicated to appropriate CNSC stakeholders (e.g., finance division and MC).

Status: Completed.

2.3. 2012 audit recommendation 3: Acquisition, replacement and disposal of assets – Disposal of hardware

The IMTD Director General should formally document the process for declaring an asset as surplus, as well as the disposition process.

2012 Management action plan:

IMTD agrees with the recommendation, and has developed procedures and forms for asset disposition.

Follow-up audit observation:

The audit found that the IT Asset Management Directive adequately addresses the transfer, disposal and write-off of IT assets. The disposition process is documented in the IT Asset Assignment and Tracking Procedures.

Surplus assets are being tracked by IMTD using an asset tracking spreadsheet. The audit concludes that the procedures for tracking and processing surplus assets are clearly defined in the IT Asset Assignment and Tracking Procedures. While adequate, the new directive and procedures could be improved by clearly defining the criteria for declaring an IT asset as surplus.

The IMTD disposition procedures have been strengthened by increased segregation of duties of IMTD staff, by separating assets held for disposal in a secured area, as well as by requiring oversight and approval of all dispositions by the Director General of IMTD. The process has also been communicated to the Client Service Division (CSD) within IMTD.

The audit noted that the DG IMTD addressed the suggestions provided by the audit team, by strengthening the definition of surplus assets within the IT Asset Assignment and Tracking Procedures and better documenting IMTD’s role in the write-off process.

Conclusion:

The processes for declaring an asset surplus and disposing of surplus assets have been sufficiently documented in the IT Asset Management Directive and the IT Asset Assignment and Tracking Procedures.

Status: Completed.

2.4. 2012 audit recommendation 4: Management of IT assets – Monitoring and tracking of software

The IMTD Director General should implement one tracking tool for hardware and software inventory, which would enable IMTD to efficiently track all IT assets.

2012 Management action plan:

IMTD agrees with the recommendation. The directorate has merged the two systems currently used for tracking hardware inventory into a single tracking tool, and has also consolidated its software tracking. All this information is consolidated into two spreadsheets. IMTD will also procure and implement an asset management software solution during the 2012–13 fiscal year, at which time both hardware and software tracking will be merged.

Follow-up audit observation:

The audit found that IMTD has consolidated hardware and software onto two spreadsheets (note: hardware includes both capital and non-capital IT assets). This data is managed by CSD and can only be modified by the asset management officer (all other users are limited to read-only access).

The current system is used to record and track all movement of hardware, software and audio-visual assets. The information contained in the database is used for lifecycle planning, asset verification and asset management. IMTD acknowledges that, while the current system has functional limitations, it does meet existing needs.

IMTD advised that it will continue its efforts to purchase and implement a commercial asset management product, although procurement and implementation will not be completed in 2012–13. The audit team understands that the project now aims for an implementation date during the summer of 2013.

Conclusion:

The implementation of a new IT asset management system has been delayed from March 31, 2013 until the summer of 2013. In the interim, Excel spreadsheets will continue to be used to maintain hardware and software inventory.

Status: Open.

2.5. 2012 audit recommendation 6: Management of IT assets – Verification and reconciliation

The IMTD Director General should implement a scheduled verification process, to verify the existence of IT assets.

2012 Management action plan:

IMTD has implemented a scheduled verification process that will, on an ongoing basis, verify the existence of IT assets. A full verification of assets will take place on an annual basis. The IMTD loaner pool will be verified on a monthly basis.

Follow-up audit observation:

The audit found that an IT asset monitoring and validation process has been implemented, and validations are currently ongoing. IMTD has completed asset verifications at Bruce Power and Darlington, and all assets were accounted for. Asset verifications were planned for the National Capital Region in November 2012, and CNSC staff was notified about this upcoming exercise.

The current asset verification program includes identifying assets according to the asset management listing, and having each end-user sign an inventory sheet for the equipment at their workstation.

CSD planned to conduct its first software verifications in late 2012. The audit also found that the loaner pool for laptops is being maintained and approved on a monthly basis.

The audit noted that the DG IMTD addressed the audit team’s recommendations by revising the IT Asset Assignment and Tracking Procedures, to include the monitoring and validation process and to include reference to the laptop loaner pool processes.

Conclusion:

An IT asset monitoring and validation process has been implemented, and validations are currently ongoing.

Status: Completed.

2.6. 2012 audit recommendation 7: Management of IT assets – Physical asset identification

The IMTD Director General should implement a documented process for assigning asset numbers to IT assets.

2012 Management action plan:

IMTD agrees with the recommendation. IMTD has implemented a documented process for assigning asset numbers to IT assets.

Follow-up audit observation:

The audit found that the IT Asset Assignment and Tracking Procedures document the process for assigning asset numbers to IT assets.

Assets are tagged as soon as they are received. The audit confirmed the presence of tags on assets in storage locations. Once the goods are received, the asset management group creates an install ticket, using the Technical Support Centre (TSC) ticketing system. TSC completes the install, obtains sign-off by the end-user accountable for the IT assets, and then closes the install ticket.

Audit testing indicates that the process for assigning numbers to IT assets appears to be well understood and followed.

Conclusion:

IMTD has implemented a documented process for assigning asset numbers to IT assets.

Status: Completed.

2.7. 2012 audit recommendation 8: Management of IT assets – Safeguarding of assets and storage of IT assets

The IMTD Director General should ensure that all IT assets are secured. Management should separate the storage of new IT assets from IT assets that are designated for disposal.

2012 Management action plan:

IMTD agrees with the recommendation. IMTD has reviewed physical space layout and developed procedures, in order to ensure that IT assets are secured, and that the storage of new IT assets is separated from the storage of IT assets that are designated for disposal.

Follow-up audit observation:

The audit found that physical security of IT assets is in place at Slater (Storage and Tech rooms) and Telesat (Tech rooms) locations. Camera, access card and alarm systems were observed. Laptops for training and loaner pools are locked. Separate caged areas were observed for assets designated for disposal.

IMTD staff was aware of these security procedures, although at the time of the audit they had not been documented. IMTD has since amended the IT Asset Assignment and Tracking Procedures to provide a description of the security protocols for each area.

Conclusion:

The new procedures have been developed and physical space layout has been redesigned to ensure that IT assets are secured. New IT assets are stored separately from IT assets designated for disposal.

Status: Completed.

2.8. 2012 audit recommendation 9: Audiovisual equipment

The IMTD Director General should develop and implement a process to track the location of the audio-video equipment, using the asset numbers assigned to this equipment.

2012 Management action plan:

IMTD agrees with the recommendation. IMTD has developed and implemented procedures to ensure that audio-video equipment is tracked using assigned asset numbers.

Follow-up audit observation:

The audit found that the IT Asset Assignment and Tracking Procedures outline and establish proper roles, responsibilities and activities for the management of audiovisual equipment. All audiovisual equipment is defined as “items to be tagged” in Appendix A of the Information Technology Asset Assignment and Tracking Procedures document.

There are no additional procedures for audiovisual equipment. All audiovisual equipment is tagged and included in the master asset inventory spreadsheet. Televisions/monitors are bolted to the walls, and there are cameras on all floors.

The audit team also conducted spot-checks of the audiovisual equipment recorded in the master asset inventory spreadsheet for the committee rooms on the 3rd and 14th floors.

Conclusion:

The audit concludes that all audiovisual equipment is managed through the same procedures as other IT assets. These assets are tracked using assigned asset numbers.

Status: Completed.

3. Overall Conclusion

The audit concluded that the CNSC has completed seven of the eight MAPs addressing the recommendations of the 2012 Audit of IT Asset Management, and the remaining MAP is ongoing. Several processes, procedures and improvement initiatives have been put in place. Together, these measures are expected to strengthen the management controls that govern IT asset management activities at the CNSC.

Appendix 1: Status of Management Action Plans

2012 Audit Recommendation | 2012 Management Action Plan | Status

Recommendation 1: Governance structure

The IMTD Director General should define, document and communicate the roles and responsibilities of staff responsible for IT asset management.

IMTD agrees with the recommendation. IMTD has developed a new policy instrument (IT Asset Management Directive), along with detailed procedures. These documents summarize the roles and responsibilities of staff involved in asset management. IMTD employees responsible for IT asset management are being trained on the procedures, and the new directive will be communicated to all CNSC staff, once approved.

Status: Completed

Recommendation 2: Acquisition, replacement and disposal of assets – Planning

The IMTD Director General should develop and communicate a lifecycle plan, to ensure that the division is managing the full lifecycle of IT assets in conformity with the required policies. The plan should include a notional budget, set up at the beginning of the year, to address lifecycle management needs. This would provide the basis for funding requests.

IMTD agrees with the recommendation. IMTD has developed a lifecycle plan that reflects current requirements for asset replacement, and has also streamlined processes for ongoing lifecycle planning. Funding for the lifecycle plan will be included in the IMTD baseline budget, on an ongoing basis. Procurement of assets, in accordance with the plan, will take place on a quarterly basis.

Status: Completed

Recommendation 3: Acquisition, replacement and disposal of assets – Disposal of hardware

The IMTD Director General should formally document the process for declaring an asset as surplus, as well as the disposition process.

IMTD agrees with the recommendation, and has developed procedures and forms for asset disposition.

Status: Completed

Recommendation 4: Management of IT assets – Monitoring and tracking of software

The IMTD Director General should implement one tracking tool for hardware and software inventory, which would enable IMTD to efficiently track all IT assets.

IMTD agrees with the recommendation. IMTD has merged the two systems currently used for tracking hardware inventory into a single tracking tool, and has consolidated its software tracking. All this information is consolidated into two spreadsheets. IMTD will also procure and implement an asset management software solution during the 2012–13 fiscal year, at which time both hardware and software tracking will be merged.

Status: Open

Recommendation 6: Management of IT assets – Verification and reconciliation

The IMTD Director General should implement a scheduled verification process, to verify the existence of IT assets.

IMTD has implemented a scheduled verification process that will, on an ongoing basis, verify the existence of IT assets. A full verification of assets will take place on an annual basis. The IMTD loaner pool will be verified on a monthly basis.

Status: Completed

Recommendation 7: Management of IT assets – Physical asset identification

The IMTD Director General should implement a documented process for assigning asset numbers to IT assets.

IMTD agrees with the recommendation. IMTD has implemented a documented process for assigning asset numbers to IT assets.

Status: Completed

Recommendation 8: Management of IT assets – Safeguarding assets and storage of IT assets

The IMTD Director General should ensure that all IT assets are secured. Management should separate the storage of new IT assets from IT assets that are designated for disposal.

IMTD agrees with the recommendation. IMTD has reviewed physical space layout and developed procedures, in order to ensure that IT assets are secured, and that the storage of new IT assets is separated from the storage of IT assets that are designated for disposal.

Status: Completed

Recommendation 9: Audiovisual equipment

The IMTD Director General should develop and implement a process to track the location of the audio-video equipment, using the asset numbers assigned to this equipment.

IMTD agrees with the recommendation. IMTD has developed and implemented procedures to ensure that audio-video equipment is tracked using assigned asset numbers.

Status: Completed
