Audit of Recordkeeping Transformation
December 11, 2015
Table of Contents
- Acronyms Used in this Report
- 1.0 Introduction
- 2.0 Audit Conclusion
- 3.0 Audit Findings and Recommendations
- 4.0 Management Response
- 5.0 Management Action Plan
Acronyms Used in this Report
| Acronym | Meaning |
|---|---|
| ADM-CSB | Assistant Deputy Minister, Corporate Services Branch |
| CISD | Corporate Information Services Division |
| GC | Government of Canada |
| GCDOCS | *see note below |
| IRBV | Information Resources of Business Value |
| OCG | Office of the Comptroller General |
| PCO | Privy Council Office |
| PWGSC | Public Works and Government Services |
| RKTS | Recordkeeping Transformation Strategy |
| RDIMS | Records, Documents Information Management System |
| TBS | Treasury Board Secretariat |
Note - GCDOCS is the name applied by the Government of Canada to its enterprise documents and information management solution. This solution is also identified in this report by the name “Content Server 2010” which is the name given to this solution by the software vendor OpenText.
This Audit of Recordkeeping Transformation was approved by the Clerk for completion in 2015-16 as part of the 2014-15 to 2016-17 Risk-Based Audit Plan for the Privy Council Office (PCO).
The overall objective of this audit was to provide assurance on the effective implementation of PCO’s Recordkeeping Transformation Strategy (RKTS) and the implementation of PCO’s commitments made in response to the Office of Comptroller General’s (OCG) 2011 Horizontal Internal Audit of Electronic Recordkeeping in Large Departments and Agencies. This overall objective included a review of PCO’s self-assessment of compliance to the Treasury Board (TB) Directive on Recordkeeping which was submitted to TB Secretariat (TBS) as required.
The scope of the audit included recordkeeping transformation activities in the Department that occurred after the approval of the RKTS in July 2011 up to the start of the audit in March 2015. Consistent with the nature of the RKTS, the audit was department-wide in nature and included operational and oversight controls used for the identification of information resources of business value, protection and risk mitigation, recordkeeping tools and methodologies, recordkeeping practices, and awareness and training. Audit testing was limited to recordkeeping transformation activities conducted during the in-scope period of the audit. Within this scope, the audit was comprised of the following five (5) lines of enquiry:
- Policy and Governance;
- People and Capacity;
- Information Architecture;
- Information Management Tools and Applications; and
- Information Management Service Delivery.
1.4.1 The Government of Canada's Information Management Strategy
The Government of Canada’s (GC) 2010 Information Management (IM) Strategy sets out four (4) strategic goals in support of the GC’s vision for a coordinated approach to the effective enterprise level management of information assets. The four strategic goals associated with this GC Strategy are:
Government of Canada's Enterprise IM Framework:
- Policy and Governance - A fully implemented set of policy instruments supporting information management outcomes, defined accountabilities, and enterprise information management governance.
- People and Capacity - A highly-skilled GC workforce that achieves information management outcomes by applying the appropriate information management policy instruments.
- Enterprise Information Architecture - A fully documented and sustainable set of information architecture services, principles, methods, standards and processes that respond to the information needs of the GC enterprise.
- IM Tools and Applications - Enterprise information management tools that fully support the business user and that are compliant with the information architecture.
The TB Policy on Information Management supports the GC’s IM Strategy by promoting efficient and effective information management to support program and service delivery; informed decision making; accountability, transparency, and collaboration; and the preservation/access to information and records. This Policy is directly supported by TB’s Directive on Recordkeeping and its Directive on Information Management Roles and Responsibilities. It is further supported by Standards regarding Metadata and Electronic Document and Records Management Systems.
When introduced in June 2009, the GC Directive on Recordkeeping contained new requirements for records management in the following key areas:
- Identification of information resources of business value (IRBV);
- Protection and risk mitigation;
- Recordkeeping tools and methodologies (e.g., classification structures, repositories and ongoing disposition, etc.);
- Recordkeeping practices; and
- Awareness and training.
1.4.2 PCO's Record Keeping Transformation Strategy
In order to comply with the TB Directive on Recordkeeping, PCO prepared and adopted a three-year Recordkeeping Transformation Strategy to set out the measures that would guide the Department in this endeavor. The RKTS was developed by the Corporate Services Branch and was approved by PCO’s Executive Committee in July 2011. In addition to establishing four strategic objectives which mirror the GC’s strategic goals, the RKTS set out PCO’s ultimate goal which is collectively articulated in the bullets below - these statements were referred to in the RKTS as PCO’s Recordkeeping Transformation Vision:
- PCO’s business processes are defined and documented; and the infrastructure is in place to support them electronically;
- The resulting information resources of business value are systematically captured in electronic recordkeeping repositories and recordkeeping is initiated at the point of creation; and
- PCO integrates effective recordkeeping practices in its day-to-day business operations so that IRBVs are available for use as strategic assets by PCO stakeholders to facilitate decision making and the efficient delivery of PCO programs and services, and for ongoing preservation in PCO’s recordkeeping system.
Since 2011, the Corporate Information Services Division (CISD) of PCO’s Corporate Services Branch has taken a variety of steps in support of RKTS objectives. These include, among other things, the establishment of policies, directives and guidance; the identification of IRBVs; and the documentation of processes and manuals.
1.4.3 OCG Horizontal Internal Audit of Recordkeeping in Large Departments and Agencies
In September 2011, the OCG published the results of their Horizontal Internal Audit of Electronic Recordkeeping in Large Departments and Agencies. The objective of this audit was to determine whether large departments and agencies were fulfilling the requirements of the TB Information Management Policy Suite, with particular focus on electronic recordkeeping. PCO was included in the audit.
The recommendations resulting from this OCG horizontal audit included such matters as the identification of IRBVs, development of formal processes and policies, and delivery of training. With these recommendations having been addressed within PCO’s RKTS, the Department’s commitments in response to the OCG’s audit recommendations have been effectively integrated within the implementation of PCO’s RKTS.
1.5 Approach and Methodology
During audit planning, the risks to recordkeeping at PCO were identified and assessed. Based on this risk assessment, the audit focused on: the completion of the RKTS, compliance with the TB Directive on Recordkeeping, awareness and training, the identification of records of business value, recordkeeping accountabilities, and recordkeeping applications and tools. The audit team then developed an audit plan which included audit criteria sourced from TB policies, directives and guidelines and obtained management concurrence with these criteria.
The audit’s examination phase consisted of a review of key outputs produced by CISD through the implementation of the RKTS as well as other relevant recordkeeping documents. Audit testing was conducted on the identified records of business value and metadata related to InfoXpress to assess the extent to which these elements of the RKTS were completed and conform with TB requirements. A review was conducted of the Recordkeeping Accountability Tool and interviews were conducted with CISD personnel who were either integrally involved in the implementation of the RKTS or who have a critical role in ongoing recordkeeping operations.
Audit findings were developed and validated with CISD, and a draft report was prepared and provided to the Assistant Deputy Minister, Corporate Services Branch (ADM-CSB) for response and for development of a management action plan to address the audit’s recommendations (see Section 5.0). Draft audit reports, including management’s action plans, are tabled at PCO’s Audit Committee for review and acceptance, after which they are jointly recommended by the Chief Audit Executive and the Chair of the Audit Committee to the Clerk of the Privy Council for formal approval.
1.6 Statement of Conformance
In my professional opinion as Chief Audit Executive, this audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of PCO’s quality assurance and improvement program.
Original signed by:
Chief Audit Executive
2.0 Audit Conclusion
PCO implemented the vast majority of its Recordkeeping Transformation Strategy by March 2015, with ongoing transformation activities having subsequently moved the Department closer to full RKTS implementation. Further, PCO’s required self-assessment of compliance with the Treasury Board Directive on Recordkeeping that was submitted to Treasury Board Secretariat was confirmed by this audit. The audit also confirmed that PCO has followed through on the majority of its commitments in relation to recommendations in the Office of the Comptroller General’s Horizontal Internal Audit of Electronic Recordkeeping in Large Departments and Agencies. However, the audit noted opportunities for improvement in the areas of information management training and awareness.
3.0 Audit Findings and Recommendations
3.1 Policy and Governance
3.1.1 PCO has a governance structure in place to effectively support an IM strategy and IM outcomes
IM governance is integrated within PCO’s corporate management governance structure. The lead governance body is the PCO Executive Committee which is chaired by the Clerk. Executive Committee reviews the overall management of the Department and exercises decision making over, among other things, strategic IM and Information Technology (IT) issues.
PCO’s Corporate Management Advisory Committee is the primary entity supporting Executive Committee. Through the provision of advice and recommendations to Executive Committee and/or the ADM-CSB, this committee provides strategic leadership and direction for, among other things, corporate level IM and IT matters. Any matter related to the overall management of the Department that requires a formal approval is to be brought to the Executive Committee.
The Departmental Audit Committee also plays an oversight role in PCO’s governance structure as an advisory body to the Clerk. In addition to the annual briefings and updates to the Executive Committee, the ADM-CSB, in her capacity as the Information Management Senior Official, provides periodic briefings and updates to the Audit Committee.
PCO’s governance structure provided effective support to CISD during the implementation of the RKTS. The audit team reviewed periodic status reports and progress updates that were provided by CISD to Corporate Management Advisory Committee. Status updates and progress reports were also provided to Audit Committee and to Executive Committee for information. Approvals were sought from Executive Committee to adjust direction of the RKTS as needed.
3.1.2 PCO has a set of policy instruments supporting recordkeeping and information management outcomes, defined accountabilities and information architecture governance
PCO’s senior management has established an IM Policy and put monitoring and reporting processes in place. There are clear accountabilities for information management. Under the requirements of the policy, the ADM-CSB, in her capacity as the Information Management Senior Official, has overall responsibility for the effective management of information within the Department. The policy provides for a governance and accountability structure to provide oversight and direction for the management of information within the Department.
The policy requires all employees and workers to be “...responsible for applying information management principles, standards and practices in the performance of their duties...” and “...for documenting their activities and decisions within official information repositories.”
Also, the policy mandates Managers to be “...responsible for ensuring employees and workers understand and apply effective information management in day-to-day operations, for assigning information management responsibilities and for making information management training and awareness available to their employees.”
3.1.3 PCO's recordkeeping policies and procedures are consistent with relevant Government of Canada requirements including the TBS Directive on Recordkeeping
The audit identified that implementation of the RKTS included the development of a set of policy instruments to define and support PCO’s approach to IM management, including outcomes and accountabilities. Specifically, CISD established a new Policy on Information Management which came into effect on January 1, 2014. This new policy sets out PCO’s objectives, policy requirements, and accountabilities related to IM.
Further, the PCO Directive on Recordkeeping was issued by the ADM-CSB in her capacity as the Department’s Information Management Senior Official pursuant to the Department’s Policy on Information Management. This PCO Directive supports the governance and accountability processes outlined by the Department’s Policy on Information Management. Specifically, it sets out key recordkeeping processes including: the identification, capture, and retention of IRBVs; the use of metadata; and the conversion of records from paper format to electronic format.
The effective management of information within PCO was further supported when CISD established a Logic Model and Performance Measurement Framework document. Developed in response to the OCG Horizontal Internal Audit of Electronic Recordkeeping in Large Departments and Agencies, this document sets out the key departmental outcomes related to recordkeeping including:
- Improved information stewardship in PCO;
- Improved effectiveness of IM within PCO;
- Improved IM accountability, transparency, and collaboration within PCO;
- Increased action by PCO management and staff reinforcing the need for good information and recordkeeping programs;
- Increased transfer of PCO information to external stakeholders; and
- Increased access by PCO management and staff to the IM infrastructure needed to apply IM practices.
The audit team conducted a thorough review of the PCO policy instruments developed during the implementation of the RKTS and found that they were well aligned with relevant TB requirements including the TB Policy on IM and its Directive on Recordkeeping.
3.2 People and Capacity
PCO has established a suite of IM training sessions which help employees understand their IM roles and responsibilities and how to use PCO’s information systems. However, audit results indicate some training information and materials are out of date and should be updated, while opportunities still exist to provide IM training to employees who have not yet had this training.
Audit results show that CISD provides training to its staff to enhance their capacity and expertise. Training programs and courses were provided to CISD personnel to prepare them for certification and enhance their capacity to execute the RKTS. Also, during the implementation of the RKTS, the Information Management Policy section was re-organized with a view to ensuring that positions were staffed with personnel with the required qualifications.
At the departmental level, CISD provides IM training sessions which help employees understand their IM roles and responsibilities. CISD tracks who attends these in-house training sessions. Classroom sessions on InfoXpress are delivered on a regular basis in a dedicated training room equipped with computers.
Mandatory group training sessions on how to manage email per the GC Standard on Email Management and applicable PCO policies and directives are also held regularly for all new employees and for employees with email accounts over 1.5 gigabytes in size. This training is also available to any other interested PCO employees on an optional basis. Monthly reports on attendance at the mandatory sessions are sent to Assistant Secretaries and Business Unit Coordinators within PCO’s various business units. The content of these email management training sessions was reviewed and updated following publication of this Standard in January 2015. In addition, there is a “Step-by-Step Guide to Managing your Emails” readily available on the PCO Intranet as well as other relevant materials and guidelines on managing e-mails as information resources of business value.
CISD also provides group training sessions on an as-requested basis that are designed to improve awareness and understanding of information management policies, directives and best practices. Detailed training and information materials which provide guidance on recordkeeping responsibilities and on how to use InfoXpress are also readily available on the department’s Intranet site.
The training activities and materials described above are benefiting PCO and its employees. However, audit results indicate there is further opportunity to update some training materials (e.g. PCO’s document entitled A Recordkeeping Guide for PCO Employees) to reflect: the January 2014 roll-out of PCO’s Policy on Information Management and Directive on Recordkeeping; and as appropriate, the subsequent establishment of IRBV matrices (see section 3.3.1 below).
- PCO’s Chief Information Officer should ensure that IM training information and materials are updated as required, and by working with PCO management, that IM training is provided to any PCO employees who have not yet had this training to ensure they understand their IM and recordkeeping roles and responsibilities.
3.3 Information Architecture
3.3.1 PCO has undertaken and has almost completed a process for the identification of Information Resources of Business Value
A critical element of the RKTS was the identification of IRBVs. To undertake this exercise, CISD followed a multi-phased approach that included establishing an ad hoc working group comprised of representatives from each major PCO organizational unit. The outputs of this process were a series of IRBV matrices and related Recordkeeping Accountability Instruments. An IRBV matrix was completed for each major organizational unit within PCO which specifies that unit’s IRBVs, the business processes to which those IRBVs relate, the accountable record keepers in that unit, and record retention periods and storage locations. Similarly, the Recordkeeping Accountability Instruments that were developed for each unit set out the accountabilities of the unit and CISD for managing, protecting, storing, classifying, retaining and disposing of IRBVs.
The audit team tested the IRBV matrices to validate that the identification of resources of business value has been completed. Testing confirmed these matrices have been completed for all major PCO organizational units by the TBS March 31, 2015 deadline with the exception of Cabinet Confidences. Audit results suggest that the IRBV matrix for the Cabinet Confidences business unit was almost complete and would require additional validation with branch staff before it would be finalized.[1]
3.3.2 Additional work is required to support the organization and description of IRBVs
Responsibilities related to the organization and descriptions of IRBVs are set out in the key PCO policy instruments. The PCO Policy on Information Management sets out general requirements related to the creation, organization, and the accessing and maintenance of IRBVs, while the PCO Directive on Recordkeeping sets out the requirements for the storage, maintenance, and protection of records. More specifically, managers are responsible to implement procedures within their business processes to capture records of business value in repositories designated by the Information Management Senior Official. All records are to be arranged and organized using a standard classification structure maintained by CISD, and standard metadata maintained by CISD is to be used to describe the content, context, and structure of the record.
During testing, the audit team noted that mandatory fields that must be completed when creating an InfoXpress file can sometimes be auto-populated based on default settings (except the “Title” field). One example is the “Type” field which describes the business record being created/stored. Whether or not key mandatory fields are auto-populated, the ability to select different options for each of the key mandatory fields creates an inherent risk that records could be classified incorrectly by their originators and therefore that records management personnel might not be able to rely on the associated metadata when managing PCO’s records. Communications, training and awareness are seen as the most effective ways to deal with this potential variability.
3.4 Information Management Tools and Applications
PCO’s information management system (RDIMS) enables the Department to meet its information management and recordkeeping responsibilities. However, in keeping with the direction of the GC IM Strategy, PCO has been steadily advancing its state of readiness to adopt the new IM system GCDOCS when it becomes available to the Department. Audit results indicate the steady advances made to date have positioned PCO well for an eventual migration to GCDOCS.
PCO uses the Records, Documents Information Management System (RDIMS - otherwise known as InfoXpress) as its information management and recordkeeping system. InfoXpress enables PCO to meet its information management and recordkeeping responsibilities. Employees using InfoXpress are supported by some of the training sessions discussed in section 3.2 above.
The TB IM Policy Suite outlines as one of its expected results having mechanisms in place to ensure the continuous and effective management of information. The Government of Canada has been steadily moving in the direction of adopting the GCDOCS information management system. To this end, prior to establishing its RKTS in 2011, PCO conducted its own requirements exercise and determined that Content Server 2010 (GCDOCS) would best support full electronic recordkeeping within the Department. Various benefits and improvements are expected from GCDOCS including enabling automated disposition of records, supporting metadata requirements for electronic recordkeeping, and facilitating integration with a new correspondence management system.
PCO has been preparing itself since 2010-11 for the migration to GCDOCS. The Department has adopted both an InfoXpress Modernization Strategy (which contained an associated training strategy) and a change management strategy. Additionally, InfoXpress support staff have been trained on GCDOCS and received certification from the software vendor (OpenText Corporation).
When PCO established its RKTS in 2011, it was anticipated the Department would comply with the Government of Canada strategy (which was being led by TBS and PWGSC) and would obtain access to GCDOCS via one of various departments serving as an application service provider. This application service provider model was ultimately not successful, and PWGSC is now the sole application service provider for GCDOCS at the “Unclassified” and “Protected B” levels while TBS is serving as the application service provider for “Secret” level GCDOCS.
Since 2014-15, PCO has been working with TBS in its application service provider role on plans for upgrading the Department’s Secret-level recordkeeping systems. Management has indicated that TBS has now established the GCDOCS environment for PCO while PCO has been revising its File Classification Structure to better align it with the GC file classification structure for GCDOCS. Management has also indicated that PCO is using the results of its RKTS implementation (e.g., IRBV identification, retention schedules, and a new disposition authority) to analyze documents currently held in InfoXpress and make recommendations to document “owners” regarding retention or disposal. This is largely a manual process that is also intended to reduce the amount of data to be migrated to GCDOCS.
In 2014-15, in relation to the “Protected B” service, PCO indicated to PWGSC its intent to migrate to GCDOCS and submitted a completed GCDOCS readiness assessment, a requirement that is to be in place before migration can occur. CISD reports that a response has not been received and that the “Protected B” service is not yet available from PWGSC. It is uncertain when this service may become available to PCO.
In the interim, PCO is using InfoXpress as its IM and recordkeeping system while it continues to move forward with recordkeeping transformation activities. By implementing its RKTS to the current level, PCO has steadily advanced its state of readiness for GCDOCS. The Department has also been actively monitoring relevant developments at a government-wide level. To ensure PCO maintains its current posture, the Chief Information Officer is engaged in ongoing talks with her counterparts at TBS and PWGSC, and with other key stakeholder organizations.
3.5 Information Management Service Delivery
3.5.1 PCO is compliant with the vast majority of the Government of Canada's recordkeeping requirements
Through the implementation of the RKTS, PCO has made strides in ensuring that its recordkeeping practices facilitate timely and appropriate decision-making and delivery of efficient services in all strategic and operational areas of the Department. As required by TBS, CISD conducted a self-assessment of PCO’s compliance with the TB Directive on Recordkeeping using a Recordkeeping Assessment Tool provided by TBS to various government departments. PCO’s self-assessment results, which indicated a 93% compliance rate, were submitted to TBS and considered during TBS’s Management Accountability Framework assessment of PCO. TBS raised no concerns in its assessment of this area of PCO.
The audit team reviewed PCO’s self-assessment and concurred with its results, but noted that disposition processes for most of the IRBV matrices had not yet been established. CISD had duly noted this in the respective IRBV matrices it had created. Although retention schedules had been established (largely based on historic retention schedules), CISD was waiting to receive its Records Disposition Authority from Library and Archives Canada before establishing the required disposition processes.
PCO completed its IRBV matrices by TBS’s March 2015 deadline and received its Records Disposition Authority from Library and Archives Canada on April 9, 2015. As such, CISD was then in a position to establish disposition plans for IRBVs to ensure disposition activities would occur as required. CISD has developed and is implementing a Disposition Plan for 2015-16.
3.5.2 Further to implementing its RKTS, PCO is launching a pilot project to digitize the process used to create briefing notes from the Office of Legal Operations/Counsel to the Prime Minister
The Government of Canada is committed to greater use of electronic systems for managing its data and information as evidenced by the TB Policy on Information Management which states that “Deputy heads are responsible for ensuring that electronic systems are the preferred means of creating, using, and managing information.”
In response to this objective, PCO acknowledged in its RKTS that “...the implementation of the new functionality in InfoXpress will be a key success factor in enabling PCO to adopt electronic business processes broadly following 2014”.
In keeping with the spirit underlying PCO’s RKTS, CISD undertook a digitization project across 2013 to 2015 whereby a significant amount of paper based records, the majority of which were classified Secret, were scanned for electronic retention.
CISD is also collaborating with the Office of Legal Operations/Counsel to launch a pilot project to digitize the process used to create briefing notes from that office to the Prime Minister. This pilot project builds on the reference in the RKTS which noted that operational units had expressed increased desire to adopt electronic work processes and approvals. The intent of the pilot is to incorporate digital recordkeeping into the existing paper-based process and, at the end of the pilot, to determine if/how similar projects could be successfully applied in other areas of the Department. This project could play a valuable role as a proof of concept for how PCO might move forward with the implementation of more e-based rather than paper-based business processes.
3.6 Subsequent Events
Subsequent to the audit’s scope period, PCO has developed various e-business projects and initiatives which build on the implementation of the RKTS.
PCO recognizes that one of the keys to managing digital records successfully lies in building recordkeeping steps into business processes. The Clerk’s Destination 2020 initiative noted a move towards having “...technology supporting a paperless environment wherever feasible”[2]. To that end, PCO has undertaken two e-business process projects (see below) which occurred subsequent to the scope period of this audit.
It must be noted that because these projects and initiatives occurred outside the scope of this audit, they were not subjected to any audit tests or other procedures during the conduct of the audit. As such, they are only included here for information purposes as a demonstration of the Department’s movement towards the adoption of an increasing number of e-business processes.
The Department is working on a “PCO 2015 - 2018 IM/IT Integrated Strategy” which, if formally adopted, would establish among other things the premise for increasing the Department’s IM/IT effectiveness and value by enhancing the use of electronic information management systems. In line with the view expressed in PCO’s Destination 2020 of having “...technology supporting a paperless environment wherever feasible,” there are other ongoing efforts which are moving PCO closer to the use of electronic systems as the preferred means of creating, using and managing information. Two of these, as mentioned above, include: E-TRANSITION - an initiative recently used to provide Transition Books in electronic format, and E-CABINET - a study on how to use modern technologies to deliver relevant information to decision-makers. Additionally, PCO is working on E-BRIEFINGS - a study on how to provide briefing notes using electronic means.
4.0 Management Response
Management accepts this report and will oversee the implementation of its recommendation.
5.0 Management Action Plan
Audit of Recordkeeping Transformation
| Recommendation | Response and Planned Actions | Responsibility | Due Date |
|---|---|---|---|
| PCO’s Chief Information Officer should ensure that IM training information and materials are updated as required, and by working with PCO management, that IM training is provided to any PCO employees who have not yet had this training to ensure they understand their IM and recordkeeping roles and responsibilities. | Management agrees with the recommendation and will update the training material and provide the ADM of Corporate Services a report with which PCO employees have not yet had their training and a recommended plan to provide their training within 6 months. Furthermore, the training will be continuous and will evolve over time to address organizational needs and changing technologies. | CIO | Report and Plan - February 2016 |
[1] Upon completion of the examination phase of the audit, CISD indicated that two new business units, i.e., Blueprint 2020 National Secretariat and the Central Innovation Hub have also been added to PCO's organizational set-up. Matrices will be developed for these units accordingly.
[2] See PCO Destination 2020 Pg. 7.