Public Accounts Committee on June 18th, 2007

That's fine, Chair. Thank you.

Mr. Chair, we are pleased to be here today to meet with your committee to discuss chapter 3, on large information technology projects. Accompanying me today are Doug Timmins, Assistant Auditor General, and Richard Brisebois, Audit Principal.

Over the past six years the federal government has embarked on many large information technology projects. These large projects are no longer about introducing new computer hardware or systems but rather improving the quality and efficiency of public services. The recognition that there are increasingly complex IT issues that cross departmental boundaries has resulted in horizontal initiatives, such as government online and the secure channel.

During this audit, we attempted to determine whether the Treasury Board of Canada Secretariat had adequately fulfilled its challenge and oversight responsibilities for the large IT projects in our sample. However, the government denied us access to information we needed, stating that most of the information and analysis that it collected and prepared was a Cabinet confidence that could not be disclosed to us.

As a result, we were unable to conclude whether the Treasury Board of Canada Secretariat had carried a proper challenge and oversight role for these projects. However, I am pleased to report that since we completed the audit, our access to this information has been clarified by a new order in council.

In the last three years the federal government has approved funding totalling $8.7 billion for new business projects with significant use of information technology. Individual departments are responsible for managing their projects, but the Treasury Board of Canada Secretariat plays a central role in ensuring that IT projects fit the government's priorities and follow sound management principles.

Overall, the government has made limited progress since our last audit of IT projects in 1997. The federal government still experiences difficulty in managing large information technology projects, despite the existence of a framework of best practices for managing them that dates back to 1998.

We examined a sample of seven large IT projects from four perspectives, governance, business case, organizational capacity, and project management. The seven projects were the global case management system of Citizenship and Immigration Canada; the secure channel of Public Works and Government Services Canada and the Treasury Board Secretariat; the expenditure management information system of the Secretariat; the integrated revenue collections of the Canada Revenue Agency; the 2006 census online of Statistics Canada; AgConnex of Agriculture and Agri-food Canada; and My Account, My Business Account of the Canada Revenue Agency.

The audit found that only two of the seven large IT projects examined—2006 Census online and my account, my business account—met all the criteria for well-managed projects. It is also important to note that these were smaller projects with development timelines of less than three years.

Five of the projects were allowed to proceed with a business case that was incomplete or out of date or contained information that could not be supported. Four of the projects examined were undertaken even though departments lacked either the appropriate skills and experience to manage the projects or the capacity to use the system to improve the way they deliver their programs.

The quality of governance varied widely from project to project. In four projects we found that governance responsibilities were not carried out adequately because key issues that had impact on project performance were either not reported or not resolved.

The persistence of these longstanding problems is extremely troubling, not only because they involve large public investments but also because of lost opportunities to improve business practices and service delivery to Canadians. The government has agreed with all our recommendations, and indicates that it is making improvements in managing large IT projects. The committee may wish to ask the government for a more specific action plan with precise timelines for government action.

That concludes our opening statement, Mr. Chair. We would be pleased to answer any questions the committee members may have.

Thank you, Mr. Chair.

Thank you for the invitation to appear before your committee to discuss the Auditor General's chapter on large information technology projects.

I'd like to introduce the government officials joining me today. I have with me Mr. Alexander, who is the deputy chief information officer of the Government of Canada, and Mr. Poole, who is the chief executive officer of the information technology services branch at Public Works and Government Services Canada.

As you know, Mr. Chair, the government has taken an explicit direction to strengthen accountability and management practices across the public sector. To that end, we welcome the Auditor General's recommendations to improve the management of IT projects, and we are taking action to address her concerns. Furthermore, the Auditor General's recommendations will contribute to the work that is already under way, which I'd now like to outline.

In order to properly position our action plan, I would like to first outline the role of the federal CIO. The role has four components, which are defined as policy, practices, a challenge role, and monitoring.

The first element of our role is policy. Under the authority of Treasury Board ministers, we develop policy instruments that both direct and guide departments when they undertake projects. These instruments serve to clearly explain what is expected of departments and agencies. When developing these policy instruments, we consult with the broad community to ensure that the policies are practical and can be implemented by departments. We also use the management accountability framework to assess departmental compliance with our policies.

In terms of the second element, we establish and share practices related to the management of IT-enabled projects. The enhanced management framework for IT-enabled projects outlines best practices in areas such as risk management, project governance, and project monitoring.

The third element of our role is the challenge function. We review and make recommendations to ministers on departmental and government-wide IT-enabled projects. When departments seek Treasury Board authority or funding for IT-enabled projects, we review with departments their Treasury Board submissions. This review is designed to ensure that they have followed the relevant policies and can demonstrate that they have the necessary evidence of good project planning and oversight in place.

Finally, for projects that are deemed to be higher-risk or particularly sensitive, the CIO branch implements a monitoring regime that allows us to track progress on a regular basis. This allows early warnings to be raised if major issues are encountered, so that proper action can be taken to address these issues.

Those are the four elements of our role. Departments and their deputies are ultimately responsible and accountable for the development and implementation of projects in their departments and for following Treasury Board management policies.

I should note that in certain cases when a project is being developed for government-wide use, such as the secure channel, the chief information officer branch will work across departments to consolidate a broad range of requirements.

I'd like to take a moment and turn to our action plan, which is in line with the four elements of our role.

Part one of our action plan is focused on the policies. As part of a review of all management policies, known as “policy suite renewal”, we are developing new directives, one on management of IT-enabled projects and another on IT investment planning.

Part two of the action plan focuses on practices and will see further improvements to our enhanced management framework, which was first developed in 1995. Departments have been directed to follow this framework when undertaking IT-enabled projects.

I would like to share with you one of the highlights of our efforts to improve the enhanced management framework. Under the framework, we are developing a new capacity assessment tool that departments must complete to determine their readiness to proceed with a project. This assessment includes a review of the department's internal skills to conduct the project, as well as of the ability of the department to accept the business transformation that comes with the project—in other words, to make full use of the new solution.

Part three of the action plan is focused on our challenge role. To improve departments' abilities to prepare for Treasury Board submissions, we are redesigning and updating our process for reviewing these submissions. Increased clarity in what is expected by the secretariat will improve the quality of the challenge process and ensure that departments and agencies are focusing on the right critical issues as they prepare to launch projects and seek Treasury Board ministerial approvals.

The last part of our action plan is focused on the monitoring role. Projects of a given scale and level of complexity will also be required to have independent third-party assessments done at key milestones. This will ensure that management has an independent perspective as to the health of the project. These assessments will also follow standardized techniques to ensure consistency and reliability of the reviews and guidance provided.

In conclusion, we welcome the Auditor General's recommendations to improve the management of IT projects. We are committed to implementing changes to the policies and to taking corrective actions to address these issues, as outlined in our action plan. We know these measures will help to strengthen management practices across government and ensure greater accountability and value for money. We are prepared to speak to the target dates of the action plan in far more detail.

Mr. Chairman, this concludes my remarks.

Thank you very much, Mr. Chairman, members of the committee.

My name is Steven Poole. I am the CEO of ITSB in Public Works.

I'm here today to assist the Treasury Board Secretariat in addressing chapter 3 of the AG's November 2006 report on large IT projects, particularly secure channel.

Mr. Chairman, I will spend only a few minutes to summarize our involvement in secure channel, the centrepiece of Canada's common information technology infrastructure.

As committee members know, the goal of secure channel is to provide Canadians and Canadian businesses with secure, responsive, and private access to Government of Canada online programs and services. Public Works has been responsible for delivery of the technical requirements since June 1999. The architecture and management of the secure channel project was fully transferred to our department in December 2003.

Governance of the project was shared with the Treasury Board Secretariat throughout, with TBS accountable for strategic governance and Public Works accountable for internal project governance.

A significant investment is required to build a secure common infrastructure that protects the integrity of Canadians' information. This approach is more cost-effective than allowing government departments to build and maintain separate infrastructures. Our estimates in Treasury Board submissions as early as June 2001 were close to the actual costs. In 2006, Public Works negotiated a long-term contract with the service provider, which further reduced the estimated cost. The contract was assessed “an excellent deal” by Forrester, an independent technology market and research company.

In essence, to operate secure channel going forward will cost less than $3 per Canadian per year. We recognize that these are significant costs, and that's why Public Works benchmarked these costs to ensure that they were in line with industry averages.

Mr. Chairman, Canadians are concerned about identity theft and have stated that they do not want their personal information at risk. We are serious about protecting Canadians from security breaches. Secure channel has won a number of national awards, including the Canadian information productivity awards in 2005 and in 2006. In fact, at the international level, the project was instrumental in Canada being rated for five consecutive years, by the international research firm Accenture, as number one among 22 countries for its e-government performance.

We take very seriously the comments by the AG in her report. Though the AG noted that the initial take-up of the secure channel was below projections, I am pleased to say that today Canadians have embraced secure channel in unprecedented numbers. In fact, over five million e-passes, which are used to manage individual credentials, have been issued to citizens to date, including census 2006 online, with more than six million business transactions last year. The growth rate for secure channel has been very significant, and demand rose by 200% from 2005 to 2006.

In terms of tangible outcomes, 95% of federal government organizations use at least one secure channel service to enable their online applications; 61 government programs are using e-pass; over 54,000 businesses use Service Canada's record of employment, which has reduced their business transaction time from days to minutes; Foreign Affairs' passport online helped issue over 310,000 passports; Canadian Forces online recruiting is also going strong, with over 178,000 business transactions since they started their program in October 2005.

While the AG did not audit the privacy and security aspects of secure channel, parliamentarians should know that it is providing the best security and privacy protection available to sustain the integrity and trust of the Canadian public. In fact, in 2006 we had millions of security-related alarms that were addressed without a single compromise of our systems.

The AG noted the challenges of delivering these horizontal projects across many departments and agencies. She noted that “The federal government has recognized that there are complex IT issues that cross departmental boundaries”. We have seen that complexity first-hand.

I am pleased to note that secure channel received full marks for project management, as evidenced by its ever-growing success in enabling other projects, such as the two projects in the report that received perfect marks, namely, Statistics Canada census online and the Canada Revenue Agency's “My Account”.

Mr. Chairman and members of the committee, I welcome your questions.

Thank you, Mr. Chair.

In the framework that has been established for the Government of Canada, the Treasury Board Secretariat plays a major challenge role for all these large IT projects. As I noted in my opening statement, we tried to assess that challenge and supervision role, but we were denied access to those documents on the basis that they were cabinet confidences of a nature that we could not see. That has been resolved since. So we were unable to assess how well the Treasury Board Secretariat was carrying out that challenge role.

What we did find in many of the documents, and you can refer to page 26 of our report, was that one of the most significant weaknesses was the lack of a good business case to explain why the project was needed, what the costs would be, and what the ultimate outcomes were. I'll point, for example, to the secure channel. There was no robust business case to explain why the government would eventually spend $400 million to build a secure channel and to explain who was going to use it. There was much temporary funding given over time. In fact, at one point there was even funding given to close the project down that was used to keep it going. So it's about the robustness of a business case.

Perhaps outside firms could help in developing those business cases, but we would certainly expect the Treasury Board Secretariat to play that really significant challenge and supervision role. And we were unable to assess the extent to which they did that.

In the case of the secure challenge, there were, I think, 11 submissions to the Treasury Board, all for temporary funding. We raised this issue, actually, several years ago. Given the size of the project, one would expect to have funding in place for the life of the project and to have a good business case. Who was going to use it? Why were they going to use it? And was there a commitment for these other departments to actually be using it?

Thank you.

As you know, government online was part of a bigger initiative by the government called Connecting Canadians, and as we look at that, the secure channel was a clear component piece to enable government online to achieve its outcomes. So, as Mr. Poole indicated in his opening statements, secure channel was a broad component piece to enable what we call GOL, government online. Government online was required to make 130 of the most commonly used services available to Canadians.

So the business case behind the secure channel, as an enabler, really relied on enabling those 130 transactions that required the types of networks and the type of security that are available through the secure channel. One of the challenges had been, at the time, in 2003, that the departments had identified those services but hadn't clearly identified perhaps the volume of activity that would come through the secure channel.

There was also, as you point out, a question from the Auditor General, at the time, in terms of sustainability. So funding had been made available through government online to develop the secure channel, but then the question was, at what point would we go into a long-term sustainable model. I think the questions of governance really focus in on the question of the long-term sustainable model, and the funding for the secure channel basically wrapped up—

We finished in June of 2006, but some of the projects would have gone back. Secure channel, for instance, started in 1999. So some of those projects would have been over several years.

No, we have not seen that.

That business case has been developed. It was passed to Treasury Board Secretariat and has been approved. My colleagues can comment. It's the latest business case.