Public Accounts Committee on June 1st, 2010

Thank you, Mr. Chair.

We thank you for this opportunity to discuss the results of our audit of aging information technology systems. As you mentioned, I am joined today by Nancy Cheng, Assistant Auditor General, who is responsible for this audit.

The federal government relies on information technology systems to deliver programs and services to Canadians. Many of these systems are aging and several are at risk of breaking down. While systems are currently working, a breakdown could have severe consequences. At worst, some government programs and services could no longer be delivered to Canadians. The renewal and modernization of IT systems can take many years as well as significant investments that must be planned and budgeted for over the long term.

As part of this audit we looked at five government entities with the largest information technology expenditures to determine whether they have adequately identified and managed the risks related to aging IT systems. The audit also examined whether the Chief Information Officer Branch of the Treasury Board of Canada Secretariat has determined if aging information technology systems is an area of importance to the government as a whole and the extent to which it has provided direction or leadership in developing government-wide responses to address the related risks.

We looked at three major systems that deliver essential services to Canadians—the employment insurance program, the personal income tax and benefits return administration system, and the standard payment system. We also surveyed 40 chief information officers of departments and agencies in the federal government that accounted for more than 95% of spending on information technology. The survey of CIOs indicated that aging information technology was a significant risk.

The five organizations we audited have all identified aging IT systems as a major risk. They have taken some steps but most of them have not gone far enough to manage that risk. Organizations need to manage their IT systems as a portfolio and prioritize investment projects according to risk and impact on program delivery. They also need to prepare a multi-year investment plan and a funding strategy to meet the investment requirements.

The funding requirements to address aging IT risks can be significant. Three of the five organizations that have developed multi-year investments plans, that being the Canada Revenue Agency, HRSDC, and the RCMP, have identified significant shortfalls in the funding available to modernize their critical information systems and technology infrastructure. These organizations alone have estimated the funding shortfall at $2 billion.

We found that the chief information officer branch of the Treasury Board of Canada Secretariat has been aware that aging IT poses significant government-wide risks for over a decade; however, it has not formally identified the issue as an area of importance for the government. Furthermore, it has not established or implemented government-wide strategic directions to address the issue. We recommended that the chief information officer prepare a report on the state of aging IT systems across government and develop a plan to address it.

Mr. Chair, PWGSC and HRSDC have shared with us a copy of their management action plan. If fully implemented, these plans should address the concerns that we raised in our report. As well, the committee may wish to ask the chief information officer what she intends to do about this issue.

Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions that committee members may have.

Thank you.

Thank you, Mr. Chairman. I would like to thank you for having invited us to appear before the committee with regard to chapter 1 of the Auditor General's spring report, which deals with the aging information technology systems of the Government of Canada.

As you pointed out, I am here with my colleague Ms. Corinne Charette, the Chief Information Officer of the Government of Canada. Ms. Charette is responsible for the Chief Information Officer Branch in the Treasury Board Secretariat, which provides strategic direction and leadership in the areas of information management and information technology for the Government of Canada.

I would like to start by thanking the Auditor General for her work on the issue related to the risks and aging of IT systems.

When Ms. Fraser appeared before your committee in April to speak about her report, she remarked that this was the first time her office had looked at how the government as a whole was managing the risk of aging IT systems. Her report made us recognize that we haven't taken a government-wide perspective on the risks posed by aging IT systems.

I would submit that this is not surprising, in part given our accountability structure. This is a structure where deputy heads are responsible for managing all aspects of their operations, including their enabling IT systems and infrastructure to deliver on their legislative mandates. When it comes to IT systems, each deputy head has the responsibility to identify their IT plans, development, maintenance, and investment needs. They also develop and implement IT spending decisions and ensure appropriate ongoing measurement of their IT performance.

As a central agency, the Treasury Board of Canada Secretariat isn't there to tell departments how to manage their organizations. Rather, we are responsible for establishing overall government-wide strategic direction for information technology through policies and policy instruments. We also support capacity development and the coordination of efforts and initiatives as required. We do this in consultation with departments. We also monitor compliance of the policy instruments and we play a challenge function in relation to new IT investments.

The secretariat also plays an important enabling role. We support all departments and agencies in implementing the government's information management and information technology strategies. We do this through collaboration, tools and guidance. However, I do not want to give you the impression that we have not taken into account risks related to information technology systems.

That is why, until now, we have looked at the risk of departmental IT systems on a case-by-case basis, and we have worked with departments on renewing critical systems, such as those regarding pensions, pay, employment insurance, case management, and others.

Ms. Fraser, the Auditor General, has encouraged us, in her report, to adopt a more Canada-wide perspective. In response to Ms. Fraser's report, we have committed to assess the state of IT systems across government. Our action plan sets out how we will do this. The first step is to collect and analyze relevant information. Our assessment will be completed by April 2011. Based on this information, the secretariat will provide guidance and direction to all departments in setting their technology investment priorities. All departments will be strongly encouraged to have a plan in place by April 2012.

Our objective is to work with departments so as to not simply replace existing systems with new ones. We want to work with departments to identify mission-critical systems and to identify common systems and platforms where consolidation could reduce overlap and duplication, where possible. Through this process the goal is to enhance effectiveness and find efficiencies, ensure that departmental legislative and business requirements are met, and improve service delivery to Canadians. To do this well, it will take some time.

The timing of this assessment aligns also with the administrative services review announced in budget 2010. Through this review we will be looking to streamline and standardize business processes, which are important steps, before we look at replacing aging systems.

IT systems are not an end in themselves. They support departmental mandates and government priorities. Movement towards streamlined and standardized business processes and platforms should mean we'll have fewer systems to replace and to maintain.

All of this work is vital to ensuring that IT systems in the government are effective and that they have the capacity to meet current and future business needs. We look forward to working with departments and agencies on this important field.

Corinne and I would be pleased to take your questions.

Thank you, Mr. Chairman.

I am pleased to be here today to represent Human Resources and Skills Development Canada and to discuss and provide additional insights with respect to the recommendations laid out in chapter 1 of the Spring 2010 Report of the Auditor General of Canada.

First, let me say that HRSDC agrees with the recommendations put forth in the Auditor General's report concerning aging IT. I want to assure you that meeting the Government of Canada's commitments to Canadians is the department's first priority. Ensuring timely and accurate payments to Canadians, as well as the protection and security of the information entrusted to us by Canadians, is a priority for HRSDC.

We take our responsibilities very seriously. The EI, CPP, and OAS programs represent $80 billion annually in social benefits to Canadians, representing 85% of all Government of Canada payments to citizens. These payments all rely on technology. So a modern IT infrastructure is critical to the sustainability of the delivery of programs and services to Canadians.

While there are definitely areas that require some attention, let me reassure the committee that Canadians are not at risk. There have been no IT failures as a result of aging IT infrastructure that have impacted payments to Canadians.

When we speak about our IT infrastructure, it is important to understand that this is an ongoing process, similar to regular maintenance on a vehicle. Have we ensured the right level of maintenance on our IT infrastructure over the years? Perhaps not. However, I want to assure you that our IT systems are not in danger of collapsing. Our applications are stable. The department is proud to cite a 98% availability for its systems. No systems, government or otherwise, have an uptime of 100%.

I should also point out that the volume increases experienced over the last two years have been unprecedented. During this period, the EI system consistently delivered benefits to Canadians in need.

It is important to mention that over the last few years, we have been working towards refreshing our IT assets, and we continue to do so. For example, over the past three fiscal years the department has invested some $120 million to modernize its technology.

In the fall of 2007, existing mainframe computers were replaced with the next generation of mainframes. This replacement provided a newer technological platform and business continuity for ensuring continued delivery of essential services and benefits to Canadians.

Last year a multi-year project resulted in a fully modernized system to support Canada Pension Plan benefit delivery, eliminating two legacy applications. Implemented in May 2009, the new system has processed over 600,000 new CPP benefits and issued over 45 million CPP benefit payments for seniors, the disabled, and survivors.

In 2009-10, in response to the economic action plan, components that posed imminent risk to the continuity of business operations were replaced.

However, there is still much work to be done. As I said earlier, HRSDC agrees with all the recommendations in the Auditor General's report. HRSDC knows that it needs to make a concerted effort to address issues that are looming on the horizon with respect to our aging IT. We are developing a comprehensive plan to address the recommendations in the Auditor General's report. We need to position these efforts in the broader context of the department, and we need to plan for better ongoing maintenance going forward.

We are adopting a portfolio-wide approach for the management of IT, integrated into our five-year IM/IT strategic plan. Fully integrated into our strategic plan will be risk identification, mitigation strategies, and controls to ensure that we effectively manage any risks.

Linked to that, we are working on a multi-year investment plan. Specific attention will be paid to the full economic life cycle of IT assets and to establishing indicators that will support us in assessing the risks associated with our technology assets. This investment plan will also include a prioritization of what elements need to be addressed first in modernizing the department's IT infrastructure.

The level of financial investment required will be determined as part of our strategic plan, linked to the broader business plan for the department. In developing the funding strategy to support our investment plan, we need to be particularly cognizant of the fiscal realities facing the country and HRSDC.

In conclusion, it is important that I express HRSDC's commitment to Canadians and the programs and services that we deliver. Because of that, the issues identified in the audit are taken very seriously. What we have done to date, coupled with our future plans, are important steps in addressing what was identified by the Auditor General.

I'm happy to answer any questions you may have.

Thank you.

Thank you, Mr. Chairman.

I am very pleased to have this opportunity to appear before this committee with Mr. John Rath-Wilson, Chief Operating Officer, to discuss the Auditor General's report on aging information technology systems and her recommendations.

Let me begin by saying that after thorough analysis, PWGSC accepts all of the Auditor General's recommendations related to the management of risk associated with aging information technology systems.

PWGSC's Information Technology Services Branch—or ITSB—has a dual function: to both manage our own department's information management and information technology, IM\IT, services and to deliver the Government of Canada's common IT infrastructure services, while acting on Treasury Board Secretariat Government of Canada-wide IM\IT strategic direction and policy.

Conscious of its critical role, ITSB has developed and continues to implement risk mitigation strategies related to its mission-critical systems.

As you know, the department's goal is to excel in government operations by providing high-quality programs and services that meet the needs of federal organizations and ensure sound stewardship on behalf of Canadians. I am proud to state that during the 2009-10 fiscal year, we achieved a record of infrastructure availability for our mission-critical systems of 99.7%. This is beyond our expectations.

These services are supported by IT systems, and it is important to note that none of our critical systems have ever experienced or caused a business failure.

We are pleased that the AG acknowledged that PWGSC has many of the required planning and monitoring elements already in place. She identified three recommendations that are specific to our department. The first recommendation calls for the implementation of a department-wide portfolio management approach. PWGSC has enhanced its IT governance to ensure it provides effective oversight of its IT portfolio, including maintaining an organized and prioritized inventory of all assets. Specifically, the new framework, which will be implemented over the next twelve months, will enable the department to use a consistent value and risk assessment process when deciding on investment for IT systems within program priorities.

The second recommendation calls for the development of a multi-year IT investment plan. In fact, by the time the Auditor General's report was released in April, PWGSC had already developed the first iteration of its five-year plan for information management and information technology.

In bringing together several existing components of our planning process, we examine mandatory and discretionary investment to improve overall service delivery and ensure that existing systems can be sustained.

Public Works has successfully managed a number of IT-enabled business projects under our current management approach. I know that in previous audits, Public Works has received positive marks for its project management capacity and capability.

Each year we have invested in maintaining our infrastructure. Over the past three years, we've increased our capacity and developed a multi-year rust-out plan. For example, we've invested $9 million in 2009-10 against our department's five-year plan. We have invested $29 million through Treasury Board funding for program integrity. This fully addressed critical IT infrastructure rust-out issues that were identified in 2007 and 2008.

In addition, ITSB is engaged in every major Public Works transformation project and investment, including $220 million for the pension modernization project; $192 million for the pay system modernization project, which will be completed in 2015-16; and $50 million in a new financial system aligned with the Treasury Board policy on the stewardship of financial management systems.

Also in support of our overall plan, we have established a central IT investment modernization fund to address other maintenance and evolution issues associated with legacy systems. As you can see, the department has various activities under way that will contribute to the success of our overall plan.

The third recommendation calls for the development of an action plan for managing risks related to aging IT systems.

We are pleased that the Auditor General has recognized Public Works' effort in identifying the risks associated with aging IT systems, and also recognizes that we have been diligent in submitting IT risks to our departmental risk officers.

Public Works has made significant progress in monitoring risks and is positioning itself to manage ongoing strategic and operational risks more proactively. The department is finalizing its operational risk profile and refreshing its corporate risk profile, both of which cite aging IT systems and their related applications as key risks. These profiles will better position Public Works to develop risk response strategies, to monitor and report on risk, and to identify emerging risks associated with IT infrastructure.

Semi-annual progress reports will be delivered to senior management while this strategy is being implemented.

Mr. Chair, ensuring the integrity of our critical systems is a top priority for PWGSC, and statistics indicate that we have achieved a high level of stability. For example, our standard payment system processed over 270 million payments last fiscal year, without system interruptions; and our print operations are ISO9001-certified, and we issue and distribute more than 100 million cheques and other documents per year. It is equally important to note that none of PWGSC's critical systems have ever caused a business failure, nor resulted in a disruption to business, due to our robust disaster recovery capability.

In fact, we rarely fall below our published performance targets. Meanwhile, we continue to witness that IT is enabling more and more government services and programs, so we will continue to aim for our best in service performance and evolution. I would be pleased to answer your questions. Thank you.

Thank you Mr. Chair.

My name is Borys Koba, and I am the chief information officer at Citizenship and Immigration Canada. I appreciate the opportunity to provide opening remarks to this committee on this subject.

Citizenship and Immigration Canada has accepted the three specific recommendations directed to it in the OAG report, and an action plan has been provided against each of those recommendations. I would like to point out that in paragraph 1.46 of the OAG report, there is an acknowledgement that, and I quote, “CIC has completed a comprehensive review of its IT infrastructure; however, it has not reviewed its applications at the same level.”

CIC agrees with this assessment, and, at a high level, CIC's plan is to do the following: (a) develop a more detailed inventory of CIC's application systems, including information on items such as the current technology environment and options for system rationalization; (b) integrate the information on application systems and IT infrastructure using a portfolio management approach, which will include an integrated risk assessment as well as criteria for the prioritization of investment decision-making; and (c) refine and extend existing departmental planning processes. CIC has completed an integrated corporate plan for 2010-11 that reflects departmental business priorities. One of the components of this document is the IT investment plan, which will be extended into a multi-year IT investment plan over this coming year.

Mr. Chair, for a number of years, the cornerstone of CIC's long-term strategy for its aging IT application systems has been the development and implementation of the global case management system. I am extremely pleased to indicate that exactly one week ago, on May 25, GCMS release two was put into production operation for the citizenship line of business, on plan.

The next major step is the implementation of GCMS release two to the first mission, Port of Spain, on June 30, to support the immigration lines of business. GCMS is planning to complete implementation in all missions by March 31, 2011.

With this success, CIC is now able to start more detailed planning for additional functionality, to support business requirements, and for decommissioning many of the current legacy systems.

CIC has continued to invest annually in IT infrastructure upgrades based on technology evolution and technology aging. In the application system area, in addition to the investments made in GCMS, CIC has been investing in updating specific legacy systems, usually based on risk and the costs associated with technological obsolescence.

Some examples over the past five years include updates to the technology environment in the Montreal call centre, which cost over $4 million; re-platforming of the case processing centre application, at over $1.5 million; and current upgrades to the departmental HR and financial systems, at over $1 million. It is recognized that these investment decisions, while necessary, have been made on an individual basis. Hence, we have the plan to develop an integrated portfolio approach, as recommended by the Office of the Auditor General.

My final remarks deal with the current legacy systems, especially the operational ones. They continue to operate at a very high level of availability and continue to be updated to respond to changing business requirements, such as the recent imposition of visa requirements for Mexico, the special processing in support of the Olympic Games, and the information system requirements in support of the Haiti crisis.

In summary, CIC accepts the OAG recommendations and believes the action plan will allow us to significantly improve the decision-making process related to IT investments and associated risks in the department.

Thank you, Mr. Chair.

Thank you, Mr. Chairman.

As chief information officer, I am responsible for the IT strategies and plans for the Canada Revenue Agency and the maintenance and development of all national infrastructure and applications in support of CRA's program delivery in its various lines of business. This role includes risk management with regard to the sustainability of infrastructure and applications as raised in chapter 1 of the Auditor General's spring 2010 report, in which the CRA's personal tax and benefit systems were reviewed.

The CRA data centres are the largest in the Government of Canada, hosting more than 450 applications, processing 4.5 million transactions per hour, and managing almost 6,000 terabytes of data storage. They also host all Canada Border Services Agency's infrastructure.

The CRA has an excellent track record for executing large re-engineering projects to ensure long-term sustainability: for example, in 2000, the implementation of the corporate tax redesign for $180 million over five years; in 2003, implementation of the other levies system to replace the old excise commercial system, $20 million over two years; and in 2007, implementation of the redesigned GST/HST system, which cost $200 million over five years. These re-engineering projects were undertaken to address the technical sustainability of these solutions as well as to modernize financial controls and improve services through enhanced functionality.

The personal tax and benefit systems reviewed in this audit were developed in the 1980s and 1990s respectively. They form the largest suite of applications in the CRA, comprised of 31 million lines of code that undergo hundreds of system changes every year in response to legislative changes and service improvements.

CRA is vigilant in keeping these systems running and makes every effort to ensure that quality services are available for Canadians to file their taxes and receive benefits. Re-engineering these systems is in the planning phase and will take a significant investment and several years to complete. We are currently engaged in discussions with central agencies regarding funding to initiate this work.

To monitor and plan for infrastructure sustainability, the CRA creates an annual asset management plan for each technology platform, managing within the custodial budget allocated for infrastructure maintenance. In addition, an annual information technology infrastructure investment plan is tabled to the chief financial officer of the agency, identifying longer-term financial pressures that do not fit within the custodial budget over a 10-year planning window for inclusion in the priority setting of the agency strategic investment plan.

For application sustainability, we conduct an annual review of the sustainability status of each application from the perspective of system architecture, maintainability of operations, and business needs. The priority setting that is the outcome from this process then drives sustainability fund allocation within our application sustainability plan.

The CRA thanks the Auditor General for her report and findings.

And I thank you, Mr. Chair, for providing the opportunity to appear here today and to answer any questions the committee members may have.

Thank you, Mr. Chair, and honourable members.

As the chief information officer of the Royal Canadian Mounted Police, I am pleased to have this opportunity to provide you with more information on the RCMP's information technology systems in response to the 2010 Report of the Auditor General.

I am accompanied today by Brendan Dunne, one of the directors general within the CIO sector and responsible for business solutions.

The RCMP's chief information officer sector supports operational policing by providing members and partners in the Canadian law enforcement community with the technology they need to record, share, and communicate essential police information. The chief information officer sector supports a broad range of applications and systems. These include operational systems, mobile communications tools such as radios, and administrative systems.

The 2010 Report of the Auditor General recognized the RCMP for assessing aging IT risks, for establishing strategies to manage those risks, and for following a portfolio approach. The RCMP accepts the findings and recommendations of this report. I would like to provide an update on the actions taken to address the Auditor General's two key recommendations for the RCMP.

The first recommendation for the RCMP is to develop an action plan for each significant aging IT risk and report regularly on aging IT risks to senior management. The RCMP has made enhancements to its established risk management processes to ensure IT assets are adequately protected and could be recovered or replaced in accordance with organizational priorities. Applying the existing and improved risk management methodology to each aging IT risk will enable the RCMP to develop an action plan for each one.

The RCMP has integrated IM/IT program risk reporting into the corporate governance process. The CIO first reported on this to the RCMP senior management on March 24, 2010. As well, the CIO strategic review council, which is responsible for prioritization and decision-making surrounding IT investment planning within the RCMP, will begin reporting to RCMP's senior executive committee on a regular basis this fiscal year.

The second recommendation for the RCMP is to prioritize IT investments based on the priorities of the organization in order to develop an overall funding strategy. By ensuring that IT risks are incorporated into organizational prioritization and investment processes at the senior management level, the RCMP will be able to develop a corporate funding reallocation strategy. This strategy, to be developed for the 2011-12 fiscal year, will prioritize and baseline all RCMP program activities, including IT.

In recent years, the RCMP has made several investments in critical enhancements and system replacements, including $130 million investment in the Canadian Police Information Centre in 2005, and $111 million investment between 2002 and 2009 in a police records and occurrence system and the police records information management environment to replace the RCMP's legacy system. The RCMP has also invested $22 million in the national integrated interagency information system, which is scheduled for completion this June. This system allows police and federal agencies to access and share appropriate police occurrence information.

Uniquely within the RCMP, radio systems fall under the mandate of the chief information officer. In order to ensure police officer and public safety, the RCMP has taken proactive measures towards national evergreening and modernization of the radio systems. The most significant expenses in radio system evergreening include user equipment, followed by infrastructure updates to enhance the system's capacity.

Some significant investments in radio systems in the past 10 years include $180 million invested in radio modernization projects. These projects include a $55-million project in British Columbia since 2001; $47 million invested in Saskatchewan between 2001 and 2009; $21 million in Newfoundland from 2001 to 2010; $23 million for the creation of a national emergency stock from 2002 to 2010; and $13 million in Ontario, including infrastructure updates to be used for the G8 and G20 summit.

Over the past 20 years, the RCMP has also invested $30 million in the development and modernization of the RCMP's radio dispatch system, which is used in every province and territory.

Within the next five years, the RCMP plans to modernize radio communications in Prince Edward Island, Nova Scotia, and New Brunswick under the maritime radio communications initiative.

As you can see, the RCMP has taken many steps to enhance processes and systems to meet operational requirements. We will continue to monitor, identify, and address IT risks and priorities.

I would like to thank you for allowing me the opportunity to speak with you. I would be pleased to answer any questions you may have.

Thank you, Mr. Chair.

To answer the member's question, yes, the CRA has identified which projects constitute that large sum of investment required to ensure sustainability. It breaks down largely between the information slip reporting system, at $180 million; the individual tax system, at least $215 million, most likely more; the T3 trust system, $120 million to build a system; and the benefits system, a minimum of $60 million.

All these investments are made to assure sustainability. We've never suggested that we would undertake all these projects at one time. Our tendency has been, as evidenced through the previous re-engineering projects we've done, to take on a project and execute over three to five years, starting the next project a year or so before the one we're working on ends.

This isn't a five-year problem for us, it's a 20-year problem for us, especially with regard to the T1 system. Individual taxes represent an enormous system.

Thank you very much. Yes, we do know what to do with those funds, but as my colleague from Revenue Canada said, it is still a long-term process.

I mentioned earlier in my opening remarks that a lot of the work we need to do to refresh our infrastructure is like the maintenance on a vehicle. It's actually more like trying to fuel an airplane in flight. We cannot stop processing payments, ensuring that Canadians receive their benefits, while we upgrade both our infrastructure--the platforms that these systems run on--and the applications.

We do have in place an application modernization project that is working towards clearly identifying every area of the infrastructure, as well as the applications that we need to work on, in order to do a complete refresh, but as my colleague has already indicated, this will take a number of years.

So in answer to your question, if you were to give us that money today, we would not be able to spend it all in one year. We could not affect the operations to that degree. It has to be done in a planned, methodical way over a period of time.

Yes, absolutely. Since we have already identified the risks, because we have already invested $120 million over the last three years, we already know which infrastructure components present a priority risk and we would invest in that environment, yes.

Thank you for the questions.

I'll look at it in a couple of sectors. The first one is the systems that we need to replace or modernize immediately in order to ensure that police officers have the ability to communicate and share information. As I indicated in my opening remarks, in the last number of years, we've invested quite heavily in the Canadian Police Information Centre renewal and the systems that allow police officers to share information, and the building of a system--the N-III project--that allows agencies and police officers to look into each other's areas.

We're looking forward to the modernization of our radio systems. We have in place a multi-year program plan to work with the provinces to improve their radio systems, many of which we've worked on in the last number of years, and many that we have cued up to work on in the upcoming years.

To help us prioritize those over the next number of years, between the next three to five years, we look to the policing community and the provinces and territories. As well, we are using a strategic review council within the RCMP to ensure that the CIO sector is actually responding to the operational needs of the RCMP and its law enforcement partners.

Thank you, Mr. Chair.

I just wanted to clarify that the figures come from the plans prepared by the departments and agencies. During our audit, we checked whether those organizations had prepared a long-term plan, by identifying the priorities and the critical systems and infrastructures. We noted that three out of five had done it. Those are the cost estimates that they prepared themselves.

Our concern is that the funds that come from the current budget aren't sufficient to meet the future needs. It is therefore important that there be a plan to fund those projects that the departments themselves identify as critical.