Management of Resources

Expectation (a): Financial Management – The Board must assure itself that the Agency has and follows the appropriate control framework for the management of its financial resources.

Key Questions 1: Does the Agency ensure the sound management of the financial authorities provided by Parliament?

Response

• The Agency does not exceed the spending authorities provided by Parliament.
• Allocation of the Agency's budget is based on the functional model (HQ functionally driven and regionally administered) and is divided into operations, strategic investments, and spending of revenues (cost recovery).
• Functional branches allocate their budgets across headquarters and the five regions at the sub-sub-activity (SSA) level based on negotiated work plans. The regions then allocate budgets (resources) to field offices and determine the appropriate resource mix (operating budget flexibility).
• Once budgets are negotiated and set, they cannot be exceeded at the control points (i.e., the 12 headquarter branches and 5 regions). The functional budget management tables provide a forum through which headquarter and regional branch budgets are established for the next fiscal year and plans and priorities are set for future fiscal years. They are held in late February/early March and provide an opportunity for open and transparent discussions concerning work plans from both a resource level and outputs/commitments perspective.
• Updated multi-year budget allocations are issued on a quarterly basis and include changes in funding resulting from new Treasury Board submissions, Resource and Investment Management Committee (RIMC) recommendations, Agency Management Committee (AMC) decisions (including banking days, which are generally held twice a year), as well as workload transfers.
• The Board receives a resource management report on a quarterly basis.
  • The report facilitates the effective management of resources by providing detailed information on the Agency's utilization of financial resources, including variance explanations, forecasts, historical comparisons, and, where appropriate, recommendations on how significant variances and/or emerging funding pressures should be addressed in the context of the Agency's broader resource management strategy.
  • The preparation of the report includes a multi-dimensional corporate oversight challenge function (at the branch/regional level with Assistant Commissioner sign-off, and at the Agency level by the Finance and Administration Branch with the Chief Financial Officer's sign-off) to ensure the accuracy and completeness of the information and to support the Agency's commitment to transparency and accountability.
• The Annual Report includes financial statements that have been audited by the Auditor General and reviewed and approved by the Board.
• For fiscal 2008-2009, the CRA received an unqualified opinion on its audited financial statements for both agency and administered activities.
• In their management letter, further to their audit of the 2008-09 financial statements, the Office of the Auditor General (OAG) is reporting only four issues. Management has developed action plans to address these issues.
• CRA also received an unqualified opinion on the Statement of Income and Capital Taxes Payable to the Provinces and Territories (TCA) for the 2007 taxation year.
• In support of the Government's requirement to strengthen accountability and increase transparency under the Federal Accountability Act, CRA has developed a draft policy framework on Financial Management and Corporate Finance that will be submitted to the Board for approval in March 2010.
• CRA continues to strengthen and develop financial management capacity by enhancing efforts for recruitment, retention, and training strategies for staff. For example:
  • The Financial Officer (FI) Apprenticeship Program (FIAP) was established in April 2009 for the recruitment of post-secondary graduates with a university degree in the financial disciplines, or those eligible to obtain an accounting designation. FIAP comprises a two-year program of rotational assignments within the Agency, intended to provide hands-on experience, complemented by an educational component. The program's initial selection process was conducted in July 2009, leading to the creation of a unilingual pool of qualified candidates in December 2009 and a bilingual pool that is projected for February 2010 once second language evaluation testing has been completed.
  • There is continued leverage of e-learning products in order to provide cost-efficient training throughout the Agency, allowing users to proceed at their own pace while providing detailed guidance that is always readily available:
    • An e-learning product guiding users on how to use the Agency's costing template to estimate program costs was posted on the Agency's InfoZone July 2009, while a second product demonstrating the use of business intelligence software to access and analyze CRA cost data was posted in September 2009.
    • The Resource Management Fundamentals e-learning product, to guide the Agency financial community through the full range of Resource Management activities like resource investment, budgeting and costing, is in final developmental and testing stages with a projected launch date of April 2010.
• CRA issued its second Canadian Institute of Chartered Accountants (CICA) Handbook Section 5970 Report on the design and implementation of internal controls related to T-2 business processes and systems to provincial and territorial officials.
  • The report includes information on controls that help ensure that the recording and reporting of transactions are consistent with the terms of the Tax Collection Agreement (TCA).

Sources of Evidence

• Quarterly Resource Management Reports (Financials)
• 2009-2010 Performance Targets Report
• 2008-2009 Annual Report
• RIMC process
• Internal audits and evaluations
• Auditor General reports
• Minutes of the Board Resource Committee meetings
• Minutes of the Audit Committee meetings
• Audit Committee Charter
• Audited Financial Statements for the year ended March 31, 2009
• OAG Management Letter
• CRA Annual Report
• TCA Statement 2007
• The Commissioner's Annual Reports to the Governments of the Provinces and Territories
• Report on the CRA's Controls relating to the Corporation Income Tax Program – Canadian Institute of Chartered Accountants Handbook Section 5970
• Report as at Nov. 30/08

Key Questions 2: Does the CRA have the appropriate processes and internal controls to ensure that tax assessed and collected on behalf of the provinces and territories is reported accurately, completely, and in a timely manner?

Response

• In its second CICA Section 5970 report, the CRA discloses certain issues related to user access, segregation of duties, and the management of legislative changes and identifies its action plans to strengthen the controls concerned. The Auditor General's report (Section 1 of the s. 5970 report) states that except for these issues, the controls are suitably designed to achieve the stated control objectives. In the s. 5970 report, CRA management states its belief that the residual risk that these issues would lead to a material error in the TCA-related financial information is low.
• The Auditor General's report also notes that, except for the fact that CRA's controls description does not include control objectives and procedures related to its activities in the areas of compliance research and the development and implementation of compliance strategies, the description presents fairly the relevant aspects of the CRA's controls that have been placed in operation as at November 30, 2008. The CRA believes that controls related to compliance programs are outside the scope of financial reporting under the TCAs. Attempts to resolve the difference of opinion between the CRA and OAG on this point have been unsuccessful to date. Both parties will examine this issue further, including through consultations with provincial finance ministry officials and with representatives of the provincial auditors general, with a view to reaching a resolution in time for the next audit, currently expected to cover CRA's controls relating to the Personal Income Tax Program (T1) as at November 30, 2010.

Key Questions 3: Does the Agency have appropriate programs to assess the effectiveness of its financial control systems and procedures and to address identified control weaknesses?

Response

• A new Chief Financial Officer (CFO) was appointed in 2009-2010.
• The CRA has two significant multi-year initiatives aimed at assessing the effectiveness of its internal controls over financial reporting: CICA Section 5970 reporting under tax collection agreements and Chief Executive Officer (CEO)/Chief Financial Officer (CFO) certification of internal controls.
• During the February 2009-February 2010 period, the TCA-5970 work was focused on controls over reporting to provinces on personal income tax and the CEO/CFO certification work was focused on an assessment of the effectiveness of the CRA`s entity-level controls over financial reporting.
• The CFO presented a positive report on the entity-level control assessment to the Audit Committee of the Board in December 2009; the overall conclusion was that the CRA has a strong system of entity level controls, which supports the achievement of all relevant control objectives included in the Committee of Senior Officials (COSO) framework.

Sources of Evidence

• October 5, 2009 Project Update to the CEO/CFO Certification Steering Committee
• Report on the Results of the Assessment of Entity Level Controls and the Risk Assessment of Business Process Controls
• Detailed Entity Level Control Workbook with a list of controls objectives and controls, descriptions of the work performed and the conclusions reached
• Financial Monitoring Framework Issue Sheets 2009
• 2008-2009 OAG Report to the Audit Committee
• 2008-2009 Annual Report, variance analyses to the Board
• Central Financial Management Reporting System trial balance, monthly financial statements, tax sharing statements, fiscal monitor and revenue reports
• 2009-2010 Reports on Plans and Priorities
• OAG management letter, internal audit reports

Key Questions 4: How is the Agency improving the quality of its financial reporting?

Response

• In 2009-2010 the CRA continued to strengthen its financial reporting through new functionality introduced as part of the Corporate Administrative Systems (CAS) sustainability project, specifically the development and implementation of the following functionality:
  • The Multiple Spending Authority initiative provides the CRA with automated system spending controls and the flexibility to ensure expenditures are captured by authority in the financial system of record, necessary to facilitate the new CRA Capital Vote effective April 1, 2010.
  • The Project System initiative provides CRA with a single integrated project management solution to monitor and report on major investment projects.
• CRA also continues to develop a consistent and reliable framework, within which the possibility of incomplete or inaccurate accounting and reporting of financial results can be assessed, minimized, or pre-empted through the timely monitoring of key indicators of risk.
• During the last year, monitoring activities were expanded to include excise revenues in addition to current activities that included personal income tax, corporate income tax, trust revenues and non-residents tax withholding tax revenues.
• Furthermore, enhancements were made to the revenue analysis that allowed for more elaborate and specific explanations of changes from year to year.
• Canadian Generally Accepted Accounting Principles for the Public Sector are regularly reviewed to ensure financial statements are in accordance with current standards.
• Annual variance analysis and financial statements analysis are reviewed by management and provided to the Board of Management.
• Summary financial statements are prepared and analyzed on a monthly basis.
• Monthly variance analyses are reviewed by management.
• Future oriented financial statements are prepared annually. The goal of this exercise is to forecast our financial results two years into the future.
• Financial reporting is improved through the implementation of recommendations by the Office of the Auditor General (OAG) and/or as a result of internal audits.

Key Questions 5: How is the Agency trending with regard to its Annual Expenditure Plan versus actual expenditures?

Response

• The 2009-2010 fiscal year marks the fifth year of measuring performance accountability based on the 5% variance threshold. In 2008-09 all HQ branch and regional year-end expenditures were within 5% of their Q2 Annual Expenditure Plans. It is expected that the situation will be similar in 2009-2010.
• In 2008-2009 the Agency's year-end financial flexibility represented 3.7% of the approved authority. In 2009-2010 the Agency's projected year-end financial flexibility at Q2 was 1.9% of the approved authority and is anticipated to grow to be in the same range as prior years.

Sources of Evidence

• Quarterly Resource Management Reports (Financials)

Expectation (b): Project Management – The Board must assure itself that investment decisions are reflective of corporate priorities and that possible future funding pressures are identified.

Key Questions 1: Does the Agency's project management framework support effective decision-making oversight, monitoring and review?

Response

• The Resource and Investment Management Committee (RIMC) is mandated to establish budget priorities and requirements according to the Corporate Business Plan, oversee the allocation and control of Agency financial resources, and oversee the management and progress of major investment projects.
• The RIMC Secretariat performs the corporate challenge function in assessing project proposals, facilitating awareness and understanding of the RIMC process, and providing the necessary tools for project management such as updated guidelines, templates, and training material in accordance with the CRA Project Management Policy.
• Major strategic investment projects that have been reviewed by RIMC and received approval from Agency Management Committee (AMC), and that have lifecycle development costs that are expected to exceed the threshold of $20 million, continue to be referred to the Board for review and approval of the governance structure, the monitoring framework, and the planned expenditures. For the period under review, the précisfor two new projects were approved by the Board: Corporate Administrative Systems (CAS) Sustainability and Provincial Sales Tax Administration Reform (PSTAR), bringing the number of Board-monitored projects up to six. Once in execution, oversight of these projects is performed by the Board through the quarterly Major Project Investment Portfolio Dashboard which assesses the project's scope, schedule and cost.

Sources of Evidence

• RIMC/AMC reports, minutes
• RIMC mandate, administrative procedures and documentation guidelines.
• Information session and online course (Computer-Based Training) provided to project teams on the RIMC approval processes
• Reviewed by the Board:
  • Board Resource Committee minutes
  • CRA Corporate Business Plan
  • Project précis
  • Major Project Investment Portfolio Dashboards

Key Questions 2: How do the Agency's cost tracking and reporting practices demonstrate effective management of project resources and project performance?

Response

• The Major Project Investment Dashboards are provided to the Board quarterly for Agency projects with life cycle costs that exceed $20M. The number of projects providing dashboards to the Board was expanded from four to six during 2009-2010, to include the CAS Renewal Project and the PSTAR Project. The purpose of the dashboard is to provide an overall report on the status of the project with regard to cost, scope, and schedule, which are key elements within a project management framework. These dashboards provide timely updates to Agency management and the Board on scope, schedule and cost and aid in making more timely and effective decisions when required. In addition, the dashboard provides a means of communicating project specific or general investment portfolio issues to the Board. These elements together support effective decision-making oversight, monitoring, and review.
• The following provides an assessment of the status and performance of the six projects that were subject to Board oversight during 2009-2010, based on the dashboards submitted in March 2009, June 2009, September 2009, and December 2009:
  • Compliance Systems Redesign: the project proceeded on schedule within the approved scope and costs. There has been some redistribution of certain elements between deliverables. However, there will be no overall impact on scope, schedule, or cost. Overall Performance Assessment for 2009-2010: Schedule: Green; Scope: Green; and Cost: Green
• Corporate Taxes Administration for Ontario (CTAO): the project has proceeded on schedule, and within the approved budget and scope. An anticipated lapse of $17 million in 2009-2010 has been identified, resulting from prior year carry-forwards, and will provide financial flexibility to cover any CTAO or other Agency-related requirements that may arise in the current year. Overall Performance Assessment for 2009-2010: Schedule: Green; Scope: Green; and Cost: Green
• Individual Identification Renewal: the project has proceeded on schedule. Due to unforeseen complexities associated with system changes, there were adjustments made to non essential elements of the project's scope and related costs, which were approved by Agency management in October. These changes do not materially change the overall project costs or scope. Overall Performance Assessment for 2009-2010: Schedule: Green; Scope: Green; and Cost: Green
• Integrated Revenue Collections: the project has proceeded on schedule and within the approved budget and scope. Overall Performance Assessment for 2009-2010:Schedule: Green; Scope: Green; and Cost: Green
• Corporate Administrative System Sustainability (CAS): the project has reallocated/re-profiled funding between deliverables/years and has identified additional funding pressures. The project continues to be monitored closely as it is still in the process of completing a Detailed Planning Report for Releases 4 and 5; this report is due to be presented to the RIMC / AMC in March 2010. Overall Performance Assessment for 2009-2010: Schedule: Green; Scope: Green; and Cost: Green
• Provincial Sales Tax Administration Reform (PSTAR): this new project, funded through a TB submission, is to ensure that the CRA will have the necessary systems, and processes in place to effectively implement the new Harmonized Sales Tax (HST) for the provinces of Ontario and British Columbia on July 1, 2010. The first quarterly dashboard will be presented in March 2010. Overall Performance Assessment for 2009-2010: Schedule: Green; Scope: Green; and Cost: Green

Sources of Evidence

• Reviewed by the Board:
  • Project précis
  • Major Project Investment Portfolio Dashboards

Key Questions 3: Are Agency project related investment decisions reflective of corporate priorities and assured of secure funding?

Response

• The Agency introduced a formalized investment planning process, the Strategic Investment Plan (SIP), in May 2009, thereby enhancing the Resource Investment Management Committee's (RIMC) investment spending oversight and allowing for an efficient and effective use of resources. A priority ranking model was used to assess the proposed investment requirements for a 10 year period, which will help senior management ensure that any available investment funding is allocated in a manner that best supports strategic priorities, outcomes, and enterprise risk mitigation strategies. The Agency's first Strategic Investment Plan identified a number of critical high-value projects that will soon be brought forward for consideration by senior management. While most of these project proposals are only at the conceptual stage at this time, and the exact scope, timing, and cost of each remains to be confirmed, the SIP clearly reflects the magnitude and nature of the investment challenges faced by the CRA. This addresses a next step identified in the BoMOF – Assessment of Performance 2008-2009.
• The current level of resources is not sufficient to fund all the investment proposals included in the SIP. The CRA has therefore initiated discussions with officials in the central agencies to request that its budget be augmented. The outcome of this request is expected in early 2010-2011.
• The methodology supporting the priority ranking and the SIP will be updated on an annual basis to ensure that Agency resources are put toward the most critical areas of need and in a manner that clearly supports program outcomes and government priorities, while addressing the highest risks facing CRA.
• Starting in FY 2010-2011, the Canada Revenue Agency's Estimates will include a new Capital Vote, constituted from existing resources, which will fund the on-going purchase and construction of capital assets. The Capital Vote budget amount established for 2010-2011 is $136M and was determined through an Agency-wide assessment of capital requirements that began in August 2009. As part of the 2010-2011 Annual Reference Level Update (ARLU) in December 2009, these amounts were transferred from existing operating resources to the new Capital Vote on a three-year planning horizon. The implementation of a Capital Vote will, in part, support the recently created Strategic Investment Plan by strengthening the monitoring and control exercised over the CRA's capital investments in the future.
• The Agency's IT projects are internally executed. Its Information Technology Branch represents one of its strengths.

Sources of Evidence

• Strategic Investment Plan (presented in September 2009 to the Board for information and discussion)

Expectation (c): Asset Management – The Board must assure itself that accommodation needs and non-IT assets with an individual value of more than $10K are well-managed.

Key Questions 1: Does the Agency appropriately monitor and report non-IT assets with an individual value of more than $10K?

Response

• Requirements for materiel are assessed and planned using a life-cycle management approach.
• The CRA has a five-year fleet capital replacement plan, and a yearly fleet annual report is produced.
• A thorough review and analysis of existing fleet management policy instruments have been completed, and the revised policy instruments are in place.
• Capital assets (greater than $10K) are tracked and depreciated through the Corporate Administrative Systems (CAS).
• The CRA has a year-end certification process that validates the existence and value of the Agency's assets at March 31.
• All assets identified as having a purchase value of $10,000 or more are deemed to be capital and are reported as such in the Agency's Financial Statements and in the Public Accounts. No other reporting is done regarding CRA assets.
• Bi-annual reviews are done of all capital assets to ensure accuracy of the information contained in CAS.
• Quarterly reviews are done of all new capital asset purchases to ensure the information captured in the asset master record in CAS is complete and accurate.
• Monthly reviews are done of the expenses accounts in order to identify purchases over $10K that should have been captured as capital assets.

Sources of Evidence

• Finance and Administration manual chapters on Accounting for Capital Assets, Accounting for Capital Leases, and Fleet Management
• CAS Module 546 – Purchase Requisitions for Assets
• Fleet Annual Reports

Key Questions 1: Are real property investments based on long-term accommodation plans that take account of business priorities, risks and program needs?

Response

• Real Property investments are identified in the Agency's annually updated Long-Term Accommodation Investment Plan (LTAIP), which provides:
  • An assessment of the short, medium, and long-term impacts of government-wide and Agency priorities and program requirements on national accommodation needs; and
  • Strategic direction for planning and managing CRA's accommodation portfolio investments over a five year period.

Sources of Evidence

• Long-Term Accommodation Investment Plan

Expectation (d): Procurement – The Board must assure itself that the Agency's procurement activities comply with legislative and policy requirements and represent an effective and cost-efficient means of acquiring necessary goods and services.

Key Questions 1: How does the Agency ensure transparency and integrity in its procurement activities?

Response

• The CRA conducts procurement in a fair, open, transparent, and cost-effective manner and in accordance with CRA policies, codes of conduct, and government obligations and uses the Government Electronic Tendering System to advertise its competitive contracting requirements. In order to give equal access to opportunities to do business with the CRA, achieve best value, and comply with trade agreement obligations, the majority of CRA contracts are awarded as the result of a competitive process. Fifty-eight percent of new contracts were awarded competitively based on the Q3 report.
• The Procurement Ombudsman addressed the Board in December 2009 and noted that the CRA has strong procurement practices in place and was cited as a best practice in the Office of the Procurement Ombudsman 2008-2009 Annual Report.
• The Quarterly Contracting Report to the Board of Management is one of the many tools that the Agency uses to ensure that government obligations and CRA policies are adhered to.
  • This report is used to provide an analysis of the CRA's procurement activity, as well as the trends in the solicitation procedures (like sole source, tender, call-ups) on a quarterly basis. Information on both the number of competitive and sole source contracts and the number of After the Fact contracts with a year over year comparison is also included. (Q3 report is available, if required.)
  • Some trends indicated in the Q3 2009-2010 YTD report include:
    • E-procurement transactions as a percentage of all business transaction volumes has increased by 1.25%, while their dollar value as a percentage of all business dollar value has increased by 52%.
    • After the Fact contracts as a percentage of all contracting activities is down by 54%.
    • Sole source contracts awarded as a percentage of all contracts awarded decreased by 4%.
• All information technology (IT)-related contracts and non pre-approved amendments over $1million are reviewed by the IT Procurement Strategy Committee, an AC-level committee.
• All non-IT contracts and non pre-approved amendments over $1million are reviewed by the Finance and Administration (F&A) Branch Management Committee, chaired by the Agency's Chief Finance Officer (CFO).
• AMC is sent periodic reports on contracting and is briefed on all contracts and amendments estimated at over $1million.
• The Quarterly Proactive Disclosure Report publishes all contracts and cumulative amendments over $10K. The report is available on the Agency's Internet site.
• The procurement profile is reported annually to Public Works and Government Services Canada (PWGSC)-Treasury Board Secretariat (TBS) for the Government of Canada (GoC) Purchasing Activity Report.
• Contract Award Notices (CANs) are posted (procurements over $25K subject to trade agreements). They are posted on the Government of Canada's tendering system MERX.
• The Compliance and Program Review Section (independent of the Contracting Division) reviews all procurement activities requiring approval at the level of Assistant Director, Contracting, and above to ensure adherence to legislative and policy requirements. In addition, Compliance and Program Review conducts annual targeted, ad-hoc, and random compliance reviews of contracting files.

Sources of Evidence

• Procurement policy and supporting policy instruments
• CRA Contracts Directive
• Quarterly Contracting Report (for 2009-2010, Q1 and Q2 reports have been presented to the Board; Q3 will be presented in March)
• Quarterly Proactive Disclosure Report
• Procurement Oversight Committee's Terms of Reference
• Office of the Procurement Ombudsman 2008-2009 Annual Report

Key Questions 2: What processes are in place to ensure procurement activities yield best value in return for amounts disbursed?

Response

• The use of the Agency's e-procurement catalogues, which are supported by a government acquisition card, results in significant savings. In accordance with TBS estimates, the cost associated with supporting these types of transactions is only 8% of the cost of using traditional procurement contracts such as local purchase orders. As of the third quarter (Q3) of 2009-2010, year-to-date (YTD) e-procurement represents 96% of the total number of transactions.
• The Q3 2009-2010 YTD non e-procurement and non-acquisition card purchases (that is, contracts and other arrangements) totalled $163 million and represent 81.9% of total Q3 YTD business dollar volume. The Agency's procurement expertise and resources focus on these transactions.
• By focusing the use of CRA's procurement officer activities on high dollar, high risk transactions (contracts), while automating low dollar, low risk transactions (e-procurement), the Agency is ensuring best value in return for amounts disbursed.
• In addition, 71 strategic sourcing arrangements (a commodity-based approach that takes advantage of volumetrics) are currently in place and, as of Q3 2009-2010, they represent 40% of total transactions. In contrast, the number of arrangements last year was 59; however, the percentage of total transactions is unchanged as of Q3.
• A 2008 internal audit confirmed the cost effectiveness of e-procurement and acquisition card purchasing processes while also noting control deficiencies. The action plans based on the audit's recommendations are complete or on track.
  • “Synergy”, a Web-based e procurement tool, was implemented in January 2009. Synergy allows for faster ordering and receiving of catalogue goods and services as well as better spending controls and visibility. Synergy is also the procurement tool for all contracting officers and supports their day-to-day contracting activities in an environment that enhances compliance with trade agreements and legislative policies and procedures.
  • An acquisition card monitoring program with the regions was implemented, and a new online tool to administer the program was provided.

Sources of Evidence

• Quarterly Contracting Report (for 2009-2010, Q1 and Q2 reports have been presented to the Board; Q3 will be presented in March)

Expectation (e): Information Technology – The Board must assure itself that the Agency adequately plans and invests in its IT resources to ensure they support the achievement of its business goals.

Key Questions 1: Does the Agency have a long-term IT strategy based on the business needs of the Agency?

Response

• A refresh of the CRA Information Technology (IT) Strategy and Plan for 2010/11 to 2012/13 has recently been completed and will be presented to the Board at its meeting in March 2010.
• The goal of the strategy and plan is to closely align with the strategies and priorities documented in the Corporate Business Plan.
• IT Sustainability and IT Responsiveness Risks are a product of a number of strategic drivers within the larger IT strategic landscape including alignment to the CRA IT Strategy and Plan 2010/11 to 2012/13. The drivers and mitigation strategies are not totally independent, and also are connected to other IT Strategic drivers outside the Corporate Risk Inventory (CRI).
• It will serve as a tool to identify the strengths and weaknesses of the CRA IT program, the challenges and opportunities facing us, our vision of the future and how we will seek to achieve it.
• Key goals and objectives of the CRA IT Strategy and Plan are:
  • Goal 1: Continuously improve the delivery of services to our clients and Canadians through sustainable, strategic enterprise technology investment.
    • Objective: Ensure the IT investment is well managed to maintain value and transparency in the allocation of IT costs and using industry best practices to ensure the capacity to meet current and future business requirements.
  • Goal 2: Enhance Business/IT Alignment through the continued collaboration with stakeholders and clients.
    • Objective: Client expectations are met by delivering excellence in IT project management through quality IT projects that are on-time and on-budget.
  • Goal 3: Continuous process improvement of IT Best Practices.
    • Objective: Improve the quality effectiveness and efficiencies in the measurement of IT performance.
  • Goal 4: Ensure a knowledgeable, skilled and engaged IT workforce that will provide expertise, leadership and innovation in the IT community.
    • Objective: Retain, develop and recruit the skilled IT human resources needed to respond quickly to the ever-changing technology world.

Sources of Evidence

• CRA IT Strategy and Plan 2009/10 to 2011/12
• ITB Risk Response Strategy for IT Sustainability
• ITB Risk Response Strategy for Responsiveness
• IT Architecture Roadmaps
• CRA Strategic Investment Plan
• IT Infrastructure Investment Plan

Key Questions 2: Are investment decisions congruent with the IT strategy and integrated into the Agency's business plans?

Response

• A multi-year asset management plan has been created to highlight the investments the CRA will need to make over the course of the next 10 – 15 years.
• IT multi-year investments/business cases are presented to the Resource Investment Management Committee (RIMC) to assist in sound decision-making in the context of the Strategic Investment Plan. ITB also has a number of review committees to ensure that IT investments are managed to ensure value. These include:
  • Branch Priorities Committee (BPC) – Reviews IT investments and establishes priorities within the IT Branch;
  • Branch Executive Committee (BEC) – Reviews programs, projects and policies and provides advice, approval and support to Chief Information Officer (CIO). Ensures activities of the Branch are aligned with Agency strategies and CRA Corporate Business Plan; and
  • Infrastructure and Application Major Project Review Committees (MPRC) – Provide senior executive decision-makers the ability to examine, question, and provide recommendations on all aspects related to the project portfolio being presented.
• The AC of ITB and his senior management team meet with the ACs of the other branches in bilateral meetings to review the status of IT operations and IT projects related to their business.

Sources of Evidence

• RIMC – records of decision
• CRA IT Strategy and Plan 2009/10 to 2011/12
• Major Project Review Committee minutes
• Architecture Steering Committee – records of decision

Key Questions 3: What is the Agency doing to ensure that it has skilled and competent employees necessary to support its IT operations?

Response

• ITB HR related goals and objectives include:
  • Invest in building capacity of the ITB workforce; and
  • Recruit, develop and retain a knowledgeable, skilled and engaged workforce.
• Core activities related to recruitment (external resourcing) are:
  • Explore methods to better market CRA ITB to external resources;
  • Maintain links with other Government organizations and educational institutions in order to share best practices with respect to recruiting;
  • Conduct post-mortems of recruitment programs (Information Technology Apprenticeship Program, External Recruitment);
  • Conduct external selection processes; and
  • Conduct needs analysis/survey.
• 2009-2010 accomplishments related to recruitment are:
  • Conducted a “Needs Analysis” to better understand activities involved in the attraction, assessment and placement of personnel from outside of the Branch and the Agency into available positions within ITB;
  • Conducted a consolidated post mortem on the Information Technology Apprenticeship Program (ITAP) and External Recruitment (REX) programs, as well as on our promotion/marketing activities to determine if they meet ITB's needs;
  • Modified the programs accordingly and developed a marketing strategy for next fall/winter; and
  • Explored the feasibility of expanding the area of selection for ITAP to specific areas outside of NCR.

Sources of Evidence

• CRA IT Strategy and Plan 2009/10 to 2011/12
• HR Operations Plan
• IT Renewal Program Updates

Key Questions 4: Does the Agency accurately measure and report on the success of its IT investments?

Response

• ITB continues to develop a well-defined, long term performance measurement framework that will allow the IT program to strengthen and build the foundation for successful IT performance reporting. The framework will align resources and plans to assist in the development of performance metrics.
• A Performance Indicators Quarterly Report (PIQR) that includes statistical performance information and trend analysis has been published.
• Performance measurement processes have been in place since 2007 to monitor and report on application incidents. Various ongoing Quality improvement processes (Peer Review, Application Sustainability, Software Estimation, Solutions Applications Catalogue) coupled with improvements in incident, change and configuration management tools and practices will permit a more complex and comprehensive view of performance.
• To provide continuous performance improvements ITB engages the Corporate Executive Board, Infrastructure Performance Improvement Lab to assist in the benchmarking of the following six towers: Storage, Network, Hosting, Messaging, Desktop Services, and Helpdesk services.
• ITB program performance metrics for 2009-2010:
  • Dollars spent on applications maintenance: $80,023,379
  • Dollars spent on new applications development: $66,881,895
  • Number of Incidents: Opened – 19,961; Closed – 17,464
  • Number of work orders raised and implemented on-time and on-budget annually: 494 for applications; 370 for infrastructure
• Service availability metrics:
  • CRA Web Site – Target: 99.0% Actual: 99.53%
  • CRA My Account – Target: 95% Actual: 98.32%
  • CRA T4 Net File – Target: 99.0% Actual: 99.50%
  • CRA T1 Net File – Target: 95.0% Actual: 99.50%
  • CRA File-on-Line (EOL) – Target: 95.0% Actual: 98.70%
  • CRA File-on-Line (EOL) Plus – Target: 95.0% Actual: 98.70%
  • CBSA Accelerated Commercial Release – Operations Support System – Target: 96.5% Actual: 99.12%
  • CBSA Custom Commercial System (CCS) Availability – Target: 96.51% Actual: 99.51%
  • CBSA Passenger Information System (PAXIS) – Target: 99.5% Actual: 99.63%
  • CBSA Integrated Primary Inspection Line (IPIL) – Target: 99.5% Actual: 99.46%

Sources of Evidence

• CRA IT Strategy and Plan 2009/10 to 2011/12
• Branch Performance Management Working Group Minutes
• Performance Management Presentations
• IT Service Availability (Quarterly Report)
• Corporate Executive Board 2010 Infrastructure Services Benchmark
• Gartner 2008 Applications Maintenance Benchmark

Expectation (f): Information Technology – The Board must assure itself that the Agency adequately manages and safeguards its IT resources to ensure they support the achievement of its business goals.

Key Questions 1: Are IT business continuity plans adequate (e.g. have they demonstrated success)?

Response

• ITB Business Continuity Plan (BCP) are adequate – however there has been no formal disaster where they have been officially implemented. Where significant events have occurred, albeit not at the disaster level, the plans have been used by management to ensure continuity of service. Examples are the February 2009 water leak at 21 Fitzgerald and the December 2008 HVAC system leakage at 35 Fitzgerald where the plans helped to identify new working locations for critical staff and services.
• Business Continuity Plan (BCP) exercises continue to be conducted to ensure management is well prepared to identify new gaps and improve their plans.
• During the ongoing process of completing Threat and Risk Assessments, BCP, and Disaster Recovery Plans (DRP), the ability of current and planned safeguards is analyzed to determine if the safeguards are adequate or if additional security is necessary.
• ITB gave a comprehensive presentation to the Board on the ITB BCP and DRP at its June 2009 meeting. The presentation detailed the Agency's work in identifying, protecting, and monitoring all information systems in the CRA from any real or perceived threats to ensure that a secure environment is maintained to uphold the expectations of its clients and employees.
• Site BCPs and Pandemic BCPs are completed and maintained for critical services for all areas in ITB. DRPs for CRA's Data Centres are maintained and exercises are conducted at least once per year.
• Baseline TRAs are completed for the mainframe, Intranet backbone, Security Perimeter – Public Access Zone (PAZ) / DMZ & Firewall, Corporate Administrative System, and the Distributed Computing Environment. Other TRAs are completed or updated as part of regular operations and project management.
• The Security Directorate of F&A (Security, Risk Management and Internal Affairs Directorate) and ITB (IT Security Services) work cooperatively to ensure compliance with TBS's Security Standard (MITS) in the completion of TRAs, BCPs, and DRPs.

Sources of Evidence

• CRA IT Strategy and Plan 2009/10 to 2011/12
• Project Risks
• Post-mortems after each BCP and DRT exercise

Key Questions 2: Are appropriate security provisions in place to mitigate intrusion and inappropriate access?

Response

• CRA continues to maintain adequate IT security posture against the evolving threats to the integrity of CRA data assets and processing.
• A Project was initiated to address Management of Information Technology Security (MITS) requirements in order to ensure IT applications and infrastructures remain MITS compliant. Threat Risk Assessments were completed for the major IT platform components and are currently in Management Review awaiting approval.
• Information Technology Branch has collaborated with Communications Security Establishment Canada to gain the requisite skills to institute best practices and methodology for security assurance within the application and system development life cycle.
• ITB is continuously improving the security posture of CRA's technology infrastructure in order to ensure the continued integrity of data assets and electronic processing.
• Refer to response on business continuity plans above.
• A Security Operation Center (SOC) which includes a Security Incident and Event Monitoring (SIEM) solution that provides event monitoring to detect and report intrusion attempts and inappropriate accesses to CRA systems has been deployed to all platforms except for the z/OS (mainframe) environment. Inclusion of the mainframe environment and continued maturation of the SOC to encompass new and evolving IT solutions and cyber threats are two areas that ITB will address in the future. The timeframe for implementation on the mainframe environment is dependent on funding and procurement activities.
• Vulnerability Assessment (VA) scans are performed to ensure that CRA's network remains safe from any internal/external threats and exposure. The results of these VA scans and required corrective remediation measures are reported to the affected areas. Evolving Web applications, new platforms and increasing threats are areas that require constant review.
• Executive Risk Assessments (ERA) are created when there is a potential threat that may harm a CRA or Canada Border Service Agency (CBSA) network device. These assessments are written with information provided by vendors and security professionals. Once written, the ERAs are distributed to the affected areas and monitored so that vulnerabilities may be mitigated. Over 100 ERAs were performed last year.
• The Agency continues to be recognized as a best practice organization in the area of IT security. ITB IT security continues to provide IT security guidance for all projects at the CRA and leadership in investigating and deploying security solutions.
• ITB provided the Board with an overview of IT security at the CRA at its December 2009 meeting.

Sources of Evidence

• RIMC Report on Security Modernization
• RIMC Report on Secure Data Network Program
• IT Security Audit Follow Up Report
• December 2009 Security Overview Presentation

Key Questions 3: Does the Agency have in place feasible plans for managing the maintenance/development and or replacement of applications and infrastructure?

Response

• The Application Sustainability Program (ASP) was approved and launched in January 2009 with a multi-branch executive level steering committee established to pilot and refine the governance.
• The Application Sustainability Assessment Framework (ASAF) provides the vehicle for the ongoing assessment of CRA applications. This framework will provide the path to identify, measure and mitigate sustainability risks while facilitating the management decision-making process to prioritize work plans.
• 2008-2010 was the transitional start-up phase. Applications requiring renewal have been identified. Projects of low complexity and interdependency have been initiated. A high-level action plan is successfully underway to begin the scheduling and engagement of complex, highly interdependent applications.

Sources of Evidence

• ASP Governance Framework
• Individual Projects Life Cycle: Gating Process
• 2008 & 2009 Application Assessment Surveys
• 2008-10 Work Plan
• Preliminary 2010-11 Work Plan
• IT Architecture Roadmaps
• Central Budget
• IT Infrastructure Investment Plan

Date modified:

2010-11-15