INFORMATION TECHNOLOGY ASSET MANAGEMENT


  1. 1. AUDIT REPORT INFORMATION TECHNOLOGY ASSET MANAGEMENT Audit Services Division June 2009 Approved by Chief Public Health Officer on June 25, 2009
  2. 2. Information Technology Asset Management Table of Contents
     EXECUTIVE SUMMARY
     BACKGROUND
     AUDIT OBJECTIVES
     SCOPE OF AUDIT
     APPROACH AND METHODOLOGY
     AUDIT FINDINGS AND RECOMMENDATIONS
       MANAGEMENT FRAMEWORK AND ACCOUNTABILITY
         IT Asset Management Framework
         IT Asset Policies and Procedures
         IT Asset Processes
         Specific IT Asset Policy – Keeping IT Assets Current
       OPERATIONAL ACTIVITIES
         Acquisition Process
         Receiving and Warehousing
         Systems for Recording Inventory
         Surplus and Asset Disposal
         Recuperation of IT Assets on Departure
       ACCRUAL ACCOUNTING
     CONCLUSION
     APPENDIX A – AUDIT CRITERIA
     APPENDIX B – MANAGEMENT ACTION PLAN
     APPENDIX C – LIST OF ACRONYMS
     Cat: HP5-83/2-2009E-PDF ISBN: 978-1-100-12886-3 Audit Services Division – Public Health Agency of Canada June 2009
  3. 3. Information Technology Asset Management Executive Summary 1. The overall objective of the audit was to provide Public Health Agency of Canada (PHAC or the Agency) management with an assessment of whether the Agency’s Information Technology (IT) assets are being managed with due regard to economy and efficiency. This audit was conducted from January to June 2009. 2. The audit was PHAC-wide in scope and covered the IT asset management strategies and activities within the Agency from April 1, 2007 to March 31, 2009. This audit did not examine the controls for physical security of IT assets due to time constraints and significance. Management Framework and Accountability 3. The Agency does not yet have an IT asset management framework in place. We have noted that roles and responsibilities for managing and controlling IT assets are unclear and the accountability is scattered across PHAC. 4. Agency-specific IT asset management policies and procedures providing necessary linkages between management's objectives and materiel operations have not been developed. 5. IT asset management processes are neither well-organized nor well-documented. 6. Planning for necessary infrastructure hardware and software is well done. 7. Planning for desktop and laptop replacement is reactive because, as noted in paragraph 10 below, PHAC does not have a reliable inventory system for such hardware and does not have a formal desktop/laptop replacement policy. Consequently, Information Management/Information Technology (IM/IT) depends on the availability of lapsing year-end funds to initiate its desktop/laptop replacement actions. Operational Activities 8. The Agency follows the Public Works and Government Services Canada procurement guidelines and takes advantage of volume discounts when available.
  4. 4. Information Technology Asset Management 9. The receiving processes ensure that equipment received complies with the purchase order and is inventory tagged, and that tombstone data is recorded in the inventory systems. 10. Several automated processes and systems are used to produce inventories. The diversity of automated systems prevents the Agency from producing comprehensive, complete, reliable and accurate hardware and software inventories. 11. The Agency does not have standard and common processes, templates, and systems to control the hardware and software licenses. 12. In December 2008, the National Capital Region IM/IT assigned a dedicated Project Manager to reengineer its IT asset management processes and implement new software products. Accrual Accounting 13. PHAC does not have either the controls or information to properly record its IT assets in compliance with either Treasury Board Accounting Standards or generally accepted accounting principles. Conclusion 14. PHAC’s IT assets are not well managed or controlled. In order to rectify this situation, PHAC needs to assign responsibility for the management and control of IT assets to the Chief Information Officer, who may delegate certain processes to operational areas as appropriate. Further, the Chief Information Officer, the Director of Assets and Materiel Management and the Chief Financial Officer need to develop and implement an appropriate management and control framework for IT assets within a reasonable period of time. Management Response 15. The Agency’s management agrees with our findings and recommendations, and a management action plan is presented in Appendix B.
  5. 5. Information Technology Asset Management Background 16. It is important that Public Health Agency of Canada (PHAC or the Agency) achieve optimum economy and efficiency in acquiring, using and disposing of Information Technology (IT) assets. These assets are essential to enable PHAC to achieve its strategic goals. Significant resources, both human and financial, are required to manage IT assets effectively. 17. IT assets encompass desktop and laptop computers (commercial or scientific), display screens, mid-range computers and servers, networked printers, and telecommunication equipment such as routers and switches. It also refers to Commercial off-the-shelf software and licenses. 18. IT asset management includes a number of related functions, such as planning, acquiring, receiving, warehousing, recording, tracking, surplussing and disposing of IT assets. 19. PHAC IT assets are to be properly used to support the Agency’s programs, operations and activities and be consistent with the established government priorities and the Agency’s business plans. 20. Over the last twenty years, there have been significant advances in best practices for managing IT assets and in measuring and reporting on their performance. We have considered these advances in developing our recommendations for improvement. Audit Objectives 21. The objectives for this audit were: To assess the appropriateness of planning, policies, processes and internal controls designed to ensure that: • the investment in IT assets supports the achievement of PHAC’s strategic objectives; and • IT assets are managed with due regard to economy and efficiency. In this regard, the audit focused primarily on standardization, purchasing (including assessing prioritization processes and policies designed to keep systems current), and disposal of IT assets. 
To assess the appropriateness of accounting procedures and internal controls used to record the costs of IT assets, and to facilitate the reliable reporting of IT assets in the Agency’s Financial Statements. Audit Services Division – Public Health Agency of Canada 3 June 2009
  6. 6. Information Technology Asset Management Scope of Audit 22. The audit was PHAC-wide in scope and covered the IT asset management strategies and activities within the Agency from April 1, 2007 to March 31, 2009. This audit did not examine the controls for physical security of IT assets due to time constraints and significance. Approach and Methodology 23. This audit was conducted in accordance with the Treasury Board (TB) Policy on Internal Audit and the Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing, except that no external assessment was performed to demonstrate that PHAC’s internal audit function complied with the IIA Standards and Code of Ethics. 24. The audit criteria presented in Appendix A were based on relevant TB policies. The audit team used a combination of audit methodologies, including: • interviewing a total of 27 Agency managers and key personnel directly or indirectly responsible for IT assets, and requesting documentary evidence as required; • reviewing documents (policies, documented procedures and practices, reports, business cases, etc.) related to IT asset management operational activities at the Agency; • conducting site visits to the National Microbiology Laboratory (NML) and the Manitoba/Saskatchewan regional office; and • examining a sample of procurement documents for IT expenses reported in the accounting records in financial year (FY) 2007-08. 25. The audit was conducted from January to June 2009. Audit Findings and Recommendations Management Framework and Accountability 26. 
TB Policy on Management of Materiel holds the deputy heads responsible for ensuring that: a materiel management framework is in place that reflects an integrated approach to risk management; provides relevant performance information; sets out clear accountability and decision-making regimes that are consistent with organizational resources and capacity; and supports timely, informed materiel management decisions and the strategic outcomes of departmental programs. Audit Services Division – Public Health Agency of Canada 4 June 2009
  7. 7. Information Technology Asset Management 27. An IT asset management framework is a control structure set up by a department or agency to operationalize the TB policy direction to efficiently manage its IT asset and associated responsibilities in a sustainable and financially responsible manner. 28. At a minimum, an IT asset management framework consists of appropriate accountability and decision-making structures, clearly communicated authorities, segregated responsibilities, appropriate policies and practices, and appropriate management, financial, and materiel information systems that support informed decision-making and allows for adequate performance monitoring. IT Asset Management Framework 29. The Agency does not yet have an IT asset management framework in place. We have noted that roles and responsibilities for managing and controlling IT assets are unclear and the accountability for IT assets is scattered across PHAC. 30. The Chief Information Officer (CIO). The CIO’s work description dated June 13, 2008 indicates the CIO is responsible for all PHAC Information Management and Information Technology (IM/IT) activities and services, including IT assets. However, scientific projects/activities with IT components are managed within the program areas with little engagement of the CIO. The CIO manages mainly PHAC IT assets residing on the Health Canada (HC) corporate network. 31. NML. NML’s Procurement and Materiel Management unit reports to the NML’s Director of Business Operations Division. It delivers materiel management support and services for the Canadian Science Centre for Human and Animal Health (CSCHAH), and the Winnipeg IM/IT group. 
More specifically, this unit provides: • procurement services to staff located at the CSCHAH and to some extent (IT purchases higher than $5,000) to NML; and • shipping and receiving, inventory control including System Application Products (SAP) data entry, warehousing and asset disposal services to all PHAC employees located in Winnipeg. 32. Purchases under $5,000 are completed by the Programs Services group within NML. Audit Services Division – Public Health Agency of Canada 5 June 2009
  8. 8. Information Technology Asset Management 33. In terms of IT services, NML continues to fund and be responsible for the support of four Local Area Networks that are not connected to the corporate network, namely: • the Building Controls-Building Security Network; • the Bioinformatics Network; • the Operations Centre Audio Visual (AV) Network; and • the Science Network: The Network (including servers) is jointly managed by PHAC Corporate IM/IT and HC IM/IT. 34. In addition, there is significant infrastructure purchased by the Canadian Network for Public Health Intelligence (CNPHI) Development group which is funded by the NML. CNPHI development and production infrastructure is hosted on the Science Network and managed by the CNPHI Development group. About 2,500 users within PHAC external partner organizations connect to CNPHI using the Science Network's Internet connection which is being managed by PHAC IM/IT. 35. These NML networks contain many IT assets such as servers, desktops, routers and switches, storage area network and telecommunication equipment. 36. HC-PHAC Memorandum of Understanding (MOU). We noted that the March 31, 2005 MOU has not been reviewed and updated to reflect the Agency’s new environment, and evolving technology. The MOU states that HC responsibilities related to Asset Management include the development of policies, assistance during the procurement of goods, management of assets and inventory, and disposal of assets through Crown Assets. Examples of responsibilities are the management of Microsoft licences (Office Suite and Windows), the procurement of IT assets using the Departmental Individual Standing Offer (DISO) vehicle, and the disposal of IT assets to Public Works and Government Services Canada (PWGSC) Crown Asset and the Industry Canada Computers for Schools Program. 37. Regional Offices. In the six PHAC regional offices, the IT asset functions are mainly provided by two distinct entities. 
The Winnipeg IM/IT group provides the planning, acquisition, receiving and inventory services while the HC Information Management Services Directorate staff located near each regional office install hardware and software, transfer and move IT hardware, and dispose of and surplus equipment. Conclusion 38. While the CIO has been assigned responsibility for managing IT assets, in actual terms, the CIO has not been empowered to act on this authority. As a result IT asset management is fragmented and inconsistent across the Agency.
  9. 9. Information Technology Asset Management 39. For example, the existence of “islands of IT asset management” outside the purview of the CIO exposes PHAC to increased risk that IT assets may be poorly managed. Furthermore, it impedes the ability of the CIO to ensure that all IT assets are being used to support the Agency’s strategic objectives. 40. Additional risks linked to the disempowerment of the CIO include: • inability to achieve efficient and effective structured accountability and control of all IT assets, and • inability to establish a unique management control framework related to Agency-wide IT assets. 41. The need for one PHAC IT asset management framework is made even more important because of the geographic dispersal of IT assets across Canada. Recommendations 42. PHAC Executive Committee should affirm the authority and responsibility of the Chief Information Officer to manage and control Information Technology assets. This authority should be effectively communicated throughout PHAC. 43. The Chief Information Officer should, in cooperation with the Chief Financial Officer, develop and implement an appropriate Information Technology asset management framework. The framework should be consistent with Treasury Board policy and good industry practices. 44. PHAC Executive Committee should ensure that appropriate financial and human resources are provided to the Chief Information Officer to support the success of its Information Technology asset management strategy and to support the ongoing operational Information Technology asset life cycle activities. IT Asset Policies and Procedures 45. The following three sections comment on some specific IT Asset policies, procedures and processes that would be encompassed by the IT asset management framework discussed in the previous section. 
Audit Services Division – Public Health Agency of Canada 7 June 2009
  10. 10. Information Technology Asset Management 46. Agency-specific policies and procedures providing necessary linkages between management's objectives and materiel operations have not been developed to manage IT assets. The Agency’s IT asset management function operates within the framework of HC’s policy. The policies have not been updated by the Agency nor does the Agency currently have an inventory of the specific policies it has adopted. 47. It is important to note that the Assets and Materiel Management (AMM) Division responsible for the materiel management function was created approximately a year ago. AMM is currently completing a corporate policy document related to Asset Management based on central Agencies’ policies, including those that were originally created by HC. 48. The absence of such fundamental management structures has created an accountability vacuum within the Agency relating to the management of IT assets such as: • the Agency does not keep track of all its IT assets in SAP; • the inventory systems are not systematically identifying the surplus and disposed items; • the transfer of assets between locations or individual is not always recorded in the inventory; • an inventory tag is not always attached on every asset; and • the inventory information is not regularly validated with a physical count. 49. A further consequence of not having documented policies and procedures is the loss of corporate memory when experienced employees leave the Agency and the lack of an important framework to guide new employees who join the Agency. Recommendation 50. The Chief Information Officer should develop, seek approval for and communicate an appropriate suite of Information Technology asset management policies, practices, procedures and processes in compliance with the Agency Asset Management policy under development. IT Asset Processes 51. 
Numerous processes and procedures required to manage the IT assets are generally neither documented nor integrated on a common platform. We noted different processes, tools and systems to manage IT assets. Significant differences were noted between the processes in place at NML, Winnipeg IM/IT and NCR IM/IT. Audit Services Division – Public Health Agency of Canada 8 June 2009
  11. 11. Information Technology Asset Management 52. In December 2008, IM/IT assigned a dedicated Project manager to review the whole IT asset processes, leverage what had already been implemented by HC, and subsequently assess the feasibility of having a unique instance for its asset tracking and reporting method. 53. We concluded that current processes in place across the Agency were fragmented, not always documented and not based on the same platform. Additional information is provided under the section Operational Activities. Recommendation 54. The Chief Information Officer should reengineer all processes across the Agency to manage all Information Technology assets. Specific IT Asset Policy – Keeping IT Assets Current 55. Within the framework and suite of policies and procedures discussed above, there should be a policy on keeping IT assets current as part of supporting PHAC’s strategic objectives. This section explores PHAC’s current approach to this issue and makes further recommendations with respect to the need for this specific policy. 56. The CIO does an appropriate job of planning for the acquisition and upgrade of infrastructure IT assets. The impact of new IT application systems that will be rolled in to the network, the current performance of the network, planned expansion of the network, and necessary hardware and software upgrades to infrastructure assets are all analyzed in determining the best approach to keeping these important IT assets current. 57. However, PHAC does not have a formal replacement policy for end user computing (desktops, laptops, peripherals, etc). The CIO understands the importance of having such a policy, but PHAC has never allocated sufficient resources to allow such a policy to be implemented. As a result, the CIO does its best, on an ad hoc basis, to keep IT assets current by using year end funds that would otherwise lapse. 
In our view, this is not a sustainable practice and is inconsistent with the long-term interests of PHAC. 58. As part of this ad hoc process, CIO developed several justification documents to demonstrate the need to modernize a portion of PHAC hardware and software portfolio. However, none of the justifications were the result of a rigorous collection of user requirements. 59. They do, however, take into consideration such factors as the growth of the Agency workforce, the aging of some equipment, the increase in the number Audit Services Division – Public Health Agency of Canada 9 June 2009
  12. 12. Information Technology Asset Management of support calls to repair the equipment, equipment no longer covered by warranty, requirements related to new operational projects and the necessity to upgrade software due to lack of support of older version by suppliers. 60. The following factors should be considered in developing an IT asset replacement policy: • changes in end user requirements; • defining a minimum standard that is acceptable to PHAC; • availability of vendor support; • ability to meet PHAC’s need to take full advantage of current productivity tools; • impact of obsolete equipment on PHAC’s ability to meet strategic objectives; and • availability of funds for an evergreen policy. Recommendations 61. The Chief Information Officer should develop a recommended Information Technology asset replacement policy that meets the strategic needs of PHAC in an economical and effective manner. An estimate of required funding to implement the policy should accompany the recommendation to the Resources Planning Management Committee. 62. PHAC Executive Committee should explicitly document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with PHAC’s tolerance for operational and Information Technology risks. Operational Activities Acquisition Process 63. The Agency acquisition processes comply with TB and PWGSC rules and regulations. IT assets are acquired by using PWGSC negotiated standing offers. Standing offers are agreements between PHAC, HC and potential suppliers for the supply of specified IT assets. They outline the terms and conditions applying to future requirements to be ordered on an "as and when required" basis. There are many types of standing offers and the type used depends on the geographical area involved (i.e. regional or Canada-wide). 
The PHAC or HC standing offers include the negotiated hardware and software standards including, individual components of IT hardware, and software assets. Audit Services Division – Public Health Agency of Canada 10 June 2009
  13. 13. Information Technology Asset Management 64. Several policies and guidelines exist to document rules and regulations relative to the acquisition of tangible assets. Our assessment of current practices revealed that they comply with the established policies or guidelines. 65. For major IT asset expenditures such as computers, IM/IT used the Request for Volume Discount (RVD) method as it provides the best value to the Crown and provides for continued replacement of computer equipment through bulk-buy arrangements with suppliers. 66. The IT asset acquisition methods being used by NML and Winnipeg IM/IT Directorate vary slightly but comply with the established guidelines. 67. Whenever NML wishes to acquire its own IT assets, the NML Manager Program Services transmits the acquisition request to the Winnipeg - IM/IT Chief of Informatics, Laboratories and Regions. Once approved, it is transmitted to the NCR - IM/IT, IT/Chief, IT Operations Supports for further approval and processing. 68. Within NCR, the majority of IT acquisitions (except the ones using credit cards) are centralized in IM/IT. Business and IT managers send their IT acquisition requests to their respective cost centre managers and then the acquisition requests are forwarded to the Administration Officer responsible for processing the IM/IT acquisition transactions. 69. Both groups involved in the acquisition process follow the policy and guidelines established by PWGSC by using the right mechanisms (RVD, National Master Standing Offer, Departmental Individual Standing Offer (DISO), Standing Offer, etc.) and following the right guidelines and procedures. 70. For software acquisition, the same processes are followed by NML and IM/IT except that the HC Enterprise Hardware Software Management (EHSM) has the final approval over the acquisition as opposed to the PHAC IM/IT group. Up to February 27, 2009, IM/IT relied on the HC EHSM group to acquire software specified in the DISO. 
However, as of March 1, 2009, HC dismantled this group. Considering that PHAC was not given the authority to process its own software purchases using the HC DISO, PHAC needs to negotiate this authority with PWGSC. In the interim, HC agreed to continue offering the software purchases using the DISO services. 71. By using the standing offers acquisition methods, PHAC ensures that established standards are followed; however, there are circumstances where users can purchase their own IT assets. These situations mainly occur when the IM/IT in-stock inventory of IT assets acquired with year-end funds is depleted. Considering that IM/IT does not have additional funds to buy new IT assets, user groups requiring additional IT assets become autonomous and buy their own assets.
  14. 14. Information Technology Asset Management 72. The risk associated with the individual acquisition process is that users might not systematically validate the IT asset technical components with IM/IT and deviate from the established IT standards. 73. We concluded that the acquisition process for IT assets complied with Government of Canada policies. Receiving and Warehousing 74. We noted that received equipment complied with the purchase orders and is inventory tagged, and that tombstone data is recorded in the inventory systems. Different receiving methods are in place within PHAC depending on the work location. 75. Prior to the 2008-09 Request for Volume Discount (RVD) acquisition process (February-March 2009), IT hardware assets that were bulk-purchased were all received and processed by IM/IT representatives located in NCR. Upon receipt, the IM/IT staff verify the purchase orders, tag the new equipment with a unique inventory number, record the information in the Asset Management Application (AMA) system (not SAP), store the new equipment in the NCR-IM/IT mini wired-cage warehouse or at the rented All Continent warehouse location depending on the volume of items received, and ship new assets to any user sites (NCR, NML or regions) on request. When users receive their new hardware, they call the Helpdesk Support Group requesting the installation of the new hardware. At installation time, IM/IT captures additional information and uses it to update the inventory system. 76. In February 2009, IM/IT put out a request for proposal (RFP) for a $500,000 RVD to acquire new IT assets. 
The RFP stated that the winning supplier will be expected to place an inventory tag on each item and configure each IT asset as specified by IM/IT. It will store the IT assets on its premises until a request is received to ship the assets to a specified information for each IT asset to NCR - IM/IT for recording in the inventory system. It is expected that these new procedures will significantly reduce PHAC’s administrative workload and improve the reliability of inventory records. 77. Older hardware returned to the warehouse for surplus are stored in the warehouse and the IT asset status code is flagged as “surplus” in the Audit Services Division – Public Health Agency of Canada 12 June 2009
  15. 15. Information Technology Asset Management inventory database. When the IT assets are disposed of, the IT asset status code is identified as “inactive”. 78. Berry Road Warehouse in Winnipeg. The Berry Road warehouse in Winnipeg provides central receiving and warehousing services to the NML and the Manitoba/Saskatchewan Regional Office. All goods received (except specimens) are processed at the warehouse. IT assets are checked against purchase orders. The IT assets are then tagged with a unique inventory number and the asset information is recorded in the SAP financial system. It is then delivered to users or stored in the warehouse awaiting a request to deliver the equipment to specific users. The Warehouse Manager ensures that all in/out movements of IT assets are tracked in the inventory system. 79. When surplus equipment is received at the Berry Road warehouse, the SAP inventory information is updated to indicate that the IT asset is inactive. However, an inventory list of surplus IT assets on hand is not maintained. 80. When users receive their new hardware, a Helpdesk Support call is made requesting the hardware to be configured and installed on the network. At this time, additional information is captured by IM/IT, and the information is transmitted to the warehouse staff to update the SAP inventory system. 81. NCR. In NCR, users control a few wired-cage warehouses located in basements of buildings. They store surplus or IT assets awaiting disposal. 82. Our analysis of current process led us to conclude that the receiving of IT assets is the foundation of IT asset inventory. With the new RVD process, IM/IT put in place more efficient processes to ensure that IT assets are inventoried while decreasing its workload, asset manipulation, and operational costs. Systems for Recording Inventory 83. Several automated systems (SAP, HP Asset Centre, and various Spreadsheets) are used to record inventory information for hardware and software. 
As noted previously, the Agency is unable to produce comprehensive, complete, reliable and accurate inventories of its IT assets. The purpose of this section is to provide a more in-depth analysis of the current situation.

84. Hardware Inventory in Winnipeg. In Winnipeg, the Berry Warehouse Support Group maintains the IT hardware information in the SAP system. It records the tombstone asset information when assets are received and updates it
when IM/IT staff provides them with information concerning the location and the movement of the IT assets.

85. Hardware Inventory in NCR. In the summer of 2006, IM/IT developed an in-house IT asset tracking system entitled AMA. Information on end user IT assets in the NCR was recorded in this system.

86. While the AMA system provided basic information, it did not provide the functionality provided by modern off-the-shelf software. The data in AMA was inconsistent and, as of March 6, 2009, AMA was abandoned and replaced by the HP Asset Centre system, part of the HP Openview family of software.

87. The HP Asset Centre is a database containing the information on IT assets. It includes several IT asset management functions such as contract management, procurement, software management, financial information, etc. In addition to tombstone information on each asset, it can manage variable information such as movement of assets between offices, surplus and disposal.

88. To produce its hardware inventory, IM/IT intends to use the new HP Enterprise Discovery software, part of the HP Openview family of software. This is a powerful Web-based software tool that, when installed on the network, scans the network to detect all IT hardware and software assets, updates the Asset Centre database with the current asset information, and flags variances. Asset inventories are then produced using the HP Asset Centre database.

89. The anticipated benefits of adopting the HP Openview software are numerous. One of the highest anticipated benefits is the timeliness of information provided by the automated HP Enterprise Discovery capabilities. It will provide the most benefit to PHAC by automatically and accurately detecting IT asset changes.
With further process implementation effort and data management effort by PHAC, the Enterprise Discovery engine can track hardware movement through a programmed reconciliation process. Commercial off-the-shelf software applications can be identified and located, and software license compliance can be monitored.

90. However, as of May 2009, IM/IT does not have access to or control of all PHAC networks. NML established and maintains four separate networks, namely the:
• Science Network;
• BioInformatics Network;
• Building Controls-Building Security Network; and
• Operations Centre Audio Visual (AV) Network.

91. Consequently, unless connections are established to link all PHAC current networks, IM/IT is not in a position to produce a comprehensive inventory of all IT assets.

92. In December 2008, NCR IM/IT assigned a dedicated Project Manager to reengineer its IT asset management processes and implement the new HP software products. No internal processes for HP software products existed prior to a Project Manager being assigned to focus on this area. Existing processes focused on manual processes or on disparate databases being used to track IT assets. However, the in-house expertise on the HP software is limited at PHAC considering that both HP software products are housed, managed, maintained, updated and supported by HC staff. PHAC staff has had limited exposure to the new HP products and, until recently, relied on HC expertise to use the system. Unfortunately for PHAC, at the beginning of March 2009, HC ended the support of its long-term contractors to further enhance and maintain the current HP software, leaving only two internal staff with the responsibility to manage and support the systems.

93. The introduction of HP Asset Centre added to the complexity of managing IT assets, as the Agency supports two major distinct systems used to maintain its IT asset inventory.

94. We concluded that by replacing the AMA system with the HP Asset Centre system, IM/IT gained much functionality to manage its assets. However, to produce a comprehensive inventory of all PHAC-wide IT hardware and software assets, IM/IT needs to develop and document a clear strategy.

95. Considering that the five PHAC networks are not all inter-connected, there is a risk that a comprehensive inventory of IT assets will not be produced.

96. Inventory of Software.
Various PHAC groups (NCR-IM/IT Desktop Support, NCR-IM/IT Network Management, AMM, or IM/IT Winnipeg) use different methods/tools to track software inventory using Microsoft (MS) Excel spreadsheets, MS-Access databases, in addition to simple paper-based records. Information is not shared or consistent across inventory systems.

97. Within PHAC, there are two types of licenses: hardware and software related. The audit attempted to examine the processes associated with the management of software. However, due to the multitude of software licenses
in place (probably in excess of fifty) and the diversity of processes involved, we did not undertake a detailed examination.

98. Up to February 27, 2009, the HC EHSM provided the acquisition and inventory services for the Microsoft products, acquired software specified in the DISO, and produced the inventory of Microsoft Windows and Microsoft MS Office licenses. However, as of March 1, 2009, HC dismantled this group and PHAC negotiated with HC the continuity of these services until PHAC negotiates with PWGSC its own authority to purchase software using the HC DISO.

99. The analysis of license inventory reports demonstrated the absence of standard and common processes, templates, and systems to control the licenses.

Conclusion

100. The management of software licenses is one of the highest risks (if not the highest) and challenges for IT asset management. Its management processes have to be rigorously controlled to ensure that contractual limitations are thoroughly complied with and not infringed. Otherwise, financial and reputational consequences could be experienced. Considering the high level of risk, control processes need to be reengineered.

Recommendation

101. The Chief Information Officer should develop and implement a comprehensive strategy to manage and control the hardware and software inventories for all PHAC Information Technology assets.

Surplus and Asset Disposal

102. Surplus IT assets are stored at the Winnipeg Berry warehouse or the NCR mini-warehouses awaiting data purging. In compliance with the TB Directive on Disposal of Surplus Material, the surplus IT assets are purged of their data prior to shipping them to HC. This process is not systematically done for desktops and laptops that were not purchased by IM/IT. When IM/IT Desktop Support staff replaces older desktops, laptops or servers, these are sent to the warehouse awaiting data purification.

103.
When the Winnipeg Berry warehouse receives older equipment, it is flagged as surplus in the SAP system. Consequently, this surplus hardware is no longer included in any active inventory list. However, a list
of surplus IT assets is not produced and is not available. In compliance with the Directive on Disposal of Surplus Material, the Agency offers all its surplus personal computers, laptops, and other IT equipment to the Industry Canada Computers for Schools Program. Prior to disposing of this equipment, the Warehouse staff initiates a data purification process to back up all data on a corporate electronic folder prior to removing this data from the computer hard drives and memory. When schools decline the surplus equipment, it is sent to PWGSC, Crown Assets.

104. The IM/IT staff collects the older desktops and laptops when they replace them with newer ones and stores them in their mini-warehouse. When equipment is sent to the mini-warehouse, the asset is not identified as surplus in the inventory system. As in Winnipeg, surplus equipment is kept in storage until the volume of surplus equipment becomes large enough to initiate the data backup of all information contained on the equipment and the sanitizing of data from hard disks and memory. Then the equipment is disposed of by offering it to schools first, and sending it to Crown Assets when schools refuse it.

105. For surplus IT assets that are controlled by users (such as printers, and some laptops), equipment might be sent to their own mini-warehouses awaiting disposal. This equipment is not identified as surplus in the inventory system. The audit was unable to confirm whether this surplus equipment was sanitized prior to disposing of it.

106. When data is not removed from desktops, laptops or servers prior to disposing of them, security risks occur:
• the privacy and security of information may be compromised;
• PHAC’s reputation might be attacked when data is found on PHAC surplus equipment; and
• the inventory list might contain surplus equipment when assets are not identified as surplus in the inventory database.

107.
We concluded that risks exist that surplus equipment was disposed of prior to backing up and sanitizing data from hard disks and memory.

Recommendations

108. All surplus Information Technology assets should be sent to Information Management/Information Technology to ensure that data is backed-up and sanitized prior to disposing of them to Crown Assets or Health Canada.
109. Information Technology assets that are sent to surplus should be identified as surplus in the inventory database.

Recuperation of IT Assets on Departure

110. Considering the state of the hardware inventory, PHAC does not have the assurance that all assets are recuperated when staff or contractors leave the organization.

111. As previously outlined in this report, PHAC’s hardware inventory is not accurate. Furthermore, we noted that some IT assets were purchased by users and have not been inventory tagged or recorded in an inventory system. This hardware has been lent to staff for home or office usage and no record exists to demonstrate that these staff have possession of these assets.

112. The absence of tracking information on assets that have been lent to staff creates opportunities for losing the asset.

113. We concluded that current inventory processes did not provide the assurance that all of PHAC’s assets will be recuperated when an employee or a contractor leaves the organization.

Recommendation

114. The Chief Information Officer should implement tracking systems for Information Technology assets lent to staff.

Accrual Accounting

115. The Agency has not yet completed a suite of policies and procedures that address accounting for capital assets. As stated earlier in this report, the Agency’s IT asset management function operates within the framework of HC’s assets management policy, which also provides information on the accounting for capital assets.

116. Furthermore, we also noted in this report that the AMM is currently developing a PHAC corporate policy document related to Asset Management.

117. TB policies and standards require departments to establish procedures to account for their capital assets, namely to:
• ensure all costs required to make a capital asset operational have been recorded in the value of the assets; and
• ensure to differentiate between betterments, which are capitalized, and repairs and maintenance, which are expensed.

118. TB and Generally Accepted Accounting Principles (GAAP) define capital assets generally as any asset which has been acquired, constructed or developed with the intention of being used on a continuous basis and is not intended for resale in the ordinary course of business. Capital assets also include betterments, which are expenditures enhancing the service potential of the asset.

119. TB also requires departments to capitalize the following costs related to software:
• direct internal and external costs related to application development and implementation activities such as design of software configuration, coding, installation to hardware, training specific to implementation, etc.;
• one-off licensing fee in order to use the software; and
• upgrades and enhancements, which are defined as modifications to enable the software to perform tasks that it was previously incapable of performing.

120. Finally, TB and GAAP require departments to use consistent criteria in determining whether particular costs represent capital assets or current period expenses.

121. The Agency’s continuing process of creating itself as a stand-alone agency since 2004 accounts in part for the absence to date of PHAC policies and procedures for IT assets.

Threshold Value

122. Consistent with TB guidelines, PHAC’s accounting policy is to capitalize IT hardware and software acquisitions that have a useful life in excess of one year and a unit cost greater than or equal to $10,000.

123. TB policy allows departments to establish a lower threshold than $10,000. In addition, they may also establish a lower and/or varying lower threshold for different asset classes but these must be consistent from year to year.

124.
To date, the Agency has not documented its rationale for utilizing the standard TB approach nor made a formal assessment as to whether it might be more appropriate to vary the TB approach as permitted by TB.
Whole Asset vs. Component Approach

125. Capital assets can be recorded using the whole asset or component approach. The whole asset approach considers an asset as an assembly of connected parts as one asset. The component approach sees each of the parts as an asset to be capitalized individually. Both approaches are equally acceptable under TB standards.

126. Interviews indicated that the Agency uses the component approach. However, once again there has been no analysis to determine whether this is the best approach for PHAC and there is no formal policy approving the approach chosen.

Identifying Capital Costs

127. An Asset Master Record (AMR) is supposed to be created for all capital assets prior to committing funds for the acquisition or development of the capital asset. Capitalization and amortization of capital assets are based on the AMR files and, therefore, the integrity of the AMR files is critical for proper accrual accounting. The capturing of this information assists the Agency in preparing its Statement of Financial Position.

128. Interviews indicated that the creation of an AMR is a shared responsibility within PHAC (NCR, laboratories and regions) and HC. The Cost Centre Manager (CCM) obtains an AMR number from the following functional authorities:
• Assets and Materiel Management Division for NCR and the Laboratory for Foodborne Zoonoses (including the two satellite laboratories);
• Financial Policy, Operations, and Systems Division in Winnipeg for NML and the Winnipeg/Saskatchewan region; and
• HC Regional Senior Financial Officer for PHAC’s other regional offices.

129. The Asset Accounting module of SAP automatically requests an AMR number when a CCM enters a code using a capital asset account in SAP. However, SAP does not have a built-in control to detect capital purchases that have erroneously been recorded as period expenses.

130.
The Agency’s unaudited financial statements provide the following information on the IT capital assets for the year ended March 31, 2008 (as explained in Table 1).
Table 1 – IT Capital Assets for the FY 2007-08

| Capital Assets | April 1, 2007 Cost | Acquisitions | March 31, 2008 Cost | Accumulated Amortization | Net Book Value |
|---|---|---|---|---|---|
| Computer equipment | $ 3,074,332 | $ 76,494 | $ 3,150,826 | $ 2,552,891 | $ 597,935 |
| Computer software | 1,042,061 | 35,110 | 1,077,171 | 925,483 | 151,688 |
| Total | $ 4,116,393 | $ 111,604 | $ 4,227,997 | $ 3,478,374 | $ 749,623 |

131. In FY 2007-08, IT purchases [1] totalling $10.6 million were recorded in various IT expense accounts in SAP. An analysis of 28 purchases amounting to $3.9 million (having a unit cost greater than or equal to $10,000) revealed the following:
• 25% of these expenses by dollar value ($968,307) should have been recorded as IT capital assets (as explained in Table 2);
• 4% of these expenses by dollar value ($174,436) should have been recorded as leasehold improvements; and
• there was no documented evidence to support the accounting treatment chosen.

Table 2 – IT Expenses That Should Have Been Capitalized in FY 2007-08

| Type of Asset | Amount |
|---|---|
| Computer equipment | $ 495,146 |
| Computer software | 159,500 |
| One-off licensing fee in order to use a software | 313,661 |
| Total | $ 968,307 |

132. The current decentralized structure of the Agency accounts in part for the:
• roles and responsibilities not being clearly articulated;
• significant number of CCMs involved in IT purchases;
• lack of integration of the financial and materiel management systems;
• lack of central coordination for managing AMR files, and for providing functional direction and guidelines; and
• possible lack of consulting from CCMs with AMM and IM/IT for advice concerning capital asset identification.

[1] Excludes direct internal and external costs related to application development and implementation activities such as design of software configuration. These costs (i.e. payroll and payroll related costs, professional fees, etc.) could not be identified in SAP, as noted in paragraphs 132, 133 and 134.
133. Further, in our view, the following items add to the complexity of the asset capitalization process:
• asset capitalization procedures are not sufficiently explicit on how they are to be interpreted from a policy perspective by the CCMs;
• lack of guidance on distinguishing between betterments or repairs and maintenance;
• compliance with TB policies and standards may not be well understood;
• improper or absence of validation of financial coding when CCMs sign Section 34 of the FAA;
• possible lack of awareness of TB policies and standards and HC’s assets management policy;
• lack of a suitably rigorous process for identifying costs to be capitalized that can withstand audit (i.e. time records, review and approval of costs charged by management of the project, etc.);
• absence of monitoring to ensure that assets processes are well understood and complied with; and
• no physical verification of asset holdings.

134. In the absence of detailed written policies and procedures, there is an undue risk that CCMs will continue to inconsistently account for, record and report IT assets. This inconsistency adversely impacts the integrity of the AMR files and the accuracy of the Agency’s Financial Statements and Public Accounts submissions.

135. Many of the recommendations made previously in this report will improve the control over the reporting of IT assets. The following are additional recommendations intended to address reporting of IT assets specifically.

Recommendations

136. The Director, Assets and Materiel Management and the Chief Financial Officer should complete, seek approval for and communicate the Asset Management Policy to include detailed procedures and guidance to properly account for Information Technology assets. Policy, procedures and guidance should be consistent with Treasury Board relevant policies and standards on capital assets and software, and generally accepted accounting principles.

137.
The Director, Assets and Materiel Management should monitor compliance with the policy by conducting regular reviews and annual physical asset inventory count.
138. The Chief Financial Officer should perform a review of the Information Technology expenses for the last financial year in order to identify unrecorded Information Technology assets.

Conclusion

139. PHAC’s IT assets are not well managed or controlled. In order to rectify this situation, PHAC needs to assign responsibility for the management and control of IT assets to the CIO, who may delegate certain processes to operational areas as appropriate. Further, the CIO, the Director of AMM and the Chief Financial Officer (CFO) need to develop and implement an appropriate management and control framework for IT assets within a reasonable period of time.

Acknowledgments

140. We wish to express our appreciation for the cooperation and assistance afforded to the audit team by management and staff during the course of this audit.
Appendix A – Audit Criteria

Objective 1

To assess the appropriateness of planning processes and Public Health Agency of Canada policies, procedures and internal controls designed to ensure that:
• The investment in IT assets supports the achievement of PHAC’s strategic objectives; and
• IT assets are managed with due regard to economy and efficiency.

In this regard, the audit will focus primarily on standardization, purchasing (including assessing prioritization processes and policies designed to keep systems current), and disposal.

Criteria

Management Framework and Accountability

IT Asset Management Framework

A management framework for the IT assets has been developed, is in place and meets the needs of the Agency.
a. Responsibility, authority, and accountability for IT asset management have been clearly established.
b. An IT manager has been appointed and given responsibility to co-ordinate and direct the implementation of the IT portion of the government Materiel Management Policy.

IT Asset Policies, Procedures and Processes

Policies and processes are in place to manage the IT asset life management cycle.
a. The Agency uses the TB policy manuals and/or has developed its own IT asset management manual and/or set of procedures.
b. Agency’s IT asset policies are based on TB policy documents.
c. Processes have been developed, documented, and are used to manage the IT asset life cycle.
Specific IT Asset Policy – Keeping IT Assets Current

IT asset requirements are assessed and planned.
a. IT asset needs are assessed in relation to program administration and operational requirements.
b. IT asset requirements are identified and defined in terms of performance specifications.
c. Use of IT asset resources is forecast, and major items are assessed and ranked in terms of program and operational requirements.
d. An IT replacement policy and guidelines are used to ensure that the IT asset inventory remains adequate and its performance remains adequate.

Operational Activities

Acquisition Process

Acquisition of IT asset, whether by the Agency or PWGSC, is economical, efficient and effective.
a. Standards have been developed, documented, and followed when acquiring IT hardware and software.
b. Methods of meeting IT asset requirements are analyzed, and the best options chosen.
c. Selection of IT asset to be acquired is based on requirements assessments and performance specifications.
d. Acquisition transactions are planned and executed based on service levels established in relation to lead time, quality, reliability, delivery or performance.

Receiving and Warehousing

The operation, utilization and storage of IT asset are efficient, effective and timely.
a. The allocation, distribution, and scheduled use of IT asset are based on program or operational needs and requirements assessment; reallocations are made in cases of under-utilization.
b. Delivery of IT asset is followed-up (where necessary) and goods are inspected on delivery to ensure that IT asset received is the materiel contracted for.
Systems for Recording Inventory

The operation, utilization and storage of IT asset are efficient, effective and timely.
a. Records are maintained, using automated information systems where practical and cost-effective, to track inventory and to monitor costs, utilization including the level of IT asset turnover, losses, and equipment performance.
b. The management of IT software licenses is efficient and ensures compliance with existing license agreements.

Surplus and Asset Disposal

Replacement and disposal of IT asset are economic and efficient.
a. Opportunities are identified for the reallocation or disposal of excess IT asset materiel.
b. Surplus IT asset which is no longer needed is disposed of, as well as the storage space that becomes redundant.
c. IT asset is disposed and replaced at optimum time in the life-cycle to ensure that maximum benefits are achieved.

Recuperation of IT Assets on Departure

The operation, utilization and storage of IT asset are efficient, effective and timely.
a. IT assets loaned to staff and contractors are recuperated when people leave the organization.

Objective 2

To assess the appropriateness of accounting procedures and internal controls used to record the costs of IT assets, and to facilitate the reliable reporting of IT assets in the Agency’s Financial Statements.

Criteria

Accrual Accounting

Appropriate procedures are in place for accounting IT assets, based on relevant TB policies and standards on capital assets and software, and generally accepted accounting principles.
Appendix B – Management Action Plan

Each entry below gives the recommendation (by report paragraph number), the Officer of Prime Interest, the target date, and the management response.

Information Technology Asset Management Framework

Recommendation 42. PHAC Executive Committee should affirm the authority and responsibility of the Chief Information Officer to manage and control Information Technology assets. This authority should be effectively communicated throughout PHAC.
Officer of Prime Interest: Senior Assistant Deputy Minister (SADM)
Target Date: July 2009
Management Response: Agree. The Executive Committee (EC) will affirm the authority and responsibility of the Chief Information Officer (CIO) to manage and control Agency-wide IT assets.

Recommendation 43. The Chief Information Officer should, in cooperation with the Chief Financial Officer, develop and implement an appropriate Information Technology asset management framework. The framework should be consistent with Treasury Board policy and good industry practices.
Officer of Prime Interest: CIO and Chief Financial Officer (CFO)
Target Date: Draft by April 2010
Management Response: Agree. An IT asset management framework will be developed and presented to IM/IT Management Committee (MC) for endorsement/approval. Based on recommendation from 42, roles and responsibilities will be adjusted accordingly.

Recommendation 44. PHAC Executive Committee should ensure that appropriate financial and human resources are provided to the Chief Information Officer to support the success of its Information Technology asset management strategy and to support the ongoing operational Information Technology asset life cycle activities.
Officer of Prime Interest: SADM
Target Date: September 2009
Management Response: Agree. The EC based on PHAC priorities and available resources will provide the financial and human resources to the CIO to support the success of its IT asset management strategy and the ongoing operational IT asset life cycle activities.

Information Technology Asset Policies and Procedures

Recommendation 50. The Chief Information Officer should develop, seek approval for and communicate an appropriate suite of Information Technology asset management policies, practices, procedures and processes in compliance with the Agency Asset Management policy under development.
Management Response: Agree.
a) IM/IT is in the process of developing and documenting a suite of IT asset management protocols, processes and procedures for IT asset management and will store these documents in a central repository. (Officer of Prime Interest: CIO. Target Date: Started in October 2008 and targeted for completion December 2009.)
b) The Office of the Chief Information Officer (OCIO) will seek endorsement of Agency-wide IT asset management processes, procedures and protocols. (Officer of Prime Interest: CIO. Target Date: February 2010.)
c) Upon endorsement, the OCIO will communicate appropriate new practices to Officers of Prime Interest (OPI) identified in the PHAC IT asset management framework. (Officer of Prime Interest: CIO. Target Date: Starting May 2010.)

Information Technology Asset Processes

Recommendation 54. The Chief Information Officer should reengineer all processes across the Agency to manage all Information Technology assets.
Management Response: Agree.
a) IM/IT will standardize asset management procedures understanding the unique requirements of the centralized warehousing infrastructure established in Winnipeg for the National Microbiology Laboratory and the decentralized infrastructure used in the National Capital Region and Regional locations. (Officer of Prime Interest: CIO. Target Date: February 2010.)
b) Procedures will be established to manage and track priority IT assets as defined below, while the Offices of Prime Interest identified in the PHAC IT asset management framework will be responsible for non-priority IT assets. (Officer of Prime Interest: CIO. Target Date: May 2010.)

Definition of priority IT assets:
• network connected servers;
• network connected routers;
• network connected switches;
• Blackberrys;
• network connected desktops;
• network connected laptops;
• desktop/laptop software;
• server software;
• hardware and software maintenance contracts; and
• network connected printers.

Items not included as priority IT assets include remote site workstations, work-at-home PCs, “unmanaged” software, desktop peripherals (keyboards, mice, etc.), local printers, other attractive assets.

The implementation of standardized procedures will be dependent upon endorsement of an IT Asset Management Framework and the required operational funding to sustain centralized management and tracking.

Specific Information Technology Asset Policy – Keeping Information Technology Assets Current

Recommendation 61. The Chief Information Officer should develop a recommended Information Technology asset replacement policy that meets the strategic needs of PHAC in an economical and effective manner. An estimate of required funding to implement the policy should accompany the recommendation to the Resource Planning Management Committee.
Officer of Prime Interest: CIO
Target Date: November 2009
Management Response: Agree. The IM/IT Directorate will develop two separate evergreening strategies to accommodate acquisition and replacement of: (a) attractive assets, and; (b) capital assets. The evergreening strategies will be presented to IM/IT MC for endorsement and Resource Planning Management Committee (RPMC) for approval and funding consideration.

Recommendation 62. PHAC Executive Committee should explicitly document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with PHAC’s tolerance for operational and Information Technology risks.
Officer of Prime Interest: SADM
Target Date: December 2009
Management Response: Agree. The EC will document the rationale for its decision to implement or modify the recommended policy so that the decision can be placed in context with PHAC’s tolerance for operational and IT risks.

Systems for Recording Inventory

Recommendation 101. The Chief Information Officer should develop and implement a comprehensive strategy to manage and control the hardware and software inventories for all PHAC Information Technology assets.
Officer of Prime Interest: CIO
Target Date: Strategy Completed. Full implementation targeted for May 2010.
Management Response: Agree. IM/IT will implement a strategy to manage and control hardware and software inventories acquired, managed and/or controlled by IM/IT. These strategies will have the capability to be leveraged Agency-wide pending endorsement/approval of a PHAC IT asset management framework and required resources and funding to carry out the work.

The comprehensive strategy will include SAP for financial management and tracking (acquisition, depreciation) of IT assets while a complementary system will be used for IT asset lifecycle management (acquisition, deployment, operation, replacement/disposal) of IT assets.

The asset lifecycle management system will manage and track priority IT assets (see paragraph 54 for definition of priority IT assets) while the combination of SAP and the Offices of Prime Interest will be used to manage non-priority IT assets.

Surplus and Asset Disposal

Recommendation 108. All surplus Information Technology assets should be sent to Information Management/Information Technology to ensure that data is backed-up and sanitized prior to disposing of them to Crown Assets or Health Canada.
Officer of Prime Interest: CIO
Target Date: August 2009
Management Response: Agree. A process will be documented and implemented to ensure all surplus IT assets are sent to the IM/IT so that data is backed-up and sanitized prior to transfer to Crown Assets or HC for disposition.

Recommendation 109. Information Technology assets that are sent to surplus should be identified as surplus in the inventory database.
Officer of Prime Interest: CIO
Target Date: September 2009
Management Response: Agree. IM/IT will implement measures to reconcile surplused assets managed by/or routed through IM/IT. These assets will be tagged as surplus and recorded in an inventory database.

Recuperation of Information Technology Assets on Departure

Recommendation 114. The Chief Information Officer should implement tracking systems for Information Technology assets lent to staff.
Officer of Prime Interest: CIO
Target Date: June 2010
Management Response: Agree. A process, including a proposed system, will be developed to track IT assets lent to staff. The solution will be presented to IM/IT MC for endorsement and subsequent approval by RPMC. A system to track these items will be dependent upon approval of an IT asset management framework and associated
  35. 35. Information Technology Asset Management Officer of Prime Recommendations Management Response Interest Target Date funding for system implementation, licensing and resources to support tracking and monitoring of these assets. Accrual Accounting 136. The Director, Assets and Materiel Agree. a) Obtain approval for PHAC Dir, AMM May 27, 2009 Management and the Chief Financial Officer Asset Management Policy, which outlines should complete, seek approval for and requirements for identifying all capital communicate the Asset Management Policy assets valued over $10,000 and to include detailed procedures and guidance centralizes creation of asset master to properly account for Information records to the PHAC Assets and Materiel Technology capital assets. Policy, Management (AMM) division, from PHAC procedures and guidance should be Public Health and Policy Committee. consistent with Treasury Board relevant policies and standards on capital assets and b) Integrate capital asset requirements Dir, AMM July 2, 2009 software, and generally accepted accounting into procurement training. principles. c) Develop capital assets Dir, AMM and August 30, 2009 procedures/guidance document to CFO complement PHAC Assets Management Policy. d) Launch of materiel management Dir, AMM and August 30, 2009 intranet site and formal implementation of CFO policy and procedures. 137. The Director, Assets and Materiel Agree. a) Complete of annual Capital Dir, AMM November 30, Audit Services Division – Public Health Agency of Canada 33 June 2009
  36. 36. Information Technology Asset Management Officer of Prime Recommendations Management Response Interest Target Date Management should monitor compliance with Asset Inventory Verification for assets 2009 the policy by conducting regular reviews and valued over $10,000. annual physical asset inventory count. b) Implement a semi-annual asset Dir, AMM July 31, 2009 inventory reports to cost centre managers 138. The Chief Financial Officer should perform a Agree. FY 2008-09 Information CFO October 31, review of the Information Technology Technology expenses exceeding $10,000 2009 expenses for the last financial year in order will be reviewed to identify potential to identify unrecorded Information unrecorded capital assets Technology capital assets. Audit Services Division – Public Health Agency of Canada 34 June 2009
  37. 37. Information Technology Asset Management

Appendix C – List of Acronyms

Agency: Public Health Agency of Canada
AMA: Asset Management Application
AMM: Assets and Materiel Management
AMR: Asset Management Record number
CCM: Cost Centre Manager
CIO: Chief Information Officer
CFO: Chief Financial Officer
CNPHI: Canadian Network for Public Health Intelligence
CSCHAH: Canadian Science Centre for Human and Animal Health
DISO: Departmental Individual Standing Offer
EC: Executive Committee
EHSM: Enterprise Hardware Software Management
FY: Financial Year
GAAP: Generally Accepted Accounting Principles
HC: Health Canada
HP: Hewlett Packard
IM/IT: Information Management/Information Technology Directorate
IT: Information Technology
MC: Management Committee
MOU: Memorandum of Understanding
MS: Microsoft
NCR: National Capital Region
NML: National Microbiology Laboratory
OCIO: Office of the Chief Information Officer
OPI: Officer of Prime Interest
PHAC: Public Health Agency of Canada
PWGSC: Public Works and Government Services Canada
RPMC: Resources Planning Management Committee
RVD: Request for Volume Discount
SADM: Senior Assistant Deputy Minister
SAP: System Applications Products, the Agency central financial system
TB: Treasury Board
