Strategic Plan
For IT Performance Audit
A three-year plan of proposed audits with a framework to guide the audit approach.
Related strategies for audits to be performed in the fields of information technology and electronic
communications in the ministries and agencies of the Québec government.
February 2001
Prepared by:
Yves Denis
Clarence Kimpton
Denys Martin
Guy Perron
CONTENTS
Foreword
Introduction
II. IT Environment Definition .......... 3
A. .......... 3
Resources Invested .......... 10
D. Audit Universe .......... 11
E. .......... 12
Reference Works .......... 12
H. .......... 13
Audit Report .......... 14
K. .......... 15
Training
M. .......... 16
Conclusion .......... 16
Appendices .......... 19
Foreword
The growing strategic importance of the fields of Electronic Communications and
Information Technology (IT&C) led the Auditor General of Québec (AGQ) to dedicate
specific audit work to them from February 1997. Within the AGQ office, a
directorate, Information Systems Audit Management (DVSI), optimisation section,
was given this task and in April 1998 was provided with a first intervention strategy
identifying the particular problems attached to the fields of IT&C.
Since then, the DVSI has set up and carried out various value-for-money (optimisation of
resources) audit projects specific to the fields of IT&C and has collaborated on the IT
aspects of other audit projects. Work to date has led to the following principal reports:
Overall Funds (information systems aspect): Report 1997-1998, volume 1;
Adaptation to year 2000 of the IT systems of the government of Québec: Report
1997-1998, volume 1;
Observations of the Auditor General (adaptation to year 2000 of the IT
systems aspect): Report 1997-1998, volume 2;
Management of the social services for young people (information systems aspect):
Report 1997-1998, volume 2;
Adaptation to year 2000 of the IT systems of the government of Québec: Report
1998-1999, volume 1;
Acquisition of services (public/private partnerships phase): Report 1999-2000,
divided into volumes;
Information system development and maintenance process at the Ministry for
Revenue: Report 1999-2000, volume 1;
Management of electronic communication and information technology at the
Ministry for Transport: Report 1999-2000, volume 2;
ERP Project ("GIRES"): Report 1999-2000, volumes 1 and 2.
The audit priorities for the next three years were established by selecting, from a
summary list of principal projects drawn from specialised documents, other legislative
auditors, recognised stakeholders and team members, those projects with a high level
of importance and risk.
This strategy is a tool for periodic analysis of the evolution of IT&C, of the related audit
interventions carried out, the approaches used and the results obtained, in order to
ensure the relevance of our work and to improve our practice continuously. It also
seeks to be a tool for identifying the types of audit intervention likely to be most useful,
in consideration of the priorities of the AGQ and the government of Québec's vision for
IT&C.
295386150.doc
23/03/2001 04:07:00 PM
Page 2
Introduction
II. IT Environment Definition
A.
Programs, services and administrative forms (Ministry for Relations with Citizens
and Immigration);
Laws and regulations (Publications du Québec);
Electronic trade (Commission for Health and Occupational Safety);
Register of personal and real rights (Ministry for Justice);
Municipal information highway (Ministry for Municipal Affairs and Greater
Montréal);
Bonjour Québec.com (Québec Tourism);
Computerised program used for file processing and information retrieval
(Public Records);
Iris multimedia catalogue (National Library of Québec);
Multimedia Québec (Ministry for Culture and Communications);
Special products (Ministry for Natural Resources);
Cadastral products and services (Ministry for Natural Resources);
Electronic exchanges and electronic forms (Ministry for Revenue);
Linguistic resources (Office of the French Language);
Certificates of birth, marriage or death by Internet (Director of Civil Status).
Legal And Regulatory Framework
Responsibility for the fields of IT&C in the government administration is
entrusted to ministries and agencies, the Treasury Board and ministries responsible
for particular mandates. Graph 1 presents a global view of these stakeholders.
Graph 1: Electronic Communication and Information Technology with the Government of Québec, environment model.
Stakeholders shown in the graph: Ministry for Relations with Citizens and Immigration; Ministry for Industry and Trade; regulator / co-ordinator / catalyst; Undersecretariat for information highways and IT resources; suppliers of services; DGSIG; DGT; Office of the French Language.
Resources Invested
The government of Québec spent CAN $737 million in the field of information
technology in 1995-1996, the most recent year for which statistics are available; this
represents more than two thirds of the global expenditure of the government.
Figure 1 (distribution of IT expenditure by sector and by ministry):
Budgetary ministries and agencies: 46 %
Extra-budgetary agencies: 22 %
Health network: 18 %
Education network: 14 %
Largest IT spending by ministry (millions of dollars): Social Solidarity 86.6; Revenue 78.2; Natural Resources 30.5; Transport 23.5; Education 20.8.
III. Strategy of intervention
Several audit interventions are possible in IT&C. Developing this audit intervention
strategy required a significant effort to target the sectors where the Auditor General
can best support parliamentary control while promoting sound management
practices. What is required above all is the relevance of our interventions.
This section first describes the approach behind our strategy, its benchmarks and
the limitations of our audits, then specifies the principles underlying the strategy,
such as our audit universe. It also surveys audits carried out here and elsewhere in
the fields of IT&C and the reference works documenting them. Lastly, it provides
details on audit follow-up, the resources and training required, timelines and project
management.
A.
As for the risk criteria, several risk analysis models were examined and that
knowledge was used to develop our own, focused on management processes.
Four types of risk were considered:
Our audit vision of IT&C is based on an analysis of the context and of acquired
experience:
Closer links between the constitution of audit projects and their completion;
Authorisations from senior AG executives earlier in the annual cycle;
Priority to audits with a restricted scope and of short duration.
The fields of IT&C evolve quickly; consequently, the observations formulated are
likely to become obsolete more quickly. These fields also cover a broad range of
activities and the whole of the management functions. It is therefore desirable that
our audits be sufficiently targeted and that their results be made available quickly.
D. Audit Universe
Entities likely to be audited
The Auditor General Act stipulates that the audit of the books and accounts of
the Consolidated Revenue Fund, of a public body and of an agency of the
government includes financial audits, compliance audits and performance audits.
The Act also provides that the Auditor General may audit the registers, files,
documents and accounts of agencies, associations or companies that use any
subsidy granted by a government agency.
In the light of this, the Auditor General of Québec is entitled to audit:
Government agencies
Treasury Board;
Ministries;
National Assembly;
Lieutenant-Governor;
Citizen Ombudsman;
Electoral Commission;
Government enterprises (with the agreement of the Board of Directors)
Networks of services
Health and social services
Education
Demarcation from standard value-for-money (optimisation of resources) audits
Many legislative auditors have carried out audits in the fields of IT&C and highlighted
several problems, notably in project management, security and benefits management.
The most active is certainly the US General Accounting Office (GAO). Appendix 3
gives an outline of these audits and their results.
F. Reference works
The literature also proposes various analysis models likely to be used in the
framework of our audits. The principal ones, described summarily in Appendix 4, are
as follows:
Several of these models have a similar analytical structure. The most impressive are CMM
and CobiT. These models help to evaluate activities in the fields of IT&C, especially in
relation to the levels of performance and quality of IT resources. However, the
model recommended by the Information Systems Audit and Control Association
Audits selected
Sixteen audit subjects were considered in developing this strategy. They were
identified using the knowledge acquired on the use of IT&C in the government of
Québec and on the audits already carried out, the examination of various decisions
of the Treasury Board of Québec, the audits carried out by other legislative auditors,
exchanges with the stakeholders concerned and the analysis models available.
Starting from a descriptive card for each subject (see Appendix 5), the subjects were
first evaluated according to their criticality (the combination of the scope of a subject
and the risks associated with it), using the criteria set out in the section on the
approach used. The results are presented in the following graph. On the grid used, a
project whose risk and scope are both estimated at 10 has the greatest criticality.
Note that all the evaluated projects obtained a score equal to or higher than 5 on
both aspects considered.
Graph: Criticality of audit subjects (Criticité des objets de vérification). Risk (Risque, 0 to 10) is plotted on the vertical axis and scope (Ampleur, 0 to 10) on the horizontal axis; the sixteen subjects are plotted by number, with subjects 6, 7 and 8, subjects 2 and 3, subjects 4 and 5, and subjects 11 and 12 sharing positions. The legend listing the sixteen subject names (1. to 16.) was not recovered.
H.
The new standards for following up the recommendations of value-for-money
audits aim at informing the members of Parliament of the degree to which the
Auditor General's recommendations have been applied.
All audits must be followed up within a maximum of three years and with a high
level of assurance. The follow-up must be planned at the end of the value-for-money
audit, and this planning must be revised, if required, after a parliamentary committee.
Analysis of the audits carried out in recent years by the DVSI and their follow-up
strategies:
Year of publication / Audits / Follow-up strategy
1997-1998 (volumes 1 and 2): (audits not recovered)
1998-1999 (volume 1): (audits not recovered)
1999-2000 (volume 1): Development of the information systems, Ministry for the Revenue of Québec
1999-2000 (volume 2): Management of information technology, Ministry for Transport of Québec
(The follow-up strategy column of the table was not recovered.)
I.
Audit Report
Various activities must be carried out annually to properly assume our responsibilities
for auditing the fields of IT&C in the government of Québec.
Approximately 3 000 hours over seven months are planned for each audit, which
represents an approximate cost of 210 000 dollars. This estimate assumes that
questionnaires will be used whenever possible and draws on previous experience in
the domain. Obviously, the estimate will be revised after the completion of each audit.
Audit time will be distributed as follows:
Audit phase / Workload distribution
Preliminary analysis: 25 %
Preliminary analysis report, including its validation with the audited entities: 5 %
Detailed examination, including the validation of the observations with the audited entities: 45 %
Audit report: 20 %
Parliamentary committee and preparation of the follow-up: 5 %
Audit follow-up
The present strategy will be updated annually; 450 hours are planned each year for this
exercise. The following table presents the implementation timeline with five
resources. Five audits could be carried out between now and December 31, 2003, in
addition to the follow-ups and the annual update of the audit strategy.
L. Training
This strategic plan has a critical impact on the training of audit resources. Knowing the
next audit mandates, it will be much easier to synchronise training work with the
needs of the audits. These specific needs will be recorded within the regular human
resources development process.
M.
The principles underlying this strategy require certain adjustments to the audit
process and to the project management mechanisms. Without compromising the
quality of the audits or derogating from the code of practice, it is recommended to
shorten certain stages of work, such as the project authorisation process.
Carrying out mandates of governmental scale within rather short times requires very
tight project management. In this context, the following changes are proposed:
Develop, at the preliminary analysis stage as well as at the detailed examination
stage, a Project Organisation Manual detailing the required work, the timelines and
deliverables, and the mechanisms for content management, change management
and validation of deliverables (see the standard table of contents in Appendix 6).
This Project Organisation Manual is to be approved by the principal director.
Systematic use of a review group for the content of deliverables, composed of
members of the DVSI or others, to discuss and optimise strategies, work and
observations.
Introduction of a quality assurance mechanism for formal approval of specific
deliverables.
Formalisation of follow-up using monthly project reports (work, timeline,
achievements of the current period and those to come) and, if need be, progress
reports (variations from the planned strategies and anticipated observations,
solutions suggested).
The following table presents the suggested quality assurance, peer review and
validation interventions with the audited entity, which aim at ensuring the quality of
the work and its results. It is suggested that these quality mechanisms form an
integral part of the DVSI's project management framework.
Table: Implementation timeline (Gantt chart by month) with the number of resources assigned per activity and the corresponding hours. The table covers the activities of projects 1, 2, 7, 4, 3 and 5 plus the strategy update, with a number of resources between 0.2 and 5.0 per month, row totals per project, and a grand total of 20 309 hours. The values survived only as unaligned columns, so the monthly breakdown is not reproduced here.
NOTE: The black squares indicate the date of publication in the annual Report. 1: See the list of the projects on page 19.
THE AUDITOR GENERAL OF QUÉBEC
Table: Quality assurance, peer review and validation interventions by deliverable
Deliverable / AGQ peer review / Validation with the audited entity
Analysis phase, regulatory framework: X / X
Strategy of report: (not recovered)
Final report: (not recovered)
Reviewers named in the table: principal director and director of audit; audit project leader; project review group; team member; consultative committee.
IV. Conclusion
Appendix 1
Persons in charge
to assume the presidency and the secretariat of the Coordinating Committee of the governmental information
highway, formed of the administrators concerned;
To constitute a fund, for a two-year period, dedicated to
the setting up of common services related to the
deployment of the information highway in the public sector
and to encouraging organisational partnerships in the
service of public services.
Appendix 2
THE PLAN OF ACTION
GOVERNMENTAL INFORMATION HIGHWAY FOR BETTER SERVING CITIZENS AND COMPANIES
Implementation strategy
Plan of action
Field "Human resources"
Analyses of the impact on work, development of competencies, change management, information, involvement
and training.
Field "Processes"
Establishing new shared horizontal applications and re-engineering management systems to integrate
the management of material, financial and human resources (the "GIRES" (ERP) project), developing an electronic
catalogue of internal public purchases of goods and services (CAPE), electronic forms, and electronic transaction and
payment systems.
Field "Administrative framework"
Management frameworks for IT resources, human resources, security and architectures; legal framework and
strategic planning; technology-watch tools and services allowing analysis of the most significant innovations
developed worldwide with regard to the deployment of information technology in public administration; and
documentary engineering.
Field "Information"
Access to government information and services through the Web site, the governmental Intranet, data banks and
catalogues such as the governmental directory, the diffusion of information and the development of Web sites. This
involves updating, on the one hand, the concept of the State network by developing single windows for services
aimed at targeted customers by branch of industry and, on the other hand, the concept of "government on line" using
on-line forms and direct on-line transactions.
Field "Common infrastructures and services"
These are the networks carrying data, images, sound and voice, such as the RICIB (integrated network of IT and office
automation communications), the socio-health network (the RTSS of the health and social services network), the
public key infrastructure, multiservice counters, message handling facility, CRIMP (search engine, electronic
trade services, etc.), Intranets and extranets, Internet connections and electronic mail, access points,
local infrastructures and the development of information highways, and videoconferencing systems.
Appendix 3
DESCRIPTION
malicious acts carried against Web sites.
critical infrastructures.
All these audit reports indicate that the majority of legislative auditors carried out sectoral
rather than government-wide audits, owing to their traditional approach to auditing.
There is a slight move towards audits focusing on strategic management in the
field of IT&C rather than on operational management or on activities associated
with a single information system within an entity. We also noted some highly
sophisticated audit models guiding the audit work carried out by the GAO.
Appendix 4
COMPARISON (IT&C)
This document presents and comments on nine (9) analysis models which can be
used with regard to the activities undertaken in the fields of electronic communication
and information technology (IT&C).
It is timely to stress that all the models presented here comply with the spirit of
subparagraph 32 of section 4220 of the audit handbook of the Auditor General of
Québec, which stipulates that "the standards enumerate three types of criteria which
are regarded as generally recognised and which, if they are relevant to the mandate,
must be given preference: 1) criteria established in laws and regulations; 2) criteria of
the CICA; 3) criteria established by other recognised expert bodies that follow an
approval procedure involving consultations and public discussion".
ISACA - CobiT Management Guidelines
ISACA offers a framework based on best practices for the audit and control of information
systems. It aims in particular at helping executives to understand and manage the
risks relating to IT and the links between management processes, technical
questions, control needs and risks.
The reference framework is known under the acronym CobiT (Control Objectives for
Information and related Technology). It is structured around four main fields of
management comprising 34 management processes associated with information
technology:
(The process names of the first three fields of management were not recovered; only the fourth field survives.)
Monitoring
To monitor the processes
To evaluate the adequacy of internal control
To obtain independent assurance
To provide for an independent audit
Each management process has goals and objectives, the critical success factors
related to its adequate implementation, the IT resources and characteristics concerned,
indicators making it possible to measure performance, and a narrative description of
the five potential maturity levels (derived from the Capability Maturity Model (CMM)
for software).
CICA IT Management Controls
This model is based on the concept of roles and establishes the security and control
responsibilities that follow from them. The roles are broken down along seven
axes: 1) general management, 2) the head of the information service, 3) the owners,
4) the agents and 5) the users of the information systems, and, for suppliers of
services, 6) development and 7) IT operations and systems support. These roles are
further broken down according to the activities that result from them. The table below
summarises the links between the roles and the activities retained by the model.
Roles and activities
Directorate-General: approval of strategies, policies and standards; distribution of
responsibilities; development and approval of business plans.
Head of the information service: development of strategies, policies and standards;
provision of technical support services; management of centralised services.
Owners: definition of written requirements; responsibility for control and security;
confirmation of controls; risk evaluation; classification; delegation; agreements.
Agents: compliance with policies and standards; logical and physical access
authorisation and control of changes.
Users: compliance with the requirements of the owners; responsibility for IT resources.
Suppliers of services, development: development and acquisition of application
systems; compliance with policies and standards; change management; documentation.
Suppliers of services, IT operations and systems support: service level agreements;
planning; operations; problem management; safeguards; disaster recovery plans;
change management; systems support; physical access.
The model also distinguishes between the concepts of authority, responsibility
and accountability.
On these bases, the model then specifies the responsibilities for risk management
and control before reporting on control, broken down into objectives, standards and
techniques:
IT planning
acquisition, development and maintenance of IT systems
IT operations and systems support
IT security
continuity and IT service resumption plans
application controls
Selection of projects: determining the projects which best support the needs
related to the organisation's mission, taking into account the risks and the return on
investment.
Control of projects: assurance that projects continue to meet the needs and the
required levels.
Evaluation of projects: comparison of the results anticipated and those achieved.
To satisfy the preceding goals, the model is broken down into five levels of maturity and
fifteen critical processes. For each critical process, the model presents the goal of the
process, the required prerequisites, the essential commitments of top management,
the activities that must be carried out to satisfy the critical process, and the objective
elements demonstrating that the critical process is formalised appropriately in the
evaluated entity. It also describes the key practices (tasks) that are essential to
satisfying the critical process in question.
The table below shows the five levels of maturity and the fifteen critical processes
associated with them.
Level of maturity / Critical processes
Stage 1, Creating Investment Awareness: IT expenditure without a structured investment process
Stage 2, Building the Investment Foundation: (processes not recovered)
Stage 3, Developing a Complete Investment Portfolio: (processes not recovered)
Stage 4, Improving the Investment Process: (processes not recovered)
Stage 5, Leveraging IT for Strategic Outcomes: (processes not recovered)
Lastly, the document published by the GAO is accompanied by an appendix describing
the evaluation process that audit teams should adopt when they undertake work based
on the recommended model.
CICA and AICPA SysTrust (2)
The American Institute of Certified Public Accountants (AICPA) and the Canadian
Institute of Chartered Accountants (CICA) offer a professional certification service on the
reliability of information systems called "SysTrust".
In the framework of this service, the auditor evaluates and reports on the extent to which
an information system is reliable against four essential principles of systems
reliability: 1) availability of the system according to the agreements made; 2) security;
3) integrity; 4) scalability.
This model seeks to determine whether an information system is reliable, i.e. whether
it is able to function without significant error, breakdown or failure during a given period.
(2) AICPA/CICA SysTrust Principles and Criteria for Systems Reliability (version 1.0),
July 15, 1999
Criteria established for each of the four principles evoked previously:
This model results from the work of the Software Engineering Institute of Carnegie
Mellon University in Pittsburgh. It is known as the Capability Maturity Model
(CMM). (3)
This model makes it possible to evaluate the capability of an organisation to develop
and maintain information systems. It comprises eighteen key sectors grouped around
five levels of maturity. The table below presents the correspondence between the
levels of maturity and the key sectors.
Level of maturity / Key sectors
1 Initial: none
2 Can be replicated: requirements management; software project planning; software
project tracking and oversight; software subcontract management; software quality
assurance; software configuration management
3 Defined: organisational focus on processes (the remaining key sectors of levels 3 to
5 were not recovered)
4 Controlled
5 Optimised
Thus an entity holds a given level of maturity only if all the key sectors of that level
and of the preceding levels are satisfied. A key sector is said to be satisfied if the
very large majority (more than 80 %) of the key practices of that sector are adequately
controlled by the entity.
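The satisfaction rule above is mechanical enough to be coded, which also makes its edge case visible: a sector at exactly 80 % is not satisfied, and one unsatisfied sector at level 2 keeps the whole entity at level 1 whatever it achieves at higher levels. The following Python is an added example, not part of the original plan and not an SEI tool; the sector names follow the table above, while the practice names (p1, p2, ...) and the True/False assessment results are constructed for illustration.

```python
"""Added example: applying the CMM key-sector satisfaction rule.

Rule as the document states it: an entity holds a maturity level only if every
key sector of that level and of all lower levels is satisfied, and a key sector
is satisfied when MORE than 80 % of its key practices are adequately controlled.
Sector names follow the document's table; practice names and the True/False
assessment results are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "very large majority (more than 80 %)": the comparison is strict.
SATISFACTION_THRESHOLD = 0.80


@dataclass
class KeySector:
    name: str
    level: int                      # maturity level the sector belongs to (2..5)
    practices: Dict[str, bool]      # key practice -> adequately controlled?

    def controlled_ratio(self) -> float:
        if not self.practices:
            return 0.0              # nothing assessed counts as nothing controlled
        return sum(self.practices.values()) / len(self.practices)

    def is_satisfied(self) -> bool:
        return self.controlled_ratio() > SATISFACTION_THRESHOLD


def maturity_level(sectors: List[KeySector], max_level: int = 5) -> int:
    """Highest level L such that every sector at levels 2..L is satisfied.

    Level 1 (Initial) has no key sectors, so every entity holds at least level 1.
    A level with no assessed sectors cannot be claimed, so the walk stops there.
    """
    level = 1
    for lvl in range(2, max_level + 1):
        at_level = [s for s in sectors if s.level == lvl]
        if not at_level or not all(s.is_satisfied() for s in at_level):
            break
        level = lvl
    return level


def blocking_sectors(sectors: List[KeySector]) -> List[Tuple[str, float]]:
    """Unsatisfied sectors at the next level, with their controlled ratio.

    These are the gaps an audit report would list as preventing the next level.
    """
    nxt = maturity_level(sectors) + 1
    return [(s.name, round(s.controlled_ratio(), 2))
            for s in sectors if s.level == nxt and not s.is_satisfied()]


def _practices(controlled: int, total: int) -> Dict[str, bool]:
    # Constructed practice names p1..pN; the first `controlled` are adequate.
    return {f"p{i}": i <= controlled for i in range(1, total + 1)}


def sample_assessment() -> List[KeySector]:
    """Constructed assessment: all level 2 sectors pass, level 3 does not."""
    return [
        KeySector("Requirements management", 2, _practices(5, 5)),
        KeySector("Software project planning", 2, _practices(9, 10)),
        KeySector("Software project tracking and oversight", 2, _practices(6, 7)),
        KeySector("Software subcontract management", 2, _practices(4, 4)),
        KeySector("Software quality assurance", 2, _practices(5, 6)),
        KeySector("Software configuration management", 2, _practices(7, 8)),
        # 3 of 5 controlled = 60 %, so level 3 is not reached
        KeySector("Organisational focus on processes", 3, _practices(3, 5)),
    ]


def borderline_assessment() -> List[KeySector]:
    """Constructed edge case: one level 2 sector at exactly 80 %, which the
    strict rule rejects, so the entity stays at level 1 despite the rest."""
    sectors = sample_assessment()
    sectors[1] = KeySector("Software project planning", 2, _practices(8, 10))
    return sectors


if __name__ == "__main__":
    for label, assessment in (("sample", sample_assessment()),
                              ("borderline", borderline_assessment())):
        print(label, "level:", maturity_level(assessment),
              "blocking:", blocking_sectors(assessment))
```

Running the block prints level 2 for the sample assessment, blocked by the level 3 sector at 0.6, and level 1 for the borderline assessment, blocked by the planning sector at 0.8; the same rule applies unchanged to the SSE-CMM security maturity grid described later in this appendix, since it too is defined per level with a satisfied-or-not test.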
(3) Software Engineering Institute, Capability Maturity Model for Software, Version 1.1,
CMU/SEI-93-TR-24, ESC-TR-93-177, February 1993
Board)
Managing
Systems
In Practical
each of these phases. Generally accepted project management practices can thus be
considered along two axes: by the processes to be satisfied (e.g. project cost
management) or by project phase (e.g. planning).
The list below presents the nine areas of expertise to be satisfied, together with their
aims:
The model first breaks down security in the fields of IT&C along three axes:
1) risk assessment: identification and scope of the threats; 2) implementation of
measures: design and implementation of the required solutions; 3) assurance:
corroboration that the security needs are met.
As with the CMM, the model proposes to determine a maturity level (from 1 to 5) for
the security of the evaluated organisation. It examines the status of the twenty-two
security and management practice areas and compares them against a maturity grid
defined in terms of results. Level 1 implies that all security-related activities are
carried out at least in a basic way, whereas the higher levels require that the
activities be planned and tracked (level 2), well defined (level 3), quantitatively
controlled (level 4) and continuously improved (level 5). (6)
(6) Carnegie Mellon University, Systems Security Engineering Capability Maturity Model:
Model Description Document, Version 2.0, April 1, 1999
GAO Information Security Management: Learning From Leading Agencies
This model results from work undertaken by the GAO in eight private organisations
recognised as leaders in IT security. It identifies the critical issues that must be
addressed to ensure adequate management of IT security.
United States General Accounting Office, Information Security: Serious Weaknesses Place
Critical Federal Operations and Assets at Risk, GAO/AIMD-98-92, September 1998
Appendix 5
delivery (ESD)
Summary description
The government of Qubec use the fields of IT& C to increase its performance and to improve to a
significant degree services to the citizens and the companies. With this intention, it counts, like
other public administration, to carry out significant investments in structuring projects aiming at
the setting in place of new fashions of organisation of work in a context of electronic service
delivery (ESD).
In a very simplified way, the ESD of the government to the citizens and the companies implies
four large functional components: 1) services gateway; 2) batch services or specific; 3)
integration with the information systems of the ministries and agencies (M/O); 4) the specific and
shared infrastructure.
However, the design and the standardisation of several of the strategic elements composing this
ESD remain to carry out whereas significant work are already made by the M/O in the framework
of the modernisation of the public administration. Moreover, the interdepartmental committees of
required work were not set up yet. In this context, significant challenges of management can be
identified, related to the diversity of the existing resources which must be connected in the
context of an integrated solution. Moreover, of new common or divided components must be
made available, operated and managed from the point of view of the overall needs.
The following challenges are currently listed: 1) the overall management of the ESD to citizens and companies; 2) change management; 3) the management of the security and confidentiality of information; 4) the standardisation of information and of exchange mechanisms; 5) the management of the development of the information systems associated with the ESD; 6) the management and operation of the common infrastructures.
8/10
This subject involves significant investments (difficult to quantify, but several hundred million dollars) in many governmental entities. Many initiatives are already under way. The ESD must make it possible to radically modernise the way in which the public administration relates to citizens and companies, and to offer electronic services.
9/10
This subject involves very significant risks, given the scope of the work required in the long term and the gaps corroborated by another AGQ audit team. Four risks can be raised: 1) misalignment of the ESD offered by the entities with the governmental and ministerial strategic needs; 2) uncoordinated work; 3) overall management (planning, organisation, co-ordination, evaluation) that is incoherent in the absence of a management framework, an overall architecture and well-defined implementation scenarios; 4) management of the changes (organisation of work, organisational structures, culture of the agencies) carried out "all alone" rather than "in a network".
Question of importance:
Strategy of audit:
Time budget totalling 2,600 hours over a 6-month period, by a team made up of four people. The time budget includes the indirect work associated with quality assurance, peer review, drafting of the audit report and a possible parliamentary committee on the subject. The majority of the work will take place between February 2001 and June 2001, it being understood that the final report would be published in volume II of the Report to the National Assembly for the year 2000-2001.
At the level of the central entities, our work will take us to the Treasury Board of Québec and the Ministry for Relations with Citizens and Immigration. At the level of the sectoral entities, our work will involve sending a questionnaire to some fifteen entities (ministries and the most significant agencies of the government of Québec) and on-site work at five of them. It is expected that the preliminary analysis report of this audit project will be submitted to the principal director concerned in April 2001.
Timely period of implementation: YES [X]   NO [ ]
Justification:
- the activities considered are upstream of many implementation activities to come, and they condition at least in part their success
- some stakeholders plead that the central management of the ESD is at present deficient
- the issue of the modernisation of the public service is a contemporary subject of interest for members of Parliament

Criteria of evaluation (COPLAN evaluation):
- Importance of the deficiencies: / 25 PTAs
- Innovative aspects: / 20 PTAs
- Importance: / 20 PTAs
- Public exposure: / 15 PTAs
- Efficiency of the project: / 20 PTAs
- TOTAL: / 100 PTAs

Justification:
- The central and ministerial management of the ESD has never been the subject of a performance audit.
- The changes brought by the ESD are of great visibility for citizens and companies.
- Hundreds of millions of dollars will be allocated to the ESD during the next years.
- The level of the debate is very high and covers the two facets of overall management (central and sectoral aspects).
- For total work of some 2,600 hours, the performance audit would make it possible for the National Assembly to have independent information on the overall management of this aspect related to the modernisation of the public administration and better services to citizens and companies.
Appendix 6
2. ORGANISATION
3. PROJECT DEFINITION
Summary of the project: - Definition
- Objectives
- Question of importance
- Principal observations
Detailed examination:
- Audit Project audit objectives and evaluation criteria
- Expected deficiencies and significant issues
4. WORK PLAN
- Preliminary analysis strategy
- Timeline of the preliminary analysis
- Resources required for the preliminary analysis
- Deliverables from the preliminary analysis:
- Outline of the audited field and scope of the project
- Roles and responsibilities
- Regulatory Framework
- Audit Project audit objectives and evaluation criteria
- Expected deficiencies and significant issues
- Strategy of the detailed analysis
- Timeline of the detailed analysis
- Resources required for the detailed analysis
- Report Strategy
For the detailed examination:
- Strategy of the detailed analysis (identification of the deliverables)
- Timeline of the detailed analysis, by deliverable
- Resources required for the detailed analysis
- Report strategy
- Audit Programs
- Detailed plans are in appendix
- Deliverables at the end of the detailed analysis
- Report (final)
5. RULES OF MANAGEMENT
- General Principles
- Follow up mechanisms
- Timelines
- Monthly project report to the director of audit
- Contents Management
- Quality assurance (QA), peer review (PR) and validation of deliverables
For the detailed examination, to add:
- Follow up on deficiencies observed / observations, at review progress meetings