Skip to main content
;

PACP Committee Report

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

PDF

“REPORT 4 — INFORMATION TECHNOLOGY SHARED SERVICES,” 2015 FALL REPORTS OF THE AUDITOR GENERAL OF CANADA

INTRODUCTION

Shared Services Canada (SSC) delivers email, data centres, and network services to 43 government departments and agencies (partners) in a shared services model.[1] SSC is also responsible for purchasing information technology (IT) equipment, such as keyboards, desktop hardware and software, and monitors, for the entire federal government.[2]

According to the Office of the Auditor General of Canada (OAG):

Before SSC was created, each department managed its own IT infrastructure and services based on its unique requirements to provide programs and services to the public. As a result, levels of IT services varied greatly across government. Each department also funded its IT investments from its own budget.[3]

Michael Ferguson, Auditor General of Canada, OAG, reminded the House of Commons Standing Committee on Public Accounts (the Committee) about the key findings and recommendations of Chapter 1 – Aging Information Technology Systems, of the 2010 Spring Report of the Auditor General of Canada:

Our 2010 audit report on Aging Information Technology Systems indicated that the federal government infrastructure was aging and at risk of breaking down. In turn, this could affect the government's ability to deliver some essential services to Canadians. The report recommended that a plan be developed for the government as a whole to mitigate risks associated with aging IT systems on a sustainable basis.[4]

In August 2011, the federal government announced the creation of SSC, which became a department in 2012 through the adoption of the Shared Services Canada Act.[5] According to Ron Parker, President, SSC:

Shared Services was created to standardize, consolidate, and re-engineer the federal IT infrastructure into a single, shared IT enterprise. The department aims to deliver one email system; consolidated data centres; a reliable and secure telecommunications network; and 24/7/365 protection against cyber-threats across the 43 departments, 50 siloed networks, 400-some data centres, and 23,000 servers.[6]

In 2013, SSC developed a seven-year transformation plan to consolidate, standardize, and modernize the federal government’s email, data centres, and network services to improve service, enhance security, and generate savings by 2020.[7]

In the Fall 2015 Reports of the Auditor General of Canada, the OAG released a performance audit that examined whether SSC had made progress in implementing key elements of its transformation plan and maintained the operations of existing services. It also studied how the Treasury Board of Canada Secretariat (TBS) assisted and provided governance and leadership on the strategic vision for SSC and how this fits into the federal government IT landscape.[8]

The Committee held a hearing on this audit on 10 March 2016.[9] From the OAG, the Committee met with Michael Ferguson, Auditor General of Canada, and Martin Dompierre, Principal. SSC was represented by Ron Parker, President; John A Glowacki Jr., Chief Operating Officer; and Manon Fillion, Director General and Deputy Chief Financial Officer, Corporate Services. Finally, John Messina, Chief Information Officer, and Jennifer Dawson, Deputy Chief Information Officer, appeared on behalf of TBS.[10]

SETTING SERVICE EXPECTATIONS

The OAG examined whether SSC had in place key elements needed to maintain service levels for partners, including a service strategy, service level agreements, a service catalogue, baselines, and targets. The OAG found that SSC had elements of a service strategy and had published a service catalogue, but the catalogue contained few details for many of the services. Additionally, SSC had rarely put in place detailed service agreements with partners.[11] According to Mr. Ferguson, this finding is important because without such agreements, SCC cannot demonstrate whether it is maintaining or improving its IT services, and whether these services are adequately supporting its partners’ capacity to deliver services to Canadians.[12] The OAG made the following three recommendations:

  • SSC should develop an overall service strategy that articulates how it will meet the needs of its partners’ legacy infrastructure and transformed services;[13]
  • SSC should continue to develop a comprehensive service catalogue that includes a complete list of services provided to partners, levels of services offered, and service targets;[14] and
  • SSC should work with its partners to establish agreements that clearly and concretely articulate service expectations, including roles and responsibilities, services targets, and associated reporting commitments.[15]

With regard to the OAG’s first recommendation, SSC responded that by 31 December 2016, it “will approve and communicate a comprehensive service strategy that sets out how it will deliver enterprise IT Infrastructure services to meet the needs of Government of Canada partners and clients.”[16] Mr. Parker told the Committee that SSC’s service management strategy for its priority services was already completed and shared with its partners.[17] In its action plan, SSC added that “in upcoming annual reviews, the scope of the service management strategy will be expanded to non-priority services.”[18]

The Committee recommends:

RECOMMENDATION 1

That, by 1 December 2016, Shared Services Canada (SSC) provide the House of Commons Standing Committee on Public Accounts with SSC’s service management strategy.

With regard to the OAG’s second recommendation, SCC responded that it “will establish a service catalogue project to support the evolution of the catalogue’s structure, content, and automation.”[19] According to SSC, the catalogue updates will begin in March 2016, and will continue on an ongoing basis as services evolve.[20] Asked to explain how pricing will be determined in SSC’s updated catalogue, Mr. Parker responded that the “pricing methodology is going to be based fundamentally off of the core level of service provided at the time that [SSC] was stood up with the base appropriation that [SSC] received.”[21] Beyond that SSC pricing will be based on new incremental-type services, growth and demand.[22]

With regard to the OAG’s third recommendation, SSC responded that it will update existing business arrangements with partners, and provide them with service level expectations by the end of December 2016.[23] Mr. Parker informed the Committee that SSC established service level expectations for five priority areas: email, mobile devices, video conferencing, application hosting, and the federal government’s wide area network services. Mr. Parker also noted that service level expectations cover such areas as service hours, service availability, and the time to restore services.[24] According to its action plan, SSC will establish service level expectations for the remaining services by December 2016.[25]

Questioned about the absence of detailed service agreements between SSC and its partners, Mr. Parker responded that SSC inherited various types and qualities of IT services and infrastructure, and that in most cases, there were no existing service level agreements.[26] John Glowacki Jr., Chief Operating Officer, SSC, explained that it was difficult to find a baseline for service levels for most of SSC’s partners because of the absence of “sufficient systems in place doing the operational metrics.”[27]

The Committee recommends:

RECOMMENDATION 2

That, by 1 December 2016, Shared Services Canada (SSC) provide the House of Commons Standing Committee on Public Accounts with a report summarizing the service level expectations established by SSC for all its services.

MEASURING AND REPORTING ON SERVICE PERFORMANCE AND PARTNER SATISFACTION

The OAG examined whether or not SSC reported on its performance and measured partner satisfaction.[28] The OAG found that SSC did not have service baselines, developed few targets to measure its performance, and provided few reports to partners on service performance.[29]

The OAG also examined SSC’s practices of measuring and reporting on service performance to Parliament.[30] The OAG found that in SSC’s 2014–2015 Report on Plans and Priorities, the department stated that it planned to set baselines for most of its nine service performance indicators instead of setting targets.[31] Furthermore, in SSC’s 2015–2016 Report on Plans and Priorities, instead of including targets, many of the targets stated that baselines needed to be established.[32] Questioned about how Parliament could measure the performance of SSC against its stated objectives, Mr. Parker responded that SSC had established baselines for each of its objectives, and that SSC was in the process of establishing performance indicators by which it will be possible to measure SSC’s performance.[33]

In SSC’s 2014–2015 Report on Plans and Priorities, three program areas included partner satisfaction as a performance indicator to be measured by a survey.[34] The OAG found that SSC could not demonstrate if it met partners’ expected outcomes because it did not formally set performance targets or measure partners on their level of satisfaction.[35] The partners that the OAG consulted confirmed that they had not formally been surveyed about their level of satisfaction, and some of them disputed SSC’s assessment of their satisfaction.[36]

The OAG recommended that SSC measure and report to Parliament and partners on key areas of IT system health performance—such as security, availability, reliability, and capacity—as well as partner satisfaction.[37] SSC responded that “[r]esults for key areas of IT system health and partner satisfaction will be reported to partners starting in April 2016 and action plans will be implemented if service levels fall below targets.”[38] “SSC will also provide more comprehensive reporting on IT system health in its reports to Parliament starting with the 2017–2018 Departmental Performance Report.”[39] In its action plan, SSC wrote that it “launched its customer satisfaction questionnaire in November 2015 and distributed the results to partners on [1 February 2016].” These results will be used by SSC “as a benchmark for customer [satisfaction] levels.”[40] SSC also wrote that it “will launch expanded reporting to partners by April 2016, including on customer satisfaction levels and IT system health.”[41]

IT STRATEGIC AND INTEGRATED PLANNING

The OAG examined how TBS assisted and provided governance and leadership on the strategic vision for SSC and how this fits into the federal government IT landscape.[42] The OAG found that TBS did not have an IT strategy that provides a government-wide approach to IT investments and service delivery with the objective of decreasing costs and improving services.[43] TBS had completed a draft IT Strategic Plan dated June 2013, but it had not yet been finalized, formally communicated, or implemented.[44]

Questioned about the draft IT Strategic Plan, John Messina, Chief Information Officer, TBS, acknowledged that “there was no official version of a strategic plan in place” when SSC was established, but he responded that “the priorities for [SSC] were laid out at the outset to bring 63 email systems down to one, to bring 50 networks down to one consolidated network, and to rationalize the data centres across Canada.”[45] According to him, SSC’s “mission has been clear” despite the lack of an official strategic plan.[46]

The OAG recommended that TBS put into effect a completed IT Strategic Plan for the federal government.[47] TBS responded that it will complete its IT Strategic Plan by 31 March 2016, and will work with departments and agencies to help them implement the plan once it is approved.[48] In its action plan, TBS wrote that its Chief Information Branch completed its review of the 2013 IT Strategic Plan in September 2015, completed its consultation with the Chief Information Officer community and internal IT policy teams in January 2016, and received SSC’s input and comments on the updated IT Strategic Plan in February 2016.[49]

Mr. Messina informed the Committee that, in order to update the IT Strategic Plan of the federal government, TBS had fully reviewed business and technology trends, industry best practices, the experience of other jurisdictions, as well as recent developments within the federal government. Mr. Messina also mentioned that TBS will complete this plan by 31 March 2016 as scheduled.[50] According to Mr. Messina, this plan will give SSC and other departments and agencies the guidelines and priorities for improving the management, the security, and the provision of IT services. It will also help the federal government’s IT community to develop and coordinate its own plans and activities.[51] TBS will also ensure the approval of the plan by June 2016,[52] and help the departments and agencies implement it by providing communications, guidance, and oversight.[53] Questioned about how TBS’s IT Strategic Plan will help SSC prioritize the demands of its partners, Mr. Messina responded that “it will establish and list what the priorities are.”[54] TBS’s governance committees will also ensure that priorities are being met and worked on by SSC.[55] For his part, Mr. Ferguson told the Committee that it should “specifically look for” TBS’s IT Strategic Plan once it is approved.[56]

The Committee recommends:

RECOMMENDATION 3

That, by 30 June 2016, the Treasury Board Secretariat of Canada provide the House of Commons Standing Committee on Public Accounts with the approved IT Strategic Plan for the federal government, and explain the actions that it will take to help the departments and agencies implement this plan.

ESTABLISHING EXPECTATIONS AND INFORMING PARTNERS ABOUT SECURITY RISKS

The OAG examined whether SSC supported the delivery of secure services to its partners by establishing security expectations with them on security processes and controls, and by reporting on the security of the IT infrastructure and services to them. The OAG also examined whether SSC followed IT industry standard practices as well as whether it had addressed the four core elements of security in its service provision to partners: data security, infrastructure and application security, incident management, and identity and access management.[57]

The OAG found that some of the 50 SSC agreements with partners that were examined specified security roles and responsibilities, but none of the agreements contained commitments to fulfil and report on security expectations.[58] According to Mr. Ferguson:

This is important because Shared Services Canada plays an important role in implementing Government of Canada security policies, directives, standards, and guidelines to ensure the security of government IT shared services. As the government's IT infrastructure service provider, it's important that the department collaborate with partners to manage security threats, risks, and incidents to help protect the government's critical IT-related assets, information, and services.[59]  

Mr. Parker cautioned:

That the Auditor General did not test the effectiveness of [the] security controls. Rather, […] he focused on the communications with partners and whether security's roles and responsibilities were adequately documented.[60]  

Mr. Parker acknowledged that SSC needed to improve how it shares security information with its partners, but he stressed that SSC’s IT infrastructure services were secure:

We have made important progress in securing the IT infrastructure, the perimeter of the IT infrastructure. As I mentioned in my speaking notes, a 24-7-365 security operation centre has been established, providing an overall perspective on the threats to the Government of Canada's IT infrastructure. We monitor the potential threats to the infrastructure services incredibly closely, along with our security agency partners. While there's never any guarantee—there's no immunity against cyber threats—we are very vigilant and have made investments over the last number of years to increase the security of our IT infrastructure.[61]

In addition, the OAG found that SSC did not adequately define roles and responsibilities to manage security with partners nor did it sufficiently engage them in managing security expectations.[62] The seven partners that were consulted by the OAG stated that they received limited information upon request to allow them to assess security risks to the applications and data they used to deliver programs and services to the public.[63]

In order for partners to comply with the federal government IT security policies, guidelines, and standards, the OAG recommended that SSC establish expectations and provide the necessary information to partners for the IT infrastructure and services that it manages.[64] SSC responded that it will “establish expectations related to security roles and responsibilities following the renewal of the Treasury Board Policy on Government Security; and provide partners with documentation on the security of enterprise services, including security assessment and authorization evidence and partner-specific security incident reports.”[65] In its action plan, SSC wrote that it “uses its interdepartmental Security Risk Management Board to report on security risks and compliance to security standards.”[66] According to SSC, this board meets every two weeks.[67] SSC also wrote that, on 1 February 2016, it launched consultations with partners on a matrix that outlines SSC and partner roles and responsibilities for IT security.[68] Following the renewal of the Treasury Board’s Policy on Government Security, SSC will develop a security expectations document.[69]

RECOMMENDATION 4

That, by 1 December 2016, Shared Services Canada provide the House of Commons Standing Committee on Public Accounts with its complete security expectations document.

ACCURACY OF REPORTED DATA AND PROCESS ON TRANSFORMATION

The OAG examined whether SSC reported on progress against its transformation plan and managed the expected outcomes and benefits of transformation.[70]

The transformation plan of SSC covered investments and planned savings associated with its mandate to rationalize and consolidate email, data centres, and network services for its 43 partners.[71] The OAG found that the data used to report to SSC’s Senior Management Board regarding the progress of the Email Transformation Initiative was acceptable for management decision-making, but that the data used to report on the progress of the Data Centre Consolidation initiative was unreliable or baseless.[72]

The OAG also found that progress on both initiatives was limited.[73] For example, for the Email Transformation Initiative, the OAG found that, as of the end of March 2015, SSC had migrated only 3,000 mailboxes out of about 500,000 that it had planned to migrate by that date.[74] For the Data Centre Consolidation initiative, as of the end of March 2015, SSC had migrated only 100 applications out of about 15,600 to new data centres, and had eliminated over 300 servers out of about 23,400.[75] When he appeared before the Committee, Mr. Parker said that 52,000 mailboxes out of about 500,000 had been transferred.[76]

The OAG recommended that SSC reassess the reporting process for its transformation initiatives to:

  • ensure that methods for measuring process are defined and aligned to key benefits established at the outset of the initiative; and
  • establish review mechanisms to ensure that information reported to the senior management board on the status of transformations initiatives is clear and accurate.[77]

SSC responded that it will “further develop its benefits management framework to align to the key benefits stated when SSC was created and to include methods for measuring progress.” SSC will also “review and confirm its key performance indicators to assure the accuracy of the progress against the Transformation Plan.”[78] With respect to the information reported to the senior management board, SSC will “improve its reporting and review mechanisms to ensure that the information on progress against transformation initiatives is reliable, clear, and meets the needs of its internal oversight bodies.”[79] According to SSC, these commitments will be completed by December 2016.[80] In its action plan, SSC wrote that it had established a Business Analytics Council and Information Governance program to support the development of the benefits management framework.[81] SSC also indicated that ongoing service reviews at its Service and Project Review Board had been launched to report on progress against key performance indicators.[82]

Regarding the Email Transformation Initiative, Mr. Parker explained that the costs of migration differed by department because both the challenges in migrating email systems and the readiness to do so varied across departments and agencies. For these reasons, Mr. Parker predicted that additional costs could be incurred. He also informed the Committee that email migrations were put on hold in November 2015 “while the vendor addressed the system’s stability and capacity issues.”[83] Questioned about when SSC will have transferred all the mailboxes, Mr. Parker responded that SSC will probably be able to provide that date in the fall of 2016 when its Transformation Plan will be updated.[84]

Questioned about the possibility that SSC would never catch up on the delays in its transformation initiatives, Mr. Parker responded as follows:

Again, this is a combination of do you change the scope, do you change the funding, or do you change the time? All of those three elements will come into play, so I hesitate to speculate about which of those elements will change in the updated plan until we have an updated plan.[85]

When questioned about the rationale for not breaking the transformation program into several smaller and more easily manageable programs, Mr. Parker responded that the transformation program is a single program with separate components: emails, data centres, and networks. According to him, it was essential to complete it in a single program because of the many interdependencies between all its components:

The networks are essential to email, and essential to data centres, and modernizing them along the way is crucial to the success, in fact, of the data centre project as well. We have a set of separate projects for email, the data centres, and the network. Their interdependencies are identified, have been identified, and we're working to manage those projects so that they intersect at the right time and the right place to enable one another.[86]

Mr. Ferguson suggested that the Committee “should be seized with and interested in seeing” SSC’s updated Transformation Plan when it is completed in the fall of 2016.[87]

The Committee recommends:

RECOMMENDATION 5

That, by 1 December 2016, Shared Services Canada (SSC) provide the House of Commons Standing Committee on Public Accounts (Committee) with its updated Transformation Plan, including the new timelines for the completion of the three transformation initiatives: email, data centres, and network services. In addition, beginning with the 2016–2017 fiscal year, SSC should, no later than 30 days after the end of each fiscal year, provide the Committee with an annual progress report on each of the transformation initiatives until they are completed.

CALCULATING AND REPORTING THE SAVINGS ASSOCIATED WITH THE IT INFRASTRUCTURE TRANSFORMATION

The OAG examined whether SSC established consistent financial practices to demonstrate that it was generating savings. The OAG also examined whether it considered appropriate costs when calculating and reporting savings and whether it defined its objectives and responsibilities for generating these savings.[88]

The OAG found that SSC had a plan for its transformation investments, a five-year Departmental Investment Plan to oversee its investment portfolio, and an annual Capital Plan for the 2014–2015 fiscal year for allocating funding to some of its project investments. However, the OAG also found that these plans did not have clearly established criteria and rationales for how SSC allocates and prioritizes its available funding for its activities.[89] In addition, since its creation in 2011, SSC had not had a clear process to ensure that it had the available funding to meet all of its investment needs.[90]

In the audit, the OAG noted that in early 2014, SSC recognized a risk that it would not generate the savings it had planned from IT infrastructure transformation.[91]

The OAG recommended that, in supporting its funding strategy for its ongoing operations and investments, SSC should include in its strategy:

  • a formal methodology to prioritize and allocate funding for its investments in legacy and transformation initiatives that includes detailed criteria and rationales; and
  • a clear process to ensure that it has the available resources to address its funding deficiencies.[92]

SSC responded that it will “document the methodology its uses to allocate funding for its investment in legacy and transformation initiatives, including its prioritization methodology, detailed criteria, and rationale.”[93] SSC formed a Chief Information Officer–Director General Pricing Strategy Committee in April 2015 to assist in the development of its pricing strategy.[94] “Mobile devices and email service pricing strategies were approved in June 2015 and are currently being implemented. Pricing strategies for the remaining 20 services will be approved by December 2016. The Service Pricing Strategy will be reviewed annually by SSC senior management as part of the planning cycle.”[95] In its action plan, SSC added that it had developed an enterprise-wide cost management model, and that SSC and the central agencies will discuss financial models for funding transformation initiatives and renewing end-of-life IT assets.[96]

RECOMMENDATION 6

That, by 1 December 2016, Shared Services Canada (SSC) provide the House of Commons Standing Committee on Public Accounts with its approved Service Pricing Strategy, and explain how this strategy will help SSC prioritize and allocate its funding and ensure that it has the available funding to address its deficiencies.

The OAG found that SSC did not have standardized cost management practices in place to allow it to produce consistent, timely, and accurate cost information.[97] “For example, for three SSC transformation initiatives, forecasted cost information was based on inconsistent costing models and the methodology and practices to create these models were not documented appropriately.”[98] The OAG also found that partner costs were not accounted for in determining savings for the federal government as a whole.[99] According to the OAG, “without accounting for the full costs of partner investments and activities, a significant portion of the cost estimates affecting savings are largely unknown.”[100] Mr. Ferguson also stressed that these two findings matter because SSC “spends about $1.9 billion each year to deliver IT services to partners, invest in projects, and fund its operations.”[101]

Asked whether partners’ transition costs will be calculated for future transactions, Mr. Parker responded that SSC will ask its partners for their estimated transition costs for the implementation of new initiatives.[102]

The OAG recommended that SSC periodically refine its methodologies and practices to enable it to accurately determine and report savings.[103] SCC responded that it will refine its methodologies and practices for determining savings to support an update to the Transformational Plan in fall 2016.[104] Mr. Parker told the Committee that SSC will update its Transformational Plan with the participation of its employees, partners as well as central agencies and outside experts.[105]  

The Committee recommends:

RECOMMENDATION 7

That, by 1 December 2016, Shared Services Canada (SSC) provide the House of Commons Standing Committee on Public Accounts with a progress report outlining how SSC refined its methodologies and practices to more accurately determine and report savings to Parliament and the Public. This report should include the baseline used to calculate the savings, and a detailed list of all the costs borne by the federal government that were not taken into account in the calculations.

BUDGET REDUCTION ASSOCIATED WITH THE EMAIL TRANSFORMATION INITIATIVE

In the audit, the OAG noted that $56 million in ongoing savings were reduced from SSC’s budget in the 2015–2016 fiscal year despite the fact that the Email Transformation Initiative was delayed for a year.[106]

Mr. Ferguson told the Committee:

The plan was to produce $56 million dollars’ worth of savings. The fact that the $56 million was taken out of the budget before the transformation was completed was exactly the issue we wanted to put in front of Parliament, because we knew it would have an impact on the organization.[107]

Questioned about these budget reductions, Mr. Parker responded:

Shared Services Canada always understood that there would be a challenge and risks around capturing savings before they actually materialized. It poses a challenge in terms of the email transformation, for example: $50 million was taken from the reference levels of Shared Services Canada at the beginning of this fiscal year, and the $50-million savings has not been realized and will only be realized once the migrations occur.[108]

Mr. Parker also explained that this reduction:

[H]as meant that we've had to re-prioritize, invest less in different projects, and I think the data shows that to the largest extent [it has] contributed to a slower roll out of the transformation initiatives themselves. That's one of the reasons why there are delays. The investment in the transformation plan has not been as large as initially forecasted.[109]

Notwithstanding this explanation, Mr. Parker told the Committee that SSC was taking responsibility for the missing savings, and that it had re-prioritized its commitments as required to stay within the levels of funding approved by Parliament.[110]

The Committee recommends:

RECOMMENDATION 8

That, going forward, Shared Services Canada publish concrete financial benchmarks of cost savings that align with its annual strategic plan, and report on them annually, including a full discussion of any key factors that caused a material deviation from the benchmarks.

ABSENCE OF THE OFFICE HOLDERS WHO WERE PRESENT DURING THE AUDIT

The Committee was very disappointed to learn that none of the witnesses who appeared on behalf of either SSC or TBS were in office at the time of the OAG’s audit.[111] As explained in the Committee’s Protocol for the Appearance of Accounting Officers, it should be noted that:

Under the Financial Administration Act, as amended by the Federal Accountability Act, Deputy Ministers and heads of agencies are identified as accounting officers with the duty to account for conduct of their statutory and delegated management responsibilities before committees of Parliament. Accounting officers are held accountable before the Public Accounts Committee for their duties in financial management.[112]
[…]
A previous office holder does not have the power to rectify a problem. Only the current office holder has responsibility in this sense of possessing the capacity to act. Nevertheless the Committee will expect former holders of an office if requested to give an account of their decisions related to the issue while in office. But since they no longer hold the office the previous incumbent cannot commit to action and hence cannot, in the practice of Canadian parliamentary government, be the "responsible" officials. However there is another sense of responsibility—that of being the person responsible for taking a specific action, making a decision, or failing to act. In this sense the personal responsibility of accounting officers represented by their signing of the accounts does not end when they leave office. Decisions and actions of former office holders can be and often have been the subject of study and comment in Committee reports.[113]

That is, being a former office holder does not allow one to circumvent his or her accountability under the terms of the Financial Administration Act. Should the Committee choose to question a former office holder, as regards a matter within its mandate, it can invite this person to appear as a witness and give testimony.

CONCLUSION

In its audit, the OAG found that SSC “did not establish clear and concrete expectations for how it would deliver services or measure and report on its performance in maintaining original service levels for its 43 partners.”[114] “SSC rarely established expectations or provided sufficient information to partners to help them comply with government IT security policies, guidelines, and standards.”[115] The OAG also found that SSC’s reporting against its Transformation Plan needed to be improved because it provided unclear or inaccurate reports to its senior management board.[116] Furthermore, the OAG found that SSC did not have consistent practices in place to demonstrate that government-wide savings were being achieved or to recognize that there were partner costs involved in all transformation projects.[117]

The Committee notes with concern the Auditor General of Canada’s finding that:

While the ETI project has been delayed for over a year, the proposed $56 million in ongoing savings were reduced from SSC’s budget starting in the 2015–16 fiscal year. This commitment is what SSC considers savings achieved from the initiative even though the project has not yet been fully completed.[118]

In light of the OAG’s findings, the testimony heard and the action plans examined, the Committee is not convinced that SSC will meet its commitment to complete its transformation of government IT shared services by 2020, or generate promised savings if it continues to operate as it has since its creation. This is no time for complacency. Not only do SSC and TBS need to rapidly implement the corrective actions outlined in their respective action plans, but they need to do so according to the Committee’s recommended timeline, which allows for timely reporting back to the Committee in order to fully address the issues identified in the OAG’s audit.

SUMMARY OF RECOMMENDED ACTIONS AND ASSOCIATED DEADLINES

Table 1 – Summary of Recommended Actions and Associated Deadlines

Recommendation

Recommended Action

Deadline

Recommendation 1

Shared Services Canada needs to provide the Committee with its service management strategy.

1 December 2016

Recommendation 2

Shared Services Canada needs to provide the Committee with a report summarizing its service level expectations.

1 December 2016

Recommendation 3

The Treasury Board of Canada Secretariat needs to provide the Committee with its approved IT Strategic Plan for the federal government.

30 June 2016

Recommendation 4

Shared Services Canada needs to provide the Committee with its complete security expectations document.

1 December 2016

Recommendation 5

Shared Services Canada needs to provide the Committee with its updated Transformation Plan, and an annual progress report on each of the transformation initiatives until they are completed.

1 December 2016

Recommendation 6

Shared Services Canada needs to provide the Committee with its approved Service Pricing Strategy.

1 December 2016

Recommendation 7

Shared Services Canada needs to provide the Committee with a progress report outlining how it refined its methodologies and practices to more accurately determine and report savings to Parliament and the Public.

1 December 2016

Recommendation 8

Going forward, Shared Services Canada needs to publish concrete financial benchmarks of cost savings that align with their annual strategic plan, and report on them annually, including a full discussion of any key factors that caused a material deviation from the benchmarks.

Effective after the tabling of the Committee’s report


[1]             Office of the Auditor General of Canada (OAG), “Report 4 – Information Technology Shared Services,” Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 1.

[2]             Ibid.

[3]             Ibid.

[4]             House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0845.

[5]             OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, pp. 1–2.

[6]             House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0855.

[7]             OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 2.

[8]             Ibid.

[9]             House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5.

[10]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd  Parliament, 10 March 2016, Meeting 5.

[11]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 5.

[12]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0855.

[13]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 7.

[14]           Ibid.

[15]           Ibid., p. 8.

[16]           Ibid., p. 7.

[17]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0855.

[18]           Shared Services Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 1.

[19]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 7.

[20]           Ibid., p. 8.

[21]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0915.

[22]           Ibid.

[23]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 8.

[24]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0855.

[25]           Shared Services Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 1.

[26]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0930.

[27]           Ibid.

[28]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 5.

[29]           Ibid., p. 8.

[30]           Ibid., p. 9.

[31]           Ibid., p. 10.

[32]           Ibid.

[33]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0955.

[34]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 10.

[35]           Ibid.

[36]           Ibid.

[37]           Ibid.

[38]           Ibid.

[39]           Ibid.

[40]           Shared Services Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 2.

[41]           Ibid.

[42]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 5.

[43]           Ibid., p. 11.

[44]           Ibid.

[45]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0910.

[46]           Ibid.

[47]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 11.

[48]           Ibid.

[49]           Treasury Board of Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 3.

[50]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0905.

[51]           Ibid.

[52]           Ibid., 0925.

[53]           Ibid., 0905.

[54]           Ibid., 0910.

[55]           Ibid.

[56]           Ibid., 1000.

[57]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 12.

[58]           Ibid., p. 13.

[59]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0850.

[60]           Ibid., 0855.

[61]           Ibid., 0925.

[62]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 13.

[63]           Ibid.

[64]           Ibid., p. 14.

[65]           Ibid., p. 15.

[66]           Shared Services Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 2.

[67]           Ibid.

[68]           Ibid.

[69]           Ibid.

[70]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 15.

[71]           Ibid., p. 16.

[72]           Ibid.

[73]           Ibid.

[74]           Ibid.

[75]           Ibid.

[76]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0920.

[77]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016,p. 17.

[78]           Ibid.

[79]           Ibid.

[80]           Ibid.

[81]           Shared Services Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 2.

[82]           Ibid.

[83]           House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0855.

[84]           Ibid., 0920.

[85]           Ibid., 1000.

[86]           Ibid., 0935.

[87]           Ibid., 1000.

[88]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 19.

[89]           Ibid.

[90]           Ibid.

[91]           Ibid.

[92]           Ibid., p. 19.

[93]           Ibid., p. 20.

[94]           Ibid.

[95]           Ibid.

[96]           Shared Services Canada, Departmental Action Plan provided to the Committee on 9 March 2016, p. 3.

[97]           OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 20.

[98]           Ibid.

[99]           Ibid., p. 21.

[100]         Ibid.

[101]         House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0850.

[102]         Ibid., 0920.

[103]         OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 23.

[104]         Ibid.

[105]         House of Commons Standing Committee on Public Accounts, Evidence, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 0855.

[106]         OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 22.

[107]         House of Commons Standing Committee on Public Accounts, Notice of meeting, 1st Session, 42nd Parliament, 10 March 2016, Meeting 5, 1020.

[108]         Ibid., 1005.

[109]         Ibid., 1020.

[110]         Ibid., 1035.

[111]         Ibid., 1005.

[113]         Ibid., pp. 11-12.

[114]         OAG, “Report 4 – Information Technology Shared Services, Fall 2015 Reports of the Auditor General of Canada, Ottawa, 2016, p. 23.

[115]         Ibid.

[116]         Ibid.

[117]         Ibid.

[118]         Ibid., Exhibit 4.2, p.22.