Audit of Information Technology Operations
The Canadian Food Inspection Agency's (CFIA) internal audit function provides the President, senior officials and agency managers with an independent capability to perform audits of the resources, systems, processes, structures and operational tasks of the CFIA. It helps the CFIA accomplish its objectives by bringing a systematic, disciplined approach to assessing and improving the effectiveness of risk management, control and governance processes.
The internal audit function is accountable to the CFIA's Audit Committee, of which the President is a member. All internal audit findings and recommendations must be reported to the Audit Committee, and all audits must be carried out in accordance with federal policy and legislative requirements, including the 2009 Policy on Internal Audit and the 2006 Federal Accountability Act.CFIA internal audit projects are selected based on highest significance during an annual agency planning process, which are then reflected in the Agency's Audit Plan for review by Audit Committee and approval of the President.
In 2010-2011, the Canadian Food Inspection Agency (CFIA) conducted an internal audit of its information technology (IT) operations to provide assurance that IT operational controls are in place to support the CFIA's Chief Information Officer, who is responsible for ensuring the integrity, availability and confidentiality of the Agency's information systems.
The CFIA continually improves its programs and protocols. Management's commitment to addressing recommendations made by internal audits is a critical part of that continual improvement.
Effective April 1, 2011, CFIA created a new Information Management and Information Technology (IMIT) Branch, which is responsible for
- information management and information technology leadership;
- development of IMIT strategic planning and operational work plans; and
- the provision of all IMIT services to Agency employees.
The report notes that the change in organizational structure did not have an impact on the findings of this audit.
In another change since the audit, some key IMIT service components have been transferred to Shared Services Canada (SSC). SSC, created in August 2011 to consolidate existing resources and personnel from 44 departments and agencies across the Government of Canada, is now responsible for addressing IT responsibilities relating to email, data centres and networks and associated internal services. The CFIA is working with SSC to address the audit findings.
Physical Security: The IMIT Branch promptly addressed identified areas of weaknesses relating to access control and the physical security of the data centre.
IT Operation Risk and Security: The IMIT Branch has put into place an approved Certification and Accreditation process and a full suite of supporting documentation.
Roles and Responsibilities: IT Operations roles and responsibilities have been formally defined.
IT Infrastructure: The IMIT Branch has identified critical business priorities and developed formal requirements to support IT information assets.
Defined Backup and Storage Requirements: The IMIT Branch is currently working on a Data Rationalization and Backup Project, with an expected completion of March 2012.
Service Capacity Management: The IMIT Branch has identified automated tools to track the inventory, with an anticipated implementation of March 2012.
Infrastructure Evergreen Project: The CFIA has approved replacements of its aging IT infrastructure, related to backups, scheduled to be completed by March 2012.
Service Level Management: The IMIT Branch is now reviewing statistics and metrics on a monthly basis to ensure vendors comply with service agreements.
Service/Help Desk Management: The IMIT Branch has initiated a project to formalize service standards.
Almost 90% of employees who use the CFIA service desk said that they were satisfied with the service provided (source: Client Satisfaction Survey, February 2011).
- Date modified: