IT Outsourced Services. Preliminary Survey

Transcription

1 IT Outsourced Services Preliminary Survey April 2013

2 TABLE OF CONTENTS 1.0 INTRODUCTION STATEMENT OF CONFORMANCE KEY SURVEY OBSERVATIONS RECOMMENDATIONS AND MANAGEMENT RESPONSE... 5 OVERALL MANAGEMENT RESPONSE CONCLUSION SURVEY OBSERVATIONS APPENDICES Appendix A: Risk Profile

3 1.0 INTRODUCTION The Canada Border Services Agency (CBSA) has historically obtained a number of its information technology (IT) services from outside government departments (OGD) and third parties. In the fiscal year, the Agency spent roughly $180 million on outsourced IT services, which represents about 60% of the Agency s IT budget. The Canada Revenue Agency (CRA) was the major service provider to the CBSA with an allocation of $165 million in After the customs function of the former Canada Customs and Revenue Agency (CCRA) was transferred to the CBSA, the two agencies continued to share a common network and infrastructure. The Agency s other Government of Canada IT service providers include: Shared Services Canada (SSC); Citizenship and Immigration Canada (CIC); Foreign Affairs and International Trade (DFAIT); Public Works and Government Services Canada (PWGSC); and Third party service providers managed by the CBSA. The audit of IT outsourced services was included in the Risk-Based Audit Plan: to and approved by the CBSA Audit Committee. At the time, CBSA management identified several risks associated with the relationships with existing service providers including the inability to maximize value for money, and service providers having competing priorities and not being positioned to meet future CBSA requirements. The initial audit objectives aimed to assess controls within the processes of managing the provision of IT services and measuring the performance of services. The service provision landscape changed significantly for the CBSA due to a major policy decision within the Government of Canada to centralize infrastructure services with the creation of Shared Services Canada (SSC). Created in August of 2011, SSC was established to consolidate, streamline and improve information technology infrastructure services across the federal government. SSC's mandate is to leverage economies of scale to provide all federal organizations with access to reliable, efficient, and secure IT infrastructure services. SSC inherited a number of IT services previously provided by the CRA with the responsibility for data centres, , data and telephony networks. Consequently, the CRA is no longer the main provider of infrastructure services to the CBSA; however the CRA will continue to provide distributed computing services (e.g. desktop support in regions), application and database support, IT security services and IT program management services to the CBSA, at an annual cost of roughly $56 million. These services are presently under review to assess the future of these services with the CRA. 3

4 Based on a series of executive level discussions, it was determined that the best approach for this audit was to complete the planning phase for the audit and return to the Audit Committee to determine the value of moving forward with an audit at this time. This preliminary survey covers the period from February, 2012 to October, It aims to understand the risks associated with services previously provided by the CRA due to the magnitude of costs and importance to the CBSA s operations. A preliminary survey provides an understanding of risks prior to conducting an audit, and offers the following advantages: Helps clarify the objectives and scope of the audit; Helps focus audit resources to significant risks, thereby providing greater value to management; Provides a better understanding of the activity being reviewed; and Determines what needs to be done, how and when. 2.0 STATEMENT OF CONFORMANCE This preliminary survey conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. The approach and methodology for this preliminary survey followed the International Standards for the Professional Practice of Internal Auditing as defined by the Institute of Internal Auditors and the Internal Auditing Standards for the Government of Canada as required by the Treasury Board Internal Audit Policy. This preliminary survey provides a low level of assurance. 3.0 KEY SURVEY OBSERVATIONS Since the establishment of the Canada Border Services Agency in December 2003, both the CBSA and the CRA have worked towards building a mature process for managing shared information technology services. The relationship has evolved and improved from a simple separation of budget to the creation of joint CBSA/CRA committees and the establishment of clearer service definitions and service level agreements. With the creation of Shared Services Canada, the service management processes among the three organizations require clarification and refinement to address the complexity of operations and processes of service management, demand management and financial management. The service arrangement with CRA requires further development of the Client/Service Provider model to advance its maturity. Service definition and service level agreements require further definition. While the service catalogue included service description, features, availability, price and service owner, there were limitations as the information was noted as either pending or generic. With respect to costing information, progress was made, however, the financial framework and processes were not always clear and accessible in a manner that would allow management to sufficiently understand costs and benefits. Preliminary discussions are underway to explore options on the role of the CRA in providing services to 4

5 the CBSA. This is to include an analysis to assess whether the CRA should continue to provide services to the CBSA or whether services will be transitioned to other service providers or back to the CBSA. The service relationship with Shared Services Canada is at its initial stages, where governance within the CBSA and with SSC needs to be defined. The CBSA and SSC have agreed to an operating protocol that lists operating assumptions during the transition period and have established a business continuity framework to ensure the continuity of operations while SSC is being established. However, there are risks that service arrangements, performance and processes are insufficiently specified to meet the CBSA s business needs over time. 4.0 RECOMMENDATIONS AND MANAGEMENT RESPONSE OVERALL MANAGEMENT RESPONSE The Information, Science and Technology Branch (ISTB) agrees that a full audit at the outset of Shared Services Canada s (SSC) mandate for Government of Canada (GC) data centres, e- mail and networks is not appropriate. The ISTB also agrees that the significant amount of change in the GC IT services environment, brought about by the creation of SSC, has impacts beyond the services provided directly by SSC. The relationship of the CBSA to the Canada Revenue Agency (CRA) is also undergoing transformation. Portions of the CRA IT organization that formerly provided services to the CBSA were transferred to SSC. The services that the CRA continues to provide to the CBSA are currently being analysed to determine whether the service model is optimal or if changes should be implemented to ensure value for money and service quality. The transformation agenda currently being pursued in GC IT services generally creates an environment of elevated risk due to the amount of change being implemented. The ISTB is taking appropriate measures to identify and manage risk, and to ensure the continuity and stability of important outsourced IT services. Recommendation 1: The Vice-President of the Information, Science and Technology Branch should develop an action plan to manage and mitigate the risks associated with IT outsourced services from CRA and SSC, including establishing performance measures for these services. 5

6 MANAGEMENT ACTION PLAN The ISTB has initiatives underway that are consistent with the recommendation of this report. With regard to the services provided by the CRA, the ISTB has: Initiated a review of the six service areas provided to the CBSA by the CRA with a view to determining the best sourcing of services based on service alignment, quality and dollar value. It is expected that some services will be repatriated to the CBSA and some will remain outsourced to the CRA or an alternate service provider. Defined service management processes in place for IT services provided by the CRA including a service level agreement that defines service deliverables and performance expectations. These service management processes will continue to be reviewed and adjusted on an ongoing basis to ensure alignment with altered or new service arrangements. Used the Profile of GC IT Services to categorize its operational areas by function to support the transfer of resources to SSC in 2011, as well as to manage the service relationship with the CRA during service management and repatriation discussions that began in As part of the current analysis of the CRA services repatriation, the CRA services are being aligned to the Profile of GC IT service. The analysis is expected to be completed by March Engaged actively with the CRA to clarify the services provided to the CBSA by the CRA and implement a management framework that links those services to costs and performance metrics. Existing quarterly service reports are being updated to include improved service metrics. With regard to SSC, the ISTB has advanced the following initiatives, some of which are completed and others are under development. As the relationship matures and through lessons learned, we will continue to solidify the operating models and engagement strategy over the course of the following year. The ISTB has: DATE March 2014 December 2014 Defined the CBSA Ecosystem, describing the complexities of the multidepartment, multisystem CBSA IT infrastructure, service and interconnection environment 6

7 required to support secure and efficient border management. Defined priority services and established performance expectations particularly related to the monitoring, response and management of the infrastructure and systems contained in the CBSA Ecosystem, irrespective of the lead department. Engaged SSC in the definition of governance processes in multiple streams: e.g. operational governance, joint funding submission and project governance, governance around strategic planning priority setting. With the High Availability Response Team (HART), implemented a systematic, interdepartmental process to monitor the performance of critical IT systems and infrastructure, and provide senior management visibility into IT incident management for critical departmental activities. 5.0 CONCLUSION Given the transition point with SSC, and the implications to the arrangement with the CRA, it is recommended that the audit be deferred at this time. Internal audit will monitor the implementation of the recommendation(s) and conduct an audit in the fiscal year. Future audits are expected to evaluate some or all of the controls over outsourced services including aspects such as the achievement of business requirements, compliance with the contract, relationship management, functionality and controls of provided services, fulfillment of assurance requirements and governance from the CBSA`s perspective. This should be accomplished to advocate the interests of the CBSA, wherein there is a common understanding of the boundaries of audits including the defined audit rights, and the functionality and controls provided by service providers. 6.0 SURVEY OBSERVATIONS 1. The relationship between the CRA and CBSA has evolved and improved since the establishment of the CBSA in Since the establishment of the Canada Border Services Agency in December 2003, both the CBSA and CRA have worked towards building a mature process for managing shared information technology services. There have been improvements in the governance processes that have evolved from a simple separation of budget to the creation of CRA/CBSA joint 7

8 committees and the establishment of clearer service definitions and service level agreements. With the creation of Shared Services Canada, the service management processes among the three organizations require clarification and refinement to address the complexity of operations and processes of service management, demand management and financial management. The CBSA and CRA have established a framework 1 to strengthen collaboration between entities, provide guidance and establish an escalation process. Both parties have defined a governance framework with multiple touch points including defined meetings and fora. The CRA / CBSA joint committees were also established with terms of reference to manage the provision of IT services. Figure 1: CBSA-CRA Relationship CBSA is created in December 2003, sharing a common infrastructure with CRA. The MOU is established to 2005: Incremental costs are added to the initial transfer amounts to 2009: A governance framework is finalized to 2010: A services catalogue is created, and service level agreements are signed to 2011: Improvements are made to the Governance Framework, MOU and SLAs. Governance needs to be revisited after the transition of core infrastructure services to Shared Services Canada : MOU is revised to include improved service definitions. 1 CRA CBSA Governance Framework for the Provision of IT Services (Aug 2011). 8

9 2. The service arrangement with CRA requires further development of the Client / Service Provider model to advance its maturity. The service arrangement between the CRA and CBSA was based on a shared environment and capacity, and initially not on a shared services model. Over the years, the agencies made efforts to move towards a shared service provider relationship with, for example, the definition of a governance structure and a memorandum of understanding (MOU). Given the nature of the relationship that originated based on a shared IT environment, there was no incentive to further define the relationship, including a comprehensive service catalogue or service level agreements. Information on cost drivers such as the number of databases hosted, or switches were largely available but not employed to determine service costs due to the nature of the relationship. Service definition and service level agreements (SLA) require further definition. The Data and Technology Infrastructure Management (DTIM) Core Services Catalogue2 provides documentation of the IT services that DTIM provided to IT clients at the CBSA. The service catalogue included the service description, service features, availability and service level, price and service owner. There were some limitations, where pricing information was not readily provided within the service catalogue; the information was either noted as pending or generic (e.g. this service is priced on a project-by-project basis). Additionally, service levels were not detailed, wherein mostly generic availability indicators were documented (e.g. 24/7 operations). In addition to the limitations of the service catalogue, the service level agreements had certain limits: There were limited service level objectives metrics defined. Generally, availability is employed as the key metric. Aside from work order-driven services, the prices of services were not indicated based on quantity or usage. 3. Progress made within the CRA and CBSA service arrangement does not provide accessible and clear costing information to CBSA management. Progress was made to enhance cost management practices, particularly for work order-driven services, however the financial framework and processes were not always clear and accessible in a manner that would allow management to sufficiently understand costs and benefits

10 The preliminary survey found that although not fully transparent to CBSA management, a costing model was employed for some services. For example, fees associated with a new network connection for a building were subject to a costing formula denoting that costs were assessed based on factors such as resource costs and usage. For a new network connection, the first year would involve the creation of a work order, which would include the costs for resources (salary), bandwidth and equipment. In the second year maintenance costs would be calculated based on administrative charges per month, an asset replacement fee, and usage (e.g. costs for bandwidth). However, the methodology was not always clear or available to CBSA management. At present, service definitions do not clearly reflect cost drivers such as resource and usage costs. 4. The CBSA relationship with Shared Services Canada is in its initial stages, where governance needs to be defined. There are risks that service arrangements and processes are insufficiently specified to meet the CBSA s business needs over time. The CBSA relationship with Shared Services Canada is in its initial stages, and challenges have arisen during the transition to Shared Services Canada, including the level of control that the CBSA can expect over service levels and costs. Risks associated with effective service delivery have increased due to the absence of a formal governance framework and other elements, such as the lack of a tailored service catalogue and formalized agreements such as an MOU and SLAs. The governance framework previously defined between the CRA and CBSA is not present with Shared Services Canada. In addition, SSC provides generic service descriptions based on the Treasury Board definitions. A service catalogue has not been developed that is specific to the CBSA s service needs. Finally, agreements such as MOUs and SLAs have not been established between the CBSA and SSC, who have agreed to an operating protocol that lists operating assumptions during the transition period. Additionally, a business continuity framework is established to ensure the continuity of operations while SSC is being established. Given the government-wide SSC mandate, the establishment of stronger governance arrangements between SSC and the CBSA is not a priority in the near future. Rather SSC plans to address its service standards and relationship to its full client base, which it refers to as partner departments. This does present associated risks for the CBSA to manage, including: SSC s ability to deliver services in a secure and efficient manner while meeting CBSA business standards and complying with legal and regulatory requirements. The CBSA/SSC governance process that includes processes for defining service requirements, service definitions, agreements, and performance expectations and targets. 10

11 5. Preliminary discussions are underway to explore options on the role of the CRA in providing services. This includes an analysis to assess whether the CRA should continue to provide services to the CBSA or whether services will be transitioned to other service providers or back to the CBSA. Shared Services Canada is now responsible for the network, and data centre services. The CRA provides desktop support in the regions, some IT Security, the desktop image, and support of application deployment and other services. The preliminary survey found that there are discussions underway between the CBSA and CRA to evaluate the remaining services with the CRA to determine: whether services will remain with the CRA; whether services will be repatriated to the CBSA; and whether services will be transferred to other service providers such as SSC. The expected outcomes include better definition of service relationships of the CBSA with both SSC and the CRA, to clarify organizational roles and manage complexity. The organizations plan to detail costs for each service to the degree possible as part of this exercise. There are risks that service arrangements and processes are insufficiently specified to meet the CBSA s business needs over time. The governance framework will require revisions along with the service definitions within the service catalogue and the service level agreements for critical IT services. An SLA is one of the primary metrics used to measure performance. 11

12 7.0 APPENDICES Appendix A: Risk Profile 3 The resulting risk profile includes a determination of exposures based on the work performed during the preliminary survey, wherein control practices for areas of higher risk should be further assessed. The risk profile is an aggregate of risk exposures for the CRA and SSC; given the risks associated with a large-scale change of service providers, it is expected that the risk exposures have increased. Control Description Potential Risk Exposure Managing the Provision of IT Services DS1.1 Service Level Management Framework DS2.1 Identification of All Supplier Relationships DS1.2 Definition of Services DS2.2 Supplier Relationship Management Define a framework that provides a formalized service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). Identify all supplier services, and categorize them according to supplier type, significance and criticality. Maintain formal documentation of technical and organizational relationships covering the roles and responsibilities, goals, expected deliverables, and credentials of representatives of these suppliers. Base definitions of IT services on service characteristics and business requirements. Ensure that they are organized and stored centrally via the implementation of a service catalogue portfolio approach. Formalize the supplier relationship management process for each supplier. The relationship owners should liaise on customer and supplier issues and ensure the quality of the relationship based on trust and transparency (e.g., through SLAs). 3 Based on Cobit 4.1, Information Systems Audit and Control Association (ISACA). 12

13 DS2.3 Supplier Risk Management DS1.3 Service Level Agreements PO5.1 Financial Management Framework PO5.4 Cost Management PO5.5 Benefit Management ME1.1 Monitoring Approach DS1.5 Monitoring and Reporting of Service Level Achievements ME4.3 Value Delivery Legend: Risks have increased Risk exposures remain the same Identify and mitigate risks relating to suppliers ability to continue effective service delivery in a secure and efficient manner on a continual basis. Ensure that contracts conform to universal business standards in accordance with legal and regulatory requirements. Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements. Performance Measurement Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets. Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programs should be assessed. Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT s contribution to the business, either as a component of IT-enabled investment programs or as part of regular operational support, should be identified and documented in a business case, agreed to, monitored and reported. Establish a general monitoring framework and approach to define the scope, methodology and process to be followed for measuring IT s solution and service delivery, and monitor IT s contribution to the Agency. Integrate the framework with the corporate performance management system. Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall. Manage IT-enabled investment programs and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise s strategy and objectives. 13