:
I call the 61st meeting of the Standing Committee on Public Accounts to order.
Colleagues, we are here today to do a public hearing on chapter 5, Information Technology Investments—Canada Border Services Agency, of the spring 2015 report of the Auditor General of Canada.
I have no business beforehand, other than to mention that the Canada Border Services Agency had their action plan in and on time. That's much appreciated. Thank you. Also, colleagues, a reminder that next Monday, June 1, we will hold yet another public hearing, which will be on chapter 4, Access to Health Services for Remote First Nations Communities. That's also flowing from the spring 2015 report.
Without further ado, I will call on our Auditor General, Mr. Ferguson, to give us his opening remarks. Sir, you now have the floor.
:
Mr. Chair, thank you for this opportunity to discuss our spring 2015 report on information technology investments managed by the Canada Border Services Agency.
Joining me at the table is Martin Dompierre, principal, who was responsible for the audit.
[Translation]
This audit focused on assessing whether the Canada Border Services Agency has the corporate and management practices in place to enable the delivery of information technology investments that align with and support its strategic corporate objectives.
As part of the audit, we consulted six federal government departments and agencies to get their views on their collaboration with the agency.
[English]
The Canada Border Services Agency plays a key role in Canada's security and prosperity by managing the access of people and goods to and from Canada. In the 2013-14 fiscal year, the agency admitted close to 100 million travellers and cleared more than 14 million commercial shipments. These and other agency activities resulted in the collection of $26.9 billion in revenues.
Information technology plays an important part in the agency's ability to achieve its strategic objectives and its mandate to ensure border security. The agency's current portfolio is made up of 30 information technology projects, with a budget of more than $1 billion.
Overall, we found that the agency has had significant challenges in managing its information technology portfolio in a way that ensured it could deliver IT projects that meet requirements and deliver expected benefits.
In December 2013, the agency put in place a new project portfolio management framework to strengthen its management of IT investments. We found that the framework was comprehensive, but our review of five projects against the framework revealed that the agency had not fully applied it, which resulted in several issues.
[Translation]
For example, we found that the information provided to senior committees tasked with overseeing the information technology portfolio did not contain accurate financial information, project status information, or timelines. This information is important to ensure that projects are being managed to meet all stages of approval, meet delivery requirements, and align with the agency's strategic objectives.
[English]
In addition, projects often lacked clear requirements, had no defined and measurable benefits, or had poorly stated benefits. This resulted in project delays, duplication of effort, and business requirements that were not finalized. For example, over 75% of projects had minimal or no information on whether benefits would be realized or aligned with strategic objectives.
[Translation]
Information technology plays a key role in the agency's ability to achieve its strategic objectives and mandate. Without access to complete, reliable project information with clear business requirements, the agency is restricted in how efficiently and effectively it can manage its portfolio of projects.
Our report makes three recommendations to the Canada Border Services Agency. The agency has agreed with our recommendations and has shared its action plan with us.
Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions the committee members may have. Thank you.
My name is Caroline Weber. I am the vice-president of corporate affairs at the Canada Border Services Agency, or CBSA. I have with me today my colleagues, the associate vice-president of information, science and technology, Mr. Louis-Paul Normand, and Mr. Chris Bucar, who is acting director general of resource management.
I'd like to thank the committee for affording us the opportunity to appear today in order to discuss chapter 5 of the spring report from the Auditor General of Canada.
As the committee is aware, the audit of CBSA's information technology investments examined whether the agency's corporate and management practices are enabling the delivery of IT investments.
[Translation]
As the Auditor General noted, the CBSA is a law enforcement agency, charged with a dual mandate to secure the border, while contributing to Canada's prosperity by managing the access of people and goods to and from the country.
Our responsibilities are diverse and complex. In a global age, modern border management means focusing our efforts on six core areas: pushing out the border; facilitating the entry of low-risk people and goods; delivering integrated and effective enforcement; improving efficiencies; increasing harmonization with our international partners; and focusing on client service excellence.
Managing the border in today's environment involves broadening our understanding of what is traditionally thought of as “the border”.
[English]
Rather than thinking of the border as a line across the 49th parallel, our approach increasingly is to manage the border as a corridor where decisions are sequenced and made, as much as possible, before people and goods arrive. Addressing threats at the earliest possible point is essential to strengthen security and improve the free flow of goods and people through our border, and investment in our information technology is critical to our ability to do that.
Since 2013 the CBSA has invested considerable time and energy to improve project management, while developing and delivering one of the most complex suites of IT projects in the Government of Canada, including significant responsibilities under the beyond the border action plan.
The investments being made in information technology are not solely about back office efficiencies. These projects are necessary to realize operational benefits such as improving the CBSA's lookout system, scrutinizing passenger name record information before inbound flights depart, and analyzing electronic manifest information before commercial import shipments arrive at crossings.
[Translation]
Consequently, the agency has an IT project portfolio totalling more than $1 billion. As noted by the Auditor General, the agency implemented a strong project portfolio management framework in 2013 to better manage these investments to 2020.
The CBSA is pleased that the Auditor General's spring report reinforces that the direction and actions taken by the agency are on the right path to further improve the management of major IT projects.
We also agree that the recognized strong project management framework will continue to evolve, providing more and more predictability for project delivery.
[English]
Overall, the audit reached three main conclusions: that while the CBSA has established a robust project portfolio management framework, it requires full implementation and a strengthened governance process for IT investments; that more clarity was needed for IT systems requirements to ensure project requirements could be met, and defined measures were needed to assess project benefits; and that clear requirements for how project dashboard information is collected, validated, and reported were required for consistent and complete project status reporting on IT projects.
Mr. Chair, as the agency has responded in the report and in the management action plan provided to this committee, the CBSA agrees with the Auditor General's conclusions. We are committed to continuing to strengthen the controls and oversight necessary to fulfill our commitments on IT projects and ensuring that they deliver expected benefits.
We have a detailed work plan in place to address the key issues. That has been reviewed by the Auditor General's office. We are tracking on time to meet those commitments. A few examples of this work include the following: updating important IT planning documents, such as the annual IT plan and an investment plan, which includes all significant capital projects over the next five years; establishing directives to ensure that enterprise architecture is adhered to by all IT projects through formal gate reviews and approvals; formalizing the coordination and oversight function across all project stakeholders, developing a baseline set of performance benefits indicators and quarterly reporting to the executive cadre on benefits realization status of IT projects; and initiating a formal review process of the procedures and practices of how project dashboard information is collected, reported, and enforced.
The agency has also delivered its IT investment plan, which includes all major activities.
[Translation]
Mr. Chair, we have duly noted the need to continue to implement our strong project portfolio management framework and will take steps to improve project portfolio management, project planning, and project reporting.
We are pleased, however, that the chapter presented by the Auditor General credits the work and our work plan already underway, and that we are well-positioned to meet our commitments on time.
[English]
Mr. Chair, I would like to note the Auditor General's own comments on the audit. When he appeared before this committee on April 29, 2015, he stated:
We were very happy with the framework that had been put in place in the agency and the fact that it was comprehensive. Our concern, again, was that it wasn't at this point in time always being applied in the management and the oversight of the projects.
This concludes my opening statement. I would be pleased to answer any questions the committee may have.
:
Thank you very much, Mr. Chair.
I want to welcome the witnesses and thank them for joining us.
[English]
First of all, I have an observation I'd like to make. Over the last several years, the Government of Canada has been implementing very robust security measures at border points and at the same time implementing the most historically robust trade alignment of Canada in our history with trade agreements all around the world. I can't imagine how challenging that is for border services. On top of that, I happen to know, coming from the Kitchener-Waterloo area, how quickly information technology is progressing. Every six months there are new opportunities available. So you have your work well cut out for you.
I know from your opening comments, Ms. Weber, that you're well aware of that, and that the flow of goods, addressing threats, and examining the corridor between our nations around the world are top of mind for you.
I wonder if you could start us off by giving us an overview and an update on the implementation of two, or perhaps three, of the larger IT projects you are currently undertaking in order to keep our borders safe and secure and to facilitate the free flow of goods and people.
:
Thank you for the question.
I don't know whether you had any particular projects in mind. The audit report focuses on five of them.
[English]
I think I'll start with entry-exit, because it goes to explain the complexity of IT, which you alluded to. In our world, it's the complexity of the ecosystem we work in. It's a global system out there and our partners are strewn around the world.
In the case of entry-exit, this is the ability to capture exit information as people leave Canada and to share this, in some cases in land mode with the U.S. and in other cases in air mode with other government agencies. We are at the pointy end of 90 acts of Parliament, so our partners who are using some of the information we collect are not within our direct control.
Entry-exit is a good example of this. There are nine partners within the government that wanted the information there. The first major hurdle we ran into involved a horizontal privacy impact assessment not of the collection of the data but of how that data was going to be used. I'm looking at my colleague here who is at the heart of the privacy impact assessment work. That caused some delays. More recently on this is the fact that the regulations to be able to do this are in the border bill and we're still waiting for confirmation of the border bill.
This goes to tell you that there are a lot of dependencies external to the projects. We have to manage those. We know the business we're in, but by and large we have to account for those constraints and that was for entry-exit.
:
I want to say thank you to all of the witnesses here today. I certainly appreciate your roles and what you do.
I'd like to start by going back to the report.
I certainly recognize Mr. Woodworth and his earlier points in regard to the complexity of the environment you deal with. The different laws and different agencies and private companies you have to deal with add to that complexity.
I also appreciate that our trade relationship with the United States is one of the most important relationships we have. The beyond the border initiative is something that I'm very supportive of, and I know that people in my riding of Okanagan—Coquihalla are very supportive of it. Safety and an increased ability to get goods and services and people across the border are vital.
Getting back to the actual report, in response to paragraph 5.30, the CBSA commits to updating its agency investment plan. I believe you said that you'll do it by spring of 2015. Then, with the annual investment plan, I believe it will be by June 2015. We're almost at June.
Could you please give a status update on these two areas and what that means in regard to the recommendation going forward?
:
We look at this information every couple of weeks, and then every month at our senior executive committee, as well.
In my organization we're responsible for looking over the shoulder of my colleagues in making sure the information is accurate. We are putting in place more robust and clearer instructions on how to populate some of those things.
We did have some discrepancies, as the Auditor General referred to. We knew about those discrepancies, but we were living with them because there were time gaps or time lags between some of the information. We were not including some standard information that would have been easy to add because we knew it was there and it's not the way we usually reflect things internally. However, we are changing that as a result of this audit.
We will continue to look at this and conduct our own internal audits. I imagine the Auditor General will revisit this audit in a few years, as they usually do, and provide an external check on us, as well.
:
Sorry to cut you off, Mr. Normand, but quite frankly, if you're going to try to explain to me master data management, I don't have that long. We don't have a week. I have five minutes.
The bottom line is, I just read to you, sir, and I've asked you to look at it. Clearly, it says, “The Agency”, —you, CBSA—“changed a key component in favour of a new solution”—new solution, not an old solution; this is the Auditor General's report, sir, that I'm reading to you—“that has caused Citizenship and Immigration Canada to revisit the components it is building.”
If you changed your mind on something and told Citizenship and Immigration you had changed your mind, and they had to go back and do something else, did that not cause a delay?
:
Thank you, Chair. I'm good either side of that.
Welcome to our witnesses today.
Mr. Ferguson, I'd like to start, if I may, with you.
Specifically, in your opening remarks you commented on some of the deficiencies that your office found within the agency, and we've heard today about the complexity of this massive project, a significant investment by taxpayers in the agency, and specifically directed at IT investments. I'd like to direct you to paragraph 5.12 on page 3, where you talk about a project portfolio management framework—the agency had designed a strong project portfolio management framework, granted, according to your comments—and how this framework has not been fully utilized.
When we look at the size of the investment, could you comment specifically on whether the project portfolio management framework is going to give the government and taxpayers confidence that we have the tools and management structure in place to do the job that's necessary in developing this important technology?
:
What we've identified, essentially, is that, again, they have designed a strong project portfolio management framework, so, as I've said before, we were happy with the fact that the framework existed.
Over the course of the next number of paragraphs, we talk about many of the aspects of that framework, such as governance structure in paragraph 5.17 and their investment planning in paragraph 5.21. Then we talk a bit about enterprise architecture and the risk profile. Again, they have a number of different components to that framework which we found were good.
However, I think that in order to have the level of confidence you were talking about—and it is a billion-dollar portfolio of projects—what's important is to make sure that the framework is fully implemented and is used. The first step is there, and it's an important step to have the framework, but then what's really important is to make sure that framework is being followed. Some of the things, such as making sure that all of the information going to committee is rigorous and agrees with all of the supporting documentation so that the committee has the information, I think are a good example of that.
:
Absolutely, and thank you very much for the question.
We did recognize a number of years ago that we needed to improve with regard to IT project management, so we put in place this framework and started implementing it. I can tell you that our IT projects are being delivered on time now and on budget, so the framework that we put in place has achieved that.
In addition to some of the issues that the AG has identified, benefits realization was part of our framework as well, but we hadn't implemented it yet, so we are following through on that plan. We've had the benefits realization discussions at our technology and innovation project committee—I don't think I have the title of that committee right, because we use acronyms all the time—and we are moving forward. There are people mobilized to look at benefits management and benefits realization.
I think that we're not alone in the Government of Canada. There is no excuse for that, given the size and the importance of what we're doing, but I think it's something that we've been struggling with across the government in terms of making sure that even if we have an idea of what the IT system is going to do—and many of ours are replacements of legacy systems to improve security, not always to generate savings—we haven't always quantified that. Our task before us is to operationalize the savings that have been previously identified or the benefits that have been previously identified.
:
Thank you for the question.
The replacement of that system is actually twofold. One is within the CBSA's control, and it's the lookout database that we talked about earlier. The other aspect is for our officers in the ports of entry to use GCMS, the global case management system, deployed and managed by CIC. In this case, we are using what's called FOSS right now. When you scan your passport it goes to the database called FOSS, and that's what we're decommissioning. FOSS is currently doing the two systems.
We had to agree as to what would be done in GCMS, so in the CIC system, and what had to be done and developed by CBSA. It's not an incremental cost, in that if we hadn't done it—in this case we decided to do it—then CIC would have had to do it.
The disagreement had to do with who was to do it, not the cause of an overrun. The $2.3 million was the licence for the FOSS vendor, the legacy vendor. The decision would have been to carry it on anyway because of the rollout plan that we deployed. In other words, there was no way that we would have been able to turn off FOSS as a back-up system in December 2013 as originally planned.
It was not really an incremental cost.
:
That is our objective, of course.
To make the border more secure, we have to interact with our partners. That means we need another system. However, when we say that, we are not just talking about a system. We are talking about 288 applications and 42 databases. The main challenge is the integration and interaction of those systems.
The system must do everything in an exemplary manner. That is why the architecture is becoming absolutely critical. We have to make sure that it is open, but that we also increase security. That is of the utmost importance.
It is actually the main challenge. The CBSA often decides not to go ahead with a system because it cannot really put the right bolts into the right places to ensure that the system will be secure.
:
Okay. I'm just wondering, because obviously Treasury Board guidelines are there for a reason. Those policies are set for a reason. When an agency does not abide by them, as is being reported right now through the Auditor General's report, I'm wondering how those situations are dealt with. I'm surprised that you wouldn't know at this stage.
I'll move now to paragraph 5.20. A question was raised earlier about five of the projects the report examined that went through the Canada Border Services Agency project management framework and that moved on to their next phases without meeting some of the necessary prerequisites that were outlined.
Could you outline to me what the five projects were, just so that we have it on the record, and why it was not necessary to meet the established prerequisites? What were the prerequisites, to start with, and how close were the five projects to meeting them? Were there any consequences for not meeting those prerequisites?
Perhaps you could explain that to me, because I don't think we've had a clear understanding of that at this stage.
:
Right. Thank you for the question.
With regard to those five projects, we mentioned that we've had a project measurement framework since 2012. The project measurement framework did not include an investment management component and benefits realization component. All of those projects were gated under the project management framework. The portfolio management framework, which was deployed in February 2014, added that rigour.
It's not a matter of if a project should be exempted; all projects are subjected to this now. At the time of the audit, no new projects had gone through the early gates. All the projects were in the latter gates of the portfolio management framework.
As I mentioned earlier, for all active projects I've pushed people back to meeting the requirements of the earlier gates—having all of the benefits identified, the requirements identified, and all of that. There's no exception. It's just that they had gone through those gates without doing it originally.
:
Do you want me to read the five projects into the record?
They're the entry-exit initiative, FOSS, or the field operations support system replacement project, the interactive advanced passenger information initiative, the single window initiative, and the temporary resident biometrics project.
Our issue was that as we were implementing our new framework, some of these projects—all of them, really—were in flight already. It was a question of how far back do you go given the project is.... For example, the single window initiative was approaching release to meet the previous gates, when the gates didn't exist when the project started.
:
Thank you for the question.
As we've noted, we have completed our IT plan, our investment plan, and a number of things you see in our management action plan. I've looked at a pilot version of a report on benefits realization, and we have a way to go. We'll have that report ready in September. As I said, we have people working to make sure we have benefits operationalized for all of these projects that are beginning.
We really appreciate the opportunity.
We've worked very hard in the agency to take an attitude toward audits and evaluations that these provide us with management information and help us to do our job better. As I said, benefits realization was part of our work plan anyway, but the audit did highlight some other areas where we decided we had better put something more robust in place to make sure it's institutionalized and continues into the future.
Speaking to the complexity issue, I also think our framework allows us to identify problems earlier so that we can talk about alternatives and solutions, so that we're not marching blindly off a cliff into a project that doesn't work or doesn't contribute to our agency's goals. The gating process lets us monitor if something's starting to go in a bad direction, or out of budget. I think we have a lot of information on a very frequent basis.
Thank you.
Mr. Normand, my good friend, Mr. Falk, asked you about buying off the shelf, but I know, sir, you weren't looking for an Atari or Commodore 16.
Let me go back to page 12 and paragraph 5.37 about FOSS, the field operations support system. In response to an earlier question, you said that there was a dispute between the two agencies, CBSA, which is your agency, and Immigration Canada. There's no confusion here; it's absolutely true.
What you said too, I believe, sir, is that the issue was who would do this, which may have inferred who would pay. Is that what you were saying?
:
Okay. I don't have time to go back, so you can go back and look at that.
I have a specific question for you, Ms. Weber. It was actually Ms. Jones' question initially. I would go back and look at Ms. Jones' first question period because that's when it was asked.
Ms. Weber, you have acknowledged today, it seems to me, that the Auditor General says you have an overall—if I can use the term—macro system that's quite good. The issue is making sure you hit the gate boxes, as you might call them, along the way, where you didn't do so well. You have agreed you need to do that, according to your plan.
How do you intend to make sure it gets done? I recognize, Ms. Weber, that you're not doing them. It's not you as an individual that's going to actually make sure all of these things get done. This is a big job involving a lot of people.
How are you going to make sure it gets done? The Auditor General clearly said it didn't get done the last time.
:
Thank you for the question.
We were all involved in the decisions about which gates would get checked off as we implemented a new framework. The challenge for us has been IT projects that were already in progress, had been started, were a long way down the road to being completed when we bring in a new project management framework. The question then was whether we were going to go back in order to check the boxes on these projects, or whether we were going to continue and deliver, especially when we're near the end of a project, knowing that we would leave it undocumented, but thinking perhaps it wasn't the right way to use our resources at that time.
On a go-forward basis, all of our projects are being put through the entire framework with no exceptions, and we review that all the time. It wasn't that these projects—
:
The reference you are making is in paragraph 5.56. We're talking about the importance of the health of a project being reported to the people who have oversight of those projects so they understand where the project is.
This is an example in the business-to-business project where it was confusing to understand exactly what stage the project was at because they seemed to have said it was closed, but then they were also continuing to work on it.
Understanding that is important. Going through projects and making sure that each stage is met along the way is critically important to understand that all the requirements as well as the time and the budget are on schedule, to make sure the project is going to deliver what was intended.
We would never ask a department to go back and try to redo gates that have already been passed. But we would expect the department, at the point they were putting in place a new framework, to at least look at those projects that were in place and identify if they seem to be on the right path to deliver what they were intended to deliver, regardless of the fact that you can't go back and re-document certain gates, whether they were passed or not passed.
Ms. Weber, you seemed to want to reply to one of Mr. Allen's comments. You felt that you got all the things on the table? That's good. I'm happy to hear that.
When we talk about frameworks and whatnot, it seems to me that part of the reason is to deal with the complexities that Mr. Woodworth had raised, to deal with some of the matters that Mr. Falk raised as well, making sure you don't end up going down the wrong path and delivering something to CIC or to another agency that was unintended.
I also think it's important to take a step back and look at that yes, it's getting more and more complicated, but it is possible to deliver a very good project on time and on budget, and all those things, and to have one or two people or a small team to check off all the internal controls. But I do take the Auditor General's point that there's considerable risk to that. I would think that if someone got sick or if the team disbanded and there were unanswered questions long after that team had disbanded, that's why there are these these frameworks, so that you can come before a parliamentary committee like this, and answer questions and say that the taxpayers are getting all the things they're supposed to.
I certainly appreciate it. With 90,000 people coming across our borders every day, I'm glad there are people like you who are able to take that on.
I also had a question on page 18, the same page that Mr. Allen did. It's in paragraph 5.57.
Since May 2014, the Information, Science and Technology Branch introduced a new process to monitor project performance using a technique known as earned value management reporting....
I hadn't heard of this. Could you please give me an idea of what this technique is? What is it intended to do in light of the Auditor General's concerns?
:
Thank you for the question.
The earned value management technique has been around for years and years. The first requirement is that you need to have a good plan. Based on that plan, you load up with your resources that you need to deliver on that plan. Then the tracking becomes the planned value. As you go through six months of activities, you should be 50% done on a 12-month project. If your actuals, your financials, are over that or below that, it creates a variance that you track. That's the essence of earned value. It does that for scheduling variance. It does that for cost variance.
Now in our dashboard to Treasury Board, the colour for cost and schedule is no longer subjective. It is based on a percentage of variance on cost or scheduled variance.
We removed a lot of subjectivity from the process using earned value analysis. At the risk of repeating myself, the key element is to produce a quality plan up front. People in a hurry will often produce subpar plans if they feel they can get away with it later.
Earned value catches bad plans early in the process.
:
Certainly. I will try to be quick about this.
As we've said, we've updated our investment plan and our annual IT plan as part of our regular cycle, and we've presented it to the Treasury Board for their approval already.
I'll move on.
Enterprise end-state architecture, we'll continue to expand that in both breadth and depth. A functional directive covering every domain of the enterprise architecture will be finalized by September 2015. Also, we've begun to move individual projects toward architecture standards that fully align with Shared Services Canada's directions, and the service life-cycle management framework ensures that enterprise architecture directions are adhered to by all projects.
Finally, we're going to continue to maintain our beyond the border project level risk profile and to provide a full portfolio risk update roll-up at the quarterly beyond the border senior project advisory committee.
Am I running out of time?
:
You are, Madam. Good intuition. Well done. Thank you.
Thank you, Mr. Albas.
That not only concludes Mr. Albas' time, but also the time allocated by the committee for these witnesses.
In the absence of any motions or suggestions otherwise, and I'm not sensing any, on behalf of the committee let me thank our guests from the Canada Border Services Agency for being here.
As always, to our Auditor General, thank you, sir, for the work that you and your department does. It's much appreciated.
With that, colleagues, all those in favour of adjournment, please leave.
The committee stands adjourned.