System Under Development Audit of the Secure Integrated Registration and Certificate Unit Project

Background

The Audit and Assurance Services Branch of Indigenous and Northern Affairs Canada ("INAC" or "the Department") identified the System Under Development (SUD) Audit of the Secure Integrated Registration and Certificate Unit (SIRCU) Project in the Department's 2015-2016 to 2017-2018 Risk-Based Audit Plan. The audit was identified as a very high priority as the accuracy of the Indian Register and the issuance of Secure Certificates of Indian Status (status cards) are fundamental to timely, effective and accountable delivery of federal programs and services for eligible individuals. One component of the SIRCU Project is to replace the existing Indian Registration System (IRS) with the Indian Registration and Estates Management System (IREMS). Indian registration information within the existing system underpins billions of dollars in program funding as well as policy analysis and research. The audit was originally initiated in January 2015; at the end of the planning phase, it was agreed upon with program management that the SIRCU Project was not sufficiently advanced to warrant audit work. The audit was put on hold and re-initiated in June 2016.

Audit Objective and Scope

The objective of the audit was to assess the adequacy of controls in place to mitigate key risks to the successful implementation of the SIRCU Project and to recommend risk management strategies to augment the effectiveness of the project's existing management control framework.

The audit scope focused on assessing the adequacy (design) of controls in place to manage SIRCU implementation risks in the following four broad risk areas identified during the planning phase: organizational readiness; project management; financial management; and enterprise architecture. The audit focused on current-state registration and Secure Certificate of Indian Status (SCIS) application/issuance processes with a future-looking assessment of key implementation risks.

Statement of Conformance

This audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

Positive Observations

The audit found several areas of strength. Specifically, the audit noted that standard project management practices were in place, including the implementation of an active and engaged SIRCU project steering committee. Additionally, a business case had been developed for the Indian Registration and Estates Management System (IREMS) and the implementation has included a formalized gating process, a business costing model, along with comprehensive business requirements and a method of prioritizing these requirements.

The audit also noted that opportunities for process and administrative improvement supported the business case for SIRCU's vision of centrally-virtualized, consistent and streamlined services across intake channels and regions. Furthermore, there were indications from internal stakeholders that certain proposed changes under the SIRCU vision, such as enhancing the usability of supporting Information Technology, would be welcomed.

Conclusion

The audit found multiple leading practices in place as well as opportunities to strengthen the design of certain key controls to better mitigate risks to the successful implementation of SIRCU and achievement of project objectives. Anchoring the definition of SIRCU scope on intended outcomes (i.e. results in terms of impact to Canadians), and aligning required resources to attain these outcomes, would better position INAC to manage the interrelated initiatives, activities and risks to achieving SIRCU outcomes.

Recommendations

The audit team identified opportunities for improvement in relation to business vision and outcomes, project management, organizational readiness and technology implementation, resulting in the following four recommendations:

1. The Assistant Deputy Minister, Resolution and Individual Affairs, should clearly define the intended SIRCU outcomes (i.e. results in terms of impact to Canadians), including how these outcomes will be measured and reported. This would include defining results in consultation with key stakeholders and then identifying, assessing and managing all relevant initiatives and risks in an integrated manner to deliver and demonstrate these results.
2. The Assistant Deputy Minister, Resolution and Individual Affairs, should review, clarify and communicate SIRCU's scope (and associated resource needs/allocations) in alignment with the intended outcomes, and track actual costs/resource usage of SIRCU delivery (including, if necessary, human resources in terms of full-time equivalents (FTEs)) against project costs/resource estimates.
3. The Assistant Deputy Minister, Resolution and Individual Affairs, should review the current SIRCU resourcing and funding model to determine whether there is sufficient capacity allocated to undertake the necessary policy, process, people and technology changes (including data conversion) to successfully implement the SIRCU outcomes. This would include reviewing the resources and subject matter expertise necessary to concurrently manage existing operations (including anticipated demands from legislative changes) as well as new initiatives supporting SIRCU (including IREMS).
4. The Assistant Deputy Minister, Resolution and Individual Affairs, should include data governance in its SIRCU plans with strategies to prepare/cleanse, migrate/convert and manage/govern data coordinated across functions (i.e. estates, treaties, registration, SCIS), including developing funding strategies to account for existing data issues and inherent data risks, and defining and planning for the data-related activities both in and out of scope of IREMS.

Management Response

Management is in agreement with the findings, has accepted the recommendations included in the report, and has developed a management action plan to address them. The management action plan has been integrated in this report.

2.1 Audit Objective

The objective of the audit was to assess the adequacy of controls in place to mitigate key risks to the successful implementation of the SIRCU Project and to recommend risk management strategies to augment the effectiveness of the project's existing management control framework.

2.2 Audit Scope

The scope of the audit focused on assessing the adequacy (design) of controls in place to manage SIRCU implementation risks in the following key areas, which were identified in the initial risk assessment performed during the audit planning phase:

• Organizational Readiness;
• Project Management;
• Financial Management; and
• Enterprise Architecture^{Footnote 2}.

As this audit was designed to be forward-looking, the scope excluded assessing the effectiveness of the controls. Also excluded from scope were the activities outside of INAC, such as infrastructure provided by Shared Services Canada and processes implemented by First Nations that are not part of INAC regional operations.

Fieldwork activities were performed at headquarters (HQ), including the National Processing Unit (NPU), as well as the Winnipeg Processing Unit (WPU), and the Manitoba and Alberta regional offices.

5.1 SIRCU Vision and Outcomes

The audit team observed several indications that the business case for SIRCU's vision of centrally-virtualized, consistent and streamlined services across intake channels and regions is warranted. For example, backlogs and wait times across regions can vary, and events (e.g. the recent "Occupy INAC" incidents at various INAC offices) can interrupt or halt services in a region. Under a centrally-virtualized SIRCU vision, services can be load-balanced across regions, thus addressing these challenges. Similarly, the audit team observed instances of inconsistent regional interpretations and implementations of registration-related policy, and administrative redundancy in the registration and SCIS application processes. Realizing the SIRCU vision would address these inconsistencies and redundancies.

The audit team's examination of the current processes, procedures and systems suggested that changes are required to transform the organization (policy, processes, people, and technology) in order to realize the SIRCU vision.

The audit team noted operational interdependencies that will impact the realization of SIRCU's vision. As an example, the shift to integrated processing of registration and SCIS card issuance without decommissioning the Certificate of Indian Status (CIS) may not achieve INAC's intended integration outcomes.

The CIS is an identity document that confirms that an individual is registered as a Status Indian under the Indian Act and provides them with access to benefits and services. The SCIS includes several security improvements to help protect registered individuals from identity theft while still providing them with access to benefits and services.

The application requirements for a SCIS card are generally more substantial than they are for a CIS card. For example, the application for a SCIS card requires additional proof of identification. Therefore, there may be little incentive for individuals to take the additional steps for a SCIS card when CIS cards are readily available and provide access to the same benefits. Although integrating the processes for registration and SCIS card issuance could achieve greater security and process simplification, if individuals opt out of the SCIS component of the integrated process in favour of obtaining a CIS card separately, these outcomes may not be achieved and administrative burdens may rise within INAC.

The auditors also noted that the shift to integrated processing could increase service risks realized during initial integration testing at the WPU. For example, interviews indicated that several SCIS applications received at NPU, that leverage an integrated process^{Footnote 3} for both registration and SCIS card issuance, may be expired by the time they arrive for SCIS processing. One factor contributing to these expirations is that the SCIS application requires a recent photo (either 6 or 12 months)^{Footnote 4} of the applicant. However, because these applications first go through a registration process based on individual entitlement, the time needed for this process can exceed the expiry date of the photo. Registration entitlement decisions can be complex and take time to process, which can lead to an SCIS application expiring before it can be processed, significantly diminishing client service and impacting SIRCU's ability to achieve a streamlined process and demonstrate improvement in the clients' experience.

The audit did not find evidence to demonstrate that the SIRCU Project is being managed with a comprehensive view of these and other operational interdependencies and complexities.

To effectively manage the significant changes, a clear understanding of intended outcomes is important. The audit team did not see evidence of clearly stated outcomes (i.e. results in terms of impact to Canadians) and a method of measuring these outcomes. For example, the audit did not find evidence of existing service level baselines (i.e., a minimum service level or current starting point used for comparisons over time) being used to measure and demonstrate results throughout the duration of the Project.

5.2 Project Management

The audit team observed several standard project management practices being applied to the SIRCU Project. For example, the auditors found that an active and engaged SIRCU project steering committee has been implemented, and a SIRCU monthly newsletter is distributed to Individual Affairs Branch staff. The auditors also observed a formalized project management approach being applied for the IREMS implementation.

The SIRCU Project is a significant and complex initiative with several interdependent and transformative initiatives involving people, policy, processes, and technology being managed by different organizational units. Further, some of the initiatives within SIRCU are being managed as separate projects (e.g. IREMS is being managed as a separate IT project).

When examining the management of the SIRCU Project and related initiatives, the audit team observed several instances of standard project management practices. At the same time, they observed several instances where SIRCU project management could be improved, including clarity on the project scope and communication to stakeholders. For example:

• The SIRCU Project Charter indicates that achievement of the SIRCU objectives depends on the initiative to phase out CIS cards, but the initiative is not included in the scope of the Project. However, subsequent documents, such as an update to the Assistant Deputy Minister, Resolution and Individual Affairs, include the initiative to phase out CIS cards as part of the SIRCU Project.
• Management and staff interviewed explained that there is inconsistent use of the term "SIRCU" and no clear definition of SIRCU as a project. They also noted that the timelines and goals are often changing and/or delayed.

Additionally, the audit team did not find evidence of a method to track and demonstrate how resources, in FTEs and/or funds, are being utilized against SIRCU Project cost estimates. The SIRCU Project charter outlines that 2015-2016 project costs included: funding for a Transformation and Integration Unit, with four FTEs for a definite period of three years ending March 2017; and $915K in Operations and Maintenance (O&M) funds for IREMS. The audit team noted there were estimated costs for IREMS and practices in place to track IREMS-related costs. However, other SIRCU initiatives are being funded out of A-Base funding and no SIRCU project code was established to facilitate the tracking of resource usage.

Managing the collection of interdependent projects and initiatives that make up SIRCU, with a clear definition of outcomes (end results), could help validate, clarify and manage scope and resource utilization.

5.3 Organizational Readiness

The SIRCU Project is introducing changes spanning people, policy, processes and technology, and will impact stakeholders across the country. A key success factor for any transformation is whether stakeholder groups are willing to accept the changes. Interviews with internal stakeholders in Alberta, Manitoba and headquarters, including the National Processing Unit and the Winnipeg Processing Unit suggested that several proposed changes under SIRCU are welcomed, such as enhancing the usability of supporting information technology.

Operational demands, such as ongoing legislative changes and litigation cases, present high risk to INAC's ability to deliver the SIRCU outcomes while at the same time maintaining critical services, such as certificate issuance.

The audit team observed evidence of current legislative efforts having an impact on SIRCU timelines. For example, auditors were informed that the phasing out of CIS cards was postponed and that SIRCU national calls were put on hold for a period of time in 2016 due to priorities related to legislative amendments. The audit team recognizes that litigation cases and legislative changes create operational demands that INAC must respond to on a priority basis, including a number of ongoing Human Rights Commission and litigation cases open at the time of this audit. However, many of the same resources responsible for delivering SIRCU are needed to respond to these priorities.

Furthermore, in addition to ongoing operations and legislative changes, many of the same resources needed to implement SIRCU changes will also be needed for the IREMS implementation (examples include, but are not limited to, developing IREMS requirements, cleansing and converting data, informing data governance plans, and assisting with user acceptance testing).

In light of the significant efforts needed for SIRCU, alongside with IREMS implementation, the audit team did not observe evidence of sufficient analysis demonstrating the adequacy of resources/funding going forward. In particular, the audit team did not find evidence of a comprehensive understanding of all the resources needed for the Project-related initiatives and activities, including the subject matter expertise required.

The audit team observed an incremental approach to delivering SIRCU with existing resources. Specifically, resources are working on SIRCU if and when they have additional capacity, increments at a time. However, proceeding incrementally without a funded approach fully supported by senior management heightens certain risks. In particular, without the organizational capacity needed to manage the significant changes, the benefits expected from the IREMS investment are at risk, the likelihood of a service disruption is heightened, and INAC may not meet operational obligations and/or stakeholder expectations.

5.4 Technology Implementation

A significant component of the SIRCU Project is the implementation of IREMS. The audit team observed, and interviews indicated, that the Government of Canada gating process is being used by INAC to implement IREMS. Documentation reviewed demonstrated that a detailed business costing model, project approach, and business case had also been developed.

The audit team noted that comprehensive business requirements for IREMS had been developed, and that these requirements generally reflect the needs of stakeholders for registration, estates management, treaty payments and SCIS. The audit team also observed an appropriate method for prioritizing requirements. In particular, IREMS requirements had been prioritized as "must have," "should have" and "could have" and the following factors informed this prioritization: Business Value; Business or Technical Risk; Implementation Difficulty; Likelihood of Success; Relationship to other requirements; Urgency and Stakeholder Agreement. While further review and refinement of these requirements will be important, this prioritization approach is generally aligned with standard practices.

The Indian Register is the official record identifying all Status Indians in Canada and underpins billions of dollars in government-wide program funding for First Nations as well as policy analysis, design and implementation across jurisdictions. Therefore, the data integrity, confidentiality and availability of this information are critical to managing reputational and financial risks.

IREMS will replace four legacy systems: the Indian Registration System, the SCIS web application, the Estates Reporting System, and the Treaty Payment System. Integrating the existing legacy systems is expected by the audit team to be complex and resource-intensive, and will need a strong data governance model. Risks in these areas will need to be examined and managed. For example, known data quality issues with legacy systems exist. Strategies are needed to address these quality issues and data inconsistencies across these systems as well as to govern the information to be housed by an integrated IREMS.

Consideration for data governance (including data privacy and security, data integrity across legacy systems, and an ongoing approach to managing information in IREMS) should be planned early in the IREMS/SIRCU Project so that the technological options and implementation plans reflect the information needs of INAC. The plans should consider metadata management (for example, how to interpret each element of data in a given system) as well as master data management (for example, the "source of truth" or "system of record" for a given element of data).

The audit team did not observe early planning for these key areas in a manner commensurate with the inherent risks. As an example, at the time of the audit, certain IREMS transition requirements, such as for data integrity and conversion, had not yet been developed. Without a clear definition of plans and requirements, resource planning for data governance and conversion may not be adequate. Moreover, future data security analyses may expose weaknesses that may be more costly to address at a later date.