Audit of industrial research assistance program (IRAP) - SONAR

 


Executive Summary and Conclusion

Background

This audit report presents the findings of the National Research Council Canada's (NRC) Audit of the Industrial Research Assistance Program (IRAP) – SONAR system. The President approved the audit following the recommendations of the Senior Executive Committee (SEC) and thereafter by the Departmental Audit Committee on June 24, 2016.

IRAP is NRC's innovation assistance program for small and medium-sized enterprises (SMEs). To ensure successful delivery of the Program, IRAP had put in place the SONAR system, an internally customized, web-based information and client management system. SONAR's current estimated annual development and maintenance cost (excluding infrastructure) is $2.2M [Footnote 1]. Effective February 2017, NRC's SONAR system links directly to NRC's SAP enterprise financial system for the processing of recipient claims.

Audit Objective

The objective of the audit was to provide assurance as to the adequacy of NRC's management control framework supporting the development and management of NRC's SONAR system [Footnote 2]. Specifically, the audit sought to determine whether:

  • Governance structures have been designed and implemented for the development and management of the SONAR system;
  • Development and management of the SONAR system is based on sound risk management practices; and
  • Business controls are in place to support data integrity, and processes related to monitoring and reporting have been established and implemented.

Raison d'être

In fiscal year 2015‑16, more than 350 NRC IRAP and Finance Branch employees used SONAR to record advisory services [Footnote 3] and manage contribution agreements with approximately 3,500 recipients, with a total funding value of approximately $230M. A reliable and well-maintained information technology system that supports performance management of NRC's IRAP is a key enabler for the successful delivery of the Program and the realization of NRC's strategic objectives and mandate. As such, NRC continues to invest in design and system changes intended to ensure SONAR has continued relevance as a key business support tool.

Strengths

IRAP has made a number of governance improvements to address the management and development of NRC's SONAR system with collaborative effort from key stakeholders. We also noted that a structured change management process, as well as Agile [Footnote 4] management practices, were recently adopted to allow developmental activities of NRC's SONAR system to be more flexible in meeting IRAP's needs.

Areas for Improvement

Governance practices can be strengthened through clearly documenting and communicating roles, responsibilities and accountabilities of SONAR stakeholders. In addition, development of an IRAP digital strategy is needed to ensure that investments in IRAP are aligned with departmental priorities. Related to this, adoption of a risk management framework will help to ensure that risks to the management and development of SONAR are addressed in a manner consistent with organizational priorities and risk tolerance. Finally, improvements are required to user access controls for SONAR.

Audit Opinion and Conclusion

In my opinion as the Chief Audit and Evaluation Executive, while components of governance, risk and control elements for the management and development of the SONAR system have been established, NRC's management control framework supporting the development and management of the SONAR system needs improvement. NRC should strengthen its management control framework supporting the development and management of SONAR through the implementation of the recommendations set out in this report.

Statement of Conformance

In my professional judgement as the Chief Audit and Evaluation Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the audit opinion and conclusion. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined. The engagement was conducted in conformance to the requirements of the Policy on Internal Audit, the associated directive, and the International Standards for the Professional Practice of Internal Auditing (Standards). The evidence was gathered in compliance with the procedures and practices that meet the auditing standards, as corroborated by the results of the quality assurance and improvement program. The evidence gathered was sufficient to provide senior management with proof of the opinion derived from the internal audit.

Alexandra Dagger, CIA, Chief Audit and Evaluation Executive

 

Acknowledgements

The audit team would like to thank those who collaborated in this effort to highlight NRC's strengths and opportunities for improvement as they relate to this audit project.

 

1.0 Introduction

The Audit of the Industrial Research Assistance Program (IRAP) – SONAR system was approved by the President following the recommendations of the Senior Executive Committee and thereafter by the Departmental Audit Committee on June 24, 2016 as part of the National Research Council Canada (NRC) 2016‑17 to 2018-19 Risk-Based Internal Audit Plan.

 

2.0 Background and Audit Context

IRAP is NRC's grants and contributions (G&Cs) program aimed at accelerating the growth of small and medium-sized enterprises (SMEs) and stimulating wealth creation for Canada. NRC's SONAR system has been the primary business support tool for the delivery of the IRAP program for over 10 years. In the last five years, the IRAP program has been continuously developing and improving the SONAR system. More recently, with the introduction of Agile development practices, system enhancements in fiscal year 2017‑18 are being deployed through monthly releases within 20-day iterations ("Sprints"). Given the importance of SONAR to IRAP and that NRC is continuing to invest in its capabilities, it was determined that an audit focused on how NRC manages and develops SONAR would be of value to the department.

Since February 2017, the SONAR system directly links to the NRC SAP enterprise financial system to allow processing of the reimbursement claims submitted by IRAP recipients of government funding. This increases the importance of a formally established management control framework for the SONAR system.

 

3.0 Audit Objectives and Scope

Objective

The objective of this audit was to provide assurance as to the adequacy of the management control framework supporting the development and management of the SONAR system. Specifically, the audit sought to determine whether:

  • Governance structures have been designed and implemented for the development and management of the SONAR system;
  • Development and management of the SONAR system is based on sound risk management practices; and
  • Business controls are in place to support data integrity, and processes related to monitoring and reporting have been established and implemented.

Scope

The audit scope focused on activities and processes within NRC IRAP as the business owner of the SONAR system. Risk management and business process controls were examined in relation to three projects [Footnote 5]: Single sign-on, IRAP Innovation Portal (IIP) re-imaging, and SONAR-SIGMA [Footnote 6] Integration. The audit conclusions relate to the management control framework in existence for fiscal year 2017‑18 [Footnote 7]. Audit testing was completed as of 19 October 2017.

The audit scope excluded examining program performance data in the "snapshot" module and financial data in the NRC enterprise SAP system. The audit scope and procedures do not constitute information technology general controls testing (ITGC) for the purposes of the Policy on Internal Control.

 

4.0 Audit Findings and Recommendations

4.1 Governance Structures

Summary Finding

While many fundamental governance practices are in place, they can be strengthened through clearly documenting and communicating roles, responsibilities and accountabilities of SONAR stakeholders. In addition, IRAP is lacking a defined and approved digital strategy.

Supporting Observations

4.1.1 Improved governance mechanisms and structures

We expected to find formal governance structures that include mechanisms for consistent review and approval of changes made to the SONAR system.

IRAP has recently implemented a number of governance mechanisms and activities that strengthen the management and development of the SONAR system. We found that the Program Delivery Advisory Committee (PDAC), re-established in May 2017, is now playing an advisory role for the prioritization of development and maintenance activities for SONAR. We found that IRAP's Senior Leadership Team (SLT) is also playing an advisory and consulting role in this area. These committees are accessible by the SONAR Product Owner (a new operating role within Agile governance frameworks), who is responsible for prioritizing SONAR development activities and managing stakeholders' interests. This newly established mechanism provides for a separation of governance from management, a key principle for successful governance.

IRAP personnel clearly understand the accountability of the Vice President of IRAP, as well as delegated responsibilities of the Executive Director IRAP Division Services to manage and develop the SONAR system. This also includes a clear understanding of the responsibilities of the Product Owner within IRAP Division Services Program Expertise.

A dedicated IRAP Business applications team exists within NRC Knowledge and Information Technology Services (KITS) branch. Current employees possess good understanding of the IRAP program and user requirements for the SONAR system.

In addition, we expected there would be a defined SONAR digital strategy that aligns SONAR development activities with the objectives of IRAP. We found an IT Roadmap prepared by IRAP in fiscal year 2017‑18. While the Roadmap identified key deliverables, it did not include short to long-term objectives for SONAR, or cost/benefit considerations to support investment decisions and demonstrate alignment with departmental strategic and operational priorities.

4.1.2 Collaboration and alignment with Government of Canada (GoC) Initiatives

IRAP has been managing the SONAR system with a focus on online service delivery [Footnote 8], citizens, and recipients. This aligns with current Government of Canada G&Cs initiatives and priorities.

We found that strong collaborative and consultative relationships exist between NRC KITS, NRC Security Branch and NRC Finance Branch for the enterprise management of the SONAR. Consultations and discussions, as well as standing cross-functional meetings, occurred in relation to key changes to the SONAR system, such as the SONAR-SIGMA Integration for the processing of recipient claims.

Key IRAP personnel are members of GoC working groups and actively participate in G&Cs communities of practice to ensure alignment of IRAP management activities for SONAR with GoC enterprise initiatives. The most prominent example includes the Treasury Board of Canada Secretariat Business Process Design Working Group.

4.1.3 Implementation of Agile and use of the TFS system to manage system development and changes

The change management system, TFS, was implemented in fiscal year 2016‑17. Since its implementation, IRAP has been investing consistently in building more structured processes and roles for change management for SONAR, with more formally documented epic stories, features, user stories and bugs. IRAP's Agile management practices have been maturing and evolving to align with the Agile control framework.

4.1.4 Roles and responsibilities

The IRAP Field Manual, an online web-based tool, is available to all IRAP employees and clearly documents the roles of SONAR users (i.e. Directors, Industrial Technology Advisors and Regional Contribution Agreement Officers), and we found that users understand their roles and responsibilities. However, there is no governance document that defines the SONAR accountabilities and responsibilities of key stakeholders such as the Vice-President of IRAP, NRC Chief Information Office/KITS, NRC Security Branch/DSO, and NRC Chief Financial Officer (CFO)/Finance Branch.

Areas for improvement

Current structures and accountabilities are not documented. In addition, a formally defined strategy with key objectives, risks and key performance indicators to support investment decisions and measure outcomes does not exist for the SONAR system.

Recommendations

It is recommended that:

  1. The Vice President of IRAP strengthen SONAR governance by ensuring that key roles and accountabilities are defined, documented and communicated. [Priority: High [Footnote 9]]
  2. The Vice President of IRAP ensure that an IRAP digital strategy be developed with defined short- to long-term objectives and key performance indicators (including costs) to support significant investment decisions and demonstrate alignment with departmental strategic and operational priorities. [Priority: High]
 

4.2 Risk Management

Summary Finding

IRAP has not adopted a risk management framework that ensures that risks to the management and development of SONAR are addressed in a manner consistent with organizational priorities and risk tolerance.

Supporting Observations

4.2.1 Risk management activities

We expected to find that risks for management and development of SONAR are identified, analyzed and evaluated, that the risk response is aligned with the SONAR strategy and organizational risk tolerance, and that risks are considered in the prioritization of investments in the SONAR system and the respective design of business process controls. We also expected roles for risk management to be clearly defined and understood.

We found evidence of risk considerations and elements of risk culture for the management and development of the SONAR system. For example, we noted a number of recent instances of risk considerations, including the IT Roadmap developed in fiscal year 2017‑18, the IRAP 2016‑17 Strategic Plan, and impact considerations within the TFS system when planning for system enhancements and fixing system issues. A number of SONAR development activities were undertaken to balance risk of unauthorized access to client sensitive information and operational needs. While these activities provide evidence of ongoing assessment and adjustment in senior management risk tolerance, they are informal.

IRAP Division Support staff demonstrated experience and knowledge with the management of SONAR risks. For example, IRAP staff are cognisant of client risk, unauthorized access to the system, loss of information and data, non-compliance with Government of Canada G&Cs requirements, and operational IT risks. IRAP staff clearly understand the delegated responsibilities of the Executive Director IRAP Division Services to manage risks in relation to the management and development of the SONAR system.

Areas for Improvement

IRAP has not documented the risks to the SONAR system. Instead, risk management activities are mostly informal and rely heavily on staff experience and knowledge. Evidence of the consideration of risk in prioritization of changes does not exist. While experienced staff can be effective in addressing risks, decisions and actions may not be consistent with organizational priorities and risk tolerance. A documented risk assessment would provide evidence of consideration of risk, cost and benefits when prioritizing system investments by IRAP.

Recommendations

It is recommended that:

  1. The Vice President of IRAP ensure that risks to the management and development of SONAR are identified, analyzed and evaluated, with risk responses that are aligned with the SONAR strategy and organizational risk tolerance. (Recommendation 2). [Priority: High]
 

4.3 Business Controls

Summary Finding

Business controls and processes are largely in place to support data integrity and the security of the system, provide information for decision-making, and ensure adequate training of users and timely communication of changes. There are, however, key weaknesses in user access controls to prevent or detect unauthorized access or modification to IRAP program data.

Supporting Observations

4.3.1 Data integrity

We expected to find that controls exist to ensure SONAR information/data is complete, accurate, relevant, up to date, processed as intended and stored properly in the system.

Through our audit testing, we were able to confirm that, at that time, a number of data input and validation controls existed within the SONAR system. However, these are not all aligned with the mandatory fields as defined in the Program system documentation. NRC operations during fiscal year 2015‑16 were affected by a cyber intrusion of July 2014 that brought all major systems offline and led to the maintenance of paper files. As a result, information had to be entered into the SONAR system in a way that did not trigger the checks and balances (i.e. controls for data integrity) on each data field. This workaround was discontinued at the beginning of fiscal year 2016‑17. An examination of the data through data analytics and a review of a targeted sample of 20 organizations, along with focus group discussions, indicated that SONAR data is not always complete, accurate, relevant and up to date. Limited functionality within the SONAR system for tracking changes to data (i.e. audit trail capability) does not allow for a conclusive determination of whether the gaps in data quality are owing to the special operational circumstances during fiscal years 2014‑15 and 2015‑16, to gaps in training material, or to a combination of the two.

This said, we found SLT and PDAC discussions from fiscal year 2017‑18 indicate that IRAP Senior management has recognized the need to improve data integrity within SONAR. An initiative to clean-up data in relation to organizations funded through the IRAP program is in progress. We also found that IRAP has developed data integrity monitoring reports to flag and correct discrepancies.

4.3.2 Information for decision making

We expected to find that controls exist to ensure that reports generated from SONAR are available and sufficient to support decision-making.

We noted that standard report capabilities of SONAR, as well as reports generated by Division Support Services, are used by IRAP management for the day-to-day management of the program. However, we found that the standard reporting capabilities meet the information needs of less than a quarter of the users. During the course of the audit, IRAP Division Services rolled out additional reporting capabilities through the BO tool, set up reporting baselines and trained a number of power users from each region during the second quarter of fiscal year 2017‑18. BO now allows for user-driven design and customization of reports, in addition to pre-built custom reports available to all users. As well, certain regions have built additional customized reports to use SONAR information more effectively for decision-making. While these changes have improved the adequacy of reporting capabilities, there is still more needed to close the gap.

4.3.3 Communication and Training

To ensure IRAP staff are aware of the SONAR changes taking place and are able to use the system to carry out their responsibilities, we expected to find mechanisms in place to support users, including communication strategies and the provision of training, tools, resources, and technical support.

IRAP has not established an internal communication strategy. Nonetheless, end users feel that communication of changes to SONAR by IRAP is adequate and timely. Additionally, employees are able to use the online IRAP Connexion tool [Footnote 10] to share information regarding SONAR capabilities and gaps.

We expected to find that IRAP had assessed the minimum level of training required as a key control over data input and the maintenance of data integrity. We found that extensive SONAR user guidance and training material related to contribution management processes and workflow have been developed by IRAP Division Services and that these are accessible to users through hyperlinks in a web-based manual. Employees received communications and training material related to significant system changes for all three key projects that we examined as part of the audit [Footnote 11]. Additionally, SONAR guidance and resources have been developed and provided at the regional level to further support staff. However, there is a need for more guidance on the minimum data fields that must be maintained in SONAR to ensure data quality.

4.3.4 Protection of the system and life-cycle management

We expected to find that IRAP leverages the NRC IT Risk Management Framework established by the Departmental Security Officer (DSO). We expected that IRAP considers security risks through the life-cycle of the SONAR system (system implementation, operations, maintenance and disposal) as prescribed by this Framework.

We found that IRAP applies the NRC IT Risk Management Framework and completed prescribed activities in relation to key implementation, enhancements and maintenance of the SONAR system. NRC completed the following between April 2015 and July 2017 to obtain authority to operate (ATO) the SONAR system on the secure Shared Services Canada infrastructure, as well as to maintain continued authorization:

  • Authorities to operate with conditions (ATOC);
  • Statement of sensitivity for SONAR and assessment that a separate one is not required for SONAR IIP;
  • Acceptance of authentication assessment for the SONAR-SIGMA connection;
  • A security impact assessment for the SONAR-SIGMA integration;
  • The IRAP Management Framework and Operations Guide (MFOG) for SONAR; and
  • Testing of Shared Services Canada disaster recovery capabilities to restore SONAR.

Responsibilities to monitor implementation of outstanding actions in relation to conditions for ATOCs are not clear, and monitoring processes are ad hoc. As a result, many required actions to remove the "conditions" have not been addressed within the agreed-upon timelines.

4.3.5 Management of user access

We expected to find that user access to SONAR is controlled and monitored to prevent unauthorized access or modification of SONAR data.

IRAP manages user access to the SONAR application through role-based accounts. The majority of SONAR users are assigned one specific account to deliver their responsibilities, such as an ITA account, a Director account, or a RCAO account. In the second quarter of 2017‑18, IRAP introduced improvements to user authentication by linking SONAR access to the NRC Active Directory [Footnote 12]. This is aligned with standard best practices for the design of preventive controls against unauthorized access to business applications.

We conducted a detailed review of user accounts and access within the SONAR production environment, where the actual live data is input, processed and maintained. Our review focused on management of user access granted on an exceptional basis outside of the standard ITA, Director and RCAO roles [Footnote 13]. We found a number of instances where existing access was not designed in line with expected practices and standard use of segregation of duties controls. Specifically, we found the existence of generic accounts, as well as information technology testing staff having access and making changes to actual data in the production environment. We also found a number of users being assigned more than one user account (an administrator support-role account, as well as an ITA-role and a Director-role account).

With regard to the current SONAR system capabilities to track changes to SONAR data, we found that these are limited when trying to identify changes to data and attribute them to users. This limited capability, along with the use of generic accounts, carries a higher risk of unauthorized access and poses further challenges for maintaining data integrity and for fraud detection and prevention.
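The kind of user-access review described in 4.3.5, as an added example that is not part of the audit or of SONAR: it takes an account export and a change log and flags generic accounts, test staff with production write access, persons holding several production accounts (including administrator plus standard-role combinations), and changes that cannot be attributed to a named person. Account names, roles, team labels and log lines are constructed.

```python
"""User-access review modelled on the 4.3.5 findings (constructed data, not SONAR)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STANDARD_ROLES = {"ITA", "Director", "RCAO"}   # roles named in the report
WRITE_ROLES = STANDARD_ROLES | {"Admin"}       # assumed: roles able to modify data
TEST_TEAM = "IT-Test"                          # assumed team label for testing staff


@dataclass(frozen=True)
class Account:
    account_id: str
    role: str
    environment: str        # "production" or "test"
    owner: Optional[str]    # HR identity; None marks a shared/generic account
    team: str


# Constructed account export.
ACCOUNTS: List[Account] = [
    Account("ita-ab12", "ITA", "production", "emp-101", "Program"),
    Account("dir-ab12", "Director", "production", "emp-101", "Program"),
    Account("adm-ab12", "Admin", "production", "emp-101", "Program"),
    Account("rcao-cd34", "RCAO", "production", "emp-202", "Finance"),
    Account("qa-shared", "Admin", "production", None, TEST_TEAM),
    Account("tester-ef56", "ITA", "production", "emp-303", TEST_TEAM),
    Account("tester-ef56-t", "ITA", "test", "emp-303", TEST_TEAM),
    Account("ita-gh78", "ITA", "production", "emp-404", "Program"),
]

# Constructed change-log lines: "<timestamp> account=<id> op=<op> record=<id>".
CHANGE_LOG: List[str] = [
    "2017-09-12T10:03:11Z account=qa-shared op=UPDATE record=CA-000123",
    "2017-09-12T10:05:40Z account=rcao-cd34 op=UPDATE record=CA-000123",
    "2017-09-12T11:15:02Z account=tester-ef56 op=UPDATE record=CA-000456",
    "2017-09-13T08:00:00Z account=unknown-9 op=DELETE record=CA-000789",
]

Finding = Tuple[str, str, str]  # (code, subject, detail)


def review_accounts(accounts: List[Account]) -> List[Finding]:
    """Flag the access conditions the audit reported in the production environment."""
    findings: List[Finding] = []
    prod_by_owner: Dict[str, List[Account]] = defaultdict(list)
    for a in accounts:
        if a.owner is None:
            findings.append(("GENERIC_ACCOUNT", a.account_id,
                             "shared account; changes cannot be attributed to a person"))
        if a.environment == "production" and a.team == TEST_TEAM and a.role in WRITE_ROLES:
            findings.append(("TEST_STAFF_IN_PROD", a.account_id,
                             f"testing staff hold {a.role} write access to live data"))
        if a.owner is not None and a.environment == "production":
            prod_by_owner[a.owner].append(a)
    for owner, accts in sorted(prod_by_owner.items()):
        if len(accts) > 1:
            roles = sorted(a.role for a in accts)
            findings.append(("MULTIPLE_ACCOUNTS", owner,
                             f"holds {len(accts)} production accounts: {', '.join(roles)}"))
            # Administrator support role combined with a standard business role
            # defeats segregation of duties between operating and administering data.
            if "Admin" in roles and set(roles) & STANDARD_ROLES:
                findings.append(("SOD_CONFLICT", owner,
                                 "administrator account combined with standard role(s)"))
    return findings


def attribute_changes(log_lines: List[str], accounts: List[Account]) -> Dict[str, int]:
    """Count how many logged changes can be traced to a named person."""
    owner_of = {a.account_id: a.owner for a in accounts}
    counts = {"attributed": 0, "generic": 0, "unknown_account": 0}
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        acct = fields.get("account", "")
        if acct not in owner_of:
            counts["unknown_account"] += 1    # no matching account in the export
        elif owner_of[acct] is None:
            counts["generic"] += 1            # shared account: actor unknown
        else:
            counts["attributed"] += 1
    return counts


if __name__ == "__main__":
    for code, subject, detail in review_accounts(ACCOUNTS):
        print(f"{code:<20} {subject:<14} {detail}")
    print(attribute_changes(CHANGE_LOG, ACCOUNTS))
```

The same review can be re-run after each access change as a monitoring compensating control; the "generic" and "unknown_account" counts are the share of change history that an audit trail cannot attribute.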

4.3.6 Monitoring and reporting

With multiple key stakeholders involved, monitoring, reporting and taking corrective action are necessary to ensure the business controls in place are in line with the business requirements and risks. We expected to find monitoring and reporting mechanisms in place to identify, evaluate, and communicate gaps in the operation of the SONAR system, and to ensure that appropriate corrective actions are implemented in a timely manner.

We found that challenges or gaps in meeting user needs are recorded through NRC's help desk tracking system (Assyst) or IRAP Connexion tool. Issues identified are monitored by dedicated IRAP Division Services employees who either address them directly or escalate them for further prioritization by the Product Owner and tracking through the TFS system. Consultations occurred at PDAC and SLT before corrective actions were taken by IRAP or KITS staff in fiscal year 2017‑18. IRAP Division Services undertook a retrospective analysis following the integration of the SONAR system with the SAP financial management system. The audit recognizes this as an example of best practices ensuring the continuous improvement of IRAP processes for the management of the SONAR system.

Areas for improvement

IRAP has not evaluated the controls in place to ensure that they are commensurate with risk and IRAP's current operational needs. For example, IRAP has not documented the acceptance of risks associated with the use of generic accounts in the SONAR production environment or evaluated the feasibility of implementing monitoring as a compensating control.

Recommendations

  1. The Vice President of IRAP should ensure that the business controls in place are evaluated and corrective actions are taken based on risks in the following areas: 1) user access and audit trail, and 2) data integrity and training. [Priority: High]
 

Appendix A: About the Audit

Audit Approach and Methodology

The audit was conducted in accordance with generally accepted professional auditing standards of the Institute of Internal Auditors (the IIA) and the standards and requirements set out in the Treasury Board Policy on Internal Audit.

The audit methodology included the following lines of evidence:

  • Documentation review;
  • 20 interviews and eight (8) focus group discussions with 50 participants (IRAP Directors, Industrial Technology Advisors (ITAs), Operations and Finance Managers (MOFs) and Regional Contribution Agreement Officers (RCAOs));
  • Analytical procedures of SONAR data (direct, unfettered access to SONAR and Business Objects (BO) reporting) and SAP controls reports;
  • Walkthrough of the Team Foundation Server (TFS) change management system, NRC's help desk (Assyst) system and BO reporting; and
  • Review of GCPedia and GCConnex documents and discussions and comparison to communities of practice within the Government of Canada.

The audit team engaged audit subject matter experts to provide ongoing consultation and examples in relation to current best practices for Agile information technology (IT) project and program management and governance.

Audit Criteria

The audit criteria, presented below, were primarily derived from the TBS Management Accountability Framework areas of management and Office of the Comptroller General's (OCG) Audit Criteria related to the Management Accountability Framework: A Tool for Internal Auditors (2011) and discussed with management in advance of commencement of audit testing.

Table: Lines of Enquiry and Audit Criteria
1.0 Governance structures have been designed and implemented for development and management of the SONAR system
  • 1.1 The governance structure includes mechanisms for consistent review and approval of changes made to the SONAR system, including alignment with departmental and other relevant central agency requirements, revision of the accountabilities, investment plans, timelines, and reporting requirements
  • 1.2 Roles and responsibilities of staff responsible for managing and monitoring the SONAR system are defined, documented, updated, and communicated
2.0 Development and management of the SONAR system is based on sound risk management practices
  • 2.1 Management and development of the SONAR system includes formal risk management governance and practices that are aligned with Government of Canada and NRC's corporate practices and frameworks
3.0 Business controls are in place to support data integrity and processes related to monitoring and reporting have been established and implemented
  • 3.1 Controls exist to ensure SONAR information/ data is complete, accurate, relevant and up to date
  • 3.2 Controls exist to ensure SONAR data is processed as intended and stored properly in the system
  • 3.3 Processes and controls exist for SONAR IT system life cycle management and to adequately protect the SONAR IT system
  • 3.4 Controls exist to ensure that reports generated from SONAR information are available and sufficient in supporting decision making
  • 3.5 User access is controlled and monitored to prevent unauthorized access or modification of SONAR data, and is balanced with the need for operational information
  • 3.6 Changes to system, programs, and processes that are related to SONAR are adequately communicated to employees
  • 3.7 Employees are provided the proper training, tools, resources, and support to use the SONAR system to carry out their responsibilities
  • 3.8 Monitoring and reporting mechanisms are in place to review and challenge controls in place for the SONAR system and to identify, evaluate, and communicate any gaps
  • 3.9 Corrective actions are prioritized, implemented in a timely manner
 
 

Appendix B: Management Action Plan

Definition of Priority of Recommendations

High: Implementation is recommended within six months to reduce the risk of potential high likelihood and/or high impact events that may adversely affect the integrity of NRC's governance, risk management, and control processes.
Moderate: Implementation is recommended within one year to reduce the risk of potential events that may adversely affect the integrity of NRC's governance, risk management and control processes.
Low: Implementation is recommended within one year to adopt best practices and/or strengthen the integrity of NRC's governance, risk management and control processes.
 
Table: Recommendation; Corrective Management Action Plan; Expected Implementation Date and Responsible NRC Contact
1. The Vice President of IRAP strengthen SONAR governance by ensuring that key roles and accountabilities are defined, documented and communicated. [Priority: High]

Management Response:
Recommendation accepted.

IRAP recognizes that the functioning governance for SONAR should be formalized. IRAP currently has notably evolved governance mechanisms and structures and alignment with Central agency requirements for G&C systems. Elements of the existing governance structure include the committees of PDAC and SLT, the use of Agile methodology and TFS to manage SONAR changes, clearly documented roles in the IRAP Field Manual, consultations and collaborations with stakeholders and participating in GoC working groups and consultations on Grants and Contribution Modernization and related system considerations.

Formalizing the existing elements of the governance of SONAR will allow IRAP to determine and mitigate any observed key person risk and will allow IRAP to efficiently implement system changes by having better articulated points of contact required to implement enhancements and fixes.

Action Plan:
The Vice President of IRAP will ensure that the functioning governance for the SONAR system is strengthened through formalized documentation and communication of key roles and accountabilities of different stakeholders. This will be done by mapping key roles and accountabilities of different stakeholders internal to NRC.

Date: February 28, 2018
Contact: VP IRAP
2. The Vice President of IRAP should ensure that an IRAP digital strategy is developed with defined short- to long-term objectives and key performance indicators (including costs) to support significant investment decisions and demonstrate alignment with departmental strategic and operational priorities. [Priority: High]

Management Response:
Recommendation accepted.

IRAP's current business application strategy encompasses several means of ensuring the achievement of short-term objectives. These include leveraging its project management tool (TFS) using the Agile methodology, an IT Strategy that is updated each month, and a monthly release cycle. These provide a 3- to 6-month view of the system objectives at IRAP for SONAR.

The organization's commitment to an overarching business application strategy is evidenced by its establishment of PDAC and the existing SLT committee, which are mandated in part to ensure system enhancements and fixes align with strategic and operational priorities.

Formalizing the existing business application strategy will allow IRAP to articulate both its short and long-term objectives to support its investment decisions.

Action Plan:
IRAP will formalize its existing business application strategy and will further leverage IRAP-DS ownership to ensure that there is support for significant investment decisions and demonstrated alignment with departmental strategic and operational priorities.

Date: May 31, 2018
Contact: VP IRAP
3. The Vice President of IRAP should ensure that risks to the management and development of SONAR are identified, analyzed and evaluated, with risk responses that are aligned with the SONAR strategy and organizational risk tolerance. (Recommendation 2). [Priority: High]

Management Response:
Recommendation accepted.

IRAP's current risk management practices pertaining to system enhancements and fixes include identifying risks associated with each system change undertaken by the organization. These risks are documented in action plans, project charters and/or proofs of concept. The risks are determined as a result of stakeholder consultations between those requesting the change, IT and the product owner. IRAP also leverages the IRAP IT Roadmap and established IT security risk management practices within the NRC Security Branch to manage risk.

IRAP's commitment to sound risk management practices is also evidenced by the implementation of PDAC, which considers the risk of proposed system changes and takes into consideration the costs and benefits associated with prioritizing investments in proposed system enhancements.

Action Plan:
The Vice President of IRAP will strengthen IRAP risk management practices through engagement with stakeholders and the prioritization of enhancements and fixes.

Date: May 31, 2018
Contact: VP IRAP
4. The Vice President of IRAP should ensure that the business controls in place are evaluated and corrective actions are taken based on risks in the following areas: 1) user access and audit trail, and 2) data integrity and training. [Priority: High]

Management Response:
Recommendation accepted.

IRAP currently manages risks present in business controls through user access controls, role based management, data input and validation controls and data integrity monitoring activities. Timely corrective action on identified risk is taken in response to FMD recommendations as well as in response to stakeholder feedback from product users, product owner and IT. Current and future SONAR improvements are evidenced through TFS utilization. Risk is further managed by formal and informal training and communication of system changes to appropriate parties.

Action Plan:
The Vice President of IRAP will ensure that IRAP continues to evaluate the current business controls in place and strengthens its current commitment to taking corrective action based on risk in, but not limited to, the two recommended areas: user access and audit trail, and data integrity and training.

Date: May 31, 2018
Contact: VP IRAP
 
 

Appendix C: Acronyms

BO: Business Object
GoC: Government of Canada
G&Cs: Grants and Contributions
IIA: Institute of Internal Auditors
IIP: IRAP Innovation Portal
IRAP: Industrial Research Assistance Program
IT: Information Technology
ITAs: Industrial Technology Advisors
ITGC: Information Technology General Controls
KITS: Knowledge and Information Technology Services Branch
MOFs: Managers, Operations and Finance
NRC: National Research Council Canada
OCG: Office of the Comptroller General
PDAC: Program Delivery Advisory Committee
RCAOs: Regional Contribution Agreement Officers
SEC: Senior Executive Committee
SLT: Senior Leadership Team
SME: Small and Medium-Sized Enterprises
TFS: Team Foundation Server