Internal audit report outlining results of the assessment of the Review of Transport Canada’s Cloud Project
On this page
- Statement of conformance
- Background
- TC Cloud stakeholders
- Functions critical to the Cloud Project
- Cloud Project issues
- Summary of opportunities for improvement and management action plan
Statement of conformance
This Review conforms to the Government of Canada’s Policy on Internal Audit and to the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, as supported by the results of an external assessment of Internal Audit's Quality Assurance and Improvement Program.
Background
- The Internal Audit (IA) Risk-Based Audit Plan 2020-2021 included a review of Information Security in the Cloud to provide Transport Canada (TC) with real time assurance on the current state of governance, operations, and security of data as the Department migrates to the cloud computing environment.
- Due to various delays to the cloud project, IA was unable to review the information security elements of cloud migration, and instead focused its initial efforts on performing a current state assessment of the Cloud project, leveraging Microsoft’s maturity benchmark assessment of TC’s Cloud environment.
- The Government of Canada (GC) launched a Cloud First strategy in 2016 making the cloud the preferred option for delivering Information Management/ Information Technology (IM/IT) services. TC’s IT Modernization project was launched with the goal of delivering a modern infrastructure environment for TC applications in the Cloud.
- TC’s cloud project includes:
- building a cloud foundation (consisting of the technical components needed to be in place prior to migrating applications to the cloud)
- planning and executing a workload migration project (WLM)
- implementing a Disaster Recovery (DR) Management Program (currently fully outsourced)
- A Transport Canada Cloud Centre of Excellence (TC3oE) was set up to deliver the project.
- Around 370 business applications currently hosted at the Macdonald-Cartier Data Centre were supposed to migrate to the cloud originally by 2023, now pushed back to 2025 – the planned closure of the data center.
- TC self-funded the cloud project from 2017-2018 to 2019-2020. Treasury Board Secretariat (TBS) started providing cloud funding in 2020-2021 and will fund the cloud project for the next two fiscal years (2021-2022 and 2022-2023).
- There are various reasons causing a delay of the cloud project:
- the delayed Shared Services Canada (SSC) delivery of Secure Cloud Enablement & Defence (SCED)
- resources have been concentrated on applications related to the COVID-19 response as these have been given top priority for migration
- lack of skilled technical cloud resources and departures of some key skilled technical staff
- With this delay of the TC Cloud project, the Department has the opportunity to take stock to better understand the key risks/factors that are impacting the successful implementation of the project.
- IA performed an initial assessment and highlighted the need for TC to determine how best to move the Cloud project forward in the current environment given the unknowns and uncertainties surrounding its partners, skills, costs, and timelines. The assessment highlights opportunities to improve the implementation of the Department’s Cloud project.
- IA held discussions with multiple stakeholders internal (Digital Services Directorate (DSD), Human Resources (HR), Finance) and external to TC (TBS, Statistics Canada, Shared Service Canada (SSC), Agriculture and Agri-Food Canada, Employment and Social Development Canada, Microsoft) to identify risk factors, best practices, and lessons learned that would benefit TC’s Cloud journey.
- What follows is an overview of the Cloud Project Stakeholders and the functions critical to successful implementation of the Cloud Project as well as a summary of our findings that describe the current status and opportunities for improvement for each of the following areas:
- SSC Cloud Operating Model
- Roles and Responsibilities
- Recruitment and Staffing Strategy
- Cloud Project Resource Retention
- Financial Management of the Project
TC Cloud stakeholders
For a successful cloud journey, internal and external stakeholders must be involved.
Functions critical to the Cloud Project
To date, some of the Digital Services organizations primarily responsible for the functions listed below have had limited involvement in the Cloud project. These functions are critical to the success of the Cloud project.
Cloud Project issues
- Uncertainty around SSC Cloud Operating Model
- Roles and responsibilities for Workload Migration lack clarity
- Lack of an effective recruitment & staffing strategy
- Challenging to retain resources within the Cloud project
- Weak financial management of the Cloud project
Area | Current status | Opportunities for improvement |
---|---|---|
SSC Cloud Operating Model (COM) |
|
|
Roles and Responsibilities |
|
|
Recruitment and Staffing Strategy |
|
|
Staff Retention |
|
|
Financial Management |
|
|
Summary of opportunities for improvement and management action plan
The following summarizes the review opportunities for improvement and management's plan to address them.
# | Opportunities for improvement | Management action plan | Completion date (for each action) |
Office of Primary Interest (OPI) |
---|---|---|---|---|
1 |
Leverage cloud information and support from the Director General level Shared Services Canada (SSC) Committee to better understand the Cloud Operating Model (COM) offerings, timings and updates. Leverage cloud information and support from the Director General level Shared Services Canada (SSC) Committee to better understand the Cloud Operating Model (COM) offerings, timings and updates. |
Work with the Chief Digital Officer, SSC Client Executive and their respective teams to fully understand the SSC COM offerings, including agreeing on roles and responsibilities, funding models and timelines. | September 2021 | Digital Services |
2 | Develop a cloud strategy to clearly define the roles and opportunities of various DSD stakeholders (Enterprise Architecture (EA), Solutions, Security and Programs). | The team has started to build a multi-cloud strategy. | September 2021 | Digital Services |
Work with Digital Services and Transformation Office (DSTO), Corporate Services and business partners to develop a cloud strategy that includes internal roles and responsibilities, cost recovery mechanisms and well defined business objectives. | July 2021 | |||
Obtain support from senior management to establish the cloud project as a priority. | In collaboration with the Chief Financial Officer (CFO) and Transport Executive Management Committee (TMX), obtain full buy-in of cloud computing and the WLM migration project from TC's senior leadership. The Cloud Strategy will be developed first and supported with appropriate change management. | September 2021 | ||
EA and Programs to complete the analysis, rationalization and prioritization of applications moving to the cloud. | TC Center of Excellence (TC3oE) will work with EA (Application Portfolio Management), Solutions Center, the Business Continuity Planning (BCP) office and business sponsors to define the cloud end state of each application and prioritize this list based on mission criticality (as defined by the BCP office). | August 2021 | ||
3 | Incorporate lessons learned from other government departments’ and agencies’ (OGDAs) Cloud journeys or how they built/ recruited for their Cloud teams. | Using lessons learned from OGDAs, the TC3oE will start building capacity and recruiting cloud team employees with specific assigned roles and responsibilities to ensure the team has the right skills and competencies to fulfill their mandate. | September 2021 | Digital Services |
Identify an internal cloud funding model to provide sufficient permanent funding to hire and retain skilled staff. | July 2021 | |||
Formulate a flexible recruitment strategy with HR. | Work with HR advisors to address immediate staffing issues, identify a funding model and align the staffing prioritization with organizational prioritization. | August 2021 | ||
If competitive processes are a requirement for certain positions, explore streamlined and flexible processes which could accelerate hiring (in alignment with internal/ external hiring requirements). | Seek authorization from Chief Digital Officer (CDO) to use more flexible processes to fill out positions in the cloud team, including non-imperative CS-03/CS-04 technical position. | August 2021 | ||
4 | Consider adopting a learning plan/ strategy and exploring options for allocating time for employees to learn. | Secure sufficient training funds from TC (incl. from the WLM project envelope where applicable) to provide staff with adequate training. | August 2021 | Digital Services |
Adjust work expectations, to be built in the team's service levels to allow for 14 hours monthly of training/exploration. | July 2021 | |||
Consider creating a Cloud Developmental Program to help junior employees stay and flourish at TC. | Conduct an environmental scan amongst OGDAs to duplicate/adjust such programs already in place. To be developed in concert with a DSTO development program. | September 2021 | Digital Services | |
Conduct exit interviews to understand reasons for leaving to develop a more effective retention strategy. | Introduce exit interviews as part of the exit procedures for all TC3oE staff. | Completed: April 2021 |
||
5 |
Improve current financial management practices by proactively working with DSD finance and the Financial Manage Advisor. Review financial status – what are the priority expenditures (e.g. Amazon Web Services (AWS) work?). Explore Cloud funding mechanics (Treasury Board submissions, output from GC Cloud funding exercise). Determine fundamental resource needs (i.e. staff key cloud positions), allocate sufficient salary funding. |
Work with the Chief Digital Officer, SSC Client Executive and their respective teams to fully understand the SSC COM offerings, including agreeing on roles and responsibilities, funding models and timelines. | September 2021 | Digital Services |
Improve financial management practices including separating operations and capital expenditures, expense management and aligning with TC's Project Management Framework (PMF) to reduce risk. | July 2021 |