Summary: what we found in our audits
Systems
The Department’s information technology change management process and business continuity planning should be improved—see page 154.
Performance reporting
Our auditor’s reports on the financial statements of the Ministry, the Department, the Victims of Crime Fund, the Alberta Gaming and Liquor Commission, and the Lottery Fund are unqualified. We found no exceptions when we completed specified auditing procedures on the Ministry’s performance measures.
Overview of the Ministry
The Ministry’s 2006–2009 business plan describes four core businesses:
• Policing, crime prevention and response to organized crime
• Custody, supervision and rehabilitative opportunities for offenders
• Security services
• Victims programs and services
The government of Alberta reorganized during 2006–2007 and the Ministry now includes the Alberta Gaming and Liquor Commission and the Lottery Fund.
Total revenue for the Ministry was $2.3 billion in 2006–2007. The Ministry’s main revenue sources are:
(millions of dollars)
Lottery revenue: $1,534
Liquor and related revenue: $658
The total operating expenses for the Ministry were $2 billion in 2006–2007, comprised mainly of:
(millions of dollars)
Lottery Fund and payments to Ministries: $1,547
Public Security: $255
Correctional services: $158
Victims of crime: $18
Volume 2—Audits and recommendations Solicitor General and Ministry of Public Security
For more detail on the Ministry, visit its website at www.solgen.gov.ab.ca.
Scope: what we did in our audits
1. Systems
We examined the Department of Solicitor General and Public Security’s controls over its information technology environment.
2. Performance reporting
We audited the financial statements of the Ministry, the Department, the Victims of Crime Fund, the Alberta Gaming and Liquor Commission, and the Lottery Fund for the year ended March 31, 2007. We completed specified auditing procedures on the Ministry’s performance measures.
Our audit findings and recommendations
1. Systems
1.1 Change Management
Recommendation
We recommend that the Department of Solicitor General and Public Security improve its change management process to include changes to its information technology environment made by service providers.
Background
The Department uses three main applications to manage its operations. These applications are:
• Correctional Management Information System (COMIS)
• Employee Time Management System (ETMS)
• Alberta Community Offender Management system (ACOM)
The Department manages changes to COMIS and Service Alberta manages changes made to ETMS and ACOM. The Department has also outsourced information technology (IT) infrastructure support to Service Alberta and relies heavily on the availability of its network to deliver services to its business units.
Criteria: the standards we used for our audit
The Department should ensure that all changes to its IT environment follow a documented change management process that appropriately ranks and schedules the changes, and assesses their impact.
Although COMIS has a documented change management process, which is consistently followed, ETMS and ACOM do not. Service Alberta does not always inform the Department of infrastructure changes. Consequently, before these changes are implemented, the Department cannot consider their effects on the IT environment or assess their impact.
The Department has started to correct some of these deficiencies through regular working committees for ETMS and ACOM. These committees discuss and approve changes to ETMS and ACOM. In addition, the Department is in the preliminary stages of creating a Project Management Office that will define a standard project management process for all IT projects.
Implications and risks if recommendation not implemented
Without a consistent change management process to make changes to the IT environment, which all teams follow, appropriate scheduling, ranking and impact assessment of changes may not occur. This could disrupt normal operations and decrease the reliability of Department information systems.
1.2 IT Business Continuity Plan
Recommendation
We recommend that the Department of Solicitor General and Public Security develop procedures to implement its business continuity plan to ensure it can recover its information technology operations within required timeframes in a disaster.
Background
The Department has a documented Business Continuity Plan (BCP) that lists several business units as “critical.” The high-level information technology (IT) Business Continuity Plan document is supposed to allow restoration of the Department’s critical applications in a disaster. All of the Department’s critical applications are hosted at Service Alberta’s Edmonton central computing centre.
Criteria: the standards we used for our audit
The IT Business Continuity Plan should include the following key procedures:
• Determining IT recovery requirements based on the importance of business processes, as identified in the BCP
• Establishing and implementing backup and recovery methodology and techniques based on recovery requirements
• Co-ordinating and establishing appropriate recovery capabilities with service providers based on recovery requirements
• Testing the schedule to periodically validate recovery capabilities and timeframes
Our audit findings
The Department’s high-level IT Business Continuity Plan does not include:
• identification of business processes identified in the BCP, associated applications and IT infrastructure for each critical business unit
• appropriate guidance to aid in the recovery of critical data from backups. COMIS has documented backup and recovery options in the procedures manual, but these are not included in the plan, nor does the plan include backup and recovery documentation for other critical applications
• established recovery capabilities agreed to with the service provider, Service Alberta
• periodic tests to validate that the Department will be able to recover its critical applications and associated infrastructure within the required timelines.
Implications and risks if recommendation not implemented
If the Department does not have a documented, functional IT business continuity plan in place, it will not be able to systematically recover data within required timeframes. As a result, it will not be able to minimize the problems that a service disruption may cause.
Volume 2—Audits and recommendations Sustainable Resource Development