The Office of the Auditor General (OAG) recently released an audit on modernizing information technology systems in the federal government.
The office performed this audit because:
Departments and agencies are maintaining old and outdated applications and relying on old and outdated infrastructure;
The failure of information technology systems would significantly affect the government’s delivery of services to Canadians;
Information technology systems are essential for delivering many of the government’s critical services to Canadians; and
Information technology modernization is an undertaking of considerable size, scope, and complexity. It also requires significant funding and associated resources that departments and agencies may not have.
Only 38% of the government’s approximately 7,500 information technology applications were considered healthy.
About one third out of the 1,480 applications designated as mission-critical —essential for the health, safety, security, or economic well-being of Canadians—were still considered in poor health.
The Treasury Board of Canada Secretariat (TBSC) had set a target of having 60% of all applications healthy by 2030. Continuing at the current pace, only 45% of applications would be considered healthy by 2030.
From 2019 to 2023, departments and agencies who reported on the health of their information technology systems did not assess close to 12% of their applications. This means that the overall health assessments of these applications were based on incomplete or inaccurate information.
Overall, the TBSC and Shared Services Canada (SSC) did not do enough to lead and support partner departments and agencies to modernize outdated information technology systems.
It has been more than 24 years since the government first identified aging systems as a significant issue and the secretariat still does not have a strategy to drive modernization. As such, progress on modernizing applications and data centres has been very slow.
Two thirds of the departments’ and agencies’ applications were reported as being in poor health and in critical need of modernization, but this number could be greater because departments and agencies are not providing the Treasury Board of Canada Secretariat with timely, accurate, and complete information about the health of their systems.
Many aging systems are currently being maintained on old and outdated infrastructure
Better leadership and oversight along with a concrete action plan and funding approach are needed to prioritize critical systems and address the challenges that may arise as systems are modernized.
Findings and Recommendations
The departments involved (TBSC and SSC) agreed to the OAG’s findings.
Finding 1: Very slow progress on modernizing applications over the last 5 years
Two-thirds of applications were in poor health, and progress on modernizing infrastructure was slow.
In 2023, the secretariat set a target: 60% of applications to be healthy by 2030.
The OAG found that from 2019 to 2023, the percentage of healthy applications increased marginally from 33% to 38%. Continuing at this pace would mean that 45% of applications would be healthy by 2030, far lower than the secretariat’s target of 60%.
To achieve the 60% target by 2030, the percentage would need to increase by more than 3 percentage points every year. And even if that target were achieved by 2030, 40% of applications would then still be in poor health, 31 years after the government first identified aging information technology as a significant issue.
From 2019 to 2023 the percentage of healthy mission-critical applications increased from 50% to 62%. However, this meant that at the time of our audit, 38% of mission-critical applications (that is, 562 of the 1,480 applications) were still in poor health.
Recommendation 1: The TBSC should consult with departments and agencies to determine and establish realistic targets and timelines for modernizing applications in poor health. The targets and timelines should be based on a documented methodology that considers factors such as priorities, the critical importance of applications, and the availability of skilled personnel and funding for departments and agencies—the secretariat’s response.
Finding 2: Slow progress in modernizing applications affecting the closure of legacy data centres.
We found that SSC was aware of the risks related to aging information technology infrastructure, and it developed action plans to address the infrastructure modernization needs of departments and agencies. In the 2018–19 fiscal year, for example, the department established a program and started prioritizing and investing in the repair and replacement of critical hardware infrastructure identified under its Operational Risk Program.
The OAG found that as of March 2023, work had not proceeded for 65% of the approximately 4,500 applications that departments and agencies had earmarked for modernization, including the migration to new or modernized infrastructure, such as data centres, and no schedule was in place for performing this work.
As a result of the delays in modernizing applications, as of March 2023, Shared Services Canada had not closed 280 out of the 720 data centres it had identified for closure. In our 2015 report on information technology shared services, we noted that Shared Services Canada had set a target of closing nearly all of its data centres identified for closure by 2020. The department informed us that it depends on departments and agencies to first modernize their applications before it can make progress on closing the remaining legacy data centres.
Recommendation 2: SSC should analyze the financial and non-financial effects of continuing to operate legacy applications and infrastructure instead of migrating modernized applications to new or modernized infrastructure in coordination with the TBSC and departments and agencies, undertake a review and prioritization exercise (including estimated timelines and budget) to modernize and migrate legacy applications to new supporting infrastructure and close the remaining legacy data centres.
Finding 3: The Treasury Board of Canada Secretariat did not provide sufficient leadership for modernizing systems.
OAG found that 24 years after the government first identified aging information technology as a significant issue, the TBSC did not have a strategy or detailed plan for moving forward with a consistent and common approach to modernizing old information technology systems.
· The secretariat did not complete and table the government-wide strategy for modernization by March 2012, despite its promise to do so in its response to our 2010 report.
Both the secretariat and SSC have recognized that there are significant challenges in moving forward with information technology modernization, including underinvestment and the lack of personnel with specialized skills.
In April 2023, the Treasury Board issued a Directive on Digital Talent. This directive aims to promote cooperation between federal departments and agencies and the secretariat to advance government-wide recruitment and training to ensure that employees get the information technology skills needed to perform their work. However, the directive will take time to implement and will require the secretariat’s support, particularly for information technology modernization efforts.
Recommendation 3: In coordination with SSC and in consultation with departments and agencies, the TBSC should finalize and implement a comprehensive strategy for addressing the information technology modernization needs of departments and agencies.
Identify and control the costs of maintaining legacy information technology systems;
Estimate the costs and time frame for modernizing or decommissioning information technology systems;
re-evaluate the governance mechanisms in place for prioritizing information technology systems that are to be modernized
address the scarcity of personnel with the needed skills to support information technology modernization
improve senior department and agency officials’ knowledge and understanding of information technology projects
Finding 4: Limited and inflexible funding approaches for modernization
TBSC did not have a funding approach that addressed funding for both the immediate and longer-term modernization needs of departments and agencies. This is important because federal government organizations may lack adequate funding to modernize their systems and address their future needs.
77% of CIOs reported that their departments or agencies did not have sufficient funding to meet their modernization needs.
There is limited incentive for individual departments and agencies to fund their modernization initiatives through their existing financial allocations.
Departments and agencies could also seek additional or new funding from the Treasury Board for their modernization needs. However, it is time intensive and while waiting the department or agency continues to incur costs related to the maintenance of old and outdated systems and heightens the risks of system failures.
According to 86% of CIOs the available mechanisms for funding modernization projects were not timely.
Almost 83% reported they were not satisfied with the available mechanisms for funding modernization projects. Some officers stated that the funding mechanisms available to them provided only a portion of the funding needed to modernize their applications.
The TBCS, in consultation with relevant stakeholders, should revise current funding mechanisms or develop new funding mechanisms to help departments and agencies modernize their information systems. The revised or new funding mechanisms should be:
timely, adaptable, and efficient and consider the immediate and future modernization needs of departments and agencies, including considering information technology modernization projects that span multiple years;
centralize the control and management of allotted funding to help prioritize and coordinate information technology modernization spending; and require departments and agencies receiving funding to regularly report back on their information technology modernization efforts and results.
The OAG concluded that the TBSC andSSC did not sufficiently lead or support the efficient and effective modernization of information technology systems for departments and agencies.
The secretariat and SSC need to act promptly to help departments and agencies support their information technology modernization needs and also help them address the costs of relying on outdated systems and reduce the risk of system failures.
Finally, departments and agencies need to regularly and promptly provide accurate and complete information about their applications. This will help the TBCS and SSC make better decisions about which systems are in greatest need of modernization.