Assurance Audit of the IT Infrastructure

The purpose of this audit was to provide the Registrar with an independent and objective assessment of the Court's IT (Information Technology) Infrastructure. Criteria used to assess the audit objectives were taken from Control Objectives for Information and related Technology (COBIT® - Version 4.0).

The scope of the audit included all aspects of the Court's IT infrastructure, except for application development and maintenance; security penetration was covered by the audit in that auditors concluded that a reasonable level of reliance could be put on internally conducted intrusion detection/penetration testing. The audit was conducted between December 20, 2007 and March 31, 2008, and the report was approved in May 2008.

The key findings of this audit included:

  1. The IM/T Business Plan is linked to the LISS Sector Business Plan and therefore auditors conclude that the vision and strategy for IT supports the Court's business strategy and government-wide directions.
  2. Accountabilities, roles and responsibilities relating to the Court's IT infrastructure are defined, understood and effectively acted upon however the IT Security Coordinator currently performs two contradictory roles: one role is to establish firewall rules and the other role is to monitor the firewall activity.
  3. There is an effective IT governance structure. Auditors conclude that the Court's governance structure for managing its IT infrastructure is established and effective in setting priorities for IT investments and resources, and IT investment plans are integrated into the corporate plans and processes.
  4. The Court's IT infrastructure is reliable since backups are performed on a regular schedule and network monitoring is being conducted. However there is no approved documented Business Continuity Plan and although network monitoring is being conducted auditors noticed that there is a third party allowed to access the SCC network.
  5. Some risks to the IT infrastructure are appropriately identified and managed with a Draft Modernization Risk Management Plan. However, there have been no Threat and Risk Assessments conducted on systems, services and programs.
  6. IT policies have been created to support the IT strategy and these policies were communicated to Court staff. Therefore auditors conclude that effective controls are in place such that activities and actions supporting the management of the IT infrastructure are in compliance with some applicable Treasury Board Secretariat and Court policies, directives, standards and procedures, particularly the new Policy on Management of ITpromulgated on July 1, 2007, the Enhanced Framework for the Management of Information Technology Projects, and the MITS Policy. However since no Threat and Risk Assessments have been conducted the SCC is not in full compliance with MITS.
  7. Performance related to the Court's management of IT is measured on an ongoing basis however there are no reports showing IT service performance compared to approved service levels.
  8. There are Quality Management (QM) items currently being implemented but there is no documentation to ensure that IT has adequate measurements for monitoring Quality Management Systems and there is no distinct development, testing and production environments at SCC. Therefore auditors conclude that some aspects of quality and continuous improvement to the management of IT are fostered in the Court's control process.

Except as noted above, auditors can provide assurance that the Court's IT infrastructure management and control framework is effective. There are some areas where current practices and processes could be improved to further strengthen the Court's IT infrastructure. The observations and recommendations of the report address these areas of concern. The Court management has accepted all of the recommendations and has put in place an action plan to implement them in the short-term.