Audit of Project Management – Report

1.0 Results in brief
2.0 Background
3.0 Findings and recommendations
4.0 Audit conclusion
Appendix A: Project roles and responsibilities
Appendix B: Project governance
Appendix C: CFIA project management process
Appendix D: Summary of test results
Appendix E: Audit criteria and sub-criteria
Appendix F: Audit entity risks
Appendix G: Audit sub-criteria significance ratings
Appendix H: Recommendation priority ratings
Appendix I: Management response and action plan
Appendix J: Abbreviation definitions

1.0 Results in brief

The Treasury Board Secretariat (TBS) Directive on the Management of Projects and Programmes sets the expectations for managing projects within Government of Canada departments and agencies

The Canadian Food Inspection Agency (CFIA, the agency) has an established project management process, as defined in the enterprise management framework (ePMF).

At CFIA, the enterprise project management office (ePMO) is responsible for providing the ePMF, tools and templates for management of projects.
The audit objective was to determine if the CFIA is applying effective project management practices and has a framework that supports successful project outcomes in accordance with Government of Canada policies and directives

The audit scope period was from January 2021 to July 2022.
Overall, the audit found processes and procedures are in place to support project management at CFIA.

However, key improvements are required to ensure the process is efficient to support successful project outcomes in the following areas:
- challenge function and course correction on projects
- alignment of the agency's ePMF with the TBS Directive on the Management of Projects and Programmes
- project adherence to the documented ePMF process
The audit recommends that CFIA:
- clearly define who performs oversight and a challenge function on projects, as well as the information they need, to make decisions or recommendations when projects require corrective action
- update the ePMF, including applicable guidance and tools to fully align and demonstrate compliance with the TBS Directive on the Management of Projects and Programmes
- establish a process for monitoring ePMF compliance and course correction when projects are not following the documented process

2.0 Background

Project management^{Footnote 1} at CFIA is coordinated through the enterprise Project Management Office (ePMO), who is responsible for establishing and maintaining the enterprise Project Management Framework (ePMF)

The ePMO provides project management services, offering guidance and support to those who apply the ePMF, such as agency executives, project managers and project support specialists.
Project Management in the Government of Canada should follow the expectations and requirements of TBS Policy on the Planning and Management of Investments (the policy) as well as the Directive on the Management of Projects and Programmes (the directive), which took effect in 2019^{Footnote 2}

The directive and policy include the requirement that government projects^{Footnote 3} and programmes^{Footnote 4} are effectively planned, implemented, monitored, controlled and closed, so that the expected benefits and results are realized for Canadians.
The CFIA has an ePMF that provides project management and governance expectations that apply to CFIA projects throughout their project lifecycle, depending on the project's tier

A project's tier is determined based on the project's financial investment, duration, risk, complexity and visibility. The project management process and governance structure are depicted in appendices A and B respectively.
The ePMO is currently undertaking an ePMF refresh, not available at the time of the audit, but will consider the findings from this audit
As of January 2022, the ePMO was overseeing 18 projects, with a total project value of over $130M, including digital modernization and real property projects that support the agency's mandate.

2.1 Audit objective

The audit objective was to determine if the CFIA is applying effective project management practices and has a framework that supports successful project outcomes in accordance with Government of Canada policies and directives.

2.2 Audit scope

The audit scope included the agency's ePMF and a review of a sample of ongoing or completed projects covering the time period between January 2021 and July 2022. The audit scope also considered lifecycle costing and project management governance.

The audit scope excluded investment planning; whether governance committees consider the interdependencies and sequencing of projects and initiatives across the agency and alignment with agency priorities when making investment decisions; and Organizational Project Management Capacity Assessment^{Footnote 5} processes.

2.3 Approach

The audit was conducted according to the Treasury Board Policy on Internal Audit and the Directive on Internal Audit, which provide for internal auditing expectations in the Government of Canada.

The audit was planned and performed to obtain reasonable assurance that the audit objective was achieved. A risk assessment was conducted during the planning phase of the audit to establish the scope and criteria (see appendices D and E), which were accepted by management. The audit findings were based on a comparison of the conditions in place at the time of the audit with the audit criteria.

Audit procedures included:

document review
project sample file review and testing^{Footnote 6}
interviews with internal stakeholders, including the ePMO, project managers and corporate management

2.4 Statement of conformance

The audit conforms to the Institute of Internal Auditors' International Professional Practices Framework, as supported by the results of CFIA's internal audit quality assurance and improvement program. Sufficient and appropriate evidence was gathered in accordance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing to provide a reasonable level of assurance over the findings and conclusions in this report. The findings and conclusions expressed in this report are based on conditions as they existed at the time of the audit, and apply only to the areas included in the audit scope.

3.0 Findings and recommendations

3.1 Challenge function and course correction on projects

The agency's project management governance structure, as well as the responsibility for delivering a final product that meets the needs are documented and communicated, but need strengthening. Responsibility for exercising a challenge function is not clearly defined, and it was not demonstrated for the projects tested. Moreover, information provided for project management governance did not encourage a challenge function.

Background

All projects managed under the ePMF umbrella at CFIA require an executive sponsor, a business sponsor and a project manager (see appendix A), as well as governance, both internal and external to the project (see appendix B). The executive sponsor (Vice-President level) has overall responsibility and accountability for ensuring the projects' final product or service meets the needs of the business while the governance committees endorse or approve both the project moving forward through the gates (appendix C), as well as changes to a project's scope, cost and schedule. At CFIA, there are up to 4 different governance committees based on a project's tier^{Footnote 7}.

Findings

The audit expected that project management governance as well as key leadership roles for the projects would provide effective monitoring, decision-making and course correction on projects as well as have the information needed to fulfill this role. The ePMO is planning on including a project governance review during its ePMF refresh.

The audit found that the design of the project management governance does not support an effective challenge function:

governance committee Terms of Reference (ToR) exist, but do not clearly identify the challenge function committees are expected to play on projects nor decision-making authorities for course correction
Senior Project Advisory Committee (SPAC, a Vice-President level committee chaired by the project's executive sponsor, makes recommendations for approval to People, Project, and Financial Management Committee (PPFMC), an Executive Director^{Footnote 8} level committee, which holds the decision-making authority for project gating and change requests

This may create reluctance for PPFMC to challenge decisions made at SPAC, which can negatively affect project success.
further, information used by committees is insufficient and, by design, there is limited engagement with PPFMC during Project Execution

As a result, issues, risks and challenges may not be properly addressed in time.
good practice noted: PPFMC provides a quarterly update on projects to CGC, which includes any recent project gating and change requests approved

In the fall of 2022, the quarterly update to CGC improved to include all active projects, key issues within project portfolios, and PPFMC activities such as focusing on benefits realization and lifecycle management.

The audit found that project management governance did not demonstrate an effective challenge function and that course correction did not occur for projects tested.

All gating and change requests were approved by governance, even though projects had incomplete required documentation and approvals or when change requests were submitted at the time activities were expected to be completed

Some projects tested had unmet conditions which governance did not always follow up on.

Also, instances occurred where committees requested information or identified items to discuss, but there was no follow up on these at subsequent meetings.

As such, there were no consequences for not managing projects in accordance with the ePMF or committee expectations. This resulted in projects continuing even though they were not performing well.
Project status updates and discussion at the Project Steering Committee (PSC), SPAC, and PPFMC focused mainly on scope, schedule, cost, issues and risks

However, this information was not always provided on a regular basis throughout the life of a project.

These committees minimally discussed other project elements and measures affecting project progress and performance that could signal a need to challenge or course correct.
Good practice noted: On May 31st, 2022, the ePMO started submitting a Project Assessment Report (PAR) to PPFMC for each project seeking gating or a change request

The PAR is the ePMO's input on what project issues to raise to PPFMC, and their recommendations to the governance committee on whether ePMO supports gating or the change request. Note: During the audit scope period, no PARs were expected to be submitted for the selected projects.

Why it matters

When officials responsible for project decision-making and oversight do not challenge or provide strategic advice on projects, critical issues and risks may not be appropriately raised, discussed or addressed. Without reliable mechanisms for regular review of project performance, it may be too late to identify root causes to course correct, as by design the benefits are measured after the project is closed. This can lead to delays, cost overruns, and lack of accountability and decreases the likelihood of achieving outcomes.

Recommendation

Recommendation 1 (Very High^{Footnote 9})

The Vice-President of Corporate Management Branch^{Footnote 10} should clearly define in the agency's Project Management Framework the project or programme roles and governance bodies who are responsible for exercising oversight and a challenge function, as well as the information they need, to allow for making recommendations or decisions when projects require corrective action.
This should include:
- identifying which governance committee(s)^{Footnote 11} are responsible and accountable for project health and monitoring, which governance committee(s) have decision-making authorities, and defining what their dispute resolution forum and/or mechanism is
- reviewing and updating project team roles and governance committee Terms of Reference
- establishing standard tools, guidance and information and frequency needed to support regular monitoring and oversight

3.2 Agency's ePMF alignment with TBS requirements

The agency has a framework to support management of projects, supporting tools and guidance, however, the ePMF does not fully align with the directive.

Background

To ensure that projects follow the directive's requirements, the CFIA has implemented a documented ePMF. The ePMF provides common direction for project management within the CFIA and includes a description of the process, activities and deliverables for each gate, tools and guidance, as well as roles and responsibilities of project teams.

Findings

The ePMO updated the ePMF following the introduction of the 2019 directive and the audit expected that the design of the ePMF processes, tools and guidance would align with it. The ePMO is currently undertaking an ePMF refresh exercise to better align with the directive.

While the ePMF describes the process that a project should follow from initiation to after a project launches, several areas of the ePMF do not fully align with the directive and should be considered as the agency updates its framework.

The Business Case, the relevance of the intended benefits, and lessons learned are not revalidated or reassessed at each gate, as required by the directive

Moreover, there is no process after a project closes to ensure that the benefits not realized or partially realized are measured and reported on later.

Without continuously assessing the validity of the project, its intended benefits and whether they will be or are realized, the agency may over-invest in a project no longer bringing its intended vision and benefits.
The directive expects that projects conduct assurance activities and independent reviews^{Footnote 12} in accordance with the project gating plan

The ePMF expects independent reviews as required prior to project execution, limiting this to projects with TBS oversight^{Footnote 13}. However, the ePMF does not define expectations for assurance activities and independent reviews when projects do not have TBS oversight.

Periodic arm's length review of projects can help ensure their success by identifying issues or risks to address, and may also help projects at an impasse resolve challenges.
A project's scope of work is supposed to include all the activities and outputs necessary to bring the change required to achieve business outcomes as per the directive

This would include estimates of lifecycle costs during the project. Change management^{Footnote 14} and lifecycle costs are not adequately and consistently addressed in the ePMF process and its supporting tools.

When there is insufficient support for a successful transition from the current state to the intended future state, there is a risk that intended benefits are not fully realized. Moreover, informing stakeholders of lifecycle costs would allow them make informed decisions during the project or as part of post-implementation investment.
Senior designated officials^{Footnote 15} for the management of projects are expected to establish standard performance measures to monitor project health and to enable effective decision-making

At CFIA, performance measurement includes measuring variances of scope, schedule and cost against re-baselined commitments rather than original baselines. The agency's approach is different than the common industry performance measure practices^{Footnote 16} which focus on the value the project is bringing (earned value, return on investment, direct impact, process efficiency, stakeholder support, engagement and satisfaction) and compare variances with the original baselines.

The risk of projects not being successful is higher when project teams and governance do not have or receive project performance information.
Good practice noted: In October 2022 the ePMO presented a draft agile framework to governance, as part of the ePMF refresh

Why it matters

If the agency's ePMF is not aligned with the most recent TBS requirements that consider the benefits, the change, the cost and the value that a project could bring, this affects the agency's ability to successfully manage projects and realize their benefits as intended at the onset of the project. Further, this could affect the agency's Organizational Project Management Capacity Assessment rating^{Footnote 17} and delegation of authority for project management.

Recommendation

Recommendation 2 (Very High)

The Vice-President of Corporate Management should update the ePMF, including applicable guidance and tools to fully align and demonstrate compliance with the TBS Directive on the Management of Projects and Programmes. These updates should include:
- requirement for a revalidation of the Business Case, relevance and attainability of intended benefits and ongoing viability of the project at each gate
- clearer requirements and guidance for change management and lifecycle cost estimation earlier in the process
- flexible project management approaches, including expectations and guidance of when and how they should be used
- requirements for assurance activities and independent reviews when projects are not subject to TBS oversight
- standard project performance measures that provide information on the value the project is bringing and that assess its progress, similar to measures used within the professional project management community
- activities for sharing prior project knowledge and collecting lessons learned during a project's lifecycle as well as how that information is collected and used to inform regular ePMF process improvements
- identifying the responsible official and a process to ensure that partially or not yet realized outstanding benefits remaining at the end of a closed project are measured and reported on

3.3 Project adherence to the ePMF process

The agency's ePMF documents project management processes and includes supporting tools and guidance. However, projects tested were not adhering to the documented process.

Background

The agency's ePMF provides common direction, tools and guidance for project management within the CFIA to enable project success and reduce project risk. These processes support intake, stage gating and change requests requirements, and help ensure ongoing effective management of the project by following a documented decision-making governance structure. As such, projects are expected to complete applicable deliverables prior to receiving approval to proceed to the next stage. Throughout the life of a project, there may be up to 36 deliverables, not including change requests.

All personnel in key project roles and project teams are expected to adhere to the ePMF, with a project's Executive Sponsor having ultimate responsibility and accountability for ensuring the delivered product or service meets the needs of the business (see appendix A)

Findings

The audit expected that projects consistently followed the required project management processes, completed the required deliverables, and that any deviations were formally documented and approved. However, testing completed on a sample of projects identified gaps and inconsistencies in following the documented process, as summarized in appendix D. For example:

all projects tested during the audit advanced their work or made changes to their scope, schedule or funding even though they had instances of missing approvals and incomplete required documentation

For example, approvals were missing from change requests and the monthly dashboards, and in some instances, detailed business requirements, stakeholder management plans and privacy impact questionnaires were not completed.

By not having the proper approval, it is possible that some issues and risks were not identified by stakeholders.
projects tested were not always following the proper governance requirements as per the ePMF

For example, Project Steering Committee (PSC) or a Senior Project Advisory Committee (SPAC) were not in place as expected for their project tier, and meetings did not occur at the minimum frequency required (monthly).

Further, these committees would stop meeting during a project's execution stage even when projects' health was deteriorating.
even though the ePMF refresh will address gaps with the directive, additional scrutiny is required to ensure the new ePMF is followed as documented

Why it matters

Without controls and approvals in place to ensure projects consistently follow the project management processes, projects may lack oversight and create workarounds to enable continuance of the project. This means that key information, issues and risks may not be appropriately communicated to all stakeholders which could adversely affect decision-making and project success.

Recommendation

Recommendation 3 (High)

The Vice-President of Corporate Management Branch should establish a process for monitoring compliance and course correction when projects are not following the documented ePMF process. This should include:
- clarity of project team responsibilities and accountabilities for following the ePMF
- establishing a process to address and respond to non-compliance to the ePMF, including implications during stage gating and change requests

4.0 Audit conclusion

The audit concluded that, overall, processes and procedures are in place to support project management at CFIA. However, key improvements are required to ensure the process is efficient to support successful project outcomes in the following areas:

challenge function and course correction on projects
alignment of the agency's ePMF with the TBS Directive on the Management of Projects and Programmes
project adherence to the documented ePMF process

Appendix A: Project roles and responsibilities

At CFIA, all projects are required to identify key project roles as they are essential to the successful realization of the outcomes. All personnel in key project roles and project teams must adhere to project management principles stipulated in the ePMF.

All projects at CFIA must identify and fill 3 key roles: Executive Sponsor, Business Sponsor, and Project Manager. Responsibility and accountability vary depending on the role.

Executive Sponsor (ES) – is generally at the Vice President level and is mandatory for all projects. The ES will own the result of the investment delivered by the project and is ultimately responsible and accountable for ensuring the delivered product or service meets the needs of the business. This includes providing visible active leadership and timely direction to mitigate project risks, resolve issues, and act on opportunities, and ensuring the continued alignment of the investment with the strategic objective/priorities and the achievement of the outcomes/benefits.

Business Sponsor (BS) – is generally at the Executive Director/Director level, and provides on-going support for the project. The BS is responsible for all aspects related to the planning and delivery of the project. This includes ensuring where business change is required to achieve the business outcomes, that the project scope of work includes all the activities and outputs necessary to bring about this change.

Project Manager (PM) – is generally at the Manager Level, and is responsible for the detailed management of the project. The PM will report to the BS, unless a Project Director^{Footnote 18} is identified, in that case the Project Manager will report to the Project Director. This includes responsibility for managing the success of the project from the time the investment is approved (Stage 2) to close-out (Stage 5) through adherence to the project management principles defined within the ePMF.

Appendix B: Project governance

Project governance. Description follows.

Appendix C: CFIA project management process

CFIA project management process. Description follows.

Appendix D: Summary of test results

Number of projects where documentation tested was non-compliant with the ePMF.
	Sample size	Stage 1: Idea generation	Stage 2: Concept initiation	Stage 3: Project planning	Stage 4: Project execution	Stage 5: Project close-out	Stage 6: Post-launch review	Change requests
Initiatives^{Table note a}	3	1/3	n/a	n/a	n/a	n/a	n/a	n/a
Ongoing projects^{Table note b}	3	3/3	3/3	3/3	2/2	1/1	n/a	2/3
Closed projects	2	n/a	n/a	n/a	n/a	n/a	2/2	n/a

Appendix E: Audit criteria and sub-criteria

The 3 lines of enquiry with corresponding audit criteria and sub-criteria were as follows:

Line of enquiry 1: project management portfolio planning^{Footnote 19}

Criteria 1: the CFIA's process to formally onboard and track projects ensures that the agency's complete portfolio has appropriate ePMO oversight.

1.1 The CFIA has a formally documented, communicated and monitored intake path for agency projects that ensures they follow the required project management practices and the Enterprise Project Management Framework. Significance rating – Medium^{Footnote 20}

Line of Enquiry 2: management of projects^{Footnote 19}

Criteria 2: the CFIA has designed and implemented effective project management processes that support efficient and timely oversight and project decision-making.

2.1 The project management process is effectively designed and implemented to support the efficient and timely oversight and decision-making. Significance rating – High^{Footnote 20}

2.2 Project performance data, including full-lifecycle cost and benefits, is prepared and provided by the project team in support of regular monitoring of projects and to allow course correction if needed. Significance rating – High^{Footnote 20}

Criteria 3: the CFIA has implemented project management processes that support successful project outcomes

3.1 Projects are managed with a view to maximizing efficiency, applying prior project management knowledge and ensuring the realization of benefits. Significance rating – Medium^{Footnote 20}

3.2 Change management activities are taking place throughout the duration of a project to support the broad business changes required for, and as a result of the project. Significance rating – Medium^{Footnote 20}

Line of Enquiry 3: the CFIA has implemented project management processes that support successful project outcomes.^{Footnote 19}

Criteria 4: the CFIA project management process promotes continuous improvement.

4.1 After the implementation of the project, CFIA measures the project's performance to determine the degree of the project's success, including realizing benefits. Significance rating – Medium^{Footnote 20}

4.2 CFIA conducts lessons learned and applies knowledge gained from prior projects to promote current and future project performance improvement. Significance rating – Low^{Footnote 20}

Appendix F: Audit entity risks

Risk – There is a risk that projects do not provide governance with complete and timely information on changes to scope, schedule or cost, full lifecycle costs and benefit realization to support effective monitoring, decision-making and course correction. (Line of enquiry (LOE) 2 and 3)

Why it matters – Without complete and timely information, governance may not be able to provide strategic advice on projects, which can lead to delays, cost overruns and lack of accountability.

Risk – There is a risk that CFIA's project management structure and governance oversight is overly complex and does not promote timely project delivery. (LOE 2)

Why it matters – Without a project management structure aligned with the risk of the project and able to provide timely advice, projects may not be receiving effective oversight and timely approvals.

Risk – There is a risk that CFIA has not developed and communicated an adequate and transparent project intake process that ensures all agency projects are formally tracked and subject to the required project management oversight. (LOE 1)

Why it matters – Without an adequate and transparent project intake process, the comprehensive inventory of all projects might not follow the agency's approved project management practices, oversight and tools.

Risk – There is a risk that CFIA's project management process does not include a documented agile methodology to facilitate project management nimbleness, efficiency, and responsiveness to changing client needs. (LOE 2)

Why it matters – In the absence of a documented agile process for suitable projects, the agency might already manage projects using agile tools, performance metrics and processes, which might lead to projects not achieving the desired outcomes.

Risk – There is a risk that projects at CFIA do not apply knowledge and lessons learned gained from prior projects to promote performance improvements. (LOE 2 and 3)

Why it matters – Without a continuous improvement process, past lessons learned might not be incorporated and similar problems may be occurring again.

Risk – There is a risk that CFIA's projects do not consistently follow the required project management processes and approvals. (LOE 2 and 3)

Why it matters – Without projects consistently following the project management processes and approvals, projects may be lacking oversight and may not be appropriately communicated to all stakeholders.

Risk – There is a risk that CFIA does not apply the required change management^{Footnote 21} practices throughout the duration of a project. (LOE 2)

Why it matters – Without a documented and implemented change management practices, the project team might not take the necessary change management activities to support the successful implementation of the project.

Appendix G: Audit sub-criteria significance ratings

Rating: high significance – This sub-criteria fits at least 1 of the following criteria:

critical to the achievement of the program/activity mandate, objectives and/or priorities
dollar value is very high
reach of this line of enquiry is broad (impact on the stakeholders is high, reaches the majority of stakeholders)

Rating: medium significance – Not meeting this sub-criteria would make the objective of the program/activity to be delayed or not to be achieved and the missing/delayed elements fit at least 1 of the following criteria:

supports the mandate, objectives and/or priorities of the program or activity
dollar value is high (25% of the program/activity)
scope/reach of the objective is broad (that is, the impact on stakeholders is high)

Rating: low significance – Not meeting this sub-criteria will cause only a few of the elements of the objective to not be achieved and the missing/delayed elements fit at least 1 of the following criteria:

marginally supports the mandate, objectives and/or priorities of the program/activity in scope
dollar value is low
scope/reach of the objective is low (that is, the impact on stakeholders is marginal)

Appendix H: Recommendation priority ratings

The CFIA uses internal audit recommendation priority criteria as follows:

Very high – Expectations are not fulfilled in an area that is either critical to the achievement of the program/activity, has a very high dollar value, or a very broad reach.

High – There is room for improvement in an area that is either critical to the achievement of the program/activity, has a very high dollar value, or a very broad reach; or expectations are not fulfilled in an area that would make the objective of the program/activity to be delayed or not to be achieved and the missing/delayed elements fit at least 1 of the following criteria–supports the mandate, objectives, and/or priorities of the program or activity, the dollar value is 25% or more of the program activity, and the scope/reach of the objective is broad (that is the impact on stakeholders is high).

Medium – There is room for improvement in an area that could make the program/activity be delayed or not achieved and the missing/delayed elements fit at least 1 of the following criteria–supports the mandate, objectives, and/or priorities of the program or activity, the dollar value is 25% or more of the program activity, and the scope/reach of the objective is broad (that is the impact on stakeholders is high).

Low – Expectations are not fulfilled or there is room for improvement in an area that will cause only a few of the elements of the objective to not be achieved and the missing/delayed elements either marginally support the mandate, the dollar value is low, or the scope/reach of the objective is low.

Very low – Expectations are fulfilled, no significant changes are required.

Appendix I: Management response and action plan

Recommendation 1: Very high

The Vice-President of Corporate Management Branch should clearly define in the agency's Project Management Framework the project or programme roles and governance bodies who are responsible for exercising oversight and a challenge function on projects, as well as the information they need, to allow for making recommendations or decisions when projects require corrective action. This should include:

identifying which governance committee(s)* are responsible and accountable for project health and monitoring, which governance committee(s) have decision-making authorities, and defining what their dispute resolution forum and/or mechanism is
reviewing and updating project team roles and governance committee Terms of Reference
establishing standard tools, guidance and information and frequency needed to support regular monitoring and oversight

* Governance committee(s) means both agency level and project level committees. As per the ePMF, Executive sponsors (generally at the Vice-President (VP) level) will own the result of the investment delivered by the project and are ultimately responsible and accountable for ensuring the delivered product or service meets the needs of the business.

Management response: management agrees with the recommendation.

Action and rationale

The Enterprise Project Management Office (ePMO) is in the process of re-designing the investment and project governance structure and function. This re-design will improve clarity on overall project accountability as a clear mechanism will be established to ensure oversight from the right level governance committee, supported by the independent opinion and advice from ePMO, is proportional and effective with the complexity and risk of the investment project.

Through this re-design, the ePMO will:

identify who is responsible and accountable for project health and monitoring, which governance committee(s) have decision-making authorities, and define what their dispute resolution forum is
review and update project team roles and governance committee Terms of Reference
develop corresponding guidance, tools, templates and identify the type and frequency of information needed to support successful project implementation as well as regular monitoring and oversight to enable decision making, including corrective action

Expected completion/implementation date: June 2024

Responsibility for action: Vice President, Corporate Management Branch (CMB)

Recommendation 2: Very high

The Vice-President of Corporate Management should update the ePMF, including applicable guidance and tools to fully align and demonstrate compliance with the TBS directive on the Management of Projects and Programmes. These updates should include:

requirement for a revalidation of the Business case, relevance and attainability of intended benefits and ongoing viability of the project at each gate
clearer requirements and guidance for change management and lifecycle cost estimation earlier in the process
flexible project management approaches, including expectations and guidance of when and how they should be used
requirements for assurance activities and independent reviews when projects are not subject to TBS oversight
standard project performance measures that provide information on the value the project is bringing and that assess its progress, similar to measures used within the professional project management community
activities for sharing prior project knowledge and collecting lessons learned during a project's lifecycle as well as how that information is collected and used to inform regular ePMF process improvements
identifying the responsible official and a process to ensure that partially or not yet realized outstanding benefits remaining at the end of a closed project are measured and reported on

Management response: management agrees with the recommendation.

Action and rationale

the ePMO will refresh the Enterprise Project Management Framework (ePMF) including applicable guidance and tools, in order to fully align and demonstrate compliance with the TBS directive on the Management of Projects and Programmes
in support of more flexible project management approaches, the ePMO will develop an agile methodology framework and tools while fully respecting the key controls outlined in Government of Canada Guide to Project Gating

Expected completion/implementation date

June 2024
Completed December 2022

Responsibility for actions: Vice President, Corporate Management Branch (CMB)

Recommendation 3: High

The Vice-President of Corporate Management Branch should establish a process for monitoring compliance and course correction when projects are not following the documented ePMF process. This should include:

clarity of project team responsibilities and accountabilities for following the ePMF
establishing a process to address and respond to non-compliance to the ePMF, including implications during stage gating and change requests

Management response: management agrees with the recommendation.

Action and rationale

ePMO will establish a process for monitoring compliance and course correction including implications during stage gating and change requests when projects do not follow the ePMF. Project teams responsibilities and accountabilities for ePMF compliance will be clearly articulated in the ePMF and Executive Sponsor appointment letter.

Expected completion/implementation date: June 2024

Responsibility for action: Vice President, Corporate Management Branch (CMB)

Appendix J: Abbreviation definitions

Canadian Food Inspection Agency (CFIA)
Corporate Governance Committee (CGC)
enterprise Project Management framework (ePMF)
enterprise Project Management Office (ePMO)
organizational change management (OCM)
Organizational Project Management Capacity Assessment (OPMCA)
Project Assessment Report (PAR)
Project Management Plan (PMP)
People, Project, and Financial Management Committee (PPMFC)
Project Steering Committee (PSC)
Senior Management Committee (SMC)
Senior Project Advisory Committee (SPAC)
Treasury Board of Canada Secretariat (TBS)
Terms of Reference (TOR)

Footnotes

Footnote 1

Project management is the systematic planning, organizing and control of allocated resources to accomplish identified project objectives and outcomes. Project management is normally reserved for focused, non-repetitive, and time-limited activities that have some degree of risk, and for activities beyond the usual scope of program (operational) activities. (TBS Policy on the Planning and Management of Investments)

Return to footnote 1 referrer

Footnote 2

Departments and agencies had 6 months to 1 year from April 2019 to fully implement this directive, depending on the status of their in-flight projects.

Return to footnote 2 referrer

Footnote 3

A project is an activity or series of activities that has a beginning and an end. A project is required to produce defined outputs and realize specific outcomes in support of a public policy objective, within a clear schedule and resource plan. A project is undertaken within specific parameters for time, cost and performance. (TBS Policy on the Planning and Management of Investments)

Return to footnote 3 referrer

Footnote 4

A group of related projects and change management activities that together achieve beneficial results for a department. (TBS Policy on the Planning and Management of Investments)

Return to footnote 4 referrer

Footnote 5

The Organizational Project Management Capacity Assessment (OPMCA) is the agency's capacity to successfully deliver a defined volume of work over a fixed period of time. TBS uses this assessment to determine the relevant expenditure authority and the appropriate level of Treasury Board oversight. At the CFIA, tier 1 projects with total project cost ≥ $5M and where the Project Complexity and Risk Assessment > OPMCA are subject to TBS oversight.

Return to footnote 5 referrer

Footnote 6

A total of eight (8) projects were judgmentally selected for testing: 3 initiatives, 3 active projects and 2 completed projects. An initiative is an activity within the Agency that may or may not be a project.

Return to footnote 6 referrer

Footnote 7

A project's tier is determined based on the project's financial investment, duration, risk, complexity and visibility.

Return to footnote 7 referrer

Footnote 8

Executive Directors are at a lower seniority level than Vice-Presidents

Return to footnote 8 referrer

Footnote 9

Recommendation priority ratings are described in Appendix H.

Return to footnote 9 referrer

Footnote 10

The Vice-President Corporate Management Branch at CFIA is the Senior Designated Official responsible for project management, and is also the Chief Financial Officer and Chief Security Officer.

Return to footnote 10 referrer

Footnote 11

Governance committee(s) means both agency level and project level committees. As per the ePMF, Executive Sponsors (generally at the VP level) will own the result of the investment delivered by the project and are ultimately responsible and accountable for ensuring the delivered product or service meets the needs of the business.

Return to footnote 11 referrer

Footnote 12

Independent project reviews are critical assessments of a project conducted by people who are at arm's length from it (ePMF Handbook)

Return to footnote 12 referrer

Footnote 13

Projects with total project cost ≥ $5M and where the Project Complexity and Risk Assessment is greater than the Organizational Project Management Capacity Assessment rating for the CFIA are subject to TBS oversight. Note – none of the projects tested for this audit included projects with TBS oversight.

Return to footnote 13 referrer

Footnote 14

In the context of this audit, "change management" includes all change management activities and outputs necessary to support the broad business changes required for, and as a result of the project. It also includes activities through which stakeholders awareness and expectations are confirmed. This encompasses the ePMF definition of Organization Change Management (OCM): "the process, tools and techniques to manage the people side of change to achieve the required business results". However, it does not include project change management, such as changes to scope, schedule and costs.

Return to footnote 14 referrer

Footnote 15

A person responsible for supporting the deputy head in fulfilling their function-specific policy requirements (TBS Policy on the Planning and Management of Investments)

Return to footnote 15 referrer

Footnote 16

The audit team researched project management practices for performance measurement, which included industry practices identified by the Project Management Institute, ISACA, Stacey Barr (PuMP) and Adobe.

Return to footnote 16 referrer

Footnote 17

The Organizational Project Management Capacity Assessment (OPMCA) is the Agency's capacity to successfully deliver a defined volume of work over a fixed period of time. TBS uses this assessment to determine the relevant expenditure authority and the appropriate level of Treasury Board oversight. At the CFIA, tier 1 projects with total project cost ≥ $5M and where the Project Complexity and Risk Assessment > OPMCA are subject to TBS oversight.

Return to footnote 17 referrer

Footnote 18

The Project Director, generally at the Director level, is responsible for driving the success of the project from the time the project is approved (Stage 2) to when the project has closed out (Stage 5). All tier 1 projects with TBS Oversight are required to have a dedicated Project Director working on the project.

Return to footnote 18 referrer

Footnote 19

See Appendix F for audit entity risks corresponding to each line of enquiry.

Return to footnote 19 referrer

Footnote 20

See Appendix G for audit sub-criteria significance ratings.

Return to footnote 20 referrer

Footnote 21

Return to footnote 21 referrer

Audit of Project Management – Report

On this page

1.0 Results in brief

2.0 Background

2.1 Audit objective

2.2 Audit scope

2.3 Approach

2.4 Statement of conformance

3.0 Findings and recommendations

3.1 Challenge function and course correction on projects

Background

Findings

Why it matters

Recommendation

3.2 Agency's ePMF alignment with TBS requirements

Background

Findings

Why it matters

Recommendation

3.3 Project adherence to the ePMF process

Background

Findings

Why it matters

Recommendation

4.0 Audit conclusion

Appendix A: Project roles and responsibilities

Appendix B: Project governance

Appendix C: CFIA project management process

Appendix D: Summary of test results

Appendix E: Audit criteria and sub-criteria

Appendix F: Audit entity risks

Appendix G: Audit sub-criteria significance ratings

Appendix H: Recommendation priority ratings

Appendix I: Management response and action plan

Recommendation 1: Very high

Action and rationale

Recommendation 2: Very high

Action and rationale

Expected completion/implementation date

Recommendation 3: High

Action and rationale

Appendix J: Abbreviation definitions