Audit of Campus Custodial Services at the Communications Research Centre

This publication is available online at http://www.ic.gc.ca/eic/site/ae-ve.nsf/eng/h_00350.html

To obtain a copy of this publication or an alternate format (Braille, large print, etc.), please fill out the Publication Request Form at www.ic.gc.ca/Publication-Request or contact:

Web Services Centre
Innovation, Science and Economic
Development Canada
C.D. Howe Building
235 Queen Street
Ottawa, ON K1A 0H5
Canada

Telephone (toll-free in Canada): 1-800-328-6189
Telephone (Ottawa): 613-954-5031
TTY (for hearing-impaired): 1-866-694-8389
Business hours: 8:30 a.m. to 5:00 p.m. (Eastern Time)
Email: info@ic.gc.ca

Permission to Reproduce

Except as otherwise specifically noted, the information in this publication may be reproduced, in part or in whole and by any means, without charge or further permission from Innovation, Science and Economic Development Canada, provided that due diligence is exercised in ensuring the accuracy of the information reproduced; that Innovation, Science and Economic Development Canada is identified as the source institution; and that the reproduction is not represented as an official version of the information reproduced, nor as having been made in affiliation with, or with the endorsement of, Innovation, Science and Economic Development Canada.

For permission to reproduce the information in this publication for commercial purposes, please fill out the Application for Crown Copyright Clearance at www.ic.gc.ca/copyright-request or contact the Web Services Centre mentioned above.

© Her Majesty the Queen in Right of Canada, as represented by the Minister of Innovation, Science and Economic Development Canada, (2018).

Cat. No. Iu-4-228/2018E-PDF
ISBN 978-0-660-26825-5

Aussi offert en français sous le titre Audit des Services de Garde du Campus Fournis par le Centre de Recherches sur les Communications.

Note to Readers

This report contains information severed in accordance to the Access to Information Act.

Audit and Evaluation Branch

March 2018

Recommended for Approval to the Deputy Minister by the Departmental Audit Committee on March 26-27, 2018

Approved by the Deputy Minister on April 23, 2018

Table of contents

List of Initialisms and Acronyms Used in Report

AEB
Audit and Evaluation Branch
CMS
Corporate Management Sector
CRC
Communications Research Centre
DND
Department of National Defence
DRTE
Defence Research Telecommunications Establishment
IFMS
Integrated Financial Management System
ISED
Innovation, Science and Economic Development Canada
MOU
Memorandum of Understanding
R&D
Research and Development
SOP
Standard Operating Procedure
SRMS
Salary Reporting and Management System
STS
Spectrum and Telecommunications Sector
TB
Treasury Board of Canada
WebTMA
The Maintenance Authority (cost recovery software)

1.0 Executive Summary

1.1 Introduction

Located at Shirleys Bay in Ottawa, the Communications Research Centre (CRC) is the federal government's primary laboratory for research and development in advanced telecommunication systems and technologies, with a particular focus on the efficient exploitation of radiofrequency (RF) spectrum. Within Innovation, Science and Economic Development Canada (ISED), CRC is currently housed in the Spectrum and Telecommunications Sector (STS).

Although its main focus and mandate is applied research in advanced telecommunications, CRC currently acts as a custodian of the Shirleys Bay Campus (the Campus), which includes over 300 hectares of federal land located 20 km west of downtown Ottawa. This secure Campus accommodates CRC, along with a number of other federal partners, including the Canadian Space Agency, several Department of National Defence (DND) organizations, and Library and Archives Canada (LAC).

CRC provides custodial services to Campus partners on a cost-recovery basis. This is based on individual Memoranda of Understanding (MOU) with Campus partners that stipulate the cost recovery methodology for operations and maintenance costs.  Within CRC, custodial services are provided by the Campus Operations Directorate, which includes three functions: (1) operations and maintenance; (2) real estate and property; and (3) security and fire services.

In recent years, the CRC has made a number of investments and divestments within the Campus, both to address health and safety-related real property liabilities resulting from aging infrastructure and buildings, as well as to modernize the Campus. Two buildings have been divested since 2015, and five more are in the process of being transferred to DND. Further, a total of $48.5M will have been spent on Campus infrastructure projects by March 31, 2018.

1.2 Audit Background

The objective of the audit was to provide reasonable assurance that an effective management control framework is in place over CRC's campus custodial services.

The audit scope focused on the management control framework of the Campus custodial services within CRC at the Shirleys Bay Campus from April 1, 2015 to March 31, 2017, including:

  • Governance of the custodial activities;
  • Risk management related to custodial activities;
  • Management of the lifecycle of real properties on the Campus;
  • Management of health and safety projects;
  • Cost recovery processes for Campus services; and
  • Physical security across the Campus.

1.3 Overview of Audit Results

Strengths

CRC has established a formal governance structure for oversight of all of its activities, including custodial services. This includes oversight mechanisms and management structures within CRC and a committee structure with Campus partners for decisions and activities related to the maintenance, investment and security across the Campus.

Risks are managed both formally and informally across CRC, and these risks are reflected in the departmental corporate risk framework.

Given the investment being made in health and safety projects, significant oversight and diligence is being applied to the management of these projects, including the application of formal project management activities and ongoing oversight by senior management within CRC and ISED.

To help ensure the Campus is managed and maintained effectively, CRC has implemented a system to manage and track its maintenance activities on behalf of Campus partners, which is generally working as required. In addition, to ensure access to and security of the Campus is controlled, a comprehensive security program with standard operating procedures has been established by the CRC, and is risk-based.

Areas for Improvement

Some opportunities for improvement were identified by the audit, including:

  • Governance: CRC should ensure that performance indicators related to its custodial activities, including the value of these activities, are reflected in the organization's performance information profile that is currently being developed.
  • Risk Management: CRC should establish a formal methodology for risk identification, assessment, mitigation and ongoing monitoring/reporting for the real property portfolio.
  • Internal Controls (Real Property Management): CRC, in consultation with the Corporate Management Sector, should finalize the real property management framework and its lifecycle management approach, develop asset management plans for all assets and ensure sufficient tools/guidance are in place for the development of investment planning activities.
  • Internal Controls (Cost Recovery Management): CRC should re-examine the current cost recovery method to identify opportunities to streamline and automate as much of the process as possible. In the short-term, the existing cost recovery process should be fully documented and cross-training of other employees should be prioritized. Further, CRC should strengthen its work order process to include controls that ensure labour hours and costs associated with the completed work order are accurate when inputting into WebTMA.
  • Internal Controls (Security): CRC should establish a process to periodically review the access granted to the Campus by the Commissionaires and periodically validate those individuals with access with its Campus partners.

1.4 Audit Opinion and Conclusion

The results of this audit revealed that controls are in place for the custodial activities undertaken by CRC for the Campus. However, opportunities exist to formalize its performance measurement strategy, risk management, and real property and lifecycle management framework. Further, there is an opportunity to streamline the cost recovery process and improve security administration and oversight.

1.5 Management Response

Management has agreed with the findings included in this report and will take action to address all recommendations by March 31, 2019.

1.6 Statment of Conformance

This audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Audit and Evaluation Branch's quality assurance and improvement program.

space to insert signature

Michelle Gravelle
Chief Audit Executive
Innovation, Science and Economic Development Canada


2.0 Entity Background

2.1 Overview of CRC

Located at Shirleys Bay in Ottawa, CRC is the federal government's primary laboratory for research and development in advanced telecommunication systems and technologies.  The origins of CRC date back to the 1940's, when the National Research Centre (NRC) investigated radio waves and the development of electronics equipment in support of Canada's war effort.  Following World War II, these research efforts were merged into the Defence Research Telecommunications Establishment (DRTE).  In 1962, the DRTE built Canada's first satellite, the Alouette, which has been designated an event of national historic significance by the Historic Sites and Monuments Board of Canada, and as one of the ten most outstanding achievements in the first 100 years of engineering in Canada. 

In the wake of Alouette's success, the government moved to expand civilian communications with the creation of the Department of Communications and its research arm in 1969 and the CRC was spun out of DRTE. In 1970, his excellency the Governor General in Council, on the recommendation of the Minister of National Defence, transferred from the Minister of National Defence to the Minister of Communications, the management, charge and direction of the public work known as the CRC, together with all buildings, works, furnishings, equipment, stores, research installations and materials.

CRC was designated research institute status in 1992 and was moved to Industry Canada in 1994. Its primary focus is on research and development (R&D), with a current priority on wireless communications. CRC's mission is to:

  • Perform wireless telecommunications R&D that advances the efficient exploitation of the radio spectrum, and serves as the government's leading source of scientific knowledge and long-term technical advice for spectrum management, regulation and policy purposes;
  • Support critical wireless telecommunications operational requirements of Government of Canada departments and agencies, such as National Defence and Public Safety; and
  • Take part in strategic R&D collaborations that leverage CRC's activities, resulting in knowledge and technology transfer, to the benefit of Canadian industry, the economy and CanadiansFootnote 1.

Within ISED, CRC is currently housed in the Spectrum and Telecommunications Sector.  For 2016-17, CRC's funding was approximately $46 millionFootnote 2 and its complement of full-time employees was about 205Footnote 3.

2.2 Custodial Responsibilities and Services

Although it is primarily a research institute, CRC has inherited the role of custodian for the Shirleys Bay Campus, which includes over 300 hectares of federal land located 20 km west of downtown Ottawa. This secure Campus accommodates the CRC, along with a number of other federal partners, namely the Canadian Space Agency, NRC, several DND organizations, and Library and Archives Canada.

As of February 2018, the Campus included 113 buildings (including temporary trailers and shelters) occupying 73,792 square meters. CRC has a minority presence on the Campus, occupying only 28% of total buildings.  A breakdown of the occupants within the Campus is provided below.

Table 1– Shirleys Bay Campus Gross Total (square meters)
Department #of buildings Total Square Meters Percentage of Total Square Meters
CRC and ISED Certification and Engineering Bureau 26 20,404 28%
Department of National Defence 58 32,341 44%
Canadian Space Agency 6 14,637 20%
Library and Archives of Canada 1 1,190 2%
Buildings shared by other departments 22 5,221 7%
Total 113 73,792 100%

CRC provides custodial services to their Campus partners on a cost-recovery basis. This is based on MOUs with these partners that stipulate the cost recovery methodology for operations and maintenance costs.  Custodial services are provided by the Campus Operations Directorate, which includes three functions:

  • Operations and maintenance: Provides services to the Campus, such as electrical, mechanical, carpentry and paint, utility, and snow removal. This group also provides a variety of services to ensure buildings and infrastructure on the Campus receive the required repairs and maintenance activities to continue to comply with applicable building codes, standards, and regulations.
  • Real estate and property: Leads and manages a number of environmental and real property management services that include planning and delivering the health and safety projects for the Campus, building cleaning, parking assignment, providing advice and guidance to senior management, and Campus committees and partners on campus projects and real property.
  • Security and Fire: Responsible for security and fire infrastructure, the commissionaires/reception centre services, identification and access control office, personnel security office and emergency response.

2.3 Recent Real Property Activity

In recent years, the CRC has made a number of investments in the Campus both to address health and safety related real property liabilities resulting from aging infrastructure and buildings, as well as to modernize the Campus, specifically:

  • In June 2012, a four-year health and safety portfolio of projects was approved to address key risks.  Projects totalling $18.4 million were provided funding from ISED.  Projects ranged from upgrading heating ventilation and air conditioning, to making electrical and plumbing upgrades, to renovating a building complex.
  • In Budget 2015, CRC received funding of $2.3 million over two years to redesign and construct the main entrance of the CRC's laboratory complex, as well as to design and construct a Big Data Analytics Centre.  The Big Data Analytics Centre has been completed and the entrance is nearing completion.
  • Budget 2016 provided a further $15.2 million for seven projects, to be completed by March 2018. These projects are ongoing and include refurbishment of several buildings, roof replacement, the security main gate house and building a new laboratory.

CRC has taken steps to divest buildings that are more appropriately managed by DND, or are no longer of value to the Crown; specifically:

  • Two buildings were transferred to DND; one in October 2015, the second in April 2017.
  • One building that was no longer required was demolished in March 2016.
  • Five buildings were formally being transferred to DND as of January 2018.
  • Two buildings have been identified as requiring demolition, but are attached to other in-use Campus buildings; therefore, appropriate actions are being considered.

Although CRC has taken on responsibilities for and achieved success in managing investments and daily operations as the custodian of the Campus, it has been done with a view to eventually transfer responsibility for these activities and ultimately re-focus on its original mission; that of communications R&D. In line with this, and to enable CRC to focus on its priorities, plans are currently underway to transfer the role of custodianship of the Shirleys Bay Campus from ISED to DND, which has a much larger Real Property portfolio; and therefore, more capacity and expertise to undertake the role. 

3.0 About the Audit

In accordance with the approved ISED 2016-17 to 2017-18 Multi-Year Risk-Based Audit Plan, the Audit and Evaluation Branch (AEB) undertook an Audit of Campus Custodial Services at CRC.

3.1 Audit Objective

The objective of the audit was to provide reasonable assurance that an effective management control framework is in place over CRC's campus custodial services.

3.2 Audit Scope

The audit scope focused on the management control framework of the campus custodial services within CRC for the Campus from April 1, 2015 to March 31, 2017, including:

  • Governance of the custodial activities;
  • Risk management related to custodial activities;
  • Management of the lifecycle of real properties on the Campus;
  • Management of health and safety projects;
  • Cost recovery processes for Campus services; and
  • Physical security across the Campus.

3.3 Methodology

The audit was conducted in accordance with the Internal Auditing Standards for the Government of Canada. The methodology used for this audit included the following:

  • Interviews were conducted with stakeholders from each of the areas being assessed, including Senior Management, the Director, Campus Operations, and the leads of real estate property, physical security, cost recovery, and the cost recovery software (WebTMA) team;
  • Walkthroughs of processes were held, including one each with the physical security team and real estate property team, and two each with the WebTMA team and the cost recovery team;
  • A total of 103 files were tested across all audit criteria; and
  • Over 100 documents were reviewed.

All of the audit evidence gathered through the above noted processes was synthesized, analyzed and supports the audit observations presented throughout this report.

Based on the identified risks, AEB developed the audit criteria and sub-criteria linked to the overall audit objective (see Appendix A).

A debrief meeting was held with the auditee on January 18, 2018, to validate the findings that form the basis of this report. This meeting also provided the auditee an opportunity to offer any additional information and clarification regarding the findings.

4.0 Observations and Recommendations

4.1 Introduction

This section presents detailed observations from the Audit of Campus Custodial Services at the CRC. The observations are based on evidence and analysis from both the initial risk assessment and the detailed audit work.

4.2 Governance

CRC has a formal governance structure in place to oversee and monitor its custodial activities and its work with Campus partners. However, CRC custodial activities are not reflected in the Branch's performance measurement strategy currently being developed.

Good governance helps an organization to make decisions with sufficient information, in a timely manner, in support of the organization's objectives. Within CRC, a formal governance structure has been established to monitor and oversee its activities, including custodial and health and safety.  These include the:

  • CRC Management Committee, which is comprised of senior representatives from CRC and is responsible for the advancement of CRC's mandate and priorities by ensuring that effective and coherent program and management practices are in place; and the
  • Occupation Health and Safety Committee, which is comprised of both employees (volunteers) and management (mandated) and is responsible for identifying and addressing potential health and safety issues on Campus.

Because CRC is also accountable to its Campus partners for specific custodial activities (as outlined in the individual MOUs with the partner organizations), there is an additional governance structure relative to Campus operations, including the:

  • Campus Steering Committee, which is comprised of senior management representatives from partner organizations, and is responsible for making strategic and long-term decisions relating to Campus development and strategic planning;
  • Campus Working Group, which is comprised of representatives from partner organizations at the working level, responsible for the day-to-day management and delivery of the custodial services; and
  • Campus Security Committee, which is comprised of representatives from partner organizations that are in a position to make security decisions relating to campus developments and to provide strategic security planning.

While a performance measurement strategy is currently being developed for CRC as a whole, there was no strategy in place for the time period reviewed by the audit. With no current vehicle to capture performance information related to its custodial activities, CRC may not be able to determine performance outcomes for its operations, or demonstrate its value-for-money in the services it provides.

Recommendation 1 (Low Risk)

CRC should ensure that performance indicators related to its custodial activities, including the value of these activities, are reflected in the Branch performance measurement strategy that is currently being developed.

4.3 Risk Management

Risks are managed both formally and informally across CRC, and these risks are reflected in the departmental corporate risk framework. However, there is no formal risk management approach in place that encompasses all custodial activities.

Good governance should be supported by strong risk management, which provides context and information for decision-making, and helps to protect an organization from unnecessary costs and harm. CRC participates and feeds into ISED's integrated risk management framework. The risks associated with the aging infrastructure within the CRC Campus have been included in the Department's Corporate Risk Profile since 2012-13.

Within CRC, the Campus Operations team undertakes ongoing risk management activities.  All of the divestments made and health and safety projects undertaken since 2011 have been based on risk-informed decisions. In addition, the Campus Operations team formally identifies, assesses and monitors risks to the health and safety projects as part of the overall project management approach, which includes daily issue impact documentation and discussions.  The team also regularly monitors maintenance activities to assess future infrastructure needs.  Finally, there are weekly management team meetings, which involve the President of the CRC, that include risk assessments and discussions.

At the time of the audit, no formal risk management framework had been established for the Campus real property portfolio and associated custodial activities.  However, a draft investment plan that contains risk information and the ability to link risk assessments with investment decisions was being developed. A framework that assists CRC specifically with its custodial responsibilities could support not only investment decisions, but also on-going operations and service delivery to partners on the Campus. Further, a risk framework could also have applications to other issues identified in this report (e.g. cost recovery process). With current risk assessments focused largely on health and safety projects, and without a formal risk management approach, key risks to all areas of the custodial portfolio may not be identified, assessed and remediated in a timely manner.

Recommendation 2 (Low Risk)

CRC should establish a formal methodology for risk identification, assessment, mitigation and ongoing monitoring/reporting for the real property portfolio.

4.4 Internal Controls

Real Property Management

A draft real property management framework has been established and an investment plan has been developed and presented to Campus partners. However, asset management plans to support the lifecycle management approach have not yet been prepared.

TB's Policy on the Management of Real Property requires that an appropriate real property management framework, including lifecycle and asset management plans, are in place and maintainedFootnote 4. CRC, in collaboration with the Corporate Management Sector (CMS), developed a draft real property management framework that outlines the governance, roles and responsibilities and lifecycle management activities in place to support informed real property management decisions.   

Based on this framework, CRC's Campus Operations Directorate has developed and communicated to Campus partners an annual investment plan that identifies items requiring attention in the upcoming year. In addition, a more comprehensive 3-5-year investment plan is currently in draft format. The Campus Operations Directorate actively monitors buildings on the Campus that are no longer of value to the Crown and have a working disposal plan for those buildings deemed to be no longer required (whether by transfer or demolition).  In addition, lifecycle management is being achieved, in the short-term, via the health and safety projects. These elements all support effective decision-making relative to real property. For the draft investment plan, there are opportunities to improve the rigor and documentation related to cost estimates, options analysis, rationale for projects and approvals.

Although a draft real property management framework has been established, no asset management plans are in place, which increases the risk that the lifecycle management approach will not be executed as designed. Further, without supporting analysis for the investment plan, there is a risk that management decisions made to support capital investments are based on inaccurate information.

Recommendation 3 (Medium Risk)

CRC, in consultation with the Corporate Management Sector, should finalize the real property management framework and its lifecycle management approach, develop asset management plans for all assets and ensure sufficient tools/guidance are in place for the development of the investment planning activities.

Project Management

A formal and effective project management approach has been taken for CRC's health and safety projects. However, key performance indicators were not established to allow measurement against expected outcomes.

As noted earlier in this report, capital investments have been made to address the infrastructure and health and safety issues on the Campus since 2012 and have served as an interim lifecycle management plan. Most recently, Budget 2016 provided $15.2M for seven projects to be completed by March 2018.

To ensure these projects were being managed appropriately and outcomes were being achieved, the audit reviewed a sample of the health and safety projects.  Testing indicated that the projects have been well managed with oversight and controls in place to allow for the delivery of the projects on time, within scope and on budget. Such controls include daily risk, issue and change management reports reviewed and discussed by the Real Estate and Property team, and the Director, Campus Operations; in-depth and in-person oversight by the President on a daily basis; monitoring and reporting of project schedules and status on a weekly basis to ISED senior management; and regular reporting to departmental oversight committees via ISED's stage-gate process.Footnote 5

While project outcomes were established within the business cases for each project, performance indicators were not determined to allow for measurement against the outcomes. Therefore, the projects have been measured based on time and budget only and not against project outcomes.  Without establishing performance indicators at the outset of a project, it is a challenge to determine the success of a project and whether it has achieved its objectives.

Given that these projects will be completed by March 2018, it will be important to establish performance indicators at the outset of future projects to enable measurement against the expected outcomes.

Management of Custodial Activities for Campus Partners

CRC has implemented an effective system to manage and track its maintenance activities on behalf of Campus partners. However, the process to recover costs from these partners is manual, complex and not fully documented.

As part of its role as a custodial organization, CRC is responsible to ensure that the maintenance of buildings and equipment is performed, and the associated allocation of costs to Campus partners is tracked and allocated appropriately.  Maintenance activities across the Campus are reported and tracked, and salaries for cost recovery are captured using a web-based software system called WebTMA. A dedicated Finance team is responsible to use the information in WebTMA, as well as information on Campus partner-associated expenses from the Integrated Financial Management System (IFMS), to recover costs from Campus partners using a pre-determined approach.  Cost recovery is based on the MOUs in place with each partner, which outline the services that each organization has opted in or out of, as well as the cost allocation methodology.

Cost Recovery

A complex series of spreadsheets are used to calculate and reconcile the amounts owing by each Campus partner for the custodial services provided by the CRC. 

Salary costs are determined using the information from three different systems: WebTMA, the Salary Reporting and Management System (SRMS) and IFMS. The process employed uses WebTMA to identify hours worked per technician and to determine the total costs per Campus partner. A reconciliation of this information is then conducted against IFMS to ensure that the calculated costs match with the actual costs within IFMS.

Non-salary expenses are extracted from invoice data housed in IFMS, and are then transferred to a "master data excel sheet" which uses pre-programmed formulae to allocate costs by type and to specific partners.

Testing found that there are approximately nine spreadsheets, with complex formulae embedded due to different cost drivers, used to determine both the salary and non-salary costs per billing period.  An extensive manual exercise is required to ensure that all costs have been allocated correctly, and that the formulae have calculated the amounts precisely. Despite this complexity, the current Standard Operating Procedure (SOP) for the cost recovery process only highlights the conversion of data from IFMS into the "master data excel sheet" and does not include all manual reconciliation steps in the process. In addition, at the time of the audit, only one individual within CRC was experienced and understood the full cost recovery process.

With such a manual and complex approach to both salary and non-salary cost recovery, there is a risk that recovery amounts could be inaccurate.  In addition, reliance on a single individual to generate billing amounts without sufficient documentation of the process, results in the risk that CRC would be unable to generate accurate recoverable amounts should the individual leave the organization.

Recommendation 4 (Medium Risk)

CRC should re-examine the current cost recovery method to identify opportunities to streamline and automate as much of the process as possible. In the short-term, the existing cost recovery process should be fully documented and cross-training of other employees should be prioritized.

Work Orders

A process has been established for the assignment and completion of maintenance work through WebTMA. The process is manual, as work orders are printed and handed to Operations employees, who perform maintenance activities and mark their hours on the printed work orders.  These physical work orders are reviewed by Shop Supervisors and then placed in a bin to signal approval, where they are collected by the Maintenance Program and Systems Officer and entered manually into WebTMA. 

Although there is a review by Shop Supervisors on the reasonability of the labour hours noted on the work orders, no reconciliation of work orders to the data entered in the system is performed.  Once labour hours and associated expenses are entered into WebTMA, the physical copies of the work orders are destroyed. As a result, there is no physical evidence retained of supervisory approval and there is no way to reconcile data entry in WebTMA after the fact. Without confirmation of approvals, or a review of the accuracy of information entered into WebTMA, there is a risk that the process used to finalise cost recovery data is inaccurate.

Recommendation 5 (Low Risk)

CRC should strengthen its work order process to include controls that ensure labour hours and costs associated with the completed work order are accurate when inputting into WebTMA.

Management of Campus Security

A comprehensive security program with standard operating procedures has been established by the CRC, and is risk-based.  However, there are opportunities to embed additional monitoring activities to strengthen the security program.

The physical security of the common areas of the Campus, including perimeter security, is the responsibility of CRC on behalf of all Campus partners. Security for and within partner buildings are not the responsibility of CRC. As a result of their responsibility, CRC has established a security program for the common areas based on a threat-risk assessment that is reviewed and updated every five years. As part of this program, a set of comprehensive SOPs has been developed that clearly outline roles and responsibilities for all stakeholders involved in Campus security.

A critical element of the Campus security program is access to the Campus. The security measures in place are mature. [This information has been severed]

A formal process is in place for security officers for the Campus partners (including CRC for their own employees) to authorize individuals to have access to the Campus which is administered by the Commissionaires at the front gate. [This information has been severed]

Recommendation 6 (Low Risk)

CRC should establish a process to periodically review the access granted to the Campus by the Commissionaires and periodically validate those with access with their Campus partners.

4.5 Management Response and Action Plan

The observations and recommendations of this audit were presented to CRC management. Management has agreed with the observations included in this report and will take action to address all recommendations by March 31, 2019.

A - For inclusion in the report

The findings and recommendations of this audit were presented to the Assistant Deputy Minister, Spectrum and Telecommunications Sector and the President of the Communications Research Centre. Management has agreed with the findings included in this report and will take action to address all applicable recommendations by March 31, 2019.

B - For follow-up purposes - Detailed actions to address the recommendations in the report

Recommendation Planned Action on the Recommendation Responsible Official (position) Target Completion Date
Recommendation 1 (Low Risk):
CRC should ensure that performance indicators related to its custodial activities, including the value of these activities, are reflected in the Branch performance measurement strategy that is currently being developed.
The CRC Performance Information Profile (PIP) accounts for the campus custodian role in both the program description and the Government-wide policy considerations section.  Additionally, the maintenance of CRC's facilities on the campus is included in the program logic model. CRC Director of Campus Operations -
Given that the focus of the Communications Technology, Research and Innovation Program is on scientific research and not on campus custodial operations, there are currently no performance metrics in the PIP dedicated to the CRC's stewardship functions.  CRC will develop performance indicators related to its custodial activities and ensure these indicators are reflected within the PIP. CRC Director of Campus Operations Milestone 1:
Develop campus custodial performance indicators to be included within the PIP:
April 30, 2018
CRC will perform a survey with campus partners in order to assess the performance of CRC's custodial activities against the established performance indicators.  The survey will allow campus partners to rate core custodial services provided by the CRC and will highlight any areas for performance improvement.  CRC Director of Campus Operations Milestone 2:
Complete Performance Measurement Survey with Campus Partners
December 31, 2018
Recommendation 2 (Low Risk):
CRC should establish a formal methodology for risk identification, assessment, mitigation and ongoing monitoring/reporting for the real property portfolio.
CRC is currently finalizing a comprehensive 5 year investment plan that tracks all campus investment activities against criteria such as budget and completion, ensures engagement through regular reviews, and provides maintenance planning for custodial assets. The investment plan provides risk information for all campus custodian activities and provides the ability for CRC to link risk assessments with investment decisions on an ongoing basis. More specifically, each activity will be assigned a level of risk according to impact and probability, prioritized, and factored into investment decision making. CRC Director of Campus Operations Milestone 1:
Develop 5 year Investment Plan:
September 30, 2018

The investment plan will be developed by the Campus Operations Directorate who will take into consideration the risks across the entire campus including: Operations, Real Estate and Property and Fire and Security.  Activities approved on the investment plan will help to mitigate identified risks and will be monitored and reported throughout the year.

The investment planning process will ensure that President approval is received for CRC specific activities and Campus Steering Committee approval is received for costs shared with Campus partners.

CRC Director of Campus Operations Milestone 2:
Finalize 5 year Investment Plan including the proposed risk methodology:
March 31, 2019
Recommendation 3 (Medium Risk):
CRC, in consultation with the Corporate Management Sector (CMS), should finalize the real property management framework and its lifecycle management approach, develop asset management plans for all assets and ensure sufficient tools/guidance are in place for the development of the investment planning activities.
CRC is currently finalizing a comprehensive 5 year investment plan that tracks all campus investment activities.  CRC will ensure the investment plan includes asset management lifecycle plans for campus custodial assets. CRC Director of Campus Operations Milestone 1:
Develop 5 year Investment Plan:
September 30, 2018

CRC in collaboration with CMS developed an ISED Real Property Framework in June 2016.  CRC, in consultation with CMS, will update and finalize the Real Property Framework pertaining to CRC. CRC Director of Campus Operation Milestone 2:
Update Real property Framework:
December 31, 2018
The 5 year investment plan and the ISED Real Property Framework will provide the tools/guidance required for sound investment planning at the CRC. CRC Director of Campus Operation Milestone 3:
Finalize 5 year Investment Plan including the proposed asset management plans:
March 31, 2019
Recommendation 4 (Medium Risk):
CRC should re-examine the current cost recovery method to identify opportunities to streamline and automate as much of the process as possible. In the short-term, the existing cost recovery process should be fully documented and cross-training of other employees should be prioritized.
CRC has begun to cross-train finance staff to ensure coverage of the tenant billing function.  There are currently three employees within the CRC finance team capable of performing most of the cost recovery function.  Full cross-training will be completed by September 31, 2018.

CRC Director of Finance Milestone 1:
Complete full cross-training:
September 30, 2018
CRC will continue to review the cost recovery process to streamline and automate processes where possible.  More specifically, CRC will centralize a repository of cost recovery documentation and will streamline and automate processes through automating interlinkages between the documents, minimizing redundancies, and removing unnecessary manual worksheet reconciliations. Additionally, CRC will better document the existing Standard Operating Procedures (SOP) for the cost recovery to ensure CRC employees have a comprehensive toolset for processing cost recovery information in a consistent manner. CRC Director of Finance Milestone 2:
Process Streamline and Automation:
December 31, 2018
Recommendation 5 (Low Risk):
CRC should strengthen its work order process to include controls that ensure labour hours and costs associated with the completed work order are accurate when inputting into WebTMA.
CRC will strengthen the work order process by ensuring physical copies of work orders are retained for one year and by ensuring regular reviews of TMA are completed by managers to ensure all employee hours are accounted for in the system and that hours worked against client facilities/activities are reflected accurately. Furthermore, TMA management reports will be developed, such as dashboard and labor trend analysis, to help managers ensure the TMA system is reporting employee hours accurately. CRC Director of Campus Operations Milestone 1:
December 31, 2018
Recommendation 6 (Low Risk):
CRC should establish a process to periodically review the access granted to the Campus by the Commissionaires and periodically validate those with access with their Campus partners.
CRC will formalize a process to ensure Campus Partners validate individuals with site access on an annual basis. CRC Director of Campus Operations Milestone 1:
September 30, 2018

5.0 Overall Conclusion

CRC has established a formal governance structure for oversight of all of its activities, including a committee structure that supports engagement with Campus partners on custodial services. Significant oversight and diligence is being applied to the management of health and safety projects, including the application of formal project management activities and ongoing oversight by senior management within CRC and ISED. A comprehensive security program with standard operating procedures has been established by the CRC, and is risk-based.

CRC should ensure that its performance indicators and risk management approach both reflect its custodial activities. The real property management framework and its lifecycle management approach (currently under development) should be finalised and implemented, and CRC should ensure that asset management plans are developed to support investment planning activities. There are opportunities to strengthen and automate the cost recovery process, and implement additional controls to ensure the process is followed.

Appendix A: Audit Criteria

Governance and Risk Management
Audit Criteria Sub-Criteria
1. There is an effective governance structure to oversee the custodial activities of the CRC. 1.1 A formal governance structure, including roles and responsibilities and decision making processes, has been established and is working effectively to oversee the custodial activities of the CRC.
1.2 A formal risk management program is in place within CRC to identify, assess, manage and report on the risks associated with its custodial responsibilities.
Internal Controls
Audit Criteria Sub-Criteria
2. An effective management control framework is in place and operating effectively over the Real Property and custodial responsibilities of the CRC. 2.1 Lifecycle planning and associated capital investment decisions are made to support the management of CRC's Real Properties.
2.2 Mechanisms are in place and are working effectively to assess compliance with applicable health and safety standards for CRC's Real Properties and address any required remediation.
2.3 Projects identified to address health and safety issues continue to achieve expected outcomes.
2.4 Controls, including those with existing systems (e.g. WebTMA), have been designed and are operating effectively to manage CRC's real property portfolio in accordance with its MOUs and applicable policies, codes and standards.
2.5 Controls over the cost recovery process in place for CRC's custodial operations are adequate and operating as intended to support the cost-sharing arrangements in place with its partners.
2.6 A risk-based, physical security program, that outlines roles and responsibilities, is in place to support the custodial responsibilities of the CRC.