Audit of the Project Management of the Food Safety Action Plan

March 2012


Table of Contents


1.0 Executive Summary

1.1 Introduction

On December 17, 2007 the Prime Minister announced the Food and Consumer Safety Action Plan (FCSAP). The Plan introduced new measures on food and product safety to ensure that Canadians have confidence in the quality and safety of what they buy. The FCSAP is a horizontal initiative aimed at modernizing and strengthening Canada's safety system for food, health and consumer products.

The FCSAP is an integrated, risk-based action plan built on the three pillars of active prevention, targeted oversight, and rapid response. It is a joint federal initiative with Health Canada (HC), the Public Health Agency of Canada (PHAC) and the Canadian Institutes of Health Research (CIHR).

The Canadian Food Inspection Agency (CFIA) is the lead federal government organization responsible for delivering on the Government's commitments to enhance food safety. The food portion of the FCSAP was developed jointly by the CFIA, Health Canada and the PHAC.

The Food Safety Action Plan (FSAP) is a five-year (2008-2013) project for the CFIA and it is a major component of the Government of Canada's broader FCSAP. Initiatives under the CFIA's FSAP aim to enhance oversight of imported and domestic food products. They will allow the CFIA to respond more quickly and effectively to food safety threats, while also being able to identify potential risks sooner and with more precision.

Total funding for the CFIA FSAP project is $223.4M over five years (2008-2013). The CFIA is in year four (fiscal year (FY) 2011-12) of implementing the FSAP with a $52.4M budget.

Commencing April 2010, there was a shifting emphasis within the Agency towards a more focused approach on how projects are to be managed. In particular, there was greater engagement by Senior Management and the formal roll-out of an Agency Enterprise Project Management Office (ePMO) providing tools, templates and training on various aspects of Project Management to Agency personnel.

This audit was approved in the Internal Audit Directorate's 2011-12 to 2013-14 Risk-Based Audit Plan.

1.2 Audit Objective

The objective of this audit was to provide assurance that the project management framework used in the design and implementation of the Food Safety Action Plan was in accordance with accepted standards.

1.3 Audit Scope

The scope of the audit was the FSAP five-year project (2008-2013). The audit period initially covered was from April 2008 to December 2010.

Upon the recommendation of the CFIA Audit Committee, the period of the audit was extended to October 2011. This was to allow the Project Management Office an opportunity to implement recently adopted Agency project management practices and to enable a review of the FSAP Transition Plan.

1.4 Main Findings and Recommendations

The Agency has made progress to enhance the overall project management framework for the management of FSAP. Taking into consideration that the FSAP initiative is now in its fourth year, the audit placed particular emphasis on information that could be applied to future initiatives of this type.

Governance

Finding 1.1: There is a clearly defined and active governance structure in place to provide overall direction, decision making and resource commitment to the FSAP project.

Risk Management

Finding 2.1: Significant progress has been made in the development of a rigorous risk management approach but there remains some opportunity for enhancement.

Internal Control

Finding 3.1: A formal project management methodology is in place but the FSAP integrated project plan is still undergoing refinements.

Finding 3.2: Regular reporting and monitoring of FSAP key indicators and high-level financial results is in place; however, there was no formal monitoring of FSAP deliverables and activity results.

Finding 3.3: Initial planning is underway for the management of ongoing Agency funding of $54.9M.

Recommendation: The VP of the Policy and Programs Branch should ensure that a detailed Transition Plan is developed, documented and implemented.

1.5 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria. The opinion is applicable only to the entities examined and within the scope described herein.

1.6 Audit Opinion1

In my opinion, the Project Management of the Food Safety Action Plan has an adequate governance structure in place but there are opportunities for improvement related to internal control and risk management processes.

Brian Smith
A/Chief Audit Executive, CFIA

1 All audit opinions relate to significant systemic weaknesses. Risks related to any identified weaknesses vary in terms of materiality and potential impact on the entity's ability to achieve its objectives.

2.0 About the Audit

2.1 Background

On December 17, 2007 the Prime Minister announced the Food and Consumer Safety Action Plan (FCSAP). The Plan introduced new measures on food and product safety to ensure that Canadians have confidence in the quality and safety of what they buy. The FCSAP is a horizontal initiative aimed at modernizing and strengthening Canada's safety system for food, health and consumer products.

The FCSAP is an integrated, risk-based action plan built on three pillars: active prevention; targeted oversight; and rapid response. It is a joint federal initiative with Health Canada (HC), the Public Health Agency of Canada (PHAC) and the Canadian Institutes of Health Research (CIHR).

The Canadian Food Inspection Agency (CFIA) is the lead federal government organization responsible for delivering on the Government's commitments to enhance food safety. The food portion of the FCSAP was developed jointly by the CFIA, Health Canada and the PHAC.

The Food Safety Action Plan (FSAP) is a five-year (2008-2013) project for the CFIA. It is a major component of the Government of Canada's broader Food and Consumer Safety Action Plan. Initiatives under CFIA's FSAP aim to enhance oversight of imported and domestic food products. This will allow the CFIA to respond more quickly and effectively to food safety threats, while also being able to identify potential risks sooner and with more precision.

Total funding for the CFIA FSAP project is $223.4M over five years (2008-2013). The CFIA is in year four (fiscal year (FY) 2011-12) of implementing the FSAP with a $52.4M budget.

Food Safety Action Plan (FSAP)
CFIA Resources Year 1
2008-09
Year 2
2009-10
Year 3
2010-11
Year 4
2011-12
Year 5
2012-13
Ongoing Total $
(Y1-Y5)
FTEs 119.0 185.0 241.0 262.0 290.0 289.0  
$ M $ 22.9 $ 39.3 $ 52.4 $ 52.4 $ 56.4 $ 54.9 $ 223.4

CFIA's objectives of the FSAP are to:

  • Enhance capacity to identify risks, determine where they come from, and how to reduce and mitigate them;
  • Provide inspectors with additional tools to prioritize their activities, verify compliance, and take enforcement actions;
  • Improve consumers' ability to be well engaged in order to make informed decisions - they must play an active role in the safety of their food; and
  • Ensure that industry and stakeholders play an active role in the safety of food by improving the Agency's guidance to assist them in implementing effective control systems.

Under FCSAP, thirteen interdependent areas of activity have been identified specifically for CFIA's action:

  • Risk Mapping/Baseline Surveillance;
  • Development & Implementation of Food Safety Systems;
  • Implementation of Importer Licensing;
  • Enhanced Offshore Efforts;
  • Appropriate Regulatory Backstops;
  • Public Consultation & Engagement Tools;
  • Product of Canada Labelling
  • Enhanced Inspection of High Risk Sectors;
  • Border Blitzes;
  • Enhanced Tracking of Imports;
  • Enhanced Recall Capacity;
  • Targeted Consumer Risk Communication; and
  • IM/IT Enabled Business Projects.

2.2 Objective

The objective of this audit was to provide assurance that the project management framework used in the design and implementation of the Food Safety Action Plan was in accordance with accepted standards.

2.3 Scope

The scope of the audit was the FSAP five-year project (2008-2013). The audit period initially covered was from April 2008 to December 2010.

Upon the recommendation of the CFIA Audit Committee, the period of the audit was extended to October 2011. This was to allow the Project Management Office an opportunity to implement recently adopted Agency project management practices and to enable a review of the FSAP Transition Plan.

2.4 Methodology

Audit criteria identify the standards against which an assessment is made, clarify the audit objectives, and form a basis for the work plan and conduct of the audit. The audit criteria are specific to the audit objective and scope of this project. For each of the criteria, the relationship to governance, control or risk management or a combination of the three has been identified. Detailed sub-criteria can be found in Appendix A.

Audit criteria for this audit were developed based upon a number of authoritative sources. These included the Office of the Comptroller General's DRAFT Core Management Controls, professional associations' standards, generally recognized industry norms and accepted good practices. In particular, with the audit emphasis on project management, additional sources of criteria for this audit included the following:

  • Project Management Body of Knowledge (PMBOK)– the Project Management Institute's (PMI) standards document for project management knowledge and practices;
  • The Information Systems Audit and Control Association's (ISACA) Audit Program and Internal Control Questionnaire, which reflected the Control Objectives for Information and related Technology (COBiT) – the IT Governance Institute's framework for IT and project management practices; and
  • Enhanced Management Framework (EMF) – Treasury Board Secretariat (1996).

Audit criteria for the audit objective were as follows:

Governance

  • A project governance structure to provide overall direction, decision making and resource commitment to the FSAP Project was established and is working effectively.

Risk Management

  • A documented risk management process exists and is being employed to identify, assess and respond to risk.

Controls

  • The Project plan is complete and reflects the FSAP project as a whole including key tasks, milestones, dependencies and deliverables.
  • Project management expertise, tools and processes are in place to guide the FSAP delivery and are functioning properly.
  • A documented process exists to monitor issues and is being used to identify, assess, develop and monitor plans, and review concerns on a regular basis.
  • Project status and results are monitored, tracked, controlled and reported to the appropriate levels within the Agency.
  • FSAP Transition Plan, from a project to the program area, is complete and reflects the ongoing activities of FSAP in the future.

The following audit approaches were applied during the conduct of the audit to ensure the collection of appropriate audit evidence:

  • Conducting interviews with FSAP PMO team members and other senior management;
  • Reviewing and analyzing FSAP project management documents/data;
  • Detailed review of the governance committee structure including records of decisions, minutes;
  • Testing of key Project Management processes (e.g., Project Plan, Issues Management, Risk Management, Change Management);
  • Recording of observations and evidence; and
  • Concluding on observations with regard to audit criteria.

Audit planning was initiated in June 2010. Audit fieldwork began in September 2010 and was restarted in September 2011 with fieldwork ending in October 2011.

3.0 Findings and Recommendations

3.1 Introduction and Context

The FSAP initiative is currently in its fourth year. While there has been much progress to enhance the overall project management framework being employed, we found that some components could not be fully implemented as intended and need more time to mature.

Commencing April 2010, there was a shifting emphasis within the Agency towards a more focused approach on how projects are to be managed. In particular, there was greater engagement by Senior Management on the status, success and progress of large Agency initiatives, such as FSAP. This led to the formal roll-out of an Agency Enterprise Project Management Office (ePMO), which provides tools and templates as well as training on various aspects of Project Management to Agency personnel.

Taking into consideration that the FSAP initiative is now in year four of five, the audit placed particular emphasis on information that could be applied to future initiatives of this type.

3.2 Governance

Finding 1.1: Governance

There is a clearly defined and active governance structure in place to provide overall direction, decision making and resource commitment to the FSAP project.

We expected to find an established project governance structure working effectively to provide overall direction, decision making and resource commitment to the FSAP Project.

The initial governance structure was enhanced commencing September 2010 with the PMO reorganized under an Associate Vice-President. The FSAP governance structure now has three (3) governance committees: FSAP Senior Project Advisory Committee (SPAC), FSAP Steering Committee (SC), and FSAP Management Committee (MC). The revised governance structure has formalized roles and responsibilities for each committee. In addition, weekly updates to senior management have begun and a deliverable dashboard has been implemented.

Based on a sample review of Records of Decisions from the three FSAP governance committees, the committees are meeting on a monthly basis, have the appropriate levels represented at the meetings and are addressing main FSAP components (e.g., issues, risks, and changes).

3.3 Risk Management

Finding 2.1: Risk Management

Significant progress has been made in the development of a rigorous risk management approach but there remains some opportunity for enhancement.

We expected to find a documented risk management process being employed to identify, assess and respond to risk.

As part of the enhanced governance structure, a Project Manager responsible for risk identification and risk management was identified. In addition, a consulting firm was engaged to conduct an assessment of risks to the project and establish a comprehensive baseline risk register for ongoing use. Risks began to be formally tracked in March 2011.

A random sample of identified risks was conducted to determine if risks were being identified in a consistent way and discussed/actioned at the appropriate governance level. We found that risks are being tracked, documented, discussed and actioned at the appropriate governance levels. Further refinement was made to the risk management process through the definition and documentation of formal risk management documents including process flowcharts, risk management procedures and defining roles.

Nevertheless, the methodology used to define risks may be further improved to support a consistent and comprehensive approach; for example, criteria for how probability and impact levels are measured and assigned (high, medium and low) were not included in the description, risk assessment procedures do not take into consideration external and internal factors, and the project risk types are defined against project scope, cost or schedule but do not provide definitions. The documentation for the mitigation strategies could also be amplified.

3.4 Internal Control

Finding 3.1: Project Management Methodology

A formal project management methodology is in place but the FSAP integrated project plan is still undergoing refinements.

We expected to find that a FSAP PMO would be established with project management expertise, tools and processes to guide the project delivery. This includes reporting of activities against an integrated project plan along with key tasks, milestones, deliverables and completion rate identified.

Progress has been made in the development of a project plan for FSAP. In conjunction with the Agency-wide roll-out and adoption of an Enterprise Project Management Office (ePMO) methodology in 2010, the FSAP PMO implemented ePMO templates in Year 3. A FSAP project scope document has since been prepared and a detailed Integrated Project Plan with a defined work breakdown structure, identifying milestones, deliverables and dependencies was still under development at the time of undertaking the audit. The FSAP PMO has now formally documented the core project management processes such as Issues Management, Risk Management, and Change Management.

Roles and responsibilities for FSAP PMO staff were drafted, documented and communicated. Staff received training from the ePMO on core project management principles, processes, tools, techniques and templates. In addition, the FSAP PMO is supplementing these resources with staff that have knowledge of branch activities to assist with overall FSAP integration and planning. Staffing remains a challenge for the FSAP PMO.

Finding 3.2: Reporting and Monitoring

Regular reporting and monitoring of FSAP key indicators and high-level financial results is in place; however, there was no formal monitoring of FSAP deliverables and activity results.

We expected to find the reporting of FSAP activities would include regular status reports and results in order to guide the delivery of the project and to provide the Agency with a clear understanding of the results and achievements of the FSAP activities.

We found that in the first three years of the project, annual reports highlighting the overall achievements of the initiative were produced. With the exception of these reports, status updates and ongoing monitoring of FSAP activities were limited and as such we were not able to conduct a review of the financial data for this period of time. As there was not an overall Integrated Project Plan guiding the project, reporting on the FSAP areas of activity was inconsistent in its level of detail and tracking results was difficult.

There were independent reviews conducted surrounding the IM/IT activity (one of the thirteen activities) of the project in Years 2 and 3 of the initiative. This resulted in increased attention to the FSAP activities and actions were taken to strengthen the overall project management framework including the formalization of core project management processes, and clarifying and defining resource requirements.

Regular monthly dashboard reports are completed and are provided for information at governance committee meetings. The dashboards are completed by area of activity and provide high level project information as well as status indicators on overall project health, scope, cost, schedule, risks and issues. Formal monitoring of the financial variances between the forecasted amounts and the budgeted amounts has also begun. The FSAP PMO is completing its first detailed analysis between the Branch work-plans and the actuals being reported.

However, at the time of our audit, reports did not permit variance analysis between monthly actual and budgeted amounts. Additionally, detailed reports further broken down by deliverable are not able to be produced by the financial system. Management has since indicated that regular activity reporting is underway.

Finding 3.3: Transition Plan

Initial planning is underway for the management of ongoing Agency funding of $54.9M.

We expected to find a Transition Plan covering the wind-down activities of the FSAP PMO and plans for the ongoing activities of FSAP for the future. A Transition Plan identifies the remaining work to be completed as well as resources required to complete the work with clearly defined roles and responsibilities.

We found that the FSAP transition activities are in the initial planning stages with limited documentation available at this time concerning the ongoing management of the $54.9M allocated for FY 2012-13. It is understood that as a direct output from the Program Design activity there will be identification of resources and accountabilities for ongoing FSAP activity (e.g., budget allocation, and number of FTEs).

In recognition of the ongoing activity that will be conducted after Year 5 of the FSAP initiative, the FSAP PMO has identified a transition lead tasked with developing the overall Transition Plan. At the time of our audit an outline for a detailed Transition Plan had been developed.

Recommendation:

The VP of the Policy and Programs Branch should ensure that a detailed Transition Plan is developed, documented and implemented.

Appendix A: Audit Criteria

Governance

  • A project governance structure to provide overall direction, decision making and resource commitment to the FSAP Project was established and is working effectively.
    • Effective oversight bodies are established.
    • The oversight body (or bodies) has a clearly communicated mandate that includes roles with respect to governance, risk management and control.
    • Authority, responsibility and accountability are clear and communicated.

Risk Management

  • A documented risk management process exists and is being employed to identify, assess and respond to risk.
    • Management has a documented approach with respect to risk management that: identifies the risks that may preclude the achievement of objective; assesses the risks it has identified; formally responds to its risks.
    • A documented risk management process exists and is being used to identify and assess risks, develop a risk response, and maintain and monitor the risk action plan.
    • Planning and resource allocations consider risk information.

Internal Control

  • Project status and results are monitored, tracked, controlled, and reported to the appropriate levels within the Agency.
    • A communication strategy/plan has been developed and implemented regarding communication of results and progress to external stakeholders (outside of the FSAP PMO).
    • The activities, schedules and resources needed to achieve objectives have been integrated into the budget.
    • Budgets for FSAP initiatives are established and expenditures are monitored against the established budgets.
    • A formal process is in place to challenge the assumptions and related resource allocations within the budget.
    • Forecasts are monitored on a regular basis.
    • Transactions are coded and recorded accurately and in a timely manner to support accurate and timely information processing.
    • Reviews are conducted to analyze and compare and explain financial variances between actual and plan.
    • Financial and non-financial reporting is reviewed and approved.
  • The project plan is complete and reflects the FSAP as a whole including key tasks, milestones and deliverables.
    • FSAP has a clearly defined and communicated Plan (strategic directions and strategic objectives, aligned with its mandate).
    • A resource plan is in place identifying skilled, knowledgeable and experienced personnel for the FSAP PMO with clearly defined roles and responsibilities that are documented, communicated and understood.
  • A documented risk management process exists to monitor issues and is being used to identify, assess, develop and monitor plans and review concerns on a regular basis.
    • The oversight body/bodies request and receive sufficient, complete, timely and accurate information.
    • Management monitors issues and adjusts course as needed.
    • A documented issue management process exists and is being used to identify and assess issues, develop and monitor an action plan, and review open issues on a regular basis.
  • Project management expertise, tools and processes are in place to guide the FSAP delivery and are functioning properly.
    • Recruitment, hiring and promotion consider the current and future needs of the organization.
    • Sound change management techniques are applied, to ensure all scope changes are documented and approved.
  • FSAP Transition Plan, from a project to the program area, is complete and reflects the ongoing activities of FSAP in the future.
    • To ensure successful transition, the scope, specific objectives, assumptions and dependencies of FSAP Project activities are documented and well understood.
    • Qualified and adequate resources are in place to complete the FSAP Transition activities with clearly defined and understood roles and responsibilities.
    • Details of a high level project work plan are documented and communicated in a timely manner describing the key activities/tasks, milestones and dates, resources, and work breakdown structure of FSAP Transition activities.
    • Post-FSAP lesson learned are documented and communicated across the Agency.