Canada Border Services Agency

ARCHIVED - Audit of CBSA IT Infrastructure Service Delivery Agreements
Internal Audit Report


February 2008

Executive Summary

The objective of the audit was to provide assurance to Canada Border Services Agency (CBSA) senior management of the following:

  • that memoranda of understanding (MOUs), service level agreements (SLAs) and service delivery agreements (SDAs) used by the CBSA meet service expectations and delivery;
  • that these documents are monitored and reviewed cyclically to address the changing business requirements of the CBSA; and
  • that the controls are effective and complete in mitigating the inherent risks associated with the management of the SDAs.

The audit scope included the examination of the terms and conditions of the MOUs, SLAs and SDAs for information technology (IT) infrastructure service delivery. As well, it assessed the appropriateness of the management controls in place within the current environment and their effectiveness in meeting the CBSA's overall objective for IT infrastructure service delivery during the period of November 2006 to June 2007.

Excluded from the scope of the audit were specific IT internal controls for managing the infrastructure (such as IT infrastructure operations, procedures and instructions; job scheduling; direct performance monitoring; physical safeguards; and inventory management and preventive maintenance) and the examination of the terms and conditions of the MOUs and SLAs for provision of administrative services.

The audit fieldwork was conducted by Interis Consulting Inc. between May and July 2007.

Audit Opinion

The audit found that CBSA service expectations and delivery were met and monitored against the MOUs and related documents (SLAs, SDAs and business management frameworks). These agreements were cyclically reviewed and controls existed to manage operational risks associated with SDAs. Opportunities exist to better define services and service levels, to align business and IT strategic directions, and to improve risk-management practices.

Summary of Audit Findings

The audit of MOUs, SLAs and SDAs for IT infrastructure service delivery noted a number of strengths:

  • Authorities, responsibilities and accountabilities are documented and understood at all levels.
  • A governance structure that prioritizes IT resources in line with business needs is being enhanced and finalized with the service providers.
  • MOUs, SLAs, SDAs and other related documents are regularly reviewed and there are formal processes in place to ensure that changes to these documents are appropriately approved and communicated. 
  • Dispute resolution processes are in place and effective.

Controls associated with MOUs, SLAs and SDAs for IT infrastructure service delivery should be strengthened in the following areas:

  • IT services and service level definition -- IT services and service levels are not always clearly defined or consistently understood within the existing arrangements. This makes it difficult to calculate the cost associated with the service and assess performance.
  • Alignment of business and IT strategic directions -- Business and IT infrastructure strategic directions of the CBSA and its service providers are aligned; however, the approval process for IT infrastructure investments was not coordinated between the CBSA and its service providers, which added risk to the investment decision process.
  • Risk management -- Risk management is operational in nature. Formal risk management of IT infrastructure service delivery risks at the corporate level was at the initial stages. Without a systematic risk-management process, risks to the achievement of the service delivery objectives may materialize.

Management's Response

Office of Primary Interest: Innovation, Science and Technology Branch

The Innovation, Science and Technology Branch agrees with the findings in this report. Many of the recommendations were also identified in a review undertaken with the CBSA's service providers to enhance its shared services model.

1. Introduction

1.1 Background

The Canada Border Services Agency (CBSA) was created in December 2003 and it was agreed that the Agency would obtain specific information technology (IT) services and support from external service providers. These IT services and support are governed through memoranda of understanding (MOUs), service level agreements (SLAs) and service delivery agreements (SDAs). While the major components of the infrastructure and the systems, and the IT services and support are provided by external service providers, the CBSA is responsible for the integrity, security and access control to its line of business systems.

In view of these arrangements, the CBSA identified the requirement for an audit of the governance arrangements of the delivery of IT services to the CBSA. This audit was considered a priority in light of the complexity of the current governance arrangements, the degree of change across the Agency and the importance of clear direction, accountability and oversight of IT infrastructure service delivery.

1.2 Objectives and Scope

Overall, the audit was to provide the necessary assurance to senior management of the following:

  • that MOUs, SLAs and SDAs used by the CBSA meet service expectations and delivery;
  • that these documents are monitored and reviewed cyclically to address the changing business requirements of the CBSA; and
  • that the controls are effective and complete in mitigating the inherent risks associated with the management of the SDAs.

The audit scope included the examination of the terms and conditions of the MOUs, SLAs and SDAs for IT infrastructure service delivery. As well, it assessed the appropriateness of the management controls in place within the current environment and their effectiveness in meeting the CBSA's overall objective for IT infrastructure service delivery during the period of November 2006 to June 2007.

Excluded from the scope of the audit were specific IT internal controls for managing the infrastructure (such as IT infrastructure operations, procedures, and instructions; job scheduling; direct performance monitoring; physical safeguards; and inventory management and preventive maintenance) and the examination of the terms and conditions of the MOUs and SLAs for provision of administrative services.

1.3 Audit Criteria

Audit criteria were developed based on risk elements inherent to IT infrastructure service delivery, the management of the SDAs, public sector trends for effective IT infrastructure service delivery governance and the Control Objectives for Information and related Technology (CobiT) framework issued by the IT Governance Institute. These criteria form the foundation for a comprehensive assessment of the CBSA for IT infrastructure service delivery.

The audit criteria used to assess the CBSA's overall business practices, general controls and governance processes for IT infrastructure service delivery were organized into the following four categories:

  • Strategic and operational direction
  • Authority, responsibility and accountability
  • Risk management
  • Monitoring results and reporting

The audit criteria are presented in Appendix A.

1.4 Approach and Methodology

The approach and methodology were risk-based and compliant with the Treasury Board of Canada Secretariat's Policy on Internal Audit. The audit was conducted in accordance with an audit program that defined audit tasks to assess each criterion. Through interviews and documentation review, the audit team assessed the current practices against the criteria and formally assessed the effectiveness of each practice.

Interviews were conducted with various representatives of the different areas in the Innovation, Science and Technology Branch (ISTB), with CBSA regional managers who represented their regions and with identified managers from the external service providers.

The audit project was undertaken by Interis Consulting Inc. The audit planning took place between November 2006 and January 2007 and the fieldwork was conducted between May and July 2007.

2.0 Overview

The ISTB is responsible for the management of the IT services provided by the external service providers. The CBSA obtains external services from information management and IT services providers for the following:

  • The support and operation of legacy business systems and supporting infrastructure required by the various branches and port of entry functions that were transferred to the CBSA. The service providers manage and support some legacy business systems and supporting infrastructure.
  • IT infrastructure services (consisting of technology and data infrastructure); support for identified applications; the e-commerce platform; and the management of hardware, software and outsourced core services (such as the telecommunication network) and the national hardware maintenance contract. The service provider has physical control over the major components of the infrastructure and the systems required to support the workload of the CBSA. As such, the service provider manages the national IT support service, the data centre, the local area network and desktop computer services for internal CBSA end-users.

Arrangements with the external service providers were governed by MOUs, SDAs, SLAs and business management frameworks (MFs). Definitions of these documents are provided in Appendix B.

In 2006, and in collaboration with a service provider, the CBSA agreed to proceed and implement an enhanced shared services initiative in order to create a sustainable shared services IT infrastructure model that included the following:

  • Clear governance and joint investment processes;
  • Clear accountabilities and responsibilities;
  • A well-understood and agreed-upon funding model;
  • SLAs and service management; and
  • Aligned goals, common interests and shared directions for IT infrastructure.

An action plan was established to identify activities, timetables and responsibilities to update and finalize the MOUs, SLAs and MFs. Work on this initiative was under way during the course of the audit with a target completion date of June 2007.[1]

The annual cost to the CBSA for services to manage access to the legacy business systems and to provide technology support is $2.5 million. In the 2006–2007 fiscal year, the CBSA paid a total of $102 million for IT services and this amount is forecasted to increase to $130 million in 2007–2008:

Pro forma statement as at July 3, 2007

| Types of services | 2007–2008 confirmed and forecasted payments ($ millions) | 2006–2007 actual payment ($ millions) |
| --- | --- | --- |
| Shared services: infrastructure administration services and IT infrastructure services; IT architecture and consulting services; regional IT services | $69.84 (confirmed) | $62.13 |
| Incremental existing services: additional requirements for shared services | 8.49 (forecast) | 7.71 |
| Asset replacement/procurement: evergreening and additions to the IT asset base | 6.34 (forecast) | 9.27 |
| Contracts: hardware and telecommunications equipment, etc. | 1.04 (forecast) | 5.43 |
| Development: planning and development of IT solutions | 41.78 (forecast) | 14.99 |
| Total | $127.49 | $99.53 |

Note: The shared services amounts represent the ongoing costs as well as capital replacement costs associated with the operation of the shared infrastructure. Other forecasted amounts are variable based on the amount of new CBSA development and procurement activities in a given fiscal year.

3.0 Audit Findings

3.1 Authority, Responsibility and Accountability

Authorities, responsibilities and accountabilities are documented and understood at all levels; however, formal documents (SLAs, MFs and SDAs) have not been signed by the CBSA or all service providers.

The authority, responsibility and accountability of IT infrastructure service delivery should be clearly articulated and understood by all relevant parties in a consistent fashion.

The audit found that the MOUs, SLAs, SDAs and MFs provide definitions of roles, responsibilities, accountabilities and authorities. As well, regular communications between the CBSA and the service providers have led to a common understanding of authorities, roles and responsibilities. The governance structure, with its layers of management meetings, provides a forum for the discussion, definition, assignment and clarification of roles, responsibilities, authorities and accountabilities. 

In one case, the service provider has established a relationship management role to provide a single window to its services and continues to support horizontal communication based on function and need. As well, where the CBSA has a number of sites and critical business systems that require both a higher level of support and support outside normal business hours, the roles, responsibilities and accountabilities are particularly well documented, understood and applied.

Although they were commonly accepted as authority documents, the audit noted that the SLAs, SDAs and MFs were not signed by the CBSA or the service providers. These documents are currently being reviewed and revised, and are expected to be signed by the responsible parties to finalize the approval process.

While authorities, responsibilities and accountabilities are documented and understood, the lack of formally approved agreements between the CBSA and the service providers may lead to the perception that the agreements are incomplete or that there is a lack of commitment by senior management to those agreements. It increases the risk of misunderstandings and misinterpretations regarding services and service levels, the content and frequency of performance reporting, and the calculation for service costs.

Recommendation:

  1. The ISTB should establish a timetable and implement the necessary actions to complete the current initiatives to review and approve all MOUs, SLAs, SDAs and MFs with its service providers.

| Management Action Plan | Completion Date |
| --- | --- |
| A review of the MOU between the service provider for IT services and the CBSA is under way. | June 30, 2008 |
| A review of the SLAs for regional IT services and for architecture and consulting services has been initiated. The associated business management framework documents will be addressed during the same time period. | June 30, 2008 |
| The review of SLAs for IT infrastructure services and infrastructure administration services will be completed in the 2008–2009 fiscal year. | March 31, 2009 |
| The SDAs (now called SLAs) with the service provider for access to the legacy business systems and technology support services have all been written and are in the review and consultation process. A review of the IT addenda will also be conducted in this time frame. | June 30, 2008 |

3.2 Governance Structure and Reviews

A governance structure that prioritizes IT resources in line with business needs is being enhanced and finalized. IT service agreements were reviewed and there were formal processes in place to ensure that changes are appropriately approved and communicated. 

The governance structure for IT infrastructure service delivery should ensure that IT management processes are in place to set strategic directions, develop operational plans, identify priorities and objectives, and communicate with the service providers. 

The audit found that the governance structure with the two external service providers is at different stages of development. The nature and scope is different for each of the two service providers. In one case, it is a client/service provider relationship; in the other, there is also a business partnership with shared systems and information.

In one case, there is a governance structure with established committees at the strategic and operational levels to ensure bilateral communication of priorities and issues. Bilateral meetings are held regularly at different levels, including quarterly meetings between the senior executives. In addition, a new committee was recently established to focus attention on strategic planning and alignment with business requirements and IT priorities. Through this governance structure, the audit noted there were regular reviews of the IT service agreements that included an annual meeting by the most senior representatives to review the MOUs and SLAs -- this is a requirement of the service agreements to ensure continued applicability and currency.

With the other service provider, the governance structure had been defined and was going through the approval process at the time of the audit. Previously, the prioritization of IT resources and business needs was being addressed through an operational project management structure. Although a formal governance structure was not in place, reviews of the MOUs and SDAs had occurred. Changes are being finalized and have yet to be presented for formal approval.

Recommendation:

  1. The ISTB should complete the review of the governance structures with its service providers and establish a plan to formalize their approval and implementation.

| Management Action Plan | Completion Date |
| --- | --- |
| The governance structures between the CBSA and IT service providers are under review and a plan will be established to formalize and communicate them. | June 30, 2008 |

3.3 Dispute Resolution Processes

Dispute resolution processes were in place and effective.

While the nature and scope of the service providers are different, the audit found that disputes were being discussed, addressed and resolved at the operational level with both service providers. 

In the case of one service arrangement, the documentation specified an escalation process in the case of a disagreement. There was a management structure in place that supported escalation of issues and resolution. If disputes were not resolved in the normal peer-to-peer meetings and interactions, they were escalated to the next level in the organizational hierarchy. A group in the ISTB was responsible for ensuring that disputes were resolved.

For the other arrangement, there was no formal dispute resolution process; however, the close working relationship led to disputes being addressed and largely resolved at the operational level.  Management indicated that the proposed governance structure to manage this relationship would include a formal dispute resolution process.

3.4 IT Services and Service Level Definition

IT services and service levels were not always clearly defined or consistently understood within the existing service arrangements.

The audit found there were various degrees of definition and understanding of IT services and service levels. 

For one service arrangement, the IT services provided to the CBSA were defined and clearly understood as access to and support of business delivery systems and data to be used by CBSA employees. Costing of these services was easy as it was primarily based on the number of CBSA users given access to these services; however, service levels had not been defined in the arrangement.

In the other case, the required IT services and service levels were not clearly defined and understood with the existing service agreements. The documentation provided some definition of IT services and service levels to be provided to the CBSA but not in sufficient detail to enable the CBSA to assess and manage performance.

Without clearly defined services, it was not always clear what services were included or what they cost, and it was difficult to assess performance.

Costing of Services

The audit noted that the CBSA and its service providers had taken action to identify and control total costs. In most cases, the costing of IT services was based upon well-defined fixed and variable costs.

However, for two types of services (shared services and incremental services) under one service arrangement, the costing methodology was not well defined or understood. In the review of the historical information on the costing, there was insufficient detail to understand the original costs and the annual adjustments to them. Both parties spent considerable effort to ensure a complete understanding and rationalization of invoices. But this process of validating the costs resulted in inefficiencies in both organizations. Furthermore, as new individuals became involved in managing the relationship, the scrutiny over the invoices and methodology would repeat itself.

Performance Monitoring

To ensure service levels are meeting expectations, controls should be in place to monitor the performance of IT infrastructure service delivery, including the existence of performance measures and service targets.

The audit found that performance monitoring and reporting were in the initial stages of development with both service providers. This makes it difficult for the CBSA to measure whether the service providers are providing service at an acceptable level.

Efforts are being taken to better define service and service levels. Recent work commenced under the Enhanced Shared Services model has led to the development of more precise services and service levels for regional IT services. This is based largely on a National Service Catalogue of Local Information Technology Services that establishes IT services and standards for performance measurement and reporting.

Service Desk

Service desks can be a good source of performance information. This information can be used to track performance in the following:

  • user account management
  • hardware and software inventory
  • hardware and software incidents
  • repair or replacement of computer equipment
  • suspension/reactivation of user identification
  • suspension/reactivation of public key infrastructure accounts
  • password reset on client accounts
  • restoration of user data from servers (on-site and off-site)

The audit found that performance information was available through the service desks and activities were reported and used by CBSA management to measure service performance and service response times. However, the information was not complete. One service provider has clearly defined service level objectives, which are monitored through the service desk. At the operational level, service desk statistics were used to make continual improvements to service. Problem reports were produced and the severity and criticality were identified. Post-mortems were performed. Recommendations were prepared and monitored and there was an escalation process.

However, this use of the service desk to measure performance was limited to service desk response times for various classes of problems. Action was under way during the course of the audit to better define and capture the performance metrics so that services can be measured, justified and perhaps compared with those of other providers.

Recommendation:

  1. The ISTB should ensure that the initiatives under way to review, revise and approve new arrangements with IT service providers have clearly defined services and service levels. Specifically:
    1. Establish, align and define services. In addition, roles and responsibilities for monitoring and validating costs and the basis for the costs associated with shared services and incremental services should be defined, documented and communicated.
    2. Define and implement performance-reporting requirements for the service providers to measure and monitor the achievement of service levels.
    3. Continue efforts to make use of service desk information to monitor and assess performance against service standards.

| Management Action Plan | Completion Date |
| --- | --- |
| The CBSA relationship management teams already perform the validation and monitoring of costs. The goal for this fiscal year is to document the costs of what makes up the IT shared services costs and the history of those costs. Also, by the end of this fiscal year, an agreed-upon approach to determine the incremental costs will be defined and documented. | March 31, 2008 |
| The CBSA relationship management teams have established formats and methods to ensure that all new services are properly defined and that SLAs contain the information required to monitor and report on the services. | Completed |
| While completing the review of the SLAs with the service providers, the services and service levels are being clearly defined with associated metrics and performance reporting requirements. | March 31, 2009 |
| Service desk information will be examined for quality and applicability of performance measures. | March 31, 2009 |

3.5 Alignment of Approval Processes

Business and IT infrastructure strategic directions of the CBSA and its service providers are aligned; however, the different approval processes associated with the funding of IT infrastructure initiatives are separate and uncoordinated with one service provider.

The audit found that business and IT infrastructure strategic directions of the CBSA and its service providers were aligned through the established committee and governance structures. In addition, new governance structures were being developed to improve the alignment of business and IT infrastructure strategic directions.

With one service provider, a new Integrated Technology Strategy Committee (ITSC) was established to focus attention on IT infrastructure strategic planning and alignment with business requirements. Representatives from both organizations will meet every two months to focus on the following:

  • new system and infrastructure development;
  • implementations that require variances to architectural standards; and
  • proposals involving major design and/or engineering changes.

The ITSC will also serve as the joint investment planning forum for both organizations to identify opportunities to share financial costs and maximize returns on IT infrastructure investments.

The nature, scope and differences in businesses and objectives between the CBSA and its service providers make aligning the approval processes more difficult, as does the requirement to get agreement from both organizations before seeking joint investment funding approval. However, the audit noted that different approval processes and corporate governance structures within the CBSA and within the service providers affect the coordination of IT infrastructure investments. Interviews with managers identified that the lack of coordination between the approval processes added risk to the IT infrastructure investment decision process. Funding for investment opportunities beneficial to both the CBSA and the service provider was approved separately by the two organizations with separate schedules. It was noted that the service provider tended to initiate the investment proposal process with the CBSA. However, given that the approval and funding processes are different in the two organizations, sometimes an IT project was initiated prior to a CBSA commitment.

Recommendation:

  1. The ISTB should ensure the decision-making processes for IT investments are better aligned and coordinated.

| Management Action Plan | Completion Date |
| --- | --- |
| An IT strategy committee was launched in accordance with one of the recommendations for the enhanced shared services model. This committee provides a forum where investments in infrastructure can be openly discussed and reviewed. Service providers and the CBSA will, to the extent possible, exchange information on emerging requirements, technical changes and contract renewal schedules to allow sufficient lead time to review and develop the required investment proposals. | Completed |
| Strategic investments will be a standing agenda topic at bilateral meetings to ensure the best possible alignment and coordination of decision-making processes. | Ongoing |

3.6 Risk Management

Risk management was operational in nature. Formal risk management of IT infrastructure service delivery risks at the corporate level was at the initial stages.

The audit concluded that risk management was primarily operational in nature. Risks related to the service provider's ability to provide secure, continuous service were being managed and mitigated. Service availability requirements were defined for critical business systems and critical locations, and availability was closely monitored.

At the time of the audit, corporate risks were identified and assessed with the development of a CBSA enterprise risk profile. One of the corporate-level risks identified was third-party reliance. The audit found no evidence of documentation to indicate formal risk management of the specific risks associated with the IT infrastructure service delivery agreements. ISTB managers indicated that risk management was taking place but that no formal documentation was maintained.

Without a systematic risk-management process, risks to the achievement of the service delivery objectives may materialize. The audit noted two examples where risk management was not evident and issues arose: a decision by a service provider to withdraw IT services and delays encountered regarding the implementation of an IT project. In both these cases, a significant amount of senior management time has been engaged to address these issues.

Recommendation:

  1. The ISTB should establish a risk-management process that will identify, assess, treat, monitor and communicate strategic business and IT risks associated with the IT infrastructure service delivery agreements.

| Management Action Plan | Completion Date |
| --- | --- |
| The ISTB will undertake an analysis of the risks associated with having external organizations provide IT services, and an associated risk-management process will be developed to monitor and mitigate these risks. Risks and mitigation strategies will be identified and documented where applicable in the enterprise risk profile. | September 30, 2008, and ongoing |

Appendix A - Audit Criteria

Control Category Audit Criteria

Strategic and operational direction

There are IT management processes in place to set strategic direction, develop operational plans, identify objectives and priorities, and communicate with partners.

  • The memoranda of understanding (MOUs) and service level agreements (SLAs)/service delivery agreements (SDAs) are aligned with the business and information technology (IT) strategies and directions of both the CBSA and its service delivery partners. [CobiT reference: P01.2]
  • Required IT services and service levels are clearly defined within the MOU/SLA(s) and understood.

Authority, responsibility and accountability

The degree to which authority, responsibility and accountability over IT infrastructure service delivery are clearly articulated and understood in a consistent fashion across all relevant parties.

  • The IT governance framework includes leadership functions, processes, roles and responsibilities, information requirements and organizational structures that ensure that the CBSA's investment managed through the MOU/SLA(s) is aligned with and delivers on its strategies and objectives. [CobiT reference: ME4.1 P04]
    • Authority, responsibility and accountability are clear, unambiguous and consistent within the CBSA to adequately manage the IT infrastructure service delivery arrangement and monitor compliance with the MOU/SLA(s).
    • The authority, responsibilities and accountability between the CBSA and IT service partners are clear, unambiguous and consistently understood.
    • There are clearly defined roles, responsibilities, accountabilities and expectations in MOUs, SLAs and management framework documents. [CobiT reference: DS2]
    • Decisions related to the MOU/SLA(s) are clearly communicated to ensure a common understanding.
    • Lines of communication are clearly identified for all levels of authority, responsibility and accountability.
  • Steering committees are in place, in which IT representatives of the CBSA and its service delivery partners participate to prioritize IT resources in line with business needs. [CobiT reference: P04]

Risk management

The degree to which risk analysis is conducted formally, the degree to which all appropriate parties are involved in risk assessment, and whether the risk analysis is being done consistently and in a manner that is aligned with the CBSA's broader risk management framework and corporate risk tolerance.

  • Risk-management responsibilities are embedded into the CBSA's service delivery partnership, thereby ensuring that CBSA business and IT managers regularly assess and report IT-related risks and the impact on business. [CobiT reference: P04.8 ME4.5]
    • There is a maintained risk-management framework that documents business and IT risks associated with non-performance, mitigation strategies and agreed-upon residual risks. [CobiT reference: P09]
    • Management follows up on risk exposures. [CobiT reference: ME4.5]
    • Escalation procedures are in place to ensure that senior management is informed of high-risk exposures.
    • Risks relating to the IT service provider's ability to continue effective service delivery in a secure and efficient manner on a continual basis are identified, mitigated and monitored. [CobiT reference: DS2.3]

Monitoring results and reporting

The controls in place to permit the CBSA to monitor the performance of IT infrastructure service delivery, including the existence of performance measures and service expectations.

The degree to which tolerance limits for acceptable ranges of deviations of performance to plan are established.

The mechanisms in place to support corrective action when actual performance exceeds tolerance limits.

The degree to which management and oversight bodies regularly request/receive sufficient, complete, timely and accurate information to permit the effective monitoring of objectives, plans, strategies and results.

  • Timely reports are received and reviewed by the CBSA to monitor performance and identify opportunities to improve IT's contribution to business objectives.
    • Senior management reports provide information on the performance of the CBSA's service delivery arrangements, including performance on key service levels and costs. [CobiT reference: ME1.5]
    • Service levels are identified, agreed to, monitored and reported on. [CobiT reference: DS1]
    • Status reports include the extent to which performance targets are met and risks mitigated. [CobiT reference: ME4.6]
    • Reports on performance to senior management are timely and accurate.
    • Senior management challenges the performance reports and the service delivery partner is given an opportunity to explain deviations and performance problems. [CobiT reference: ME4.6]
  • CBSA IT managers work with their partners to identify and control the total costs and benefits within the context of the MOU/SLA(s) and initiate corrective action where needed. [CobiT reference: P05]
  • Formal processes are in place to ensure that changes to the MOU/SLA(s) are appropriately approved and communicated.
  • There are regular reviews of MOUs, SLAs and other related documents to ensure that they are effective, up to date, and that changes in requirements have been accounted for. [CobiT reference: DS1.6]
  • There is continual monitoring of the performance and capacity of IT resources provided by the CBSA's partners. Data gathered is used to ensure that its service delivery partners: [CobiT reference: DS3.5]
    • Report on service availability to the business as required by the SLAs. [CobiT reference: DS1.4]
    • Accompany exception reports with recommendations for corrective action. [CobiT reference: DS3.5]
    • Ensure deviations from expected performance are identified and appropriate management is initiated and reported. [CobiT reference: ME1.5, ME1.6]
    • Ensure escalation procedures are in place so that senior management is informed of problems and issues.
    • Review and negotiate to remediate performance deviations.
    • Assign responsibility for monitoring the effectiveness of the remediation actions.
  • Dispute resolution processes are in place and effective.
  • Reports of service desk activity are used by management to measure service performance and service response times and to identify trends or recurring problems so improvements can be requested from its service delivery partners. [CobiT reference: DS8.5]

Appendix B - Definitions

Memorandum of understanding (MOU)
A memorandum of understanding (MOU) is used to define the expectations, terms and conditions of the working relationship between two parties. It is an official agreement establishing the principles that will guide the implementation of service delivery, programs or projects.

Service delivery agreement (SDA)
A service delivery agreement (SDA) sets out accountabilities, service level targets and the delivery mechanisms to meet those targets. It sets out in broad terms high-level objectives, performance levels and responsibilities.

Service level agreement (SLA)
A service level agreement (SLA) is an agreement concerning a measurable level of service between the service provider and the service receiver. It covers service support requirements, quantitative and qualitative metrics for measuring the service signed off on by the stakeholders, funding and commercial arrangements, if applicable, and roles and responsibilities, including oversight for the SLA.

Business management framework (MF)
A business management framework (MF) is established to guide service delivery planning, the allocation of applicable resources and reporting on performance. It sets out management principles on how authority and accountability are delegated to individuals, on risk management and on monitoring performance.

Appendix C - List of Acronyms

CBSA
Canada Border Services Agency
COBIT
Control Objectives for Information and related Technology
ISTB
Innovation, Science and Technology Branch
IT
information technology
ITSC
Integrated Technology Strategy Committee
MF
business management framework
MOU
memorandum of understanding
SDA
service delivery agreement
SLA
service level agreement