Abbreviations
AAFC
Agriculture and Agri-Food Canada
CIO
Chief Information Officer
ISB
Information Systems Branch
IM
Information Management
IT
Information Technology
TB
Treasury Board
TBS
Treasury Board Secretariat
Executive summary
Application Portfolio Management is the process of managing and optimizing the department’s software applications by assessing each in terms of business value, costs, risks and alignment with departmental goals.
The TBS has developed policies and guidance for the management of departmental application portfolios, such as the Policy on Service and Digital and its associated guidance.
Oversight of AAFC’s application portfolio is important for delivering reliable, modern digital services and ensuring compliance with TBS requirements. Strong oversight ensures that processes support effective planning and investment, while also managing risks such as technical debt.
This audit was included in AAFC's 2024–25 to 2028–29 Audit and Evaluation Plan, which identified application portfolio management as a high risk area. Auditing AAFC's application portfolio management is vital, especially with an aging application portfolio, as it can yield the critical insights needed to improve application portfolio management in strategically determining whether to retire, modernize or replace specific applications, thus improving decision-making.
The objective of the audit was to assess whether there was oversight in place to support the management of AAFC’s IT application portfolio throughout its lifecycle.
We examined the oversight in place to determine whether roles and responsibilities were clearly defined for the management of AAFC’s portfolio of applications and whether lifecycle management was conducted on a timely basis to continually manage technical debt and meet TBS requirements.
Overall, we found elements of oversight are in place, however, opportunities exist to define roles and responsibilities related to AAFC’s application portfolio management; conduct regular and timely reviews of the application portfolio; and develop end-of-life application retirement plans.
Management agrees with the audit recommendations and has developed an action plan to address them by December 2026. For further details see Annex B.
1.0 Introduction
1.1 Background
Application Portfolio Management is the process of managing and optimizing the department’s software applications by assessing each in terms of business value, costs, risks and alignment with departmental goals. In addition, effective application portfolio management ensures that the portfolio supports the department while reducing duplication and costs as well as managing risks. One of these risks, the risk of technical debt, occurs with continued use of outdated or poorly maintained applications, which over time increase costs, reduce efficiencies, and can limit innovation.
As a federal department, AAFC must comply with the TB Policy on Service and Digital and its associated guidance for the management of its application portfolio. The department is expected to ensure that processes support effective planning and investments, and to manage risk such as technical debt.
As well, under the Policy on Service and Digital, TBS plays a central role in application portfolio management by providing the direction and oversight needed to ensure consistency and accountability across government. It defines reporting expectations and collects departmental application portfolio management data to assess the overall health of the federal application landscape. In addition, it also promotes standardization through common tools, guidance, and resources, with the goal that departmental efforts align with broader digital and investment strategies.
Strong oversight of AAFC’s application portfolio is important for delivering reliable, modern digital services and ensuring that processes support effective planning and investments and that risks are managed.
At AAFC, the application portfolio management team is located within Strategic Products and Partnerships division in ISB, which is led by the CIO. The Application Portfolio Management team consists of two employees and one part-time manager and had annual expenditures of approximately $280K for the fiscal year 2024-25. The team manages the intake and validation of application data and coordinates with technical users and owners to maintain data quality. It should be noted that responsibilities for the management of the application portfolio are distributed across multiple employees and branches within AAFC, and the above reflects only the core office staff and budget, not the full cost and level of effort for application portfolio management activities across the department.
As of September 2025, 130 of the applications listed in AAFC’s Application Portfolio Management System met TBS’ definition of a business application (see Figure 1). TBS defines a business application more narrowly than AAFC’s broader list of applications, focusing only on systems that are server or cloud-based, have databases, custom code, support costs, or are standalone platforms. By restricting the definition of business applications, TBS focuses governance on assets with significant cost, operational impact, and risk. The following figure presents the breakdown of AAFC’s business applications by branch.
Figure 1: Business applications by branch (per TBS definition)
[Description of the above image]
The pie chart shows the distribution of the 130 “business applications” across departmental branches, based on the TBS definition. The largest share belongs to the Programs Branch, which accounts for 36 applications. Science and Technology Branch has the second largest share at 30 applications. Information Systems Branch follows with 22 applications. The Human Resources Branch has 11 applications, and the Corporate Management Branch has 10 applications. The remaining branches collectively account for 21 applications. The chart illustrates that application ownership is concentrated primarily in the Science and Technology and Programs branches, with significantly smaller counts distributed across the other branches.
1.2 Risk context
This audit was included in AAFC's 2024–25 to 2028–29 Audit and Evaluation Plan, which identified application portfolio management as a high risk area. This was based on the department’s aging portfolio of applications, many of which are approaching the end of their lifecycle and require replacement. A significant number of these applications exhibit poor technical health or offer limited business value. Auditing AAFC's application portfolio management is vital, especially with an aging application portfolio, as it can yield the critical insights needed to improve application portfolio management in strategically determining whether to retire, modernize, or replace specific applications, thus improving decision-making.
Following a risk assessment during the audit planning phase, we more specifically identified the following risk areas for further examination:
Oversight
- Roles and responsibilities are clearly defined for the management of AAFC’s portfolio of applications.
- Lifecycle management is conducted on a timely basis for AAFC’s portfolio of applications to continually manage technical debt and meet TB requirements.
1.3 Audit objective, scope and approach
The objective of this audit was to assess whether there was oversight in place to support the management of AAFC’s IT application portfolio throughout its lifecycle.
The audit focused on the period from February 2025 to September 2025 to assess current application portfolio management activities.
The audit did not assess the following:
- application development processes
- cyber security
- responsibilities related to Shared Services Canada
More details about the audit objective, scope, criterion and approach are in Annex A: About the audit.
2.0 Detailed observations and recommendations
TBS requires departments to maintain up-to-date departmental business applications. Departments must identify opportunities to leverage the application portfolio for investment planning, technical-debt reduction, and be compliant with the TB Policy on Service and Digital.
2.1 Roles and responsibilities
The TB Directive on Service and Digital, a supporting component of the policy, notes that responsibility for the application portfolio management process lies with the CIO.
We examined whether roles and responsibilities are clearly defined for the management of AAFC’s portfolio of applications.
What the audit found
We found that while defined roles and responsibilities for tasks such as collecting and reviewing application data are clear, roles and responsibilities for the management of the portfolio of applications, technical debt and the timely disposal of applications are unclear.
Under the TB Policy on Service and Digital requirements, the CIO is responsible for the application portfolio management process. However, AAFC documentation and processes do not address the CIO’s responsibility for application portfolio management, technical debt and the timely disposal of applications. Responsibility has also not been delegated to individuals or committees elsewhere in AAFC.
Application decisions are driven by branch application owners rather than ISB or departmental business decisions. In interviews, ISB staff reported they lack decision-making authority because funding resides with the branches. ISB views decisions for branch supported applications as outside of ISB’s purview. This decentralized model has delayed decommissioning and contributed to departmental technical debt.
Why this matters
Clearly defined roles and responsibilities are needed to ensure that AAFC’s application portfolio is managed based on departmental priorities and that technical debt is reduced.
Recommendation 1
The Assistant Deputy Minister, Information Systems Branch should define roles and responsibilities for AAFC’s application portfolio management.
2.2 Lifecycle management
TBS requires departments to maintain their applications in good working order, and that end-of-life application retirement plans be developed and integrated into the departmental Information Management (IM)/IT plan for the decommissioning of applications that are no longer required.
We examined how AAFC reviews its application portfolio, whether the results are used to support decision-making, the management of technical debt, and whether end-of-life application retirement plans are developed to guide the decommissioning of applications.
What the audit found
We found that application data is being used to support decision-making in some areas within ISB, such as the investment planning process and the Workload Migration Project. However, application portfolio management at AAFC is reactive and ad hoc.
TBS requires that departments update and keep departmental business applications current, such that they have an aging IT assessment value of “Minimal attention required.” Using data submitted by departments, TBS assesses whether business applications are being maintained in good working order and determines the percentage of applications that require attention based on established criteria. As of September 2025, AAFC scored a "Minimal attention required” value of 23% (30 out of 130), meaning that 77% (100 out of 130) of AAFC’s applications require attention. This is well below the average 38% "Minimal attention required” value for other government departments.
While this data is available, AAFC does not have a regularized, departmental-wide process in place to review the portfolio of applications, manage technical debt and work toward reducing the number of applications that require attention. Interviews with ISB staff noted that to reduce technical debt, ISB management needs to play a stronger role in making decisions to decommission applications.
We noted the following exercises are underway at AAFC to inform the management of AAFC’s application portfolio. However, these are ad hoc exercises, which are not part of a regular and timely review process.
- Since the spring of 2024, AAFC has been conducting a data and digital prioritization exercise with the objective of assessing data and digital elements across AAFC (including applications) and determining whether they should continue to be supported by AAFC. Now in its third phase, the exercise is expected to conclude by the end of fiscal year 2025-26 and is anticipated to recommend the decommissioning of certain applications. While interviewees noted that this type of exercise should be performed on a more regular and timelier basis, we did not observe evidence that the process would be regularized.
- AAFC’s Workload Migration Project is planning for the migration of AAFC applications from aging data centres to modern, more secure and reliable solutions. ISB expects the project to conclude by the end of fiscal year 2025-26 and to provide insights into portfolio health.
- ISB is piloting a branch-specific Partner Service Agreement to report on branch application inventories that will include detailed 10-year plans for each application. The goal of the agreement is to better inform the selection and prioritization of application investments.
In addition to the lack of a regular and timely application portfolio review process, ISB advised that end-of-life application retirement plans are not being completed to guide the disposition of applications, maintain portfolio health and reduce technical debt, as required by TBS.
The implementation of the exercises noted above can be used to help move AAFC toward meeting this TBS requirement. The results of the Workload Migration Project, the data and digital prioritization exercise, and the implementation of the Partner Service Agreements across all AAFC branches, will provide ISB the opportunity to consolidate application data for enterprise-wide planning purposes and into end-of-life application retirement plans.
Why this matters
A regular and timely application portfolio review process and the development of end-of-life application retirement plans are needed to allow AAFC to continually manage technical debt and move the department closer to compliance with TB policy.
Recommendation 2
The Assistant Deputy Minister, Information Systems Branch should implement regular and timelier reviews of AAFC’s portfolio of applications to ensure that technical debt is continually managed and reduced.
Recommendation 3
The Assistant Deputy Minister, Information Systems Branch should leverage tools and information to meet TB requirements for end-of-life application retirement plans and integrate the results into the IM/IT plan.
3.0 Conclusion
Overall, we found elements of oversight are in place. However, opportunities exist to define roles and responsibilities in AAFC’s application portfolio management, conduct regular and timely reviews of the application portfolio and develop end-of-life application retirement plans.
Management response and action plan
Management agrees with the audit recommendations and has developed an action plan to address them by December 2026. For further details see Annex B.
Annex A: About the audit
Statement of conformance
The audit conformed to the Institute of Internal Auditors' International Professional Practices Framework, as supported by the results of AAFC’s internal audit quality assurance and improvement program. Sufficient and appropriate evidence was gathered in accordance with the Global Internal Audit Standards to provide a reasonable level of assurance over the findings and conclusion in this report. The findings and conclusion expressed in this report are based on conditions as they existed at the time of the audit and apply only to the areas included in the audit scope.
Audit objective
To assess whether there was oversight in place to support the management of AAFC’s IT application portfolio throughout its lifecycle.
Audit scope
The audit focused on the period from February 2025 to September 2025 to assess current application portfolio management activities.
The audit did not assess the following:
- application development processes
- cyber security
- responsibilities related to Shared Services Canada
Audit criterion
The following criteria were developed to conclude against the audit objective:
Oversight
- Roles and responsibilities are clearly defined for the management of AAFC’s portfolio of applications.
- Lifecycle management is conducted on a regular basis for AAFC’s portfolio of applications to continually manage technical debt and meet TB requirements.
Audit approach
The audit approach was risk-based and consistent with the Institute of Internal Auditors' International Professional Practices Framework. The Global Internal Audit Standards require that the audit be planned and performed in such a way as to conclude against the audit objective. The audit was conducted in accordance with an audit program, which defined audit tasks to be performed to obtain and examine sufficient and appropriate evidence to assess the audit criterion.
The audit included the review of documents such as TBS policies and guidance, ISB documents related to AAFC’s application portfolio management and interviews with AAFC management and employees.
Annex B: Management response and action plan
| Recommendation | 1. The Assistant Deputy Minister, Information Systems Branch should define roles and responsibilities for AAFC’s application portfolio management. |
|---|---|
| Management response and action plan | 1a. The Assistant Deputy Minister, Information Systems Branch, in collaboration with relevant stakeholders, will review and clarify the roles and responsibilities associated with application investment planning, funding and prioritization. |
| Target date | December 2026 |
| Responsible leads | Assistant Deputy Minister, Information Systems Branch |
| Recommendation | 1. The Assistant Deputy Minister, Information Systems Branch should define roles and responsibilities for AAFC’s application portfolio management. |
|---|---|
| Management response and action plan | 1b. The Assistant Deputy Minister, Information Systems Branch, in collaboration with relevant stakeholders, will review and clarify the roles and responsibilities of AAFC’s governance bodies associated with the oversight and funding for AAFC’s application portfolio. |
| Target date | December 2026 |
| Responsible leads | Assistant Deputy Minister, Information Systems Branch |
| Recommendation | 2. The Assistant Deputy Minister, Information Systems Branch should implement regular and timelier reviews of AAFC’s portfolio of applications to ensure that technical debt is continually managed and reduced. |
|---|---|
| Management response and action plan | 2a. The Assistant Deputy Minister, Information System Branch in collaboration with relevant stakeholders will implement a revised process to improve investment planning decisions by requiring updated application portfolio management data as a prerequisite for all investment and funding decisions. |
| Target date | December 2026 |
| Responsible leads | Assistant Deputy Minister, Information Systems Branch |
| Recommendation | 2. The Assistant Deputy Minister, Information Systems Branch should implement regular and timelier reviews of AAFC’s portfolio of applications to ensure that technical debt is continually managed and reduced. |
|---|---|
| Management response and action plan | 2b. The Assistant Deputy Minister, Information System Branch in collaboration with relevant stakeholders will implement a structured data and digital prioritization initiative, which will be formalized and implemented as an annual process. This process will include clearly defined timelines and required deliverables, ensuring all application portfolio management data is accurately updated to support strategic decision-making. |
| Target date | December 2026 |
| Responsible leads | Assistant Deputy Minister, Information Systems Branch |
| Recommendation | 2. The Assistant Deputy Minister, Information Systems Branch should implement regular and timelier reviews of AAFC’s portfolio of applications to ensure that technical debt is continually managed and reduced. |
|---|---|
| Management response and action plan | 2c. AAFC will implement Partner Service Agreements across all branches to increase visibility and achieve complete data compliance for their application portfolios. This will enable effective enterprise-wide oversight and better strategic decision-making. |
| Target date | December 2026 |
| Responsible leads | Assistant Deputy Minister, Information Systems Branch |
| Recommendation | 3. The Assistant Deputy Minister, Information Systems Branch should leverage tools and information to meet TB requirements for end-of-life application retirement plans and integrate the results into the IM/IT plan. |
|---|---|
| Management response and action plan | 3. AAFC will formally adopt and implement a two-phase decommissioning model for all applications that reach their predetermined end-of-life. This model will mandate that application owners submit a complete retirement plan, including all necessary data retention and litigation checks, before technical decommissioning begins. The Application Portfolio Management team will oversee the process to ensure compliance and alignment across all involved teams (information management, legal, technical leads). |
| Target date | December 2026 |
| Responsible leads | Director General, Enterprise Services and Solutions |