Abstract

This paper explores the systemic challenges and audit findings associated with risks facing large-scale IT infrastructure projects in Canada. It examines the risks facing these projects, the role of governance and oversight, and presents case studies including the Phoenix Pay System and Employment Insurance modernization.

Introduction

Large-scale IT infrastructure projects are critical to the delivery of public services in Canada, yet many have faced significant challenges leading to failure. These failures often result in wasted public funds, disrupted services, and diminished trust in government institutions. Auditing such projects is essential to uncover the root causes, ensure accountability, and recommend corrective actions. This paper examines the audit processes applied to IT projects in Canada, highlighting systemic issues in governance, planning, and execution. Through published audit reports, it aims to provide insights into how oversight mechanisms can be strengthened to prevent future failures.

Common Risks Facing IT Projects

Audits of IT infrastructure projects in Canada consistently reveal a number of recurring issues that contribute to systemic breakdowns. These failures are rarely attributable to a single factor; rather, they emerge from interrelated deficiencies in governance, planning, execution, and oversight.

Governance and Strategic Alignment

Weak governance is a foundational issue. Many projects lack clearly defined leadership roles, accountability structures, and strategic alignment with organizational goals. Without robust governance frameworks, projects are susceptible to scope creep, misaligned priorities, and decision-making paralysis. The absence of executive sponsorship and oversight committees often results in fragmented leadership and diminished responsiveness to emerging risks. (SSC, 2012)

Project Management Deficiencies

Poor project management practices exacerbate technical and operational risks. Audits frequently cite unrealistic timelines, underfunded budgets, and inadequate risk assessments. Project teams may lack domain expertise or fail to engage stakeholders effectively, leading to solutions that are technically sound but operationally misaligned. The lack of iterative development, pilot testing, and adaptive planning further compounds these challenges. (Mkoba, 2016)

Misalignment with Client and User Needs

A recurring theme in failed projects is the disconnect between system design and end-user requirements. Projects often proceed without formal service-level agreements or comprehensive needs assessments. This misalignment results in systems that are functionally complete but fail to deliver meaningful value to users. Inadequate stakeholder engagement during planning and implementation phases contributes to this gap. (UK, 2021)

Oversight and Monitoring Gaps

Insufficient oversight mechanisms prevent early detection and correction of issues. Audits reveal that many departments do not conduct regular performance reviews or implement timely corrective actions. The absence of performance dashboards, milestone tracking, and independent evaluations undermines accountability and transparency. These gaps allow small issues to escalate into systemic failures. (GAO, 2025)

Cultural and Structural Barriers

Underlying many technical and managerial issues are cultural and structural barriers within public institutions. Resistance to change, siloed operations, and rigid funding models hinder innovation and responsiveness. Projects often struggle to adapt to evolving requirements due to bureaucratic constraints and fragmented communication channels. (Eberlein 2008)

Understanding these risks is essential for designing resilient, user-centered, and accountable IT infrastructure projects. Addressing them requires not only technical solutions but also organizational reform and cultural change.

Case Study 1: Phoenix Pay System (Office of the Auditor General of Canada, 2018)

The Phoenix Pay System is one of the most prominent examples of a failed IT infrastructure project in Canadian history. (OAG Canada,, 2018) Launched in 2016 by Public Services and Procurement Canada (PSPC), Phoenix was intended to modernize and streamline payroll services for federal employees. However, the project quickly devolved into a crisis, affecting over 193,000 employees with underpayments, overpayments, or no payments at all. The system, originally budgeted at $310 million, has since cost taxpayers over $1.2 billion due to remediation efforts and ongoing issues.

The Auditor General’s 2018 report on Phoenix highlighted a series of critical failures. These included the decision to launch the system without adequate testing, despite clear warnings from internal assessments and external consultants. The project team ignored red flags, such as incomplete functionality and unresolved defects, and proceeded with implementation under political and administrative pressure. Moreover, the governance structure lacked clarity, and there was no contingency plan in place to address potential failures.

The audit also revealed that PSPC did not fully understand the complexity of federal payroll requirements, which vary across departments and employee classifications. The system was not equipped to handle these nuances, leading to widespread errors. Additionally, the project suffered from poor communication between stakeholders, insufficient training for users, and a lack of accountability.

Phoenix serves as a cautionary tale of how technical, managerial, and governance failures can converge to produce catastrophic outcomes. It underscores the importance of rigorous testing, stakeholder engagement, and transparent oversight in large-scale IT projects.

Case Study 2: Employment Insurance System Modernization (Office of the Auditor General of Canada, 2023)

The Employment Insurance (EI) system modernization project is another example of a long-standing IT infrastructure challenge in Canada. (OAG Canada, 2023) The system, which supports millions of Canadians annually, was flagged as high-risk as early as 2010 due to its outdated technology and vulnerability to service disruptions. Despite this, modernization efforts have been slow and fragmented, prompting the Office of the Auditor General (OAG) to conduct a performance audit in 2023.

The audit found that two-thirds of government applications were in poor health, with many relying on legacy systems that were difficult to maintain and integrate. The EI system, in particular, was built on aging infrastructure that lacked scalability and resilience. The OAG criticized the Treasury Board Secretariat and Employment and Social Development Canada (ESDC) for failing to develop a coherent modernization strategy, despite repeated warnings and allocated funding.

One of the key issues identified was the rigidity of funding mechanisms. Departments were often unable to reallocate resources or adjust project scopes in response to emerging needs. This inflexibility hindered innovation and delayed progress. Additionally, there was a lack of centralized oversight, leading to inconsistent project management practices and fragmented accountability.

The audit also highlighted the absence of performance metrics and service-level agreements, which made it difficult to assess the effectiveness of modernization efforts. Stakeholder engagement was minimal, and user needs were not adequately considered during planning and implementation phases.

This case illustrates the long-term consequences of neglecting IT infrastructure and the need for proactive, well-funded, and strategically governed modernization initiatives. It reinforces the importance of aligning technology upgrades with service delivery goals and ensuring that oversight bodies have the authority and resources to enforce accountability.

Case Study 3:  Systems Under Development Audit (Shared Services Canada, 2018)

Shared Services Canada (SSC) was established to consolidate and modernize federal IT infrastructure, including email systems, data centers, and telecommunications. (SSC, 2018.) The SSC Office of the Audit and Evaluation conducted a Systems Under Development (SUD) audit to evaluate SSC’s progress and identify risks associated with its transformation initiatives. The audit focused on several large-scale projects, including the Enterprise Data Centre Consolidation and the Email Transformation Initiative.

The audit revealed that SSC’s projects were significantly more complex than typical IT initiatives, requiring enhanced oversight and interdepartmental coordination. One of the primary concerns was the lack of a comprehensive risk management framework. Projects often proceeded without fully assessing technical feasibility, stakeholder readiness, or long-term sustainability. This led to delays, cost overruns, and inconsistent service delivery.

Governance structures were also found to be inadequate. Roles and responsibilities were not clearly defined, and decision-making processes were fragmented across branches. The audit emphasized the need for SSC to establish clear accountability mechanisms and improve communication with client departments. Without these measures, projects risked misalignment with user needs and operational requirements.

Another issue was the absence of performance tracking and reporting. SSC did not consistently monitor project milestones or evaluate outcomes against predefined objectives. This made it difficult to identify problems early and implement corrective actions. The audit recommended the adoption of standardized project management practices and the integration of performance dashboards to enhance transparency.

Overall, the SSC audit highlights the challenges of managing large-scale IT transformations in a multi-stakeholder environment. It underscores the importance of robust governance, proactive risk management, and continuous performance monitoring to ensure successful outcomes.

Lessons Learned from Audits

The audits of failed IT infrastructure projects in Canada offer a wealth of insights into what goes wrong and how future projects can be improved. These lessons are not only relevant to government agencies but also to private sector organizations undertaking large-scale digital transformations.

Governance and Leadership are consistently identified as critical success factors. Projects that lack clear leadership, defined roles, and accountability structures tend to drift off course. Audits recommend establishing governance frameworks that include oversight committees, executive sponsors, and performance metrics tied to strategic outcomes. Leadership must be actively engaged throughout the project lifecycle, not just during initiation.

Risk Management is another area where many projects falter. Audits reveal that risk assessments are often superficial or conducted too late to influence decision-making. Effective risk management requires early identification of technical, financial, and operational risks, along with mitigation strategies and contingency plans. Regular risk reviews should be embedded into project governance.

Stakeholder Engagement is frequently overlooked. Projects that fail to consult end-users, service delivery teams, and other stakeholders often produce systems that are misaligned with operational needs. Audits recommend inclusive planning processes, user-centered design, and iterative feedback loops to ensure that solutions are practical and usable.

Project Planning and Execution must be realistic and adaptive. Many failed projects were launched with overly ambitious timelines and underfunded budgets. Audits suggest adopting agile methodologies, phased rollouts, and pilot testing to reduce complexity and improve responsiveness. Planning should also include robust change management strategies to support adoption.

Monitoring and Evaluation are essential for accountability. Audits emphasize the need for performance dashboards, milestone tracking, and independent reviews. These tools help identify issues early and support evidence-based decision-making. (GAO, 2025)

Ultimately, the lessons from these audits point to a need for cultural change in how IT projects are managed, moving from rigid, top-down approaches to flexible, transparent, and user-focused models that prioritize service delivery and long-term sustainability.

Recommendations for Future IT Projects

To prevent the recurrence of large-scale IT project failures, Canadian public institutions must adopt a more strategic and adaptive approach to project management.

Large IT projects would benefit from being broken down in smaller self-contained components. As shown by the audits, complexity could be a barrier to success. Smaller sel-contained (but able to be connected) IT projects allow for more efficient course correcting, or if needed, stopping ill-fated IT transformation altogether before they morph into disastrously costly failures.

Governance structures must be strengthened. This includes assigning clear roles, establishing oversight committees, and integrating performance metrics that align with service delivery goals. Leadership must remain actively involved throughout the project lifecycle, ensuring accountability and responsiveness.

Risk management should be embedded from the outset. Projects must include comprehensive risk assessments, mitigation strategies, and contingency plans. These should be revisited regularly as the project evolves.

Stakeholder engagement must be prioritized. End-users, service providers, and technical teams should be involved in planning, testing, and feedback processes to ensure the final product meets operational needs.

Funding models should be modernized to allow flexibility. Departments must be able to reallocate resources and adjust scopes as needed, without bureaucratic delays. These recommendations, if implemented, can significantly improve the success rate of future IT infrastructure projects in Canada.

Conclusion

The challenges of implementing large IT infrastructure projects in Canada, as revealed through audits, underscores the urgent need for reform in governance, planning, and execution. The audits of the Phoenix Pay System and the EI modernization demonstrate how poor oversight and misaligned priorities can lead to costly and disruptive outcomes. (OAG Canada, 2018 and OAG Canada 2023) By learning from these failures and implementing strategic recommendations, such as, robust risk management, and inclusive stakeholder engagement, Canada can build more resilient, efficient, and user-centered digital systems. Audits play a vital role in this transformation, offering accountability and guiding continuous improvement in public sector innovation.

References

Eberlein, M. (2008). Culture as a Critical Success Factor for Successful Global Project Management in Multi-National IT Service Projects, Journal of Information Technology Management. Retrieved from https://jitm.ubalt.edu/XIX-3/article4.pdf

Greve, C., Lægreid, P., & Rykkja, L. H. (2021). The Palgrave Handbook of the Public Servant. Palgrave Macmillan.

Mkoba, E. and Marnewick C. (2016). Auditing Agile Projects: A Conceptual Framework. In Proceedings of the 2016 Annual Research Conference of the University of South Africa.

Office of the Auditor General of Canada. (2018). Report 1—Building and Implementing the Phoenix Pay System. Retrieved from https://www.oag-bvg.gc.ca/internet/English/att__e_43045.html

Office of the Auditor General of Canada. (2023). Report 7—Modernizing Information Technology Systems. Retrieved from https://www.oag-bvg.gc.ca/internet/docs/parl_oag_202310_07_e.pdf

Shared Services Canada. (2012). What Prevents Large IT Projects from Being Successful? Retrieved from https://web.archive.org/web/20220706172719/https://www.canada.ca/content/dam/canada/shared-services/migration/media/documents/ae-ce-eng.pdf

Shared Services Canada. (2018). Systems Under Development Audit. Retrieved from https://publications.gc.ca/collections/collection_2024/spc-ssc/P115-16-2018-eng.pdf

UK Government – Infrastructure and Projects Authority (IPA) (2021). Gate Review Process – Gate 4 Review: Readiness for Services. Retrieved from: https://assets.publishing.service.gov.uk/media/60f019b0e90e0764ccfbd7b1/1174-APS-4-CCS0521656666-001_Gateway_Web1.pdf

U.S. Government Accountability Office (2025). HIGH-RISK SERIES: Critical Actions Needed to Urgently Address IT Acquisition and Management Challenges. Retrieved from: https://files.gao.gov/reports/GAO-25-107852/index.html?_gl=1*e8errg*_ga*OTY0MTc0MDgzLjE3NDkwNjg1Mzg.*_ga_V393SNS3SR*czE3NTUxMDA3NTEkbzMkZzEkdDE3NTUxMDA5MjgkajkkbDAkaDA.

About the Author

Yves Genest

Mr. Genest is an experienced audit professional, who audited a vast array of organizations in the Federal government over the past thirty years. He started his career at the Office of the Auditor General of Canada where he occupied various positions for over fifteen years, including Principal, Practice Development.

He served as Chief Audit and Evaluation Executive at Shared Services Canada, and as Director General, Audit Directorate, at the Public Service Commission of Canada.

He was a former Vice-President, Research and Strategic Initiatives at the Canadian Audit and Accountability Foundation (CAAF). He was responsible for the development of projects requiring the expertise and knowledge of CAAF in performance measurement and auditing in partnership with various stakeholders.
Yves Genest is now serving as Senior Advisor for Project Audits at the Office of the Auditor General of Manitoba.

Contact the author at:

yves.genest@oag.mb.ca