Audit of the Delegation of Authority Application

Project Management Framework

Project Framework

A robust and well established project management framework is key for an effective and successful outcome of a project.  The audit team found that a project management framework was designed and initiated at the project onset via the establishment of a project charter. This charter incorporated key elements of project management, including the purpose, objective and scope, and the overall approach, outlining elements such as deliverables, control, schedule, level of effort, and costing estimates.

However, aside from the creation and update of the project charter, the audit team did not find evidence to suggest that the framework was fully implemented. For example, the timeline of the project was impacted due to interdepartmental business requirements scoping and the issues caused when the transfer of the DAA occurred between the PCH environment where the other government department was developing the application and their respective environment. The audit team expected to see reflected in the project management documentation, as defined in the project charter, changes and the necessary customization as result of the developers spending time to resolve these issues. The team did find evidence of a project management tool being used to track tasks.

Project Governance and Oversight

Governance and oversight are key aspects of project management.  Effective application of these aspects ensure roles and responsibilities are adhered to, sound project related decisions are made, timelines are met, and costs remain within budget.

The DAA project charter initially identified key project leadership roles, including the project director, project lead, project manager, technical lead and functional lead. Nevertheless, key project leadership changed with a new director and technical lead joining the team prior to implementation. As a result, the audit team expected to find evidence of project updates, project meetings, and change logs for project goals and timelines or other monitoring mechanisms. While this was not found, the team did observe that the roles were updated in the project charter and that a project management tool was employed. In addition, it was observed that as part of project governance and oversight, briefings were made to various departmental committees and that non-formalized solutions were implemented to ensure the project moved forward.

Overall, the project management framework initially incorporated good practices, with the development of a project charter, and identification of key project roles. However, the charter was limited in its application as individuals, timelines and complexities changed during the project, and monitoring mechanisms were limited. With the movement of key personnel overall project management fell on technical teams. Critical knowledge associated with the project delivery and implementation details rested in the hands of individuals rather than a centralized documentation and knowledge base which could make any future transitions or upgrades difficult. The audit team did find that since the arrival of the new Deputy Chief Financial Officer, there has been notable increase of rigor in project management and project governance and oversight.

Recommendation:

1. The Chief Financial Officer should apply a rigorous project management approach, in alignment with best practices identified in the PMBOK guidelines, and ensure it is updated as needed as the project evolves through the I2P and P2P phases.

Training and Change Management Approach

Training Strategy

Training is key for the successful implementation and use of an application. In order for training to be effective and efficient, a strategy and subsequent plan should be developed at the outset of the project with defined targets. A training plan for the DAA was developed and training on the use of the application was subsequently delivered to users. The training was standardized and was delivered to two distinct users groups – the Resource Management Directorates and managers - in person (classroom, group sessions, and one-on-one) and online prior to the roll out of the application. The training sessions focused on requirements to be added to the DAA module, how to use the module for delegations, and the impacts once authority had been delegated. The audit team found that the training was provided late and the plan did not include all relevant user groups.

Change Management Approach

Similarly to project management, change management is a key pillar on implementing or changing a process, application or system. This distinction increases in importance when the change fundamentally alters business processes in the Department. The DAA project was announced via the PCH intranet at least six and then one month prior to implementation of the application. Targeted communication to impacted users, or users for whom training was mandatory was limited. This communication approach was not as effective as intended since many stakeholders interviewed felt they were given little warning of the process change and delays in the project. The audit team did note that there were briefing to the various tables and committees within the Department as part of a limited change management approach.

PCH has created a network of change agents throughout the organization to assist in the management and implementation of changes and overall organizational effectiveness and improvement. This network was engaged at various points in the implementation of this application to provide advice and assist in communication and overall employee and management engagement of this change.

The audit team found evidence to suggest that a formal change management strategy was developed and in place related to the DAA implementation, but plans for that change management and overall stakeholder engagement were not created or executed, resulting in a need for a more robust and better documented approach to change management and stakeholder engagement. This approach was a factor in the lack of understanding of the solution’s impact and use, and an overall negative view of the solution itself from those stakeholders interviewed.

Recommendation:

2. The Chief Financial Officer should enhance change management practices, such as the development, application and updating of change management and stakeholder engagement plans, and increase active communications.

Mapping of Business and Technical Requirements

As a normal part of an application implementation, both business and technical requirements are mapped to ensure that there is alignment between the business processes and the capabilities of the technology. This mapping exercise was of importance as part of the DAA implementation as the module itself was taken directly from another department and implemented at PCH where business processes and technical requirements differ between the organizations.

The audit team found the business and technical requirements of the DAA solution were not analyzed in a timely manner as the analysis was conducted after the project was started.  The other government department’s DAA solution is designed for a single legal entity environment, while PCH is more complex with a multi-legal entity environment. Further, PCH has business process complexities and operational differences which made direct implementation of the solution impossible, specifically on how program costs are managed. Extensive customization was required for the solution to work for PCH, which required relying on the other government department’s technical team to execute as they had the rights to make actual code changes. It would be expected that at least some of these business and technical issues would be discovered during the project scoping phase via a gap analysis, instead of after project launch. This resulted in unexpected delays and technical implementation issues throughout the project.

The audit team found the project did not engage the relevant user and stakeholder groups in the design during the scoping phase of the project regarding business requirements.  Engagement did occur during implementation and development of the support structure for the application. The audit team noted that when the application was moved from development to production environment, a mismatch of business and technical requirements occurred resulting in project delays. However, once the PCH technical team was engaged in the project, they identified and addressed critical errors prior to installation in production. This demonstrates PCH technical expertise in SAP and the ability to gather and manage these requirements.

Recommendation:

3. The Chief Financial Officer should ensure early engagement of stakeholders to properly scope the project and develop business and technical requirements for the tool, including I2P and P2P.

Scalability of the Project for I2P and P2P

The DAA is the first phase of a three-phased procure to pay automation and implementation project culminating in the deployment of P2P.  As DAA is a direct pre-cursor for both modules to work, it is important that any specific components that were implemented are scalable to these future modules and do not prevent key functionalities from working as intended.

From a technical perspective, PCH is well positioned to scale to I2P and P2P as the current technical set-up is aligned with most I2P and P2P requirements. The implementation of these two modules should not be impacted by the current DAA set-up as long as the versions of I2P and P2P have been adjusted to work within a multi-legal entity environment and have been aligned to the unique business and technical requirements of the Department.

The audit team found the other government department’s technical documentation provides extensive, useful details on the technical set-up of their current DAA set-up, including table structures and migration paths.

User Access in the Application

Key controls related to user access are tested to validate that an application is functioning effectively, efficiently and as intended, and the existing set-up does not eliminate key segregation of duties. During the audit work, testing found that the technical teams had critically analyzed the specific impact of the new system functionalities, and had a strong knowledge of how delegation effected user access. The technical team was aware of the roles and privileges assigned to all users, demonstrating an in-depth knowledge of the solution set-up.

The practice at PCH is that when delegating “acting” access, the “actor” is granted all SAP roles and responsibilities associated with the delegator. This means that they have access and authority to all actions that the delegator had privileges to perform within SAP itself.

Accuracy of Human Resource Data in PeopleSoft

The audit work included a review of the human resource data that is duplicated between PeopleSoft, SAP, and actual human resourcing processes, to validate that the employee data (which drives the DAA solution) is accurate and timely. The review found that while the HR data is loaded daily into the DAA, at any point in time the PeopleSoft data is not up to date. There are a number reasons for this lag, all of which are outside the scope of this audit.  These include, but are not limited to, the well-known issues with the Government of Canada pay system and the staffing processes currently in use. As a result, HR resources utilize a work around method, via the use of an excel spreadsheet, to ensure critical HR processes can still function, but this does not always include updating the data in the system required for the DAA. This work around process, while being a stop gap measure, leaves room for human error, relies heavily on non-standardized knowledge and processes, and generally increases the risk of errors and inconsistent data. The current impact of the HR data lag is that users will not have access to DAA in a timely manner, which may not align with the business realities (i.e. a manager who needs to delegate authority but is unable to due to the user not being added to the system).