Offender Management System Modernization Phase 2

List of acronyms

ACCOP: Assistant Commissioner, Correctional Operations and Programs
CIO: Chief Information Officer
CSC: Correctional Service Canada
FY: Fiscal Year
HR: Human Resources
IMIT TCOM: Information Management/Information Technology Transformation Committee
IMS: Information Management Services
IT: Information Technology
MAP: Management Action Plan
OMS-M: Offender Management System Modernization
PM: Project Management
PMF: Project Management Framework
PSPC: Public Services and Procurement Canada
RFP: Request for Proposals
ROME: Regional Offender Management Engagement
SDLC: System Development Life Cycle
SI: Systems Integrator
TB: Treasury Board
VMO: Value Management Office

© His Majesty the King in Right of Canada, as represented by the Correctional Service of Canada, 2024

Catalogue Number PS84-242/2024E-PDF
ISBN 978-0-660-72786-8

Overall audit objective

The objective of this multi-phased audit approach is to provide assurance that the management control framework in place for the Offender Management System Modernization (OMS‑M) Project ensures successful achievement of its planned outputs and intended outcomes, while completing the project on time, on budget, and in accordance with specifications.

The multi-phased audit approach is broken down into 3 sub-objectives:

  1. Project Governance and Planning
  2. Project Management
  3. System Development Life Cycle (SDLC)

These 3 sub-objectives are further broken down into 15 potential audit areas. A risk assessment is performed at the beginning of each phase to determine which of those 15 areas to focus on for that phase. Phase 1 of the audit was completed in January 2022 and covered 9 areas under all 3 sub-objectives. A follow-up to the recommendations issued for Phase 1 was performed during this Phase 2 audit.

The Appendix contains details on upcoming audit phases.

Phase 2 audit objective

The objective of the second audit phase was to determine whether CSC is adequately prepared to complete the planning and procurement phase of the OMS‑M initiative, including the alignment of supporting activities to enable key decisions on the scope, approach, and design of the solution. In addition, the audit included a follow-up on the recommendations from the Audit of OMS‑M Phase 1 to evaluate completion of actions and residual risk.

Phase 2 of the audit focused on the following areas

Scope | Areas of focus

Procurement
  • Systems Integrator (SI) procurement
  • Solution procurement
  • Prototyping phase/vendor management
  • Value Management Office (VMO) procurement

Planning
  • Treasury Board submission development
  • Alignment of Data Foundations project to OMS‑M
  • Data readiness for OMS‑M planning and development phase

Business requirements
  • Project scope/business requirements
  • Build vs buy decision

Phase 2 audit conclusion

The OMS‑M project recently completed numerous procurement and project milestones to receive Treasury Board (TB) approval in June 2023 for expenditure authority going forward. This approval mitigates many high risks which existed for the project throughout 2022 to 2023. The establishment of a dedicated OMS‑M Steering Committee in 2022 has also strengthened governance, reporting, risk management, and visibility of dependencies. The OMS‑M project is now expected to be completed in 2027 to 2028 at a cost of [redacted].

The audit team determined that CSC has successfully achieved the objectives of this audit phase and has effectively completed the planned actions in response to the previous audit phase, resulting in the resolution of most risks associated with those recommendations. However, there are still risks that need to be addressed as the project progresses, particularly in the areas of human resources (HR) and organizational structure, data strategy, schedule, and alignment of development methodologies among the different parties involved. It is important to note that no major deficiencies were found considering the current stage of the project.

This audit phase only partially covered organizational change management given the higher priority planning and procurement activities in flight during the time of the audit. Considering the importance of change management for large initiatives such as OMS‑M, future audit phases will cover the area in greater depth.

While dependencies between the Data Foundations project and the OMS‑M project are being managed and reported to the OMS‑M Steering Committee, there are still broader residual risks pertaining to the project’s data migration planning and alignment to the organization’s overall data strategy. The Data Foundations project is focused on developing interfaces to link data across systems, whereas broader efforts are required to clarify data governance, cleanse data, and develop a plan to prepare the organization’s data for use in the OMS‑M solution being developed.

Summary of conclusions by criteria

Project governance and planning
Audit criteria | Result | Description of results by criteria
1a) Governance | Met | Phase 1 Follow-up: CSC has stood up an OMS‑M Steering Committee which meets regularly to review project status and risks. Governance for the upcoming delivery phase between internal and external parties is still in development.
1c) Planning | Met | CSC has completed key project milestones and received TB approval to unlock expenditure authority for the upcoming design phase. Additional work needed to define supporting overall data plan.

Project management
Audit criteria | Result | Description of results by criteria
2a) PM Processes | Partially met | Phase 1 Follow-up: CSC is continuing to define the development methodology and project management approach for upcoming project phases and align vendor methodology with gating requirements.
2b) Project Human Resources | Partially met | Phase 1 Follow-up: CSC has mitigated the risk of budget constraints for staffing due to TB submission delays, but risks remain in the short and medium term to recruit and onboard adequate staff in a timely manner. Work to finalize the organizational chart between the OMS‑M team and IMS is ongoing. An OMS‑M project team is in place; however, there has been turnover in senior project leadership in 2023.
2c) Risks and Issues Management | Met | Phase 1 Follow-up: Risks are regularly reported to the OMS‑M Steering Committee and documented in committee presentations.
2d) Procurement | Met | CSC completed an agile procurement process for a solution vendor through a successful prototyping phase. Only 1 solution vendor qualified. CSC has designed an agile contracting approach which supports the project’s phased development approach. A procurement process is underway for a System Integrator (SI). Timelines for the SI procurement are on track and aligned with the project schedule to onboard the SI in fall 2023.

System Development Lifecycle
Audit criteria | Result | Description of results by criteria
3a) Business Requirements | Met | CSC has opted for an ambitious high modernization option for OMS‑M transformation, and to leverage vendor solution capabilities for most business capabilities. The full scope of organizational business process transformation to support this option is yet to be defined and planned and will be conducted during upcoming project phases. Additional work is required to define the IT infrastructure to support the desired end state.

Phase 2 audit recommendations

Project governance and planning
Audit objective Recommendations
1. To provide assurance that CSC has implemented an effective project governance framework that includes accountability, roles, responsibilities, change management, strategic planning, alignment with interdependent projects (such as, Data Foundation Project), and performance measurement.

1. The OMS‑M project sponsor should ensure adequate governance committees and working groups with IMS staff, management, and continued engagement by operational staff.

2. CSC should develop a data plan to support OMS‑M design and development and ensure it is aligned with the department’s overall enterprise data strategy.

3. The OMS‑M steering committee should receive regular reporting on the progress and dependencies of the department’s overall data strategy.

Project management
Audit objective Recommendations
2. To provide assurance that CSC has implemented effective project management practices that includes project management monitoring and reporting (such as, scope, time, budget, and quality management), project human resources, risks and issues management, and procurement management.

4. The OMS‑M project team should update the project gating plan, and clarify the System Development Life Cycle (SDLC) and project artefacts required for each gate.

5. The OMS‑M project team should work with IMS to finalize the organizational chart, roles and responsibilities, and Human Resources (HR) strategy.

System Development Lifecycle
Audit objective Recommendations
3. To provide assurance that CSC has implemented effective system development lifecycle methodology that includes business requirements, design, development, testing, implementation and rollout, transition to operations, and security/privacy/internal controls.

6. IMS should articulate the cloud infrastructure and support requirements needed to support OMS‑M and ensure alignment of OMS‑M cloud infrastructure and support requirements to the department’s Cloud Strategy.

Follow-up from phase 1 recommendations

Project governance and planning
Recommendations | MAP status | Results | Residual risk
1. Meetings dedicated to OMS‑M should be implemented so that issues and risks that need executive input can get the attention needed. | Complete | CSC set up a dedicated OMS‑M steering committee in January 2022 which includes senior management. The committee meets monthly and has received regular status reporting on the project. | Low
2. Provide an information session to committee members highlighting the lessons learned from other similar transformation initiatives across government. | Complete | Steering committee members were provided with an information session in spring 2022 on lessons learned from other transformational projects such as the implementation of the Phoenix Pay System. | Low
3. CSC should ensure that the OMS‑M governance structure has clear visibility of OMS‑M dependencies on other projects and related risks and issues. | Complete | The steering committee has been provided with regular reporting on the dependency to the Data Foundations project. Due to delays in the OMS‑M project, the timelines of the 2 projects are better aligned and the risks of the dependency are considered low. Risks related to the project’s data plan and alignment to the dept’s overall enterprise data strategy are not directly tied to the Data Foundations project. | Moderate

Project management
Recommendations | MAP status | Results | Residual risk
4. CSC should review its Project Management Framework (PMF) to ensure it is flexible and aligned with agile development practices if those practices are to be adopted by OMS‑M. This activity should be completed prior to the development and execution phase of the project. | Complete | CSC conducted a review and decided that no changes were required to the departmental PMF. CSC has opted for a primarily waterfall approach to the project delivered through 3 phases for different modules/capabilities. The solution vendor has provided its proposed deliverables. The OMS‑M team is still working to define what project management and SDLC deliverables will be required for Gate 3. The methodology of the SI is to be defined once onboarded. | Moderate
5. CSC should evaluate its ability to meet its staffing needs within the existing budget in the event of minor to moderate additional delays in the project schedule; and given the activities of the team are expected to intensify in 2022, preparatory steps should be taken to avoid a staffing crunch during the critical phases of the procurement leading up to Gate 3 and the selection of a preferred vendor. | Complete | The OMS‑M project team completed the project activities to receive approval from TB for additional expenditure authorities in June 2023. To support the next phase of the project CSC aims to staff over 70 new resources on OMS‑M activities in 2023. The OMS‑M project team developed an HR strategy to support staffing, but there is a reasonable chance of delays in staff onboarding. Discussions have been ongoing between the OMS‑M team and the Information Management Services (IMS) branch on the organizational chart of these resources, and the organizational chart is yet to be finalized. | Moderate
6. Reporting of significant risks and issues should be a regular standing item to governance committees, with mitigation options presented for discussion and approval purposes. | Complete | Risks and issues are reported monthly to the steering committee, and in greater depth on a quarterly basis. | Low
7. CSC should consult with Public Services and Procurement Canada (PSPC) in the development of its procurement plan and ensure that there is alignment between the procurement plans of both departments before the CSC plan is submitted for approval by Information Management/Information Technology Transformation Committee (IMIT TCOM). | Complete | CSC developed a System Integrator (SI) procurement plan and presented the procurement approach to the OMS‑M steering committee. There is regular operational coordination between the CSC OMS‑M team and PSPC on the SI procurement approach and timeline. CSC has opted not to pursue a Value Management Office (VMO) procurement. | Low

Findings: governance

1.1 Criterion: Effective and adequate governance structures are in place to provide oversight of the project

Strengths noted

Risks, challenges and opportunities for improvement

Impact

Failure to ensure adequate inclusion of IMS in OMS‑M project governance could lead to misalignment in departmental digital and investment plan to optimally support the OMS‑M vision and may impact the success of system integration.

Recommendation

1. The OMS‑M project sponsor should ensure adequate governance committees and working groups with IMS staff, management, and continued engagement by regional and operational staff.

Findings: planning

1.3 Criterion: Project planning is well aligned with CSC’s strategic priorities and provides adequate alignment with interdependent projects (such as, Data Foundation Project)

Strengths noted

Risks, challenges and opportunities for improvement

The project’s data planning and alignment to the department’s overall data strategy remains a risk area. A dedicated IMS team was stood up in fall 2022 to work on the department’s data strategy and support the OMS‑M project’s data requirements. Work remains to define the data requirements needed for the OMS‑M solution and organize data cleanup activities. [redacted] Overall data governance in the organization is a risk to be managed as the OMS‑M project moves forward.

Impact

Failure to develop a comprehensive data plan in alignment with the department’s data strategy could impede the design and development of the solution. Failure to adequately consolidate and cleanse data could impede the implementation and rollout of the designed solution.

Recommendations

2. CSC should develop a data plan to support OMS‑M design and development and ensure it is aligned with the department’s overall enterprise data strategy.

3. The OMS‑M steering committee should receive regular reporting on the progress and dependencies of the department’s overall data strategy.

Findings: project management processes

2.1 Criterion: Adequate processes are in place to manage the project schedule, scope, budget, and quality of the project

Strengths noted

Risks, challenges and opportunities for improvement

Impact

Without a clear gating strategy, senior management will lack clarity on the control and oversight of the project at key junctures prior to the deployment of business capabilities and may lack information to make informed decisions in a timely manner.

Recommendation

4. The OMS‑M project team should update the project gating plan and clarify [redacted].

Findings: project human resources

2.2 Criterion: Adequate HR management practices have been planned and implemented for the project

Strengths noted

Risks, challenges and opportunities for improvement

Impact

Failure to efficiently recruit, onboard, and retain staff to the project could lead to project schedule delays.

Recommendation

5. The OMS‑M project team should work with IMS to finalize the organizational chart, roles and responsibilities, and Human Resources (HR) strategy.

Findings: risks and issues

2.3 Criterion: A risk and issues management process has been implemented to appropriately monitor and report on project risks and issues in a timely manner

Strengths noted

Risks, challenges and opportunities for improvement

No significant gaps or concerns were noted in this area.

Impact

Insufficient reporting and action to address risks could impede project success.

Recommendation

None

Findings: procurement

2.4 Criterion: Adequate procurement vehicles are available in a timely manner to support the project

Strengths noted

Risks, challenges and opportunities for improvement

Impact

Failure to execute supporting procurement activities will impact the project schedule.

Recommendation

None.

Findings: business requirements

3.1 Criterion: Business requirements have been formally documented, prioritized, and approved for the project, and processes are in place throughout the project

Strengths noted

Risks, challenges and opportunities for improvement

Impact

Failure to adequately plan and manage supporting IT infrastructure activities increases the risk of unplanned project costs and could lead to implementation delays.

Recommendation

6. IMS should articulate the cloud infrastructure and support requirements needed to support OMS‑M and ensure alignment of OMS‑M cloud infrastructure and support requirements to the department’s Cloud Strategy.

Management response to recommendations

Management has accepted the recommendations, and a management action plan has been created in response to the recommendations.

Appendices

Appendix A: OMS‑M project schedule

OMS‑M project schedule of activities by fiscal year

This image depicts the schedule of major OMS‑M project deliverables by fiscal year.

  1. First line
    1. Gap Analysis occurs in FY 2023 to 2024
    2. Case Management Capabilities Design occurs late FY 2023 to 2024 to late FY 2024 to 2025
    3. Test occurs in late FY 2024 to 2025 and early FY 2025 to 2026
    4. Rollout occurs mid FY 2025 to 2026
    5. Stabilize occurs mid to late FY 2025 to 2026
  2. Second line
    1. Data Mapping, Integration Analysis and Design occurs in FY 2023 to 2024 to late FY 2024 to 2025
    2. Data Migration and Integration Build occurs in mid to late FY 2024 to 2025
  3. Third line
    1. Gap analysis occurs in FY 2023 to 2024
    2. Security capabilities occurs in late FY 2023 to 2024 to late FY 2025 to 2026
    3. Test occurs in late FY 2025 to 2026 to early FY 2026 to 2027
    4. Rollout occurs in mid FY 2026 to 2027
    5. Stabilize occurs in late FY 2026 to 2027 to early FY 2027 to 2028
  4. Fourth line
    1. Gap analysis occurs in FY 2023 to 2024
    2. Sentence management: automated sentence calculation occurs late FY 2023 to 2024 to mid FY 2026 to 2027
    3. Test occurs late FY 2026 to 2027 to early FY 2027 to 2028
    4. Rollout occurs mid FY 2027 to 2028
    5. Stabilize and transition occurs late FY 2027 to 2028
  5. Fifth line
    1. Foundational, Technical and Reporting Capability occurs FY 2023 to 2024 to FY 2027 to 2028
  6. Sixth line
    1. Ongoing Engagement, Communication and Training occurs FY 2023 to 2024 to FY 2027 to 2028

Appendix B: Audit phases and scope

In 2023 CSC modified the OMS‑M project plan to a phased approach based on iteratively developing and deploying business capabilities, starting with Case Management.

The audit approach aims to provide independent assurance throughout the lifecycle of the project. To account for the updated project plan, 4 subsequent audit phases are proposed – each spaced approximately 1 year apart and aligning with the remaining 3 project phases of the OMS‑M initiative. A Samson risk assessment will take place prior to each phase to confirm timing and scope. Each audit phase will be timed before a key decision point/phase in the project.

Annual timeline of OMS‑M project milestones and audit phases

This image depicts the audit phase timelines and estimated approximate timing of OMS‑M project milestones by year.

2022

  1. Phase 1 audit completed early 2022
  2. RFP awarded to Abilis Solutions late 2022

2023

  1. Phase 2 audit completed mid 2023
  2. TB submission approved mid 2023
  3. SI contract award, Development phase begins late 2023

2024

  1. Gap analysis and solution design early 2024
  2. Phase 3 audit phase mid to late 2024

2025

  1. Case management development and testing early 2025
  2. Phase 4 audit phase mid 2025

2026

  1. Case management implementation early 2026
  2. Phase 5 audit phase mid 2026
  3. Offender security implementation late 2026

2027

  1. Phase 6 audit phase mid 2027
  2. Automated sentencing implementation late 2027

Audit results and plans by OMS‑M project phase (project governance and project management)

This chart depicts in which phase audit criteria are assessed and results for the completed audits.

  1. Project Governance
    1. Governance
      1. Phase 1: Fall 2021 Partially met
      2. Phase 2: Spring 2023 Met
      3. Phase 3: Summer 2024 In scope for future phase
    2. Organizational Change Management
      1. Phase 1: Fall 2021 Met
      2. Phase 3: Summer 2024 In scope for future phase
      3. Phase 4: Summer 2025 In scope for future phase
      4. Phase 5: Summer 2026 In scope for future phase
      5. Phase 6: Summer 2027 In scope for future phase
    3. Planning
      1. Phase 1: Fall 2021 Partially met
      2. Phase 2: Spring 2023 Met
    4. Performance Measurement
      1. Phase 1: Fall 2021 Met
      2. Phase 5: Summer 2026 In scope for future phase
      3. Phase 6: Summer 2027 In scope for future phase
  2. Project Management
    1. Project Management Process
      1. Phase 1: Fall 2021 Partially met
      2. Phase 2: Spring 2023 Partially met
      3. Phase 3: Summer 2024 In scope for future phase
    2. Project Human Resources
      1. Phase 1: Fall 2021 Partially met
      2. Phase 2: Spring 2023 Partially met
      3. Phase 3: Summer 2024 In scope for future phase
      4. Phase 4: Summer 2025 In scope for future phase
    3. Risks and Issues Management
      1. Phase 1: Fall 2021 Partially met
      2. Phase 2: Spring 2023 Met
      3. Phase 4: Summer 2025 In scope for future phase
    4. Procurement
      1. Phase 1: Fall 2021 Partially met
      2. Phase 2: Spring 2023 Met
      3. Phase 3: Summer 2024 In scope for future phase

Audit results and plans by OMS‑M project phase (System Development Lifecycle (SDLC))

This chart depicts in which phase audit criteria are assessed and results for the completed audits.

  1. System Development Lifecycle (SDLC)
    1. Business Requirements
      1. Phase 1: Fall 2021 Met
      2. Phase 2: Spring 2023 Met
      3. Phase 3: Summer 2024 In scope for future phase
    2. Design
      1. Phase 3: Summer 2024 In scope for future phase
      2. Phase 4: Summer 2025 In scope for future phase
    3. Development
      1. Phase 3: Summer 2024 In scope for future phase
      2. Phase 4: Summer 2025 In scope for future phase
      3. Phase 5: Summer 2026 In scope for future phase
      4. Phase 6: Summer 2027 In scope for future phase
    4. Testing
      1. Phase 3: Summer 2024 In scope for future phase
      2. Phase 4: Summer 2025 In scope for future phase
      3. Phase 5: Summer 2026 In scope for future phase
      4. Phase 6: Summer 2027 In scope for future phase
    5. Implementation and rollout
      1. Phase 4: Summer 2025 In scope for future phase
      2. Phase 5: Summer 2026 In scope for future phase
      3. Phase 6: Summer 2027 In scope for future phase
    6. Transition to operations
      1. Phase 4: Summer 2025 In scope for future phase
      2. Phase 5: Summer 2026 In scope for future phase
      3. Phase 6: Summer 2027 In scope for future phase
    7. Security, Privacy, Internal controls
      1. Phase 3: Summer 2024 In scope for future phase
      2. Phase 4: Summer 2025 In scope for future phase
      3. Phase 5: Summer 2026 In scope for future phase
      4. Phase 6: Summer 2027 In scope for future phase
