Audit of the Human Resources Management Information System

Executive summary

The focus of the audit was the PeopleSoft system, which is the primary system of Health Canada and the Public Health Agency of Canada for processing human resources business transactions. The audit objective was to provide assurance that the control framework for PeopleSoft is effective for managing human resources as it relates to staffing, classification and compensation. Sufficient and appropriate procedures were performed and evidence was gathered to support the accuracy of the audit conclusion.

In November of 2011, Health Canada and the Public Health Agency of Canada rolled out the PeopleSoft system. To facilitate the transfer and sharing of costs of the system, they entered into a partnership arrangement with Agriculture and Agri-Food Canada. Overall, there is a well-defined and properly applied governance regime that provides for the review and oversight of stakeholder needs and data quality. To support data quality, there is a Data Integrity Strategy, which includes a data quality control framework.

Roles and responsibilities between Health Canada, the Public Health Agency of Canada and the Agriculture and Agri-Food Canada are well defined in the PeopleSoft Shared Services PartnershipGovernance framework, service agreements, and the PeopleSoft Project Charter. Roles and responsibilities are being effectively carried out. Operational risks related to the use of PeopleSoft are receiving oversight through the PeopleSoft Shared Services Governance Partnership and the Human Resource Senior Management Committee. A formal approach to managing operational risks would ensure that risks could be managed in an effective manner.

Health Canada and the Public Health Agency of Canada have managed most changes well and the introduction of the system has led to improvements in the self-service function, the use of standard business processes and improved management accountability. The anticipated benefit of using Express Lane Staffing, which will process low-risk staffing transactions quickly, has not yet been realized.

The Data Integrity Strategy has produced some positive results by identifying errors in PeopleSoft. Data integrity would be further strengthened with regular error reporting and timely follow-up to ensure that errors are being identified and corrected. Moreover, all manual leave adjustments should be sufficiently explained and verified in PeopleSoft. Risks associated with the protection and the confidentiality of employee information are being addressed. Further attention is required for employee information in the control and custody of the service provider, which should be reflected in the service agreement or an information-sharing agreement.

Management agrees with the seven recommendations and has provided an action plan to improve the management control framework for PeopleSoft to manage human resources at Health Canada and the Public Health Agency of Canada.

A - Introduction

1. Background

In 2006, the Treasury Board Secretariat identified the Government of Canada's Human Resources Management Information System, PeopleSoft, as the system to be used for the management of human resources for all of the federal government. PeopleSoft is a commercial-off-the-shelf system, modified to meet common Government of Canada human resource and legislative requirements, that provides an integrated platform for the management of human resource information.

Currently, many departments and agencies are using different human resources systems and this results in varying departmental processes for human resources transactions. The use of a common human resource business platform will result in the elimination of aging human resources systems and in the standardization of business processes and common data definitions across the Government of Canada (see Appendix C).

The PeopleSoft shared service came into being as a result of an initiative led by the Treasury Board Secretariat - the Human Resources Business Solution Project - which aimed at enabling the clustering of partner departments and agencies to share one operational instance of PeopleSoft. This would mean that departments and agencies would have to eliminate their current human resources systems and replace them with PeopleSoft.

In 2009, Health Canada and the Public Health Agency of Canada made a decision to replace its legacy system - HR Advantage - with PeopleSoft. HR Advantage was no longer a viable option, nor was it supported by the Corporate Services Branch's Information Management Services Directorate. Health Canada and the Public Health Agency of Canada had determined that it would be more cost-effective to participate in a partnership arrangement than for them to host their own instance of PeopleSoft. The cost to implement PeopleSoft for Health Canada and the Public Health Agency of Canada was approximately $6.2 million.

Prior to implementing PeopleSoft, Health Canada and the Public Health Agency of Canada conducted an extensive exercise to address known data integrity issues. In addition, they participated in a pilot study as part of the Human Resources Business Solution Project. In November 2011, PeopleSoft went live with five partner departments and agencies, representing more than 38,000 employees. In June 2012, Shared Services Canada joined the Partnership, adding another 6,000 employees. Agriculture and Agri-Food Canada is the service provider.

Departments within the partnership cluster are currently using the same configuration of PeopleSoft (v8.9) to support their respective human resources business functions. Changes to the common configuration require approval by the majority of departments and agencies within the Partnership to be accepted for adoption. This has resulted in the elimination of customization of PeopleSoft for a single department and the maintenance of a common configuration. The Government of Canada has announced that it will be releasing an updated version of PeopleSoft (v9.1) in 2014-15. Departments and agencies will be required to implement PeopleSoft to manage their human resource business activities by the end of the 2016-17 fiscal year.

The service agreements identify the services to be measured and the level of service to be provided by Agriculture and Agri-Food Canada for the shared common instance of PeopleSoft. Agriculture and Agri-Food Canada provides the functional support services for the PeopleSoft shared service. These services consist of but are not limited to shared service business support, service desk support, back-up and restoration, ad hoc reporting, performance reporting, and system maintenance. In the shared services partnership, the Corporate Services Branch's Human Resources Directorate provides human resources services to both Health Canada and the Public Health Agency of Canada. The cost for Agriculture and Agri-Food Canada to provide PeopleSoft and support services to the Health Canada and the Public Health Agency of Canada is approximately $1.7 million annually. The service agreements came into effect April 1, 2012, and expire on March 31, 2015.

PeopleSoft is Health Canada and the Public Health Agency of Canada's primary tool for supporting the processing of human resource business transactions. These processes include compensation (leave), classification, staffing, staff relations, employment equity and official languages, security and labour relations.

The implementation of PeopleSoft has resulted in the automation of human resources processes that were not previously available in HR Advantage and the Integrated Leave and Attendance Module. These enhancements have in some cases eliminated the need for duplicate entry and manual records without significantly changing some of the human resource business processes. In addition, the use of PeopleSoft in a shared environment promotes collaborative governance and the sharing of information; improved capacity to deliver human resources products and services; more effective fulfilment of legislative and operational human resource business requirements; and reduced operating and maintenance costs to support the human resources system.

The Regional Pay System is the primary source for generating information on salary expenses and benefits, and it updates Health Canada and the Public Health Agency of Canada's financial system - SAP. Compensation advisors input pay and benefit information through the PeopleSoft pay interface, which updates the Regional Pay System. In turn, the Regional Pay System generates a data extract, which is loaded into Health Canada's financial system. There is no direct connection between SAP and PeopleSoft (see Appendix D). Compensation advisors can also update the Regional Pay System, which is managed by Public Works and Government Services Canada, by way of direct access. However, direct input into the Regional Pay System is limited to only a few specific types of pay transactions or to occasions when PeopleSoft is unavailable for use.

2. Audit objective

The audit objective is to provide assurance that the control framework for PeopleSoft is effective for managing human resources as they relate to staffing, classification and compensation.

3. Audit scope

The audit examined the governance and risk management of the PeopleSoft application initiative and, for internal controls, focused on the human resources functional areas supported by PeopleSoft, namely staffing, classification and compensation.

The audit covered the fiscal year 2012-13. Excluded from the audit were the following human resources functional areas: security; employment equity and official languages; labour relations; health and safety; and priority management. Also excluded from the audit were Agriculture and Agri-Food Canada's business and information technology operations that support PeopleSoft.

4. Audit approach

The audit examined the governance, risk management and control practices of the human resource functional areas supported by PeopleSoft against a set of pre-defined audit criteria. The audit approach included a review of documentation, policies, standards, guidelines, and framework and business processes. Interviews were conducted with senior management, managers and human resource officials within the Human Resources Directorate. The audit team conducted audit tests and analysis of PeopleSoft data from the classification, staffing and compensation functional areas. The audit was carried out in the National Capital Region.

The audit criteria, outlined in Appendix A have been drawn from key sources: the PeopleSoft procedural documentation; Health Canada's PeopleSoft Business Case; Information Systems Audit and Control Association - CoBiT; Institute of Internal Auditor's Global Technology Audit Guide; Information Technology Infrastructure Library; Treasury Board Secretariat's Operational Security Standard - Management of Information Technology Security; Policy on Government Security; Directive on Privacy Practices; Directive on Privacy Impact Assessments; and Health Canada's Policy on Electronic Use of Networks.

5. Statement of conformance

In the professional judgment of the Chief Audit Executive, sufficient and appropriate procedures were performed and evidence gathered to support the accuracy of the audit conclusion. The audit findings and conclusion are based on a comparison of the conditions that existed as of the date of the audit, against established criteria that were agreed upon with management. Further, the evidence was gathered in accordance with the Internal Auditing Standards for the Government of Canada and the International Standards for the Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program.

B - Findings, recommendations and management responses

1. Governance

1.1 Oversight

Audit criterion: There is a well-defined and applied governance regime that provides for the review and oversight of stakeholder needs and data quality.

Health Canada and the Public Health Agency of Canada have an established governance structure that provides for senior management oversight of stakeholder needs, data quality and unresolved problems and issues. Oversight is provided by the PeopleSoft Shared Services Partnership Governance framework. This framework supports the Partnership in strategic planning, management and day-to-day operations by ensuring that the needs of all partners are considered in the decision-making process.

Figure 1 - PeopleSoft Shared Service Partnership Governance

Figure 1
Text Equivalent - Figure 1

The PeopleSoft Shared Services Partnership Governance framework consists of the following committees:

The Partnership Steering Committee is a committee at the assistant deputy minister level responsible for providing strategic direction and leadership to the Partnership. This Committee is the final decision-making and dispute resolution level for the Partnership. It also has the authority to approve expenditures for major enhancements. It meets three times per year.

The Partnership Management Committee is a committee at the director general level responsible for managing the Partnership. This Committee is the primary decision-making and dispute resolution level for the Partnership and also has the authority to approve expenditures for major enhancements. It meets three times per year.

The Service Management Committee is a director level committee responsible for ensuring that service meets the operational requirements of the partners. This committee has primary responsibility for assessing enhancement requests, and for prioritizing and approving minor enhancements. It is the first level of resolution for service performance issues and partner disputes. It is also responsible for reviewing the PeopleSoft Shared Service Dashboard. This Committee meets bi-monthly.

The Business Relationship Committee is a manager level committee responsible for managing service performance issues, request priorities and risks. This committee provides input to the annual processes to update governance, service levels and the funding model to develop the annual enhancement/maintenance plan. It meets monthly to discuss options and issue resolutions, review issues, register and review risk and register enhancement requests.

The Business Working Group is a manager level committee consisting of subject matter experts in their respective human resources functional areas. It was formed to investigate and resolve common and/or function-specific issues in the areas of compensation, staffing, classification and labour relations. This group meets as required.

The Service Operation Committee is a manager level committee responsible for managing service performance issues, and reviewing and discussing incidents and service requests. This Committee meets as required.

The PeopleSoft Shared Services Partnership Governance framework consists of the following committees:

The Partnership Steering Committee is a committee at the assistant deputy minister level responsible for providing strategic direction and leadership to the Partnership. This Committee is the final decision-making and dispute resolution level for the Partnership. It also has the authority to approve expenditures for major enhancements. It meets three times per year.

The Partnership Management Committee is a committee at the director general level responsible for managing the Partnership. This Committee is the primary decision-making and dispute resolution level for the Partnership and also has the authority to approve expenditures for major enhancements. It meets three times per year.

The Service Management Committee is a director level committee responsible for ensuring that service meets the operational requirements of the partners. This committee has primary responsibility for assessing enhancement requests, and for prioritizing and approving minor enhancements. It is the first level of resolution for service performance issues and partner disputes. It is also responsible for reviewing the PeopleSoft Shared Service Dashboard. This Committee meets bi-monthly.

The Business Relationship Committee is a manager level committee responsible for managing service performance issues, request priorities and risks. This committee provides input to the annual processes to update governance, service levels and the funding model to develop the annual enhancement/maintenance plan. It meets monthly to discuss options and issue resolutions, review concerns, register and review risk and register enhancement requests.

The Business Working Group is a manager level committee consisting of subject matter experts in their respective human resources functional areas. It was formed to investigate and resolve common and/or function-specific issues in the areas of compensation, staffing, classification and labour relations. This group meets as required.

The Service Operation Committee is a manager level committee responsible for managing service performance issues, and reviewing and discussing incidents and service requests. This Committee meets as required.

From interviews with key human resource staff who are members of the various committees and working groups, along with a review of committee minutes and records of decisions from the Partnership Management Committee, Service Management Committee, Business Relationship Committee and the business working groups, it was noted that Health Canada and the Public Health Agency of Canada have been active participants in the PeopleSoft shared governance regime. Oversight is being provided at all levels of the Partnership governance. From a review of the PeopleSoft problem logs, it was also noted that stakeholder needs and problems, with a few exceptions, are being addressed in a timely manner.

Data governance

Human Resources Senior Management Committee

Health Canada and the Public Health Agency of Canada implemented a PeopleSoft Data Integrity Strategy in September 2012, under the direction of the Human Resources Services Management Committee, to address issues of data quality. The Human Resources Services Management Committee, chaired by the Director General of Human Resources, is responsible for setting the direction of the Data Integrity Forum (described further below), receiving and assessing the results of the data integrity dashboard, influencing the human resource community and approving human resource process changes.

The purpose of the PeopleSoft Data Integrity Strategy is to address the following:

  • to identify PeopleSoft data quality issues;
  • to identify roles, responsibilities and accountabilities of stakeholders involved in the PeopleSoft data life cycle; and
  • to establish methodologies for measuring errors and an action plan to implement activities for permanently maintaining a high level of data quality in PeopleSoft.

A data quality control framework has been established to address data quality issues. Within this framework, five distinct groups have been identified:

Data Integrity Forum

The Data Integrity Forum consists of representatives from all human resources disciplines, along with the Human Resource Reports Team, the Human Resource Systems Team and the PeopleSoft Project Team. It has been set up to identify issues that relate to data integrity, confirm data ownership and identify the action items for each stakeholder.

Figure 2 - Data Quality Governance

Figure 2
Text Equivalent - Figure 2

Human Resources Senior Management Committee

Health Canada and the Public Health Agency of Canada implemented a PeopleSoft Data Integrity Strategy in September 2012, under the direction of the Human Resources Services Management Committee, to address issues of data quality. The Human Resources Services Management Committee, chaired by the Director General of Human Resources, is responsible for setting the direction of the Data Integrity Forum (described further below), receiving and assessing the results of the data integrity dashboard, influencing the human resource community and approving human resource process changes.

Data Integrity Forum

The Data Integrity Forum consists of representatives from all human resources disciplines, along with the Human Resource Reports Team, the Human Resource Systems Team and the PeopleSoft Project Team. It has been set up to identify issues that relate to data integrity, confirm data ownership and identify the action items for each stakeholder.

Data owners/Business owners

The data owners are represented by the human resources functional areas (staffing, classification, compensation, security and labour relations) and are responsible for creating data and maintaining data quality. They ensure that data are input correctly into PeopleSoft. They receive and analyze data quality error reports, confirm ownership and accountability, and validate business rules and corrections. Data owners are responsible for correcting data errors and for ongoing monitoring of the data.

Data stewards

Data stewards, under the direction of the Director of Human Resources Planning, Analysis and Systems, produce data quality reports. Data is analyzed to ensure that processes and system rules are validated. Once the errors have been validated, the error reports are distributed to the data owners. Data stewards are also responsible for following up with data owners about actions and decisions taken to correct the errors.

PeopleSoft users

The PeopleSoft users are employees, contractors, consultants, temporary help or third parties with whom special arrangements have been made to grant access to PeopleSoft. This class of user has been granted explicit authorization to access, edit, modify, delete, use and view information by the data owner. The data owners must authorize access. The data stewards monitor access controls on behalf of the data owners.

Data owners/Business owners

The data owners are represented by the human resources functional areas (staffing, classification, compensation, security and labour relations) and are responsible for creating data and maintaining data quality. They ensure that data are input correctly into PeopleSoft. They receive and analyze data quality error reports, confirm ownership and accountability, and validate business rules and corrections. Data owners are responsible for correcting data errors and for ongoing monitoring of the data.

Data stewards

Data stewards, under the direction of the Director of Human Resources Planning, Analysis and Systems, produce data quality reports. Data is analyzed to ensure that processes and system rules are validated. Once the errors have been validated, the error reports are distributed to the data owners. Data stewards are also responsible for following up with data owners about actions and decisions taken to correct the errors.

PeopleSoft users

The PeopleSoft users are employees, contractors, consultants, temporary help or third parties with whom special arrangements have been made to grant access to PeopleSoft. This class of user has been granted explicit authorization to access, edit, modify, delete, use and view information by the data owner. The data owners must authorize access. The data stewards monitor access controls on behalf of the data owners.

Overall, there is a well-defined and applied governance regime that provides for review and oversight of stakeholders' needs and data quality.

1.2 Roles and responsibilities

Audit criterion: Roles and responsibilities are defined, communicated and carried out in support of the system used to manage human resource business processes.

Roles and responsibilities for managing PeopleSoft within Health Canada and the Public Health Agency of Canada are defined in three documents: the PeopleSoft Project Charter, the PeopleSoft Shared Services Partnership Governance framework and service agreements.

Within Health Canada and the Public Health Agency of Canada, the responsibility to support PeopleSoft and the business owners who use the system lies with the Director of Human Resource Planning, Analysis and Systems. The PeopleSoft Systems Team, which is currently supported by four system officers, provides systems support to all human resource functional areas in Health Canada and the Public Health Agency of Canada. The team's duties consist of troubleshooting technical systems, providing guidance to end-users and providing user access to PeopleSoft. They also play an important role in the Data Integrity Strategy by providing system knowledge to the Data Analysis Team.

Additional roles and responsibilities between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada are further defined in service agreements. The purpose of the service agreements is to set out the terms and conditions between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada. The service agreements do not constitute a legal contract; rather, they are administrative agreements between departments. They do not alter the existing authority and accountability to execute its various roles and responsibilities in managing human resource activities. They do, however, add a shared responsibility to make the Partnership work successfully for all within it (see Audit Criterion 1.1 above).

In conclusion, roles and responsibilities between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada are well defined, communicated and carried out in support of PeopleSoft.

2. Risk management

2.1 Management of operational risks

Audit criterion: Risks associated with the use of PeopleSoft are effectively managed.

The Assistant Deputy Minister, Corporate Services Branch, and his senior members of their branch executive committees ensure that there is a clearly defined governance structure to addresses risk issues across strategic, program and project levels. On the basis of interviews with key human resource executives and managers and a review of documentation, the following risks associated with the use of PeopleSoft in Health Canada and the Public Health Agency of Canada were identified:

  • the inability to customize the standard PeopleSoft configuration as a result of restrictions placed on Health Canada and the Public Health Agency of Canada as members of the cluster and by the Treasury Board Secretariat;
  • human resource staff resistance to change in new business practices associated with the use of PeopleSoft;
  • a shortage of skilled resources in PeopleSoft within Health Canada and the Public Health Agency of Canada;
  • data integrity; and
  • the protection and safeguarding of employee information.

These risks are receiving oversight on two fronts: through the PeopleSoft Shared Services Governance Partnership and the Human Resource Services Management Committee (consisting of departmental senior executives). Health Canada and the Public Health Agency of Canada, in collaboration with their partners, have been able to manage the inability to customize PeopleSoft by developing solutions and workarounds to address human resource functional and reporting requirements. It should be noted that the Chief Human Resource Officer, Treasury Board Secretariat, has recently requested departments and agencies to not make changes to the standard configuration of PeopleSoft.

With any major change, there is the inherent risk of resistance to change. The Directorate has managed this risk by ensuring that human resources staff using PeopleSoft for the most part are trained, as well as by promoting the benefits of its use.

Health Canada and the Public Health Agency of Canada had identified in original project scoping documentation that there would be a shortage of PeopleSoft skills in-house if they were to host their own instance of PeopleSoft. To address this risk Health Canada and the Public Health Agency of Canada have been able to take advantage of the pre-existing knowledge of PeopleSoft of other members within the human resources cluster.

Data integrity risk is being managed by the Data Integrity Strategy, which has been previously discussed for Audit Criterion 1.1 and is further discussed for Audit Criterion 3.3. To date, there has been only one meeting of the Data Integrity Forum. No minutes from the meeting were taken, so it is difficult to determine the nature of the discussions that took place. Analysis of the data is being conducted by the data stewards, and the findings are being presented to Human Resource Services Management Committee for review. In addition, data stewards have been working with the data owners to address issues concerning data integrity.

It was noted that no risk register is being used by either the PeopleSoft Shared Services Governance Partnership or Human Resource Services Management Committee. A threat and Risk Assessment was prepared by Health Canada in September 2011 for PeopleSoft. The threat and risk assessment, which was approved by both Health Canada and the Public Health Agency of Canada's senior management. It indicated potential risks to the security of employee information. Only recently have these risks received attention by the PeopleSoft Shared Services Partnership Governance. This is explained further for Audit Criterion 3.4.

The audit concluded that operational risks related to PeopleSoft are being managed informally. A formal approach to managing operational risks would ensure that risks are managed in an effective manner.

Recommendation 1

It is recommended that the Assistant Deputy Minister, Corporate Services Branch (Shared Services Partnership) develop a formal approach, including the use of a risk register, to managing the operational risks of using PeopleSoft, in order to identify, assess and mitigate risks.

Management response

Management agrees with the recommendation.

PeopleSoft partners will be informed of the requirement for Health Canada and the Public Health Agency of Canada to establish a risk register. A risk register will be developed and approved by the Assistant Deputy Minister of the Corporate Services Branch and shared with PeopleSoft partners.

The Human Resources Services Management Committee will review the risk register on a quarterly basis, thereby ensuring that risks are being managed.

3. Internal controls

3.1 Management of change

Audit criterion: Health Canada and the Public Health Agency of Canada have effectively managed the changes required to maximize the benefits of PeopleSoft for the classification, staffing and compensation functions.

In general, the drivers for change are activities, pressures or events that influence the strategic direction within an organization. In 2009, Health Canada and the Public Health Agency of Canada recognized the need to move from its legacy system (HR Advantage) to PeopleSoft. The HR Advantage system could no longer provide the business functionality required to manage human resource business transactions. In addition, there was a government-wide requirement for departments and agencies to use PeopleSoft. Health Canada and the Public Health Agency of Canada had determined that it would be more cost-effective to participate in a partnership arrangement than for them to host their own instance of PeopleSoft.

The expected benefits of using PeopleSoft were many, such as streamlining business processes, improving client service, achieving greater efficiency, improving the staffing process and management accountability, and improving the capacity to deliver human resource products and services. A detailed list of anticipated benefits is provided in Appendix E. In order to realize the full potential of the application, the Corporate Services Branch developed strategies for the transition of both organizations to a new way of doing human resource business, such as the Change Management Strategy (2011), the Communications Strategy (2010), the Fit-Gap Analysis (2010) and a detailed implementation plan. Each of these was designed with the intent to maximize the benefits of PeopleSoft.

The audit examined the staffing, classification and compensation functions to determine how change was managed to maximize the benefits of using PeopleSoft.

Staffing

Staffing actions are processed mainly by using the Workforce Administration Module in PeopleSoft. This module manages personal, job and employment-related information about employees, as well as the management of assignment-related information, acting assignments and appointments.

A significant change associated with the implementation of PeopleSoft has been the addition of the Recruitment Module. At the time of the audit, this module has been partially implemented; its full rollout is anticipated by November 2013. New functionality has been introduced, such as Express Lane Staffing actions that allow managers to initiate a staffing request directly into PeopleSoft (Express Lane Staffing self-service). Express Lane Staffing was rolled out at the time PeopleSoft was implemented. Managers are able to quickly process low-risk staffing transactions, such as assignments, casuals, non-advertised deployments, secondments, and term extensions. In addition, administrative officers can access functionality on behalf of managers. Express Lane Staffing has been offered to all branches in the National Capital Region, but only a few are using this functionality. No training has been provided to managers outside of human resources in using Express Lane Staffing. Some managers have also indicated to their human resources advisors that they find Express Lane Staffing to be very complicated. Lastly, it was noted that cost centre managers were advised in August 2013 that a staffing action request, with approval by the branch senior financial officers, is now required for processing a staffing action using Express Lane Staffing for Health Canada. On the other hand, for the Public Health Agency of Canada a separate financial approval by financial officers of the Office of the Chief Financial Officer is not required for all staffing action requests.

In conclusion, Health Canada and the Public Health Agency of Canada have not yet achieved the anticipated benefit of using Express Lane Staffing.

Classification

Classification work is accomplished using mainly the Position Management Module in PeopleSoft. The module is used to create and manage work descriptions, classification decisions and associated positions, including language requirements. Also, it is used to manage designation/exclusion information related to positions.

The implementation of PeopleSoft does not represent a significant change in how business transactions are being processed. The classification action request form is being used for input to create the expanded position action request report. Currently, PeopleSoft does not provide for digital signatures, and therefore a hard copy of the classification action request is still required as part of the input process.

Compensation

The most notable improvement in PeopleSoft services has been seen in the self-service functions, namely the self-service leave and personal information updates, which have reduced service requests and integrated process functions to one system.

Compensation work is accomplished using mainly the Workforce Administration and Pay Interface modules in PeopleSoft. The implementation of the PeopleSoft Pay Interface represents a significant change in the way compensation advisors process pay-related data. Pay data is no longer entered into the Regional Pay System; rather, it is directly entered into the PeopleSoft Pay Interface. Pay transactions must follow the process flow, which includes peer verification, before they can be processed by the PeopleSoft Pay Interface. There is an additional layer of security for access to the PeopleSoft Pay Interface that is provided only to compensation advisors. Internal controls have been strengthened in this regard. It was noted during the course of the audit that not all pay-related transactions were processed in the same manner (that is to say that workforce adjustment and overtime were also being processed in the Regional Pay System). The latter transactions may need to be re-entered into the PeopleSoft Pay Interface, resulting in a duplication of efforts. There was no clear direction coming from human resources management regarding instances of when the Regional Pay System was permitted to be used.

It should be noted that the Compensation Unit will commence transferring pay and benefit-related information to Public Works and Government Services Canada as part of the Government of Canada's Pay Modernization Initiative, starting in November 2013. Under this Initiative all pay and benefit-related activities will be managed centrally by Public Works and Government Services Canada.

In conclusion, Health Canada and the Public Health Agency of Canada have managed most changes well and have benefited from the changes. It has not yet realized, however, the anticipated benefit of using Express Lane Staffing. Additional guidance to compensation advisors is required regarding the use of the PeopleSoft Pay Interface and the Regional Pay System.

Recommendation 2

It is recommended that the Assistant Deputy Minister, Corporate Services Branch (Shared Services Partnership), in collaboration with the Director General, Financial Operations Directorate (Shared Services Partnership), ensure that Express Lane Staffing be reviewed in order to determine how to maximize its use.

Management response

Management agrees with the recommendation.

Management will seek endorsement of Express Lane Staffing by Partnership Executive Committee in October 2013 on the understanding that appropriate compensatory full-time equivalent/salary controls will be identified.

Recommendation 3

It is recommended that the Assistant Deputy Minister, Corporate Services Branch, (Shared Services Partnership) ensure that guidance is provided to compensation advisors concerning the use of the PeopleSoft Pay Interface and the Regional Pay System.

Management response

Management agrees with the recommendation.

The Compensation Unit will update and distribute enhanced standard operating procedures for the PeopleSoft pay interface and the Regional Pay System to all compensation advisors.

3.2 Standardization of business processes

Audit criterion: The implementation of PeopleSoft has led to the standardization of business processes for the classification, staffing and compensation functions.

As part of the Government of Canada's Human Resources HR Modernization Initiative, the Office of the Chief Human Resources Officer was mandated to coordinate and design enterprise-wide alignment of human resource business processes for more effective and efficient departmental operations (see Appendix C). To achieve the aims of the Initiative and promulgate the adoption and use of common human resource business practices and processes, Health Canada and the Public Health Agency of Canada developed a business case for PeopleSoft (Sept. 2009) with the purpose of replacing the aging HR Advantage legacy system. The business case objective was to adopt a human resources system that met evolving business needs and could be aligned with the Government of Canada's strategic direction by providing a wide range of electronic services and taking full advantage of technical solutions, such as a fully integrated learning management system, enhanced reporting and an end-to-end business model. This would provide enhanced service to clients, improved data integrity and uniform processes for Health Canada and the Public Health Agency of Canada. The current PeopleSoft configuration (v8.9) and its accompanying business processes have been recognized by the Office of the Chief Human Resources Office, Treasury Board Secretariat of Canada, as the Government of Canada standard for processing human resources business transactions.

PeopleSoft is designed to ensure that there is a systematic approach to processing human resource business transactions. To complete a human resource business transaction in PeopleSoft, all previous steps must be completed before the process can advance to the next step. The entry of transactions and data must follow the integrated business process flow. It was noted from a review of hard copy files that the human resources process is still very much a paper-based process. Human resource information from paper-based forms, such as the classification action request and staffing action request, that are used for input into PeopleSoft, requires verification and approval before the information is entered into the system. PeopleSoft does not provide digital signatures. Therefore, a paper-based form must still be relied on for input into PeopleSoft.

The audit team reviewed business process documentation and hard copy files from the staffing, classification and compensation functions. The following observations were made below.

Staffing

The audit team reviewed internal advertised/collective staffing and casual, non-advertised deployment or term extension staffing actions. A documented business process exists for each of these staffing actions. In addition, on the basis of a review of hard copy staffing files with PeopleSoft process documentation, it can be concluded that there are standard business processes for managing staffing actions.

Classification

The audit team reviewed the "Create a Position" and "Change to a Position" classification processes. It was noted that a documented business process exists for each of these classification actions. Moreover, on the basis of a review of hard copy classification files with the PeopleSoft process documentation it can be concluded that there are standard business processes for managing classification actions. The Classification Action Request form is the basis for classification undertaking to create or update a position. This form is used for all classification actions.

Compensation

The audit team reviewed the "Taken on Strength," "Leave without Pay," and "Transfer In" compensation actions. It was noted that a documented business process exists for each of these compensation actions. Based on a review of compensation files with the PeopleSoft process documentation, it can be concluded that there are standard business processes for managing compensation actions. In addition, it was noted that pay and benefit information is being entered in both the PeopleSoft Pay Interface (E-Pay card) and the paper-based pay card for Health Canada, resulting in a duplication of effort.

The implementation of PeopleSoft has led to more standardization of business processes for the classification, staffing and compensation functions.

3.3 Data integrity

Audit criterion: Procedures, processes and controls exist to ensure that human resource data are complete, accurate and timely.

Data integrity is crucial for the reliability of the PeopleSoft system. If data is unreliable, key reports are compromised and user acceptance is reduced. The Human Resource Services Management Committee has identified data quality in PeopleSoft as a high priority in the Human Resources Directorate. The implementation of the Data Integrity Strategy was put into place to elevate the importance of having high quality information.

Transaction processing in the classification, staffing and compensation areas is accomplished using a paper based manual system, and it is not until the end of the transaction that the data is entered into PeopleSoft. The examination of procedures, processes and controls was conducted in the staffing, classification and compensation functions.

Staffing

Procedures and processes for managing staffing activities are well documented in the PeopleSoft training manuals. Based on interviews with officials from the staffing unit and a review of documentation, it was observed that procedures and processes were being followed. The audit team selected a sample of 30 staffing records (16 indeterminate - internal advertised files - and 14 Express Lane Staffing files), namely casual and secondment with the focus on key information contained in the staffing action request (that is to say action reason, employment type and effective dates) and appropriate approval authority. The staffing information recorded in PeopleSoft was compared with that in the hard copy files. No significant errors were found. Two PeopleSoft staffing transactions could not be substantiated because the hard copy files could not be located. Lastly, it was observed that each hard copy file included a completed checklist to ensure that all information recorded in PeopleSoft was accurate and complete.

Classification

Procedures and processes for managing classification activities are well documented in the PeopleSoft training manuals.  Based on interviews with officials from the classification unit and a review of documentation, it was observed that procedures and processes were being followed. The audit team reviewed a sample of 28 classification records (12 "Create a Position" and 16 "Change to a Position" files) with a focus on key information contained in the classification action request and the Employee Performance Agreement and Review (that is to say classification code, action reason, and effective dates). No significant errors were found.

Lastly, it was observed that each hard copy file contained a checklist. Upon further review it was noted that many of the checklists were not being completed. This is an important quality assurance mechanism to ensure that data entered into PeopleSoft has been verified and validated.

Compensation

Procedures and processes for managing pay and benefit activities are well documented in the PeopleSoft training manuals. Such activities were followed, with exceptions noted for Audit Criterion 3.1.

Three pay and benefit type activities were selected for review. These business activities were "Transfer-In," "Leave Without Pay," and "Taken on Strength". A sample of 36 compensation records were reviewed (8 "Transfer-In," 10 "Leave Without Pay," and 18 "Taken-on-Strength" records were selected). Key information reviewed for each of the pay transactions included start and end dates for "Leave Without Pay," pay list and pay office number, leave and salaries. There were no significant errors identified in the sample. All transactions reviewed in the sample showed sufficient peer review. Additional information obtained by the data stewards (see Audit Criterion 1.1) has revealed that a high number of employees were missing their pension start date, or that the information in PeopleSoft did not match what was in the Regional Pay System. In addition, a number of employees were missing their continuous service date, or the date in PeopleSoft did not match what was in the Regional Pay System. The existence of these errors has been confirmed by the Compensation Unit. The incorrect date could have a negative impact on employee continuous service awards. It was also noted that there was no set frequency in how often data stewards produced error reports and how often the information was provided to the human resources functional areas. Finally, once the errors have been provided to the subject matter experts, there was no evidence to support regular follow-up to achieve timely correction of the errors. This shortcoming could affect the quality of the reports generated from PeopleSoft and ultimately the decisions made by management.

In conclusion, the Data Integrity Strategy has produced some positive results. Errors and the source of the errors are being identified in PeopleSoft. There is an increased awareness of the importance of high quality data in PeopleSoft. In addition, the Strategy has resulted in a collaborative effort towards data quality by all functional areas in the Human Resources Services Directorate and has established processes for data quality assurance, assessment and correction. The completeness and accuracy of data in PeopleSoft would be improved with regular error reporting and timely follow-up.

Recommendation 4

It is recommended that the Assistant Deputy, Corporate Services Branch (Shared Services Partnership), ensure that processes and procedures are put in place to achieve timely correction and follow-up of the errors identified in PeopleSoft.

Management response

Management agrees with the recommendation.

The Human Resources Services Directorate will strengthen data integrity controls by:

  1. documenting data integrity procedures;
  2. maintaining a list of all data integrity issues, including a description, the frequency, Impact, and criticality;
  3. ensuring that data owners (that is, human resources directors) receive error reports on a bi-monthly basis;
  4. requiring data owners to report on remediation actions and progress on a bi-monthly basis; and,
  5. providing bi-monthly progress reports to the Human Resource Services Management Committee.

As part of the normal business process, Compensation will make manual leave adjustments in the following circumstances:

  • employee has transferred from another department and his/her leave account is being established;
  • leave request is received after year-end close, and therefore the carried over balance needs to be adjusted (increased or reduced depending on the situation);
  • a review of the employee's leave file indicates that he/she has been allotted more/less leave than that to which he/she is entitled; and
  • request by Labour Relations Division as a result of mediation or settlement.

In a further analysis, of 4,175 manual leave adjustments in PeopleSoft, auditors found 456 manual leave adjustments that were made without an explanation for the change. PeopleSoft provides a text field (not a mandatory field) for providing an explanation for the adjustment. There was insufficient information in PeopleSoft to determine the reason for the leave adjustment. It was also noted that PeopleSoft accepts manual leave entries without verification by someone other than the individual making the change. This is an important internal control that is missing. It is difficult to determine the validity of the adjustment without an explanation and the accompanying verification.

Recommendation 5

It is recommended that the Assistant Deputy Minister, Corporate Services Branch (Shared Services Partnership), ensure that all manual leave adjustments are sufficiently explained and verified in PeopleSoft.

Management response

Management agrees with the recommendation.

Compensation will update and communicate enhanced standard operating procedures for manual leave entries in PeopleSoft, specifying requirements for explanatory notes and leave transaction approvals.

Compensation will implement regular quality assurance reviews of randomly selected files to document that standard operating procedures are being followed.

Pay system reconciliation

Pay transactions are created in the PeopleSoft Pay Interface, and verified and authorized through the primary edits in the Pay Interface before being submitted to the Regional Pay System by way of a batch process. In the Regional Pay System, they receive final edits and processing. The batch process pulls only the authorized transactions. During the batching process, the authorizer (that is, financial officer) reviews and authorizes the batch run using the Batch Summary Fax form. Once the process is complete, each authorizer (financial officer) receives an email message containing a link to a summary report produced by the Regional Pay System. Five copies of the authorized batch summary faxes were reviewed. No errors or anomalies were found.

Once the Regional Pay System receives the batch file, the system runs the batch through a series of secondary edits. If there is an error, in that the data in the Regional Pay System does not match the data in the PeopleSoft Pay Interface, the transaction will be rejected and is returned to the Compensation Specialist's work list as they would when pay data are submitted. Corrections are made, and the edit process begins all over again. All transactions that pass the edits in the Regional Pay System are processed in the batch run. The Regional Pay System then sends a file containing the results of the validated transactions the following morning, which is uploaded to the PeopleSoft Pay Interface. The batch summaries produced from the PeopleSoft Pay Interfacecontain the number of transactions, types of transactions, the total dollar amount and the name of the financial officer who authorized the transactions for payment. However, the Regional Pay System does not acknowledge the total number of transactions processed and the total dollar amount of the transactions received from the PeopleSoft Pay Interface. Without a reconciliation of control totals between the two systems it is difficult to determine whether all pay transactions have been received from the PeopleSoft Pay Interface.

Recommendation 6

It is recommended that the Assistant Deputy Minister, Corporate Services Branch (Shared Services Partnership), ensure that there is reconciliation between the Regional Pay System and the PeopleSoft Pay Interface.

Management response

Management agrees with the recommendation.

Corporate Compensation and the Chief Financial Officer Branch will produce a tool that will easily compare and identify discrepancies between the two systems.

Corporate Compensation has requested a report from Public Works and Government Services Canada that will show the number of Regional Pay System transactions and their financial impact. This data will then be compared with a PeopleSoft report, and any discrepancies between the two systems will be identified and corrective action taken.

3.4 Protection of personal information

Audit criterion: Health Canada and the Public Health Agency of Canada address risks to the confidentiality of employee information (personal information) by ensuring that sensitive data are protected in accordance with Government of Canada policies and directives.

Privacy

Under the Treasury Board Secretariat's Policy on Privacy Protection, deputy heads are required to establish practices for the management and protection of personal information under their control to ensure that the Privacy Act is administered in a consistent and fair manner. The Directive on Privacy Practices supports the policy by setting out the requirements for sound privacy practices and management of personal information. Taken together, the Policy on Privacy Protection and its related directives and guidelines are the instruments upon which a sound privacy management strategy within government institutions is structured. Departments and agencies are required to prepare a privacy impact assessment for any new or substantially modified program activity involving the creation, collection and handling of personal information. Employee information has been designated as being personal information and rated to the Protected B level.

In accordance with the Treasury Board Secretariat's Directive on Privacy Impact Assessments, privacy implications must be appropriately identified and assessed, and privacy risks mitigated with new or modified systems hosting personal information before they are implemented. The audit findings conclude that the Health Canada and the Public Health Agency of Canada deployment of PeopleSoft was not in compliance with the Treasury Board Secretariat's risk mitigation directives.

The scope of the Health Canada and the Public Health Agency of Canada approved privacy impact assessment, completed in December 2011, identified seven risks, two of which were rated as high. The privacy impact assessment did not encompass the analysis of personal information risks related to the deployment and use of PeopleSoft. The privacy impact assessment was confined to the data conversion and implementation of base PeopleSoft modules only.

A subsequent privacy impact assessment was prepared in May of 2013 whose scope did encompass an examination and assessment of the use and disclosure of personal information by the human resources functional areas in an operational environment using the PeopleSoft system. Of the 17 risks, two have been rated as high, and 15 have been rated as moderate. Moreover, the three risks identified in the 2011 privacy risk assessment have also been raised in the 2013 PIA. The only high risk that was identified in 2011 that continues to exist today concerns information sharing between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada. Further clarity regarding control and custody of personal information should be reflected in the service agreement or an information-sharing agreement. It was also noted that there was no separate service agreement or information-sharing agreement for the Agency in this regard. Personal information in the control of the service provider could be at risk with regard  to its use, disclosure and access.

A draft management response and action plan has been prepared in response to the recommendations in the 2013 privacy impact assessment. It is anticipated that the management response and action plan will be approved by the Director General of human resources by December 31, 2013.

Security

The Government security policy defines information technology security as the "safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information." Between the Government security policy and the Policy on the Management of Government Information, mandatory requirements are established for departments to protect information throughout its lifecycle. These policy requirements are expanded upon by the Treasury Board Secretariat's Operational Security Standard for the Management of Information Technology Security. The standard forms the backbone of the Government of Canada's risk management philosophy and management of information technology security risks: to prevent the compromise of information technology systems by mitigating the risks before deploying systems in a production environment.

The operational security standard requires departments to conduct a threat and risk assessment, a risk management tool used to identify, assess and recommend safeguards to reduce residual risks to an acceptable level. Section 12.3.3 of the Management of Information Technology Security standard indicates that following the completion of a threat and risk assessment, "Departments must have their systems or services certified and accredited before approving them for operation." The purpose of certification is to verify that the security requirements established for a particular system or service are met and that the controls and safeguards work as intended. The purpose of accreditation is to signify that management has authorized the system or service to operate and has accepted the residual risk of operating the system or service on the basis of the certification evidence. The accreditation and certification, more recently replaced by the security authorization and assessment, is an effective compensating control of the security standard, whose purpose is to confirm that deliverables of the threat and risk assessment remedial action plan have been implemented and that the controls and safeguards work as intended. Approval of the security authorization and assessment is an implied statement of fact by business owners that sound stewardship practices and due diligence have been employed in reducing information technology security risks to an acceptable level, thereby safeguarding the information assets and personal information in their custody from potential compromise.

Agriculture and Agri-Food Canada's instance of PeopleSoft had not been certified or accredited when Health Canada and the Public Health Agency of Canada implemented itin November 2011. Health Canada and the Public Health Agency of Canada had obtained an interim authority to operate, granted under a conditional agreement that risks be reduced to acceptable levels within a prescribed period (generally six months). Agriculture and Agri-Food Canada has recently informed Health Canada and the Public Health Agency of Canada that its instance of PeopleSoft has been recommended for final authority to operate and that formal approval and sign-off for the security authorization and assessment is to be completed by November 30, 2013.

In conclusion, the risks associated with the protection and confidentiality of employee information are being addressed. Further attention is required concerning employee information in the control and custody of the service provider, which should be reflected in the service agreement or an information sharing agreement.

Recommendation 7

It is recommended that the Assistant Deputy Minister, Corporate Services Branch (Shared Services Partnership), take the necessary actions to improve the protection of employee information managed by PeopleSoft.

Management response

Management agrees with the recommendation.

Management will review the 2011 threat and risk assessment and develop an action plan for residual risks.

Management will address the risks identified in the 2013 privacy impact assessment:

  1. Require Agriculture and Agri-Food Canada to improve the information sharing and privacy clauses of the service agreement to meet the standards noted in the 2013 privacy impact assessment.
  2. Revise the user privacy notices that are received at system login to more accurately reflect the terms and conditions of use and the requirements of the Privacy Act.
  3. Determine and clearly document the appropriate uses and disclosures of this personal information (for example, for human resources planning purposes).

C - Conclusion

Overall, Health Canada and the Public Health Agency of Canada control framework for PeopleSoft to manage the human resource function needs moderate improvement.

There is a well-defined and applied governance regime that provides for the review and oversight of stakeholder needs, data quality, and unresolved problems and issues. The Data Integrity Strategy is providing positive results by identifying errors in PeopleSoft. The Strategy has also resulted in a collaborative effort towards data quality by all functional areas in the Human Resources Services Directorate and has established processes for data quality assurance and assessment. One area for improvement is a need for increased follow-up by the functional areas to achieve the timely correction of errors.

The roles and responsibilities of Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada in support of PeopleSoft are well defined in the PeopleSoft Shared Services PartnershipGovernance framework, service agreements and the PeopleSoft Project Charter. Roles and responsibilities are being effectively carried out.

Operational risks related to the use of PeopleSoft are receiving oversight on two fronts: through the PeopleSoft Shared Services Governance Partnership; and the Human Resource Senior Management Committee. One area of improvement would be to see the Committee adopt a more formal approach to risk management, including the use of a risk register to manage risks related to PeopleSoft.

Health Canada and the Public Health Agency of Canada have managed most changes well, which has led to improvements in the self-service function, the use of standard business processes and improved management accountability. Health Canada and the Public Health Agency of Canada would benefit from using Express Lane Staffing, which will quickly process staffing transactions.

The classification, staffing and compensation functions are generally following procedures and processes to manage human resource business transactions. No significant data integrity errors were found. There were several employee records with important dates recorded incorrectly in PeopleSoft. Explanations for manual leave adjustments in PeopleSoft need to be provided and should be verified in PeopleSoft before they are accepted.

Risks associated with the protection and the confidentiality of employee information are being addressed. Further attention is required for employee information in the control and custody of the service provider, which should be reflected in the service agreement or an information sharing agreement

The areas of improvement that have been noted will collectively strengthen the management control framework for PeopleSoft in support of the human resources function.

Appendix A - Lines of enquiry and criteria

Audit of the Human Resources Management Information System
Criterion title Audit criteria
Line of Enquiry 1: Governance
1.1 Oversight Table 1 - Footnote 2Table 1 - Footnote 3Table 1 - Footnote 4 There is a well-defined and applied governance regime that provides for the review and oversight of stakeholder needs and data quality.
1.2 Roles and responsibilitiesTable 1 - Footnote 1Table 1 - Footnote 2Table 1 - Footnote 3 Roles and responsibilities are defined, communicated and carried out in support of the system used to manage human resource business processes.
Line of Enquiry 2: Risk management
2.1 Management of operational risksTable 1 - Footnote 4Table 1 - Footnote 12 Risks associated with the use of PeopleSoft are effectively managed.
Line of Enquiry 3: Internal controls
3.1 Management of change Table 1 - Footnote 12Table 1 - Footnote 13Table 1 - Footnote 14 Health Canada and the Public Health Agency of Canada have effectively managed the changes required to maximize the benefits of PeopleSoft for the classification, staffing and compensation functions.
3.2 Standardization of business processes Table 1 - Footnote 11 The implementation of PeopleSoft has led to the standardization of business processes for the classification, staffing and compensation functions.
3.3 Data integrityTable 1 - Footnote 4Table 1 - Footnote 9 Procedures, processes and controls exist to ensure that human resource data are complete, accurate and timely.
3.4 Protection of personal information
Table 1 - Footnote 5Table 1 - Footnote 6Table 1 - Footnote 7Table 1 - Footnote 8Table 1 - Footnote 10
Health Canada and the Public Health Agency of Canada address risks to the confidentiality of employee information (personal information) by ensuring that sensitive data are protected in accordance with Government of Canada policies and directives.
Footnote 1

PeopleSoft Shared Service: Partnership Governance - September 17, 2012

Return to footnote 1 referrer

Footnote 2

Service Agreement for PeopleSoft Shared Service Between AAFC and HC/PHAC - March 7, 2012

Return to footnote 2 referrer

Footnote 3

PeopleSoft Shared Service - Service Level Agreement - February 13, 2013

Return to footnote 3 referrer

Footnote 4

Information Systems Audit and Control Association - CoBit 4.0, 4.1

Return to footnote 4 referrer

Footnote 5

TB - Operational Standard: Management of Information Technology Standard

Return to footnote 5 referrer

Footnote 6

TB - Directive on Privacy Practices - January 31, 2013

Return to footnote 6 referrer

Footnote 7

TB - Directive on Privacy Impact Assessments - April 1, 2010

Return to footnote 7 referrer

Footnote 8

TB - Policy on Government Security

Return to footnote 8 referrer

Footnote 9

Institute of Internal Auditor's Global Technology Audit Guide - July 2007

Return to footnote 9 referrer

Footnote 10

Health Canada's Policy on the Electronic Use of Networks

Return to footnote 0 referrer

Footnote 11

PeopleSoft Procedure Manuals and Process Maps

Return to footnote 11 referrer

Footnote 12

PeopleSoft Business Case - September 2009

Return to footnote 12 referrer

Footnote 13

TB - Project Charter - Human Resources Business Solution Project - April 2010

Return to footnote 13 referrer

Footnote 14

Information Technology Infrastructure Library

Return to footnote 14 referrer

Appendix B - Scorecard

Criterion Rating Conclusion Rec #
Governance
1.1 Oversight NMI Overall, there is a well-defined and applied governance regime that provides for review and oversight of stakeholder needs and data quality. -
1.2 Roles and responsibilities NMI Roles and responsibilities are clearly defined, communicated and carried out in support of the system used to manage human resource business processes. -
Risk management
2.1 Management of operational risks NMO Risks are receiving oversight on two fronts: through the PeopleSoft Shared Services Governance Partnership and the Human Resources Senior Management Committee. A formal approach to managing operational risks related to PeopleSoft would ensure that risks are managed in an effective manner. 1
Internal controls
3.1 Management of change NMO Health Canada and the Public Health Agency of Canada have managed most changes well, which has led to improvements in the self-service function and improved internal controls. It has not yet realized, however, the anticipated benefit of using Express Lane Staffing. Additional guidance to compensation advisors is required regarding the use of the PeopleSoft Pay Interface and the Regional Pay System. 2 & 3
3.2 Standardization of business processes NMI The implementation of PeopleSoft has led to more standardization of human resource business processes for the classification, staffing and compensation functions across Health Canada and the Public Health Agency of Canada. -
3.3 Data integrity NMO The Data Integrity Strategy has produced some positive results by identifying errors in PeopleSoft. Further follow-up is required to ensure that errors are being corrected in a timely manner. The completeness and accuracy of data in PeopleSoft would be improved with regular error reporting and timely follow-up. Explanations for leave adjustments in PeopleSoft need to be provided and should be verified in PeopleSoft before they are accepted by the system. 4,5 & 6
3.4 Protection of personal information NMO Risks associated with the protection and the confidentiality of employee information are being addressed. Further attention is required for employee information in the control and custody of the service provider, which should be reflected in the service agreement or an information-sharing agreement. 7
S Satisfactory NMI Needs Minor Improvement NMO Needs Moderate Improvement NI Needs Improvement U Unsatisfactory NM Unknown; Cannot Be Measured

Appendix C - Road map to target state vision

Figure 3 - Roadmap to Target State Vision (Enterprise-Wide)

Figure 3
Text Equivalent - Figure 3

The Current State of HR Systems in the Government of Canada is fragmented. Departments and Agencies are using multiple systems to manage their HR activities. There are only a few Departments and Agencies that are managing their human resource activities as members of cluster whereby Departments and Agencies have adopted the Government of Canada's (GoC) Human Resources Management System (PeopleSoft). At this time, HR data is not standardized across GoC. The business processes for managing HR activities are different across the GoC. Many of these HR systems are now beginning to "rust out" due to technological obsolescence, which prevents them from being able to integrate with more modern systems.

As more and more Departments and Agencies begin to replace their aging HR applications and move to a shared services approach, using a common human resource management system for managing and delivering HR activities, this will lead to more standardization of HR data and business processes across the GoC. The use of a standard HR systems configuration across the GoC will increase interoperability with other GoC standard systems.

Enlarge Figure 3

Source of information: Treasury Board Secretariat - Human Resources Modernization: Presentation to the Council of Systems Cluster Groups (March 2012).

Appendix D - PeopleSoft system data flow overview

Figure 4 - PeopleSoft system data flow overview

Figure 4
Text Equivalent - Figure 4

The complete data flow and HR data processing of PeopleSoft consists of four portions that could be described as following:

  1. HC/PHAC - PS Interfaces/Components
    The Web-based interface allows users to enter and/or process HR data or transactions in accordance with their tasks/needs. Most of these users are:
    1. HC/PHAC - End Users (employees, managers) access PeopleSoft via the Web browser to submit, change, approve leave requests, or simply view leave balance, etc.
    2. HC/PHAC - Human Resource Staff (most of HR functions) access to PeoplSoft to conduct their tasks.
    3. HC/PHAC - Compensation Staff/Function access the Pay Interface (add-on module to PeopleSoft) to enter/process Pay transactions.
  2. Agriculture Canada - PeopleSoft 8.9 System/Database Servers
    Agriculture and Agri-Food Canada hosts, maintains, and administers the PeoplSoft System/Database Servers that provides access to HC/PHAC users to process the HR data/transactions.
  3. PWGSC - Regional Pay System
    Regional Pay System (RPS) receives pay information from PeopleSoft and then loads the pay information into RPS every two days. Moreover, the RPS also extracts and sends the pay information (in the form of Pay files) to HC/PHAC SAP - FIRMS
  4. HC/PHAC SAP - FIRMS
    SAP - FIRMS receives Pay files from Regional Pay System (RPS) and loads the Pay files into SAP via a batch process.

Enlarge Figure 4

Appendix E - Anticipated benefits of implementing PeopleSoft

Business focus Anticipated benefits
Strategic alignment Results in a state-of-the-art human resources tool that incorporates best practices and is deemed the industry leader. This human resources system is used by 26 departments and agencies, aligned with the Government of Canada direction for human resources systems and processes, and is endorsed by Treasury Board Secretariat. It supports common business practices and processes across government, reduces the reliance on home-grown tools and supports human resources in its day-to-day activities.
Improved services Allows human resources advisors to become more effective and efficient with the introduction of self-serve tools, the pay interface, an automated pay history card, a sequential position numbering system, and Government of Canada standard reports.
Reduces the transactional workload of human resources staff by providing self-serve tools.
Generates the potential for cost reductions associated with leveraging changes/updates or new common Government of Canada processes as part of continuous process improvement.
Delivering human resources services Meets the current business needs in the areas of case management and responds to emerging business requirements.
Allows the department to readily adopt the common business practices and processes being developed and promulgated by Canada Public Service Agency for the whole of government.
Offers the department flexibility for future strategic investments and direction.
Makes additional functionality available to the department such as the Online Pay Interface and the ability to leverage the E-Pay card solution from another department.
Supports improved delivery of services, including reduction of training needs of human resources advisors, reduction of backlog and elimination of multiple entries.
Modern technology Replaces an outdated, end-of-life system that is inefficient and ineffective, and costly to adjust, maintain and operate.
Eliminates the unique system and service delivery issues and problems currently encountered by the department.
Supports a common approach by many users, resulting in a better infrastructure.
Provides a common platform that permits easy integration with other systems and reduces the technology interface requirements.
Minimizes technical risks.
Provides ongoing supplier support, including extending the life of the system, as upgrades and modernization will be part of the vendor support to the product.
Fosters partnership and collaboration with human resources initiatives through other departments (members of the human resources cluster), initiatives that have the potential to reduce information technology costs related to enhancements, interfaces, tools, training material and documentation.
More efficient management Requires the use of standard data and single-source input, which improves data integrity and the consistency of results for reports and tracking.
Promotes data quality and reliability by supporting the consolidation and sharing of information, promoting its visibility, and facilitating its transferability and portability among departments.
Provides the department with a series of best practices and management tools from PeopleSoft implementation in other departments.
Requires the use of a common set of integrated business processes for delivery of the full spectrum of human resources activities.
Offers the department flexibility for future strategic investments and direction.
Translates into efficiencies with the introduction of a pay interface, an automated pay history card, a sequential position numbering system and Government of Canada standard reports.
Improved resourcing Reduces the requirement for human resources staff with specialized and unique skills associated with the current system.
Reduces the learning curve of human resources advisors who join the department from current PeopleSoft user departments.
Allows peer counselling within the 26 cluster departments.
Supports common business processes, which leads to a more stable human resources workforce, by assisting in the recruitment and retention of human resources specialists as well as facilitating organizational realignments.
Cost reduction Avoids expenditures on currently planned departmental investments in system upgrades and independent human resources management systems.
Includes shared development and support costs and offers flexibility for future strategic investment.
Reduces the cost of training of human resources staff as many in the human resources community will already be trained in use of PeopleSoft.
Achieves economies of scale in the operation of application management services, maintenance and replacement of hardware and infrastructure, and in the periodic major upgrades to new versions of the system platform.

Source of information: PeopleSoft Business Case - September 2009: Anticipated benefits to participate in a partnership arrangement with Agriculture and Agri-Food Canada.

Page details

Date modified: