Audit of the Human Resources Management Information System

The PeopleSoft Shared Services Partnership Governance framework consists of the following committees:

The Partnership Steering Committee is a committee at the assistant deputy minister level responsible for providing strategic direction and leadership to the Partnership. This Committee is the final decision-making and dispute resolution level for the Partnership. It also has the authority to approve expenditures for major enhancements. It meets three times per year.

The Partnership Management Committee is a committee at the director general level responsible for managing the Partnership. This Committee is the primary decision-making and dispute resolution level for the Partnership and also has the authority to approve expenditures for major enhancements. It meets three times per year.

The Service Management Committee is a director level committee responsible for ensuring that service meets the operational requirements of the partners. This committee has primary responsibility for assessing enhancement requests, and for prioritizing and approving minor enhancements. It is the first level of resolution for service performance issues and partner disputes. It is also responsible for reviewing the PeopleSoft Shared Service Dashboard. This Committee meets bi-monthly.

The Business Relationship Committee is a manager level committee responsible for managing service performance issues, request priorities and risks. This committee provides input to the annual processes to update governance, service levels and the funding model to develop the annual enhancement/maintenance plan. It meets monthly to discuss options and issue resolutions, review concerns, register and review risk and register enhancement requests.

The Business Working Group is a manager level committee consisting of subject matter experts in their respective human resources functional areas. It was formed to investigate and resolve common and/or function-specific issues in the areas of compensation, staffing, classification and labour relations. This group meets as required.

The Service Operation Committee is a manager level committee responsible for managing service performance issues, and reviewing and discussing incidents and service requests. This Committee meets as required.

From interviews with key human resource staff who are members of the various committees and working groups, along with a review of committee minutes and records of decisions from the Partnership Management Committee, Service Management Committee, Business Relationship Committee and the business working groups, it was noted that Health Canada and the Public Health Agency of Canada have been active participants in the PeopleSoft shared governance regime. Oversight is being provided at all levels of the Partnership governance. From a review of the PeopleSoft problem logs, it was also noted that stakeholder needs and problems, with a few exceptions, are being addressed in a timely manner.

Data governance

Human Resources Senior Management Committee

Health Canada and the Public Health Agency of Canada implemented a PeopleSoft Data Integrity Strategy in September 2012, under the direction of the Human Resources Services Management Committee, to address issues of data quality. The Human Resources Services Management Committee, chaired by the Director General of Human Resources, is responsible for setting the direction of the Data Integrity Forum (described further below), receiving and assessing the results of the data integrity dashboard, influencing the human resource community and approving human resource process changes.

The purpose of the PeopleSoft Data Integrity Strategy is to address the following:

• to identify PeopleSoft data quality issues;
• to identify roles, responsibilities and accountabilities of stakeholders involved in the PeopleSoft data life cycle; and
• to establish methodologies for measuring errors and an action plan to implement activities for permanently maintaining a high level of data quality in PeopleSoft.

A data quality control framework has been established to address data quality issues. Within this framework, five distinct groups have been identified:

Data Integrity Forum

The Data Integrity Forum consists of representatives from all human resources disciplines, along with the Human Resource Reports Team, the Human Resource Systems Team and the PeopleSoft Project Team. It has been set up to identify issues that relate to data integrity, confirm data ownership and identify the action items for each stakeholder.

Figure 2 - Data Quality Governance

Data owners/Business owners

The data owners are represented by the human resources functional areas (staffing, classification, compensation, security and labour relations) and are responsible for creating data and maintaining data quality. They ensure that data are input correctly into PeopleSoft. They receive and analyze data quality error reports, confirm ownership and accountability, and validate business rules and corrections. Data owners are responsible for correcting data errors and for ongoing monitoring of the data.

Data stewards

Data stewards, under the direction of the Director of Human Resources Planning, Analysis and Systems, produce data quality reports. Data is analyzed to ensure that processes and system rules are validated. Once the errors have been validated, the error reports are distributed to the data owners. Data stewards are also responsible for following up with data owners about actions and decisions taken to correct the errors.

PeopleSoft users

The PeopleSoft users are employees, contractors, consultants, temporary help or third parties with whom special arrangements have been made to grant access to PeopleSoft. This class of user has been granted explicit authorization to access, edit, modify, delete, use and view information by the data owner. The data owners must authorize access. The data stewards monitor access controls on behalf of the data owners.

Overall, there is a well-defined and applied governance regime that provides for review and oversight of stakeholders' needs and data quality.

1.2 Roles and responsibilities

Audit criterion: Roles and responsibilities are defined, communicated and carried out in support of the system used to manage human resource business processes.

Roles and responsibilities for managing PeopleSoft within Health Canada and the Public Health Agency of Canada are defined in three documents: the PeopleSoft Project Charter, the PeopleSoft Shared Services Partnership Governance framework and service agreements.

Within Health Canada and the Public Health Agency of Canada, the responsibility to support PeopleSoft and the business owners who use the system lies with the Director of Human Resource Planning, Analysis and Systems. The PeopleSoft Systems Team, which is currently supported by four system officers, provides systems support to all human resource functional areas in Health Canada and the Public Health Agency of Canada. The team's duties consist of troubleshooting technical systems, providing guidance to end-users and providing user access to PeopleSoft. They also play an important role in the Data Integrity Strategy by providing system knowledge to the Data Analysis Team.

Additional roles and responsibilities between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada are further defined in service agreements. The purpose of the service agreements is to set out the terms and conditions between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada. The service agreements do not constitute a legal contract; rather, they are administrative agreements between departments. They do not alter the existing authority and accountability to execute its various roles and responsibilities in managing human resource activities. They do, however, add a shared responsibility to make the Partnership work successfully for all within it (see Audit Criterion 1.1 above).

In conclusion, roles and responsibilities between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada are well defined, communicated and carried out in support of PeopleSoft.

2. Risk management

2.1 Management of operational risks

Audit criterion: Risks associated with the use of PeopleSoft are effectively managed.

The Assistant Deputy Minister, Corporate Services Branch, and his senior members of their branch executive committees ensure that there is a clearly defined governance structure to addresses risk issues across strategic, program and project levels. On the basis of interviews with key human resource executives and managers and a review of documentation, the following risks associated with the use of PeopleSoft in Health Canada and the Public Health Agency of Canada were identified:

• the inability to customize the standard PeopleSoft configuration as a result of restrictions placed on Health Canada and the Public Health Agency of Canada as members of the cluster and by the Treasury Board Secretariat;
• human resource staff resistance to change in new business practices associated with the use of PeopleSoft;
• a shortage of skilled resources in PeopleSoft within Health Canada and the Public Health Agency of Canada;
• data integrity; and
• the protection and safeguarding of employee information.

These risks are receiving oversight on two fronts: through the PeopleSoft Shared Services Governance Partnership and the Human Resource Services Management Committee (consisting of departmental senior executives). Health Canada and the Public Health Agency of Canada, in collaboration with their partners, have been able to manage the inability to customize PeopleSoft by developing solutions and workarounds to address human resource functional and reporting requirements. It should be noted that the Chief Human Resource Officer, Treasury Board Secretariat, has recently requested departments and agencies to not make changes to the standard configuration of PeopleSoft.

With any major change, there is the inherent risk of resistance to change. The Directorate has managed this risk by ensuring that human resources staff using PeopleSoft for the most part are trained, as well as by promoting the benefits of its use.

Health Canada and the Public Health Agency of Canada had identified in original project scoping documentation that there would be a shortage of PeopleSoft skills in-house if they were to host their own instance of PeopleSoft. To address this risk Health Canada and the Public Health Agency of Canada have been able to take advantage of the pre-existing knowledge of PeopleSoft of other members within the human resources cluster.

Data integrity risk is being managed by the Data Integrity Strategy, which has been previously discussed for Audit Criterion 1.1 and is further discussed for Audit Criterion 3.3. To date, there has been only one meeting of the Data Integrity Forum. No minutes from the meeting were taken, so it is difficult to determine the nature of the discussions that took place. Analysis of the data is being conducted by the data stewards, and the findings are being presented to Human Resource Services Management Committee for review. In addition, data stewards have been working with the data owners to address issues concerning data integrity.

It was noted that no risk register is being used by either the PeopleSoft Shared Services Governance Partnership or Human Resource Services Management Committee. A threat and Risk Assessment was prepared by Health Canada in September 2011 for PeopleSoft. The threat and risk assessment, which was approved by both Health Canada and the Public Health Agency of Canada's senior management. It indicated potential risks to the security of employee information. Only recently have these risks received attention by the PeopleSoft Shared Services Partnership Governance. This is explained further for Audit Criterion 3.4.

The audit concluded that operational risks related to PeopleSoft are being managed informally. A formal approach to managing operational risks would ensure that risks are managed in an effective manner.

Recommendation 1

Management response

3. Internal controls

3.1 Management of change

Audit criterion: Health Canada and the Public Health Agency of Canada have effectively managed the changes required to maximize the benefits of PeopleSoft for the classification, staffing and compensation functions.

In general, the drivers for change are activities, pressures or events that influence the strategic direction within an organization. In 2009, Health Canada and the Public Health Agency of Canada recognized the need to move from its legacy system (HR Advantage) to PeopleSoft. The HR Advantage system could no longer provide the business functionality required to manage human resource business transactions. In addition, there was a government-wide requirement for departments and agencies to use PeopleSoft. Health Canada and the Public Health Agency of Canada had determined that it would be more cost-effective to participate in a partnership arrangement than for them to host their own instance of PeopleSoft.

The expected benefits of using PeopleSoft were many, such as streamlining business processes, improving client service, achieving greater efficiency, improving the staffing process and management accountability, and improving the capacity to deliver human resource products and services. A detailed list of anticipated benefits is provided in Appendix E. In order to realize the full potential of the application, the Corporate Services Branch developed strategies for the transition of both organizations to a new way of doing human resource business, such as the Change Management Strategy (2011), the Communications Strategy (2010), the Fit-Gap Analysis (2010) and a detailed implementation plan. Each of these was designed with the intent to maximize the benefits of PeopleSoft.

The audit examined the staffing, classification and compensation functions to determine how change was managed to maximize the benefits of using PeopleSoft.

Staffing

Staffing actions are processed mainly by using the Workforce Administration Module in PeopleSoft. This module manages personal, job and employment-related information about employees, as well as the management of assignment-related information, acting assignments and appointments.

A significant change associated with the implementation of PeopleSoft has been the addition of the Recruitment Module. At the time of the audit, this module has been partially implemented; its full rollout is anticipated by November 2013. New functionality has been introduced, such as Express Lane Staffing actions that allow managers to initiate a staffing request directly into PeopleSoft (Express Lane Staffing self-service). Express Lane Staffing was rolled out at the time PeopleSoft was implemented. Managers are able to quickly process low-risk staffing transactions, such as assignments, casuals, non-advertised deployments, secondments, and term extensions. In addition, administrative officers can access functionality on behalf of managers. Express Lane Staffing has been offered to all branches in the National Capital Region, but only a few are using this functionality. No training has been provided to managers outside of human resources in using Express Lane Staffing. Some managers have also indicated to their human resources advisors that they find Express Lane Staffing to be very complicated. Lastly, it was noted that cost centre managers were advised in August 2013 that a staffing action request, with approval by the branch senior financial officers, is now required for processing a staffing action using Express Lane Staffing for Health Canada. On the other hand, for the Public Health Agency of Canada a separate financial approval by financial officers of the Office of the Chief Financial Officer is not required for all staffing action requests.

In conclusion, Health Canada and the Public Health Agency of Canada have not yet achieved the anticipated benefit of using Express Lane Staffing.

Classification

Classification work is accomplished using mainly the Position Management Module in PeopleSoft. The module is used to create and manage work descriptions, classification decisions and associated positions, including language requirements. Also, it is used to manage designation/exclusion information related to positions.

The implementation of PeopleSoft does not represent a significant change in how business transactions are being processed. The classification action request form is being used for input to create the expanded position action request report. Currently, PeopleSoft does not provide for digital signatures, and therefore a hard copy of the classification action request is still required as part of the input process.

Compensation

The most notable improvement in PeopleSoft services has been seen in the self-service functions, namely the self-service leave and personal information updates, which have reduced service requests and integrated process functions to one system.

Compensation work is accomplished using mainly the Workforce Administration and Pay Interface modules in PeopleSoft. The implementation of the PeopleSoft Pay Interface represents a significant change in the way compensation advisors process pay-related data. Pay data is no longer entered into the Regional Pay System; rather, it is directly entered into the PeopleSoft Pay Interface. Pay transactions must follow the process flow, which includes peer verification, before they can be processed by the PeopleSoft Pay Interface. There is an additional layer of security for access to the PeopleSoft Pay Interface that is provided only to compensation advisors. Internal controls have been strengthened in this regard. It was noted during the course of the audit that not all pay-related transactions were processed in the same manner (that is to say that workforce adjustment and overtime were also being processed in the Regional Pay System). The latter transactions may need to be re-entered into the PeopleSoft Pay Interface, resulting in a duplication of efforts. There was no clear direction coming from human resources management regarding instances of when the Regional Pay System was permitted to be used.

It should be noted that the Compensation Unit will commence transferring pay and benefit-related information to Public Works and Government Services Canada as part of the Government of Canada's Pay Modernization Initiative, starting in November 2013. Under this Initiative all pay and benefit-related activities will be managed centrally by Public Works and Government Services Canada.

In conclusion, Health Canada and the Public Health Agency of Canada have managed most changes well and have benefited from the changes. It has not yet realized, however, the anticipated benefit of using Express Lane Staffing. Additional guidance to compensation advisors is required regarding the use of the PeopleSoft Pay Interface and the Regional Pay System.

Recommendation 2

Management response

Recommendation 3

Management response

3.2 Standardization of business processes

Audit criterion: The implementation of PeopleSoft has led to the standardization of business processes for the classification, staffing and compensation functions.

As part of the Government of Canada's Human Resources HR Modernization Initiative, the Office of the Chief Human Resources Officer was mandated to coordinate and design enterprise-wide alignment of human resource business processes for more effective and efficient departmental operations (see Appendix C). To achieve the aims of the Initiative and promulgate the adoption and use of common human resource business practices and processes, Health Canada and the Public Health Agency of Canada developed a business case for PeopleSoft (Sept. 2009) with the purpose of replacing the aging HR Advantage legacy system. The business case objective was to adopt a human resources system that met evolving business needs and could be aligned with the Government of Canada's strategic direction by providing a wide range of electronic services and taking full advantage of technical solutions, such as a fully integrated learning management system, enhanced reporting and an end-to-end business model. This would provide enhanced service to clients, improved data integrity and uniform processes for Health Canada and the Public Health Agency of Canada. The current PeopleSoft configuration (v8.9) and its accompanying business processes have been recognized by the Office of the Chief Human Resources Office, Treasury Board Secretariat of Canada, as the Government of Canada standard for processing human resources business transactions.

PeopleSoft is designed to ensure that there is a systematic approach to processing human resource business transactions. To complete a human resource business transaction in PeopleSoft, all previous steps must be completed before the process can advance to the next step. The entry of transactions and data must follow the integrated business process flow. It was noted from a review of hard copy files that the human resources process is still very much a paper-based process. Human resource information from paper-based forms, such as the classification action request and staffing action request, that are used for input into PeopleSoft, requires verification and approval before the information is entered into the system. PeopleSoft does not provide digital signatures. Therefore, a paper-based form must still be relied on for input into PeopleSoft.

The audit team reviewed business process documentation and hard copy files from the staffing, classification and compensation functions. The following observations were made below.

Staffing

The audit team reviewed internal advertised/collective staffing and casual, non-advertised deployment or term extension staffing actions. A documented business process exists for each of these staffing actions. In addition, on the basis of a review of hard copy staffing files with PeopleSoft process documentation, it can be concluded that there are standard business processes for managing staffing actions.

Classification

The audit team reviewed the "Create a Position" and "Change to a Position" classification processes. It was noted that a documented business process exists for each of these classification actions. Moreover, on the basis of a review of hard copy classification files with the PeopleSoft process documentation it can be concluded that there are standard business processes for managing classification actions. The Classification Action Request form is the basis for classification undertaking to create or update a position. This form is used for all classification actions.

Compensation

The audit team reviewed the "Taken on Strength," "Leave without Pay," and "Transfer In" compensation actions. It was noted that a documented business process exists for each of these compensation actions. Based on a review of compensation files with the PeopleSoft process documentation, it can be concluded that there are standard business processes for managing compensation actions. In addition, it was noted that pay and benefit information is being entered in both the PeopleSoft Pay Interface (E-Pay card) and the paper-based pay card for Health Canada, resulting in a duplication of effort.

The implementation of PeopleSoft has led to more standardization of business processes for the classification, staffing and compensation functions.

3.3 Data integrity

Audit criterion: Procedures, processes and controls exist to ensure that human resource data are complete, accurate and timely.

Data integrity is crucial for the reliability of the PeopleSoft system. If data is unreliable, key reports are compromised and user acceptance is reduced. The Human Resource Services Management Committee has identified data quality in PeopleSoft as a high priority in the Human Resources Directorate. The implementation of the Data Integrity Strategy was put into place to elevate the importance of having high quality information.

Transaction processing in the classification, staffing and compensation areas is accomplished using a paper based manual system, and it is not until the end of the transaction that the data is entered into PeopleSoft. The examination of procedures, processes and controls was conducted in the staffing, classification and compensation functions.

Staffing

Procedures and processes for managing staffing activities are well documented in the PeopleSoft training manuals. Based on interviews with officials from the staffing unit and a review of documentation, it was observed that procedures and processes were being followed. The audit team selected a sample of 30 staffing records (16 indeterminate - internal advertised files - and 14 Express Lane Staffing files), namely casual and secondment with the focus on key information contained in the staffing action request (that is to say action reason, employment type and effective dates) and appropriate approval authority. The staffing information recorded in PeopleSoft was compared with that in the hard copy files. No significant errors were found. Two PeopleSoft staffing transactions could not be substantiated because the hard copy files could not be located. Lastly, it was observed that each hard copy file included a completed checklist to ensure that all information recorded in PeopleSoft was accurate and complete.

Classification

Procedures and processes for managing classification activities are well documented in the PeopleSoft training manuals.  Based on interviews with officials from the classification unit and a review of documentation, it was observed that procedures and processes were being followed. The audit team reviewed a sample of 28 classification records (12 "Create a Position" and 16 "Change to a Position" files) with a focus on key information contained in the classification action request and the Employee Performance Agreement and Review (that is to say classification code, action reason, and effective dates). No significant errors were found.

Lastly, it was observed that each hard copy file contained a checklist. Upon further review it was noted that many of the checklists were not being completed. This is an important quality assurance mechanism to ensure that data entered into PeopleSoft has been verified and validated.

Compensation

Procedures and processes for managing pay and benefit activities are well documented in the PeopleSoft training manuals. Such activities were followed, with exceptions noted for Audit Criterion 3.1.

Three pay and benefit type activities were selected for review. These business activities were "Transfer-In," "Leave Without Pay," and "Taken on Strength". A sample of 36 compensation records were reviewed (8 "Transfer-In," 10 "Leave Without Pay," and 18 "Taken-on-Strength" records were selected). Key information reviewed for each of the pay transactions included start and end dates for "Leave Without Pay," pay list and pay office number, leave and salaries. There were no significant errors identified in the sample. All transactions reviewed in the sample showed sufficient peer review. Additional information obtained by the data stewards (see Audit Criterion 1.1) has revealed that a high number of employees were missing their pension start date, or that the information in PeopleSoft did not match what was in the Regional Pay System. In addition, a number of employees were missing their continuous service date, or the date in PeopleSoft did not match what was in the Regional Pay System. The existence of these errors has been confirmed by the Compensation Unit. The incorrect date could have a negative impact on employee continuous service awards. It was also noted that there was no set frequency in how often data stewards produced error reports and how often the information was provided to the human resources functional areas. Finally, once the errors have been provided to the subject matter experts, there was no evidence to support regular follow-up to achieve timely correction of the errors. This shortcoming could affect the quality of the reports generated from PeopleSoft and ultimately the decisions made by management.

In conclusion, the Data Integrity Strategy has produced some positive results. Errors and the source of the errors are being identified in PeopleSoft. There is an increased awareness of the importance of high quality data in PeopleSoft. In addition, the Strategy has resulted in a collaborative effort towards data quality by all functional areas in the Human Resources Services Directorate and has established processes for data quality assurance, assessment and correction. The completeness and accuracy of data in PeopleSoft would be improved with regular error reporting and timely follow-up.

Recommendation 4

Management response

As part of the normal business process, Compensation will make manual leave adjustments in the following circumstances:

• employee has transferred from another department and his/her leave account is being established;
• leave request is received after year-end close, and therefore the carried over balance needs to be adjusted (increased or reduced depending on the situation);
• a review of the employee's leave file indicates that he/she has been allotted more/less leave than that to which he/she is entitled; and
• request by Labour Relations Division as a result of mediation or settlement.

In a further analysis, of 4,175 manual leave adjustments in PeopleSoft, auditors found 456 manual leave adjustments that were made without an explanation for the change. PeopleSoft provides a text field (not a mandatory field) for providing an explanation for the adjustment. There was insufficient information in PeopleSoft to determine the reason for the leave adjustment. It was also noted that PeopleSoft accepts manual leave entries without verification by someone other than the individual making the change. This is an important internal control that is missing. It is difficult to determine the validity of the adjustment without an explanation and the accompanying verification.

Recommendation 5

Management response

Pay system reconciliation

Pay transactions are created in the PeopleSoft Pay Interface, and verified and authorized through the primary edits in the Pay Interface before being submitted to the Regional Pay System by way of a batch process. In the Regional Pay System, they receive final edits and processing. The batch process pulls only the authorized transactions. During the batching process, the authorizer (that is, financial officer) reviews and authorizes the batch run using the Batch Summary Fax form. Once the process is complete, each authorizer (financial officer) receives an email message containing a link to a summary report produced by the Regional Pay System. Five copies of the authorized batch summary faxes were reviewed. No errors or anomalies were found.

Once the Regional Pay System receives the batch file, the system runs the batch through a series of secondary edits. If there is an error, in that the data in the Regional Pay System does not match the data in the PeopleSoft Pay Interface, the transaction will be rejected and is returned to the Compensation Specialist's work list as they would when pay data are submitted. Corrections are made, and the edit process begins all over again. All transactions that pass the edits in the Regional Pay System are processed in the batch run. The Regional Pay System then sends a file containing the results of the validated transactions the following morning, which is uploaded to the PeopleSoft Pay Interface. The batch summaries produced from the PeopleSoft Pay Interfacecontain the number of transactions, types of transactions, the total dollar amount and the name of the financial officer who authorized the transactions for payment. However, the Regional Pay System does not acknowledge the total number of transactions processed and the total dollar amount of the transactions received from the PeopleSoft Pay Interface. Without a reconciliation of control totals between the two systems it is difficult to determine whether all pay transactions have been received from the PeopleSoft Pay Interface.

Recommendation 6

Management response

3.4 Protection of personal information

Audit criterion: Health Canada and the Public Health Agency of Canada address risks to the confidentiality of employee information (personal information) by ensuring that sensitive data are protected in accordance with Government of Canada policies and directives.

Privacy

Under the Treasury Board Secretariat's Policy on Privacy Protection, deputy heads are required to establish practices for the management and protection of personal information under their control to ensure that the Privacy Act is administered in a consistent and fair manner. The Directive on Privacy Practices supports the policy by setting out the requirements for sound privacy practices and management of personal information. Taken together, the Policy on Privacy Protection and its related directives and guidelines are the instruments upon which a sound privacy management strategy within government institutions is structured. Departments and agencies are required to prepare a privacy impact assessment for any new or substantially modified program activity involving the creation, collection and handling of personal information. Employee information has been designated as being personal information and rated to the Protected B level.

In accordance with the Treasury Board Secretariat's Directive on Privacy Impact Assessments, privacy implications must be appropriately identified and assessed, and privacy risks mitigated with new or modified systems hosting personal information before they are implemented. The audit findings conclude that the Health Canada and the Public Health Agency of Canada deployment of PeopleSoft was not in compliance with the Treasury Board Secretariat's risk mitigation directives.

The scope of the Health Canada and the Public Health Agency of Canada approved privacy impact assessment, completed in December 2011, identified seven risks, two of which were rated as high. The privacy impact assessment did not encompass the analysis of personal information risks related to the deployment and use of PeopleSoft. The privacy impact assessment was confined to the data conversion and implementation of base PeopleSoft modules only.

A subsequent privacy impact assessment was prepared in May of 2013 whose scope did encompass an examination and assessment of the use and disclosure of personal information by the human resources functional areas in an operational environment using the PeopleSoft system. Of the 17 risks, two have been rated as high, and 15 have been rated as moderate. Moreover, the three risks identified in the 2011 privacy risk assessment have also been raised in the 2013 PIA. The only high risk that was identified in 2011 that continues to exist today concerns information sharing between Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada. Further clarity regarding control and custody of personal information should be reflected in the service agreement or an information-sharing agreement. It was also noted that there was no separate service agreement or information-sharing agreement for the Agency in this regard. Personal information in the control of the service provider could be at risk with regard  to its use, disclosure and access.

A draft management response and action plan has been prepared in response to the recommendations in the 2013 privacy impact assessment. It is anticipated that the management response and action plan will be approved by the Director General of human resources by December 31, 2013.

Security

The Government security policy defines information technology security as the "safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information." Between the Government security policy and the Policy on the Management of Government Information, mandatory requirements are established for departments to protect information throughout its lifecycle. These policy requirements are expanded upon by the Treasury Board Secretariat's Operational Security Standard for the Management of Information Technology Security. The standard forms the backbone of the Government of Canada's risk management philosophy and management of information technology security risks: to prevent the compromise of information technology systems by mitigating the risks before deploying systems in a production environment.

The operational security standard requires departments to conduct a threat and risk assessment, a risk management tool used to identify, assess and recommend safeguards to reduce residual risks to an acceptable level. Section 12.3.3 of the Management of Information Technology Security standard indicates that following the completion of a threat and risk assessment, "Departments must have their systems or services certified and accredited before approving them for operation." The purpose of certification is to verify that the security requirements established for a particular system or service are met and that the controls and safeguards work as intended. The purpose of accreditation is to signify that management has authorized the system or service to operate and has accepted the residual risk of operating the system or service on the basis of the certification evidence. The accreditation and certification, more recently replaced by the security authorization and assessment, is an effective compensating control of the security standard, whose purpose is to confirm that deliverables of the threat and risk assessment remedial action plan have been implemented and that the controls and safeguards work as intended. Approval of the security authorization and assessment is an implied statement of fact by business owners that sound stewardship practices and due diligence have been employed in reducing information technology security risks to an acceptable level, thereby safeguarding the information assets and personal information in their custody from potential compromise.

Agriculture and Agri-Food Canada's instance of PeopleSoft had not been certified or accredited when Health Canada and the Public Health Agency of Canada implemented itin November 2011. Health Canada and the Public Health Agency of Canada had obtained an interim authority to operate, granted under a conditional agreement that risks be reduced to acceptable levels within a prescribed period (generally six months). Agriculture and Agri-Food Canada has recently informed Health Canada and the Public Health Agency of Canada that its instance of PeopleSoft has been recommended for final authority to operate and that formal approval and sign-off for the security authorization and assessment is to be completed by November 30, 2013.

In conclusion, the risks associated with the protection and confidentiality of employee information are being addressed. Further attention is required concerning employee information in the control and custody of the service provider, which should be reflected in the service agreement or an information sharing agreement.

Recommendation 7

Management response

C - Conclusion

Overall, Health Canada and the Public Health Agency of Canada control framework for PeopleSoft to manage the human resource function needs moderate improvement.

There is a well-defined and applied governance regime that provides for the review and oversight of stakeholder needs, data quality, and unresolved problems and issues. The Data Integrity Strategy is providing positive results by identifying errors in PeopleSoft. The Strategy has also resulted in a collaborative effort towards data quality by all functional areas in the Human Resources Services Directorate and has established processes for data quality assurance and assessment. One area for improvement is a need for increased follow-up by the functional areas to achieve the timely correction of errors.

The roles and responsibilities of Health Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada in support of PeopleSoft are well defined in the PeopleSoft Shared Services PartnershipGovernance framework, service agreements and the PeopleSoft Project Charter. Roles and responsibilities are being effectively carried out.

Operational risks related to the use of PeopleSoft are receiving oversight on two fronts: through the PeopleSoft Shared Services Governance Partnership; and the Human Resource Senior Management Committee. One area of improvement would be to see the Committee adopt a more formal approach to risk management, including the use of a risk register to manage risks related to PeopleSoft.

Health Canada and the Public Health Agency of Canada have managed most changes well, which has led to improvements in the self-service function, the use of standard business processes and improved management accountability. Health Canada and the Public Health Agency of Canada would benefit from using Express Lane Staffing, which will quickly process staffing transactions.

The classification, staffing and compensation functions are generally following procedures and processes to manage human resource business transactions. No significant data integrity errors were found. There were several employee records with important dates recorded incorrectly in PeopleSoft. Explanations for manual leave adjustments in PeopleSoft need to be provided and should be verified in PeopleSoft before they are accepted.

Risks associated with the protection and the confidentiality of employee information are being addressed. Further attention is required for employee information in the control and custody of the service provider, which should be reflected in the service agreement or an information sharing agreement

The areas of improvement that have been noted will collectively strengthen the management control framework for PeopleSoft in support of the human resources function.

Appendix A - Lines of enquiry and criteria

Appendix B - Scorecard

Appendix C - Road map to target state vision

Figure 3 - Roadmap to Target State Vision (Enterprise-Wide)

Enlarge Figure 3

Source of information: Treasury Board Secretariat - Human Resources Modernization: Presentation to the Council of Systems Cluster Groups (March 2012).

Appendix D - PeopleSoft system data flow overview

Figure 4 - PeopleSoft system data flow overview

Enlarge Figure 4

Appendix E - Anticipated benefits of implementing PeopleSoft

Source of information: PeopleSoft Business Case - September 2009: Anticipated benefits to participate in a partnership arrangement with Agriculture and Agri-Food Canada.