Audit of Human Resources Special Projects - PeopleSoft - Final Report
(approved November 3, 2010)
Table of contents
Context
In 2006, the Treasury Board of Canada Secretariat (TBS) recognized the PeopleSoft Government of Canada Human Resources Management System (GC HRMS), version 8.9, as the target system environment for human resources (HR) systems for federal government organizations. Furthermore, the Public Service Commission's (PSC) Human Resources Management Information System (HRMIS) and the Leave Information Management System (LIMS) were at risk of losing their technical support. On September 14, 2009, the PSC successfully rolled out PeopleSoft. In order to facilitate the transfer and share in the costs of the project, the PSC entered into a partnership arrangement with Veterans' Affairs Canada (VAC). (VAC was the first federal government organization to implement this version of the PeopleSoft GC HRMS application.) This partnership was enabled by collaborative measures identified in a Memorandum of Understanding (MOU) between the two organizations.
Rationale
The project is a significant investment and affects the ongoing operations of the PSC. The PSC-VAC partnership was the first of its kind for both organizations. Though technological risk was reduced by the use of well-established commercial software and implementation risk was reduced by moving to a system already in use by another department, it also opened the PSC and its data to increased external risks. Governance, strategic direction and communication also become more complex in a shared management situation. As with most major system installations, there was potential for user resistance to change. As well, the conversion of data into the new system presented a risk to the completeness and integrity of employees' personal information.
The Public Service Commission's Internal Audit Committee approved the Audit of Human Resources Special Projects - PeopleSoft in February 2009.
Objective
The objective of this audit was to determine whether the implementation, testing and operation of the new shared system, PeopleSoft, are adequate and can support continued and efficient HR functionality. In particular, the audit reviewed the project management component, data integrity controls of the new HR application project and opportunities for making optimal use of Information Technology (IT) capability.
Conclusion
Human Resources Management Directorate (HRMD) has fully implemented PeopleSoft as a replacement for the technically non-supported HRMIS and LIMS applications. For this project, the PSC partnered with VAC. This approach helped mitigate the risks associated with the implementation and operation of a new system. This first of its kind venture for the PSC also resulted in cost economies. The execution of this project achieved all strategic objectives. HR specialists were able to fulfil their operational duties during and after implementation, while PSC employees experienced a seamless transition.
In order to maintain sustainability of PeopleSoft operations and the integration of new functionalities, some existing processes could be bolstered to reduce potential risks, enhance accountability and improve operations. Formal measures should be developed to facilitate the transfer of knowledge in the event of staff turnover. Although risk management was an integral part of the project, better documentation at the oversight level would help ensure accountability in this shared environment. It was also found that additional work is needed in the areas of tracking training, system access and business continuity. In general, the successful implementation of PeopleSoft provides the PSC with an up-to-date application to manage HR effectively. Furthermore, the system can support additional functionalities that will help bring the Commission closer to becoming a model organization in both financial and HR management.
Management has worked in cooperation with the Internal Audit Directorate (IAD) to expedite the audit and provide additional comments and information, as necessary. Management has provided action plans that will address the weaknesses noted.
Internal Audit Directorate (IAD) identified the implementation and testing of the new PeopleSoft application as a proposed audit under the 2009-2010 Internal Audit Plan. The Public Service Commission’s (PSC’s) Internal Audit Committee approved the Audit of Human Resources Special Projects - PeopleSoft in February 2009. The planning phase for this audit started in September 2009.
In earlier Reports on Plans and Priorities, the PSC stated that "becoming a model organization in financial and human resources management" is a management priority.This included a planned commitment to enhance and invest in Information Technology (IT) management strategies that support evolving technology needs and mitigate potential risks such as those related to system compatibility, integration, security, obsolescence and vendor support.
In April 2006, a Treasury Board Directive on Corporate and Administrative Systems Investment recognized the PeopleSoft Government of Canada Human Resources Management System (GC HRMS), version 8.9, as the target system environment for human resources (HR) systems for federal government organizations. PeopleSoft is the government-wide choice of HR suites and has a Program Centre that provides support and maintenance and is dedicated to identifying system improvements and solutions. The Program Centre represents the cluster of government departments and agencies actively involved with PeopleSoft. The goal of the cluster is to continuously improve the functionalities of the system to adapt to changing regulatory requirements and HR needs. VAC and the PSC each have a vote on decisions. Furthermore, the PSC’s Human Resources Management Information System (HRMIS) and the Leave Information Management System (LIMS) were at risk of losing their technical support. This threatened the functionality required to support Human Resource Management Directorate (HRMD) priorities and operations. After weighing viable alternatives via business case options analyses, it was decided that implementing the PeopleSoft system was the most appropriate option.
In order to facilitate the transfer and share in the costs of the project, the PSC entered into a partnership arrangement with Veterans’ Affairs Canada (VAC). VAC was the first federal government organization to implement this version of the PeopleSoft GC HRMS application. This partnership was enabled by collaborative measures identified in an MOU between the two organizations.
On September 14, 2009, the PSC successfully rolled out PeopleSoft. E-mail communications and a dedicated area on the PSC’s Intracom site were used to communicate information on the system to users and stakeholders.
In the summer of 2010, planning for the implementation of the Pay Interface add-on module started, with the goal of streamlining payroll operations. The module will be treated as a distinct project for planning and implementation purposes.
The project is a significant investment and affects ongoing operations of the PSC. This is the first time either the PSC or VAC have entered into such an arrangement for the implementation, ongoing operation and support of an IT system. Though the partnership offered significant economies, it also opened the PSC and its data to increased external risks. Governance, strategic direction and communication all become more complex in a shared management situation.
The transition from existing leave and other HR systems to the new system presents some potential impacts on PSC employees and functional specialists. User resistance to change is possible during such a transition. As well, the conversion of data into the new system presents a risk to the completeness and accuracy of personal information of PSC employees.
It should be noted that technological risk was reduced by the use of well-established commercial software and the implementation risk was reduced by moving to a system already implemented by another government organization.
The objectives of this audit were to determine whether the implementation, testing and operation of the new shared system, PeopleSoft, are adequate and can support continued and efficient HR functionality. In particular, the audit reviewed the project management component, data integrity controls of the new HR application project and opportunities for making optimal use of IT capability.
We expect that:
- An effective oversight body has been created, with a clearly communicated mandate that includes roles with respect to governance, risk management and controls;
- Objectives are established and communicated;
- Internal control, security and auditability measures exist during configuration and integration of the PeopleSoft application in order to protect systems, data and other resources and to ensure their availability and integrity; and
- During the post-implementation phase, external and internal environments are monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls.
The audit reviewed the overall management of the project, both the initial implementation at the PSC and the ongoing PSC operational aspects of this new shared system with VAC. Specifically, the audit covered:
- Governance and partnership;
- Planning and risk management practices of the project; and
- The integrity, security and privacy of PSC data.
Although the audit looked at some of the risks shared by the two organizations in the joint initiative, IAD did not audit the VAC systems specifically, nor did it provide any level of assurance or recommendations to VAC.
The internal audit was conducted in accordance with PSC standards, based on the Institute of Internal Auditor’s standards and the TB of Canada’s policy. The PSC’s IAD is working toward full compliance with all applicable standards. We have examined sufficient evidence and collected the information necessary to arrive at the conclusions made. In some cases, the evidence sought was not available, resulting in an observation to this effect.
The PSC Standard Audit process includes three principal phases:
- The Planning Phase;
- The Detailed Examination Phase; and
- The Reporting Phase.
All deliverables are reviewed and signed off by the Director, Internal Audit. As part of the audit process, briefings and validations of observations were ongoing with the Vice-President of Corporate Management Branch (CMB) and his representatives. CMB has provided all requested documents and access to employees.
The Planning Phase began in September 2009, during which a preliminary risk assessment was used to identify lines of inquiry. IAD developed draft criteria using the Core Management Controls: A Guide for Internal Auditors (Draft-November 2007) of the Office of the Comptroller General of Canada as well as Control Objectives for Information and Related Technology of the IT Governance Institute, among others. Additionally, criteria were refined through the review of existing procedures and reports, along with interviews of key management and operational staff, including branch executives and functional specialists.
From this phase, the audit moved to the Detailed Examination Phase. Methodologies included interviews with management and staff and review and analysis of key processes and documents, including systems-generated reports, strategy documents, personnel data files and other data. Sample-based retesting was also performed. The Detailed Examination Phase concluded in August 2010. Findings were developed and presented to HRMD on September 15, 2010.
Control objective #1 - An effective oversight body has been created with a clearly communicated mandate that includes roles with respect to governance, risk management and control.
8.1 Project governance
The audit found that project documentation clearly defined the oversight body’s authority, responsibility and accountability. The oversight structure was defined in the original MOU and further clarified in the 2010-2011 MOU drafts. Hierarchical lines of authority were set out and the Terms of References detail the membership, frequency of meetings and standing items.
Financial arrangements were cleared with the Finance and Administration Directorate, while the Accounting Operations Directorate detailed the settlement process in collaboration with the Legal Affairs Branch. Details of these processes and controls were part of the MOU developed by Legal Affairs Branch for the implementation of the PeopleSoft application, in partnership with VAC. This initial MOU will be replaced by another one to be signed in fall 2010 that will cover the post-implementation phase of the project. The audit found that the MOU addressed compliance with laws and regulations as well as other matters relating to the partnership. The MOU is reviewed on an annual basis. Auditors determined that this review process is comprehensive and that the resulting MOU took into account changing risks and new circumstances that have arisen as the project and the partnership evolve.
The partnered implementation of the project and its cost-sharing implications were a first of its kind for the PSC. This led to resourceful solutions. In order for each organization to address mandate issues with providing IT-related services, Legal Affairs Branch developed a “deemed employee clause”, based on models used elsewhere in government, to be built into the MOU. Preparation of project documents involved government lawyers from various organizations. Furthermore, selected sections and wording of the MOU led to its adoption as a template now used within Staffing and Assessment Services Branch for MOUs with other departments and agencies.
It is estimated the partnership arrangement resulted in savings of over $2,020,000 for the implementation of GC HRMS.
8.2 Resource planning
PeopleSoft expertise is in high demand as it is the platform of choice for government organizations. In spite of limited resources, particularly on the functional side, IAD found that the project team was able to work together to accomplish its objectives.
The audit noted that the project’s governance structure defined the roles and responsibilities for project sponsors and owners, steering committee, project office and the project manager. These were well communicated and were instrumental in supporting the various players from both parties in the orderly attainment of their respective objectives. However, unexpected circumstances following the implementation of the application arose, due to the temporary absence of one of the project’s key players. This situation coincided with a change in leadership within HRMD.
Although the position was filled in a relatively short time, this resulted in a void during post-implementation, contributing to delays in the transfer of corporate knowledge and other activities. For example, at the project management level, Safeguard Implementation Plan items were interrupted and IT security meetings were postponed. However, at the operations level, Information Technology Services Directorate (ITSD) staff continued their meetings and follow-up activities. It was noted that there was no natural succession within the project team as the next “in line” to this key position was three levels down and, secondly, that there were no formal skill-related contingency measures for the project in the event of a prolonged absence of key personnel.
Although risk management documentation was reviewed at the joint committee level, the interruption of risk management reviews at the project level threatened to reduce the accuracy and timeliness of such information from being presented to the higher levels of oversight (e.g. the joint committees).
Recommendation
1. Human Resources Management Directorate should develop formal contingency measures for key PeopleSoft skills. This would include identifying positions that, if left vacant, could jeopardize business goals as well as identifying available sources of the skills, competencies and knowledge to fulfil these roles. In crucial roles, specifically the Project Lead, suitable replacements should be able to assume responsibilities with short notice. Regular backups should be in place for other positions.
Management response
HR Systems will formalize and pursue the transfer of knowledge, post-implementation, between functional and business analysts and will continue to leverage functional expertise from VAC. Additionally, HR Systems will formalize contingency plans with VAC, as well as develop and name existing staff for backup regarding key functions for support maintenance and development, including update report status to the Director General (DG) HRMD in case of emergencies.
- Responsibility: Manager, HR Systems jointly with Manager, IT Application Services
- Timeline: December 2010
Control objective #2 - Objectives are established and well communicated.
8.3 Project planningIAD found that there was a well-defined strategic planning structure for implementation, documented in a business case charter, and, where required, corresponding strategies. Roles, responsibilities and channels of communication were clearly described. The encompassing scope of the project demanded wide-reaching strategies in several areas. These strategies (including communication, reporting, data conversion and training) were detailed, robust and aligned with corporate strategic objectives.
The formal communication processes and mechanisms in place supported the sharing of timely, relevant and reliable information to users and other external stakeholders. The communication strategy and plan featured well-detailed documentation. The Web site, e-mailed communiqués and a catalogue of self-service on-line guides also added to the plan. Consensus through interviews and feedback from stakeholders with major and minor PeopleSoft usage and roles confirmed that they were well informed of the status of the system and, ultimately, its implementation.
8.4 Training
It was expected that the PeopleSoft training would enable personnel to properly perform their duties. Specifically, it was crucial that HR users responsible for inputting and using data had timely and sufficient training to perform operational tasks. IAD obtained and reviewed PeopleSoft training documentation to assess completeness and adequacy. Additionally, business users of the systems – HR staff known as Subject Matter Experts (SME) – were interviewed to verify whether the courses, instruction and training material were timely, sufficient and adequate for them to discharge their responsibilities.
The audit indicated that the training strategy for the implementation of PeopleSoft was complete and robust. Detailed training was formatted for different audiences and sessions were given for each level of user, according to their respective subject matter areas, including at the Director, DG and PSC support personnel levels. According to SME interviews, the training was informative and well-delivered and sufficient training material was available.
Examination revealed minor discrepancies between the various documents in the actual training schedules. Furthermore, training record-keeping appeared ad hoc and was spread over several files. It was noted that this style was adopted to suit tight timeframes. Some 60 users were trained in total and the efforts were concentrated on the approximate 20 users who provide the data entry services, as opposed to those who use the system for queries and reports. Although there was little logging of individual sessions, HRMD adapted and customized training to fit demanding schedules and timelines. Attendance sheets were kept, though some discrepancies were found. There were no performance evaluations for the training sessions or trainers. This lack of formal measures and evaluation of the training prevents the collection of critical information on the effectiveness of both the training and the system itself.
Self-service sessions were also provided for all PSC employees once the application was deployed. Although instructional literature was available on Intracom, these sessions were much appreciated by any employees uncomfortable with the system processes for submitting and amending leave requests and managing leave balances.
Additional post-rollout training was provided after October 2009 but was mostly one-on-one with HR users. In May 2010. a more robust training log was created to schedule additional training. This log also included other non-HR user training required by certain stakeholders throughout the PSC. Attendance logs and evaluation measures are not yet in place, though management is exploring the option of using the PeopleSoft system to track employee training.
Recommendation
2. Human Resources Systems Division should use reliable training logs in conjunction with attendance sheets to accurately track employee training on the use of the system. Results should be evaluated after the sessions to ensure client satisfaction and effectiveness of the training and to develop future training strategies.
Management response
Management agrees that a formal evaluation form should be used to track training. It is using the newly developed evaluation form for each training session delivered and will review the results to adjust training, as required, and develop future training strategies. HR Systems is maintaining the existing log for PeopleSoft training activities and will formalize PeopleSoft training records for tracking and quality assurance purposes through the HR system PeopleSoft training activities.
- Responsibility: Manager, HR Systems
Timeline: January 2011
8.5 Risk management
Risk identification and management were integral aspects of the project, including informal risk management review discussions at the joint committee meetings.
IAD expected to find evidence of the resolution of interorganizational issues by both the project management team and the oversight body. As well, according to the Project Charter, a Privacy Impact Assessment (PIA), Threat and Risk Assessment (TRA) and a Statement of Sensitivity (SOS) were to be completed. The project was to manage risks using the Continuous Risk Management methodology, a strategy recommended by TBS for projects. Auditors found that all of these documents were adequately completed and compliant and that the methodology was adhered to.
The content of the PIA, SOS, and TRA form the basis for the Safeguard Implementation Plan (SIP). The SIP is the official record of risk management activity for PeopleSoft. This document lists the recommendations, actions planned, Offices of Primary Interest and status of implementation for a particular project. PeopleSoft was the first project to pilot the SIP approach to risk management at the PSC, and according to ITSD, it remains the most complete example in the organization. ITSD is the custodian of the SIP and liaises with the project team to gather information and update the document on a regular basis.
During the project implementation, a Risk Management Log was used and maintained on a regular basis. These risks were reviewed by the Joint Planning Committee biweekly and contingency plans were developed for high risk areas. A status report (known as the Project Dashboard) was presented to the Steering Committee and to the Executive Management Committee.
Updates and meetings were interrupted when the project manager was changed. Meetings that were held at irregular intervals between PeopleSoft’s IT Security Coordinator and the functional teams before the change were suspended for a period. However, it was noted that an informal meeting between IT Security and the PeopleSoft technical team did take place in February 2010. Formal meetings resumed in May 2010 and were held on a regular, monthly basis. HRMD has also indicated that, for additional oversight and support, a meeting was held with the PSC’s DG HRMD and DG ITSD as well as their counterparts at VAC. In addition, the VP, CMB and DG HRMD held meetings and were extensively involved in all aspects of this project.
As per the draft MOU 2010-2011, the SIP and risk management issues are to be addressed at the joint committee level. Although IAD found no evidence of this in the meetings’ agendas or decision records, interviews indicated that the SIP was informally examined during Joint Planning Committee (JPC) roundtable discussions. Additionally, SIP review was added as an agenda item at the September 8th, 2010 JPC meeting.
The explicit inclusion in the MOU of risk management as a standing item at Joint Committee meetings illustrates that management is sensitive to the importance of this control. However, although risk management was informally discussed, the lack of documentation weakens the record of discussions and decisions and the ability for the committees to demonstrate accountability. Moreover, the absence of information on decisions or actions to be taken could impede strategic planning. Ultimately, reduced emphasis on risk management at higher levels could jeopardize prioritization, funding or delivery of action items and affect the viability of the project, especially in the context of the existing partnership.
Recommendation
3. To comply with the committee Terms of References and Memorandum of Understanding, Human Resources Systems Division should develop mechanisms to ensure effective and regular review of risk management issues and status at the strategic governance level. This should be documented in the minutes or records of decision.
Management response
Management will add risk management for PeopleSoft’s regular business and for GC Pay Interface, as well as the Safety Implementation Plan, as standing items on the agendas of the Joint Planning Committee and Steering Committee and will document respective records of decision.
- Responsibility: Manager, HR Systems jointly with Manager, IT Application Services
- Timeline: October 20, 2010
A Risk Management Log for GC Pay Interface was tabled at the Joint Steering Committee meeting on October 20, 2010. Management will develop and finalize a Risk Management Log concerning the regular business phase of the PeopleSoft system. DG, HRMD will assess amount of Directorate-level review needed.
- Responsibility: Manager, HR Systems jointly with Manager, IT Application Services
- Timeline: December 2010
Control objective #3 - Internal controls, security and auditability measures exist during configuration and integration of the PeopleSoft application in order to protect systems, data and other resources and to ensure their availability and integrity.
8.6 Controls
The audit found that, overall, there were strong measures in place to protect PSC resources, data integrity and the privacy of information. The data conversion was conducted successfully, supported by a comprehensive strategy and methodology.
Auditors found thorough and complete data testing measures in place to verify the integrity of the conversion and ongoing input. Business analysts from both organizations performed both sample-based and query-based testing. IAD retested a sample of PeopleSoft data to ensure its integrity and no unexplained anomalies were found.
In the lead-up to the PeopleSoft launch, some test case scenarios had to be retested several times as part of the troubleshooting process. Approximately 95% of the problems were technical, rather than functional, issues. The testing documentation included what was tested, the results and details of the individual fixes from a functional perspective when there was added value for business analysts for future rework. All technical solutions were kept in a system (known as “Bug Tracker”) shared between the PSC and VAC. This system is available to both functional and technical teams.
The MOU indicates that both the PSC and VAC are responsible for ensuring the compliance of data retention and disposal of information within Library and Archives Canada standards. The system’s archiving and disposal capabilities do not meet PSC or Library and Archives Canada requirements. This is a government-wide issue since the PeopleSoft system has never been able to archive to commercial or governmental standards. There is a VAC-led working group (including representatives from the PSC, VAC, and Library and Archives Canada) at the Program Centre to deal with the issue. The solution is expected to be part of the product by July 2011 and will be implemented in the next PeopleSoft version release. According to HRMD, bringing data retention and disposition into production will be the first priority after the implementation of Pay Interface. It was noted that an annex to the MOU will be added, reflecting Working Group resolutions. As a contingency measure, a solution for GC HRMS data will be implemented as soon as it is identified and approved. Other mandatory and complementary controls were shown to be in place to ensure that the system’s environment meets Protected-B standards.
According to the MOU, users must have read and signed a declaration committing them to respect the security and privacy requirements of the Government of Canada. This is another initiative led by the Program Centre and is part of the “Common Configuration Project”. A Working Group has been mandated to find the best solution and leverage the work already done by Agriculture Canada (a Program Centre partner) concerning the privacy and security requirements. The group has provided a Business Requirement Document (BRD) with a “Privacy Notice Statement”. The document was reviewed and approved by Legal Affairs Branch in October 2010. The BRD is now being tabled at the Program Centre Operational Committee and will be developed and made accessible to all departments and agencies. Additionally, for the PeopleSoft team members, a security declaration was officially signed before they were provided with access to the data through Citrix Systems. Currently, the accessibility to different modules varies between jobs. HRMD has indicated that a standard accessibility procedure is being developed and implemented.
Based on job duties, individuals require varying levels of access to the system in order to input, edit and consult data. In the latter case, for instance, the data would be used in the production of reports. The level of authorized access (known as a “security profile”) is assigned based on job requirements. For new employees, the PSC’s HelpDesk is responsible for assigning the standard roles (self-service and managerial self-service). For HR users needing higher-level access a sign-off of the “PeopleSoft Security/Training Request Form” is required from the section chief. Each permission or role in the employee’s profile is revised according to the information received from the manager.
An arrival report is run every two days to ensure that all new employees receive the proper access rights to PeopleSoft. A departure report is in the process of being developed and will be run on the same frequency to ensure that accounts are deleted upon employee departures from the PSC. Currently, however, when HR users change roles within the organization the modification is made manually. There is no formal procedure for this yet and the revision of the profiles is based on observations by the PeopleSoft team.
Manual maintenance of the profiles could result in inappropriate employee access and conflicts of duty. HR users moving within HR or elsewhere in the PSC might not have their profiles realigned for their new roles in a timely manner and data integrity could be compromised. In some circumstances (e.g., assignments or certain types of extended leave), relying on informal, observational information could prevent users from obtaining or giving up the proper access. This could impede operations and create the possibility of violating privacy regulations as well as covenants in the MOU. Excessively broad profiles also make investigations in the event of a security compromise unnecessarily complex.
Recommendation
4. Human Resources Systems Division should put in place a systematic monitoring of user profiles to ensure that individuals have the access appropriate for their classification and role.
Management response
HR Systems will review and develop a formal internal procedure with HRMD managers and ITSD for the creation and maintenance of security accounts and profiles. A monthly monitoring report will be provided to the managers for their validation and sign off.
- Responsibility: Manager, HR Systems
- Timeline: End of November 2010
8.7 Disaster recovery
We expected to find reliable processes for ensuring a recovery from data loss and system failure.
Though data is adequately encrypted during transmission, it is unencrypted while in storage. Given the existing mitigating measures, management determined that this added level of control would be too costly. Additionally, back-ups are unencrypted and sent off-site using a commercial courier. As of September 2010, the PSC has documented its back-up and encryption requirements and communicated these to VAC. Management determined that the relatively low risk of back-up loss did not justify their encryption or the use of secure couriers for their shipment. However, management is also aware that any breach of the security of data of such a sensitive nature would be costly to the organization both in terms of reputation and of out-of-pocket costs to verify the profiles of all employees affected by such an incident.
The task of developing a Business Continuity Plan was designated to VAC in the previous and current MOUs. As VAC hosts all project infrastructure, they were appropriately placed for this task. There has not yet been any significant progress on a Business Continuity Plan or Disaster Recovery Plan. The absence of any continuity measures leaves PSC data open to risk.
Recommendation
5. Human Resources Management Directorate should develop a contingency plan to deal with the threats of:
- i. Loss of unencrypted data in storage;
- ii. Loss of back-ups; and
- iii. System disaster;
until the partnership has developed a solution or, alternatively, accepts the risks formally.
Management response
The PSC will request VAC’s proposed Disaster Recovery contingency plans by November 2010. The plans will be presented at the January 2011Joint Planning Committee for recommendation and subsequently presented at the March 2011 Steering Committee for approval and action.
- Responsibility: Manager, HR Systems,
- Secondary Responsibility: Director, IT Application Services
- Timeline: March 2011
Control objective #4 - During the post-implementation as well as on a production basis, external and internal environments are monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls.
8.8 Monitoring
The overall transition to the new system was seamless to general users. The auditors found a comprehensive level of monitoring over the system environment. Regular and frequent evaluation was demonstrated at all levels, including joint committee-level discussions, transaction monitoring and HelpDesk ticket examination.
For application transactions, a monthly report is generated to identify anomalies for the PeopleSoft team to investigate. As well, ongoing HelpDesk support generates timely identification of user problems that are forwarded to the appropriate PeopleSoft team members, based on the technical or functional nature of the problem.
A post-mortem review was conducted to document the actual performance of the implementation and offer suggestions on how things can be improved. In its early stages, the audit found that there was a lack of a formal process for dealing with system changes. This was also recognized by the project team in the post-mortem review. As a solution, formal Change Management Guidelines were created and adopted. When a change is required, it follows a systematic and prescribed change management process developed in conjunction with VAC. Though some minor discrepancies were found in the change request documentation, the general process was found to be effective.
Resistance was expected to the introduction of the new application, given that many employees were comfortable with and had developed expertise in HRMIS and/or LIMS. The PeopleSoft team offered assistance and held working groups to assess needs. In response to a need for differentiated reports, other than those offered as standard by the system itself or by VAC, a reporting review exercise has begun.
The PeopleSoft system environment and project team were found to be ready to implement new functionalities. The Change Management Guidelines document includes a formal procedure for choosing and implementing new functionalities. This matter is also being discussed at the joint committee.
The PeopleSoft team is now preparing to implement Pay Interface and Pay Card functionalities. This major initiative will be treated as a distinct project because of its scope and budget. Contracts have been procured and work has begun on strategy and implementation documents.
HRMD has fully implemented PeopleSoft as a replacement for the technically non-supported HRMIS and LIMS applications. For this project, the PSC partnered with VAC. This approach helped mitigate the risks associated with the implementation and operation of a new system. This first of its kind venture for the PSC also resulted in cost economies and it achieved all strategic objectives. HR specialists were able to fulfil their operational duties both during and after implementation, while PSC employees experienced a seamless transition.
In order to maintain sustainability of PeopleSoft operations and the integration of new functionalities, some existing processes could be bolstered to reduce potential risks, enhance accountability and improve operations. In case of staff turnover, formal measures should be developed to facilitate the transfer of knowledge. Although risk management was an integral part of the project, better documentation at the oversight level would help ensure accountability in this shared environment. It was also found that additional work is needed in the areas of tracking training, system access and business continuity. In general, the successful implementation of PeopleSoft provides the PSC with an up-to-date application to manage HR effectively. Furthermore, the system can support additional functionalities which, taken together, will bring the Commission closer to becoming a model organization in both financial and HR management.
Management has worked in cooperation with IAD to expedite the audit and provide additional comments and information, as necessary. Management has provided actions that will address the weaknesses noted.
| Control Objectives | Audit Criteria |
|---|---|
| Control objective no. 1 An effective oversight body has been created with a clearly communicated mandate that includes roles for governance, risk management and controls. |
1.1 The mandate clearly defines the oversight body’s authority, responsibility and accountability. |
| Control objective no. 2 Objectives are established and communicated. |
2.1 A strategic planning structure is in place that defines, in co-operation with relevant stakeholders, how the project implementation will contribute to the corporate strategic objectives. 2.2 The organization identifies its current and future project resource requirements and analyzes them against HR competencies and capacities. 2.3 Detailed PeopleSoft training is provided to all PSC employees so that personnel can perform their duties. 2.4 The project risk identification and management processes are rigorous and consider both internal and external sources of risk, including dependencies and inter-relationships with other federal entities and parties. 2.5 Formal communication processes and mechanisms exist and support the sharing of timely, relevant and reliable information to users and other external stakeholders. |
| Control objective no. 3 Internal control, security and auditability measures exist during configuration and integration of the PeopleSoft application in order to protect systems, data and other resources and to ensure their availability and integrity. |
3.1 A data conversion process was established and accordingly conducted. 3.2 Testing is performed in accordance with a defined test plan at all appropriate and/or critical stages. 3.3 Policies and procedures are in place and used to identify and apply security requirements applicable to the receipt, processing, storage as well as the transfer and output of data to meet the organization’s security policy and regulatory requirements, specifically with regards to the encryption of data at the PSC and VAC. 3.4 Security techniques and related management procedures (e.g., firewalls, security applications, network segmentation, intrusion detection and physical security measures) are used to authorize access and control information flows to and from networks. 3.5 The statutory and regulatory requirements to the Access to Information Act and Privacy Act have been met. 3.6 Assets are protected and access to assets, records and information is limited to authorized individuals. 3.7 Procedures for effective and efficient data storage, retention, archiving and disposal are defined and implemented to meet the organization’s security policy and regulatory requirements. 3.8 A tested and operational business continuity plan exists. |
| Control objective no. 4 During the post-implementation phase as well as on a production basis, external and internal environments are monitored to obtain information that may signal a need to re-evaluate the organization’s objectives or controls. |
4.1 Transactions are accurate, complete and valid. 4.2 Performance is monitored against the targets and indicators identified in the organization’s objectives or controls. 4.3 There is a formal procedure, aligned with corporate objectives, for choosing new functionalities. 4.4 Management should periodically assess the effectiveness of controls in its organization and communicate the results to those to whom it is accountable. |
Page details
- Date modified: