Audit of PeopleSoft
Audit of PeopleSoft
August 2012
Key Dates
Opening conference (launch memo)
Audit plan sent to management
End of fieldwork / Closing conference (exit debrief)
Audit report sent to management
Management response received
Penultimate draft report approved by CAE
Audit committee recommended
Deputy Minister approval
List of Acronyms
ADM
CAAR
CASS
CSB
CIOB
EC
GC
HR
HRMIS
HRMS
HRSO
IES
PWGSC
RPS
SMS
SOP
Assistant Deputy Minister
July 2011
October 2011
March 2012
May 2012
June 2012
June 2012
June 2012
August 2012
Corporate Accountability and Administrative Renewal
Corporate Administrative Shared Services
Corporate Services Branch
Chief Information Officer Branch
Environment Canada
Government of Canada
Human Resources
Human Resources Management Information System
Human Resources Management System
Human Resources Senior Officer
Integrated Enterprise Services
Public Works and Government Services Canada
Regional Pay System
Salary Management System
Standard Operating Procedures
TBS
UPK
WFA
Treasury Board Secretariat
User Productivity Kit
Work Force Adjustment
Prepared by the Audit and Evaluation Team
Acknowledgments
The audit team, composed of Graça Rebelo Cabeceiras, Daniel Chenier, Lise Gravel,
Elizabeth Mountford and Kenneth Gourlay, under the direction of Jean Leclerc, would like to thank those individuals who contributed to this project and, particularly, employees who provided insights and comments as part of this audit.
Audit of PeopleSoft
Table of Contents
2 FINDINGS AND RECOMMENDATIONS .................................................................. 4
2.2 Key indicators of success were not formally evaluated ...................................... 5
Environment Canada
Audit of PeopleSoft
EXECUTIVE SUMMARY
This audit of PeopleSoft was included in the departmental Risk-based Audit and
Evaluation Plan 2011 –2014 as approved by the Deputy Minister, upon the recommendation of the External Audit Advisory Committee.
The purpose of the audit was to provide assurance that the governance surrounding the implementation, testing and operation of the PeopleSoft system was adequate.
PeopleSoft is the Government of Canada’s selected system for the management of human resources. As a result of the risks identified during the preliminary survey for this audit, the audit set out to provide assurance that the governance over the implementation of the system was adequate and to provide assurance that the governance of the data within the system during operations is adequate.
Using a combination of interviews, document reviews, data analyses and tests, we concluded that the implementation was, from an EC perspective, well governed. Using the same methodology, we also concluded that opportunities exist for improvement in the way that data are managed during operations.
Summary of Recommendations
1 The Assistant Deputy Minister (ADM) of the Human Resources (HR) Branch should assess (estimate) the quality of the information in PeopleSoft so that management can take the quality into consideration when using the information for decision making. Based on this assessment, the ADM should also define an approach for the continued improvement of the quality of the data.
2 The ADM of the HR Branch, in consultation with the ADMs of Finance Branch and Corporate Services Branch, should review and document the controls and processes related to the data issues that have been identified to ensure that weaknesses are corrected or risks adequately mitigated.
Management Response
We generally agree with the findings of this audit report and will address the recommendations in a management action plan that manages the risks in a cost-effective manner.
Environment Canada i
Audit of PeopleSoft
1 INTRODUCTION
This audit of PeopleSoft was included in the departmental Risk-based Audit and
Evaluation Plan 2011 –2014 as approved by the Deputy Minister, upon the recommendation of the External Audit Advisory Committee. It was included in the plan based on initial concerns about the duration and cost of implementing the PeopleSoft application and on concerns about whether the functionality that was finally delivered was the same as had been originally promised.
1.1 Background
In 2006, the Treasury Board Secretariat (TBS) identified the PeopleSoft Government of
Canada (GC) Human Resources Management System (HRMS) as the target system to be used for the management of human resources (HR) for all federal government departments. GC HRMS is the Government of Canada Human Resources Management
System and is not to be confused with HRMIS, which is Environment Canada’s (EC) legacy Human Resources Management Information System.
PeopleSoft is an information system that stores and enables the processing of departmental HR information such as the classification levels of positions, appointments to posts, and leave information. This system allows the Department to use its HR information in a more efficient and effective fashion in support of departmental decision-making.
In implementing PeopleSoft across government, the main goals were to reduce the number of HR systems requiring integration, to improve HR information management and to meet common requirements of all users for HR information (streamline and standardize). The anticipated result of achieving this goal was an overall reduction in cost and improvement in effectiveness of the HR function government-wide.
Phase 1: The CASS Initiative
The Corporate Administrative Shared Services (CASS) initiative was a TBS initiative that was already in place when EC became involved in 2005. It was meant to help all government departments install common systems for financial and HR management under the leadership of a specially appointed assistant comptroller general.
During that period, EC’s HRMIS (developed by EC in the 1980s) was nearing the end of its useful life and was becoming increasingly expensive to maintain. It was also becoming increasingly difficult to attract and retain employees to work on it; this raised concerns about the system’s ability to continue to support human resource activities across the Department.
EC managers viewed participation in the CASS initiative as an opportunity to upgrade the Department’s HR applications, to provide the Department with dedicated project funding, and to reduce future costs through expense and resource sharing with other federal government organizations. As a result, EC approved the implementation of
PeopleSoft, under the TBS CASS initiative, in 2006.
Participation in the CASS initiative for the implementation of PeopleSoft was really the first of two phases in the implementation. Internally, this phase was led by the Integrated
Enterprise Services (IES) group in Finance from 2005 –2006 to 2008–2009. During that period the Department spent $4.5 million, much of it on salaries, training and helping
Environment Canada 1
Audit of PeopleSoft develop common procedures for HR. One benefit accruing from this was that EC's contribution gave the Department a seat at the CASS table where decisions were being made regarding the government-wide PeopleSoft implementation. Further, given the financial component of CASS (the implementation of a new financial system), within EC the CASS initiative was included under the umbrella of EC’s Corporate Accountability and Administrative Renewal (CAAR) initiative.
Unfortunately, it proved difficult for the Department to access CASS funding during the years that EC participated in the CASS initiative. The CASS initiative also experienced numerous delays —beyond EC’s control—in replacing both the financial and the HR systems. By 2008 HRMIS had to be replaced as a matter of priority. It was no longer capable of providing support to critical HR functions.
Phase 2: the PeopleSoft Implementation Project
Given the lack of progress on the TBS CASS initiative, the diminishing likelihood of being able to access CASS funding and the urgent need to replace HRMIS early in
2009, EC decided to implement version 8.9
1 of PeopleSoft as a stand-alone project outside of the CASS initiative. The decision to implement GC HRMS on our own marked the beginning of a second phase in the implementation of PeopleSoft at EC.
This second phase of PeopleSoft implementation was managed by the HR Branch in collaboration with Corporate Services Branch (CSB).
2 The project had an approved budget of $4.9 million and involved the implementation of a scaled-down version of
PeopleSoft that would allow the HR Branch to meet its legal and policy commitments for managing leave and would allow the Department to decommission its aging legacy HR application (HRMIS). The new scope did not include the replacement of the Regional
Pay System (RPS) or the Salary Management System (SMS). The system was successfully implemented between April 2009 and March 2010 at a cost of $4.4 million — on time and within budget. The legacy HRMIS system was decommissioned in 2010.
To date, all of the components of PeopleSoft v8.9 that are necessary for employee leave management and other related functions have been implemented at EC. This includes modules for
base benefits
workforce administration
position management
leave self-serve which allows the employees to have more control over how they process and modify leave
recruiting (partial)
HR reporting from the corporate data warehouse using Discoverer software
Nakisa (a reporting tool for organizational charts)
UPK 3 for online help/training
some central agency interfaces 4
1 PeopleSoft version 8.9 is currently the official Government of Canada approved version of
PeopleSoft. It is also known as the GC Layer of PeopleSoft or simply as GC HRMS.
2 At the time the project was carried out the branch was known as the Chief Information Officer
Branch.
3 The User Productivity Kit (UPK) is the PeopleSoft online help and training facility.
Environment Canada 2
Audit of PeopleSoft
Since implementation, other modules have either been implemented or partially implemented, including a single sign-on solution (to enhance system security), multiple company structures (allowing one installation to support both EC and the Canadian
Environmental Assessment Agency) and an upgrade to the HRSO Portal.
5
EC has the fundamental modules in place and is in a position to add modules to expand the functionality of its PeopleSoft system. EC was scheduled to implement other modules after the initial roll-out, but funding and resource constraints have placed the implementation of most of those modules on hold. This includes the GC Pay Interface, e-Pay Card and the Enterprise Learning modules. In 2011, however, the priority management module was implemented and put into production to help the Department handle Work Force Adjustment (WFA) issues; EC is currently demonstrating this functionality to other government departments.
1.2 Objectives and Scope
The formal objectives for the audit were to provide assurance of the adequacy of the following:
key governance, risk management and control processes over system implementation (meant to ensure that the HR functionality that was delivered was based on the needs of the user community)
key governance, risk management and control processes over data confidentiality, integrity and accessibility, including controls over the interfaces with other government systems.
Even though the PeopleSoft implementation was carried out in two phases, the audit’s implementation objective only deals with the second phase of the implementation because the preliminary survey indicated that most of the risks associated with the first phase were outside the direct control of Environment Canada. Therefore, the first phase is presented only to provide context for the second phase of the implementation, which was managed by HR (in collaboration with CSB) between the project kick-off in
April 2009 and the implementation of an operational system in April 2010.
For the second objective on the governance of data during operations, the audit covered the period between system implementation (April 2010) and March 2012. As of the latter date PeopleSoft had been in operation for 24 months.
While this audit was national in scope, most of the fieldwork was carried out in the
National Capital Region. Interviews involving regional staff were carried out by teleconference.
1.3 Statement of Assurance
This audit has been conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing and the Policy on Internal Audit of the Treasury
Board of Canada.
In our professional judgement, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached
4 Including the Office of the Chief Human Resources Officer in TBS.
5 The Human Resources Senior Officer (HRSO) Portal is a tool used by HR senior officers across the government for documenting standard operating procedures for HR.
Environment Canada 3
Audit of PeopleSoft and contained in this report. The conclusions were based on a comparison of the situations, as they existed at the end of the fieldwork in March 2012, against the audit criteria.
2 FINDINGS AND RECOMMENDATIONS
Overall, we found many good or best practices in the way that the PeopleSoft system was implemented and operated. We found a high level of engagement on the part of both the client (HR Branch) and the project team (HR Branch and CSB). We found good governance practices, including frequent status reporting to executive managers in a format that highlighted accomplishments, problems and risks and clearly identified where management support or decisions were required.
In operations, we found a widespread culture of respect for the confidentiality of data maintained in the system.
As detailed in Annex 1, of the 18 audit criteria that we examined, we found that the
Department had met 10 completely and had met another 5 with only minor issues. We did identify three issues of moderate concern, and the findings below deal with these issues.
2.1 Quality of some of the data migrated to PeopleSoft from
HRMIS was not assessed
In order for PeopleSoft to function as the system of record for management information about HR and to allow management to use that information for decision-making purposes, we expected to find that the managers knew to what degree they could trust the quality of data in the system. This implied that managers would be able to assess the reliability of the data for each of the implemented modules and for the critical data elements within those modules.
We found that when data were converted from the legacy HR system (HRMIS), a decision was taken to convert whatever data were in HRMIS without validating them against the paper files (the paper files are the current system of record for HR data).
Roughly 500 records had to be entered manually because the data quality would not allow the automated conversion process to complete successfully. Managers informed us that the strategy was to incrementally improve the quality of the converted data over time. HR staff indicated that whenever an HR file was opened to add or modify a transaction, the person doing the entry would look for inconsistencies between what was in the paper file and what was in the system and any errors would be corrected.
We found no evidence of any attempt to assess the quality of data (estimate the error rate) after conversion or to define a clear strategy or approach to fix the data over time.
Not knowing the quality of the information available for decision making might cause managers to make poor decisions related to HR.
Recommendation 1
The ADM of the HR Branch should assess (estimate) the quality of the information in
PeopleSoft so that management can take the quality into consideration when using the information for decision making. Based on this assessment the ADM should also define an approach for the continued improvement of the quality of the data.
Environment Canada 4
Audit of PeopleSoft
Management Response
While we generally agree with this finding, the HR Branch is confident that human resources data are quite reliable.
While it is true that some data was brought into the new system from the old HRMIS system, HR Branch has continually worked to improve the quality of that older HR data and we are also confident that any human resources data entered directly into the new system is quite reliable. Processes that are already established to ensure the reliability of data in our system for the purpose of decision making include:
Validating reports that are used for decision making against other sources to ensure their validity.
HR staff cleansing data for any file they work on during their day-to-day activities.
Reconciling EC data with corresponding data from central agencies
As well, our interaction with clients via the HR portal, the HR service desk, HR dashboards, self-service and ad-hoc reporting as well as the reconciliations undertaken with Finance data contribute to our confidence in the quality of the data and our ability to improve it over time.
Given the above, the HR Branch does not intend to do a further assessment of the quality of the data imported into PeopleSoft from HRMIS but we will continue to address other issues arising from this finding and recommendation in an action plan that will adequately manage any risks in a cost-effective manner.
2.2 Key indicators of success were not formally evaluated
We expected to see that a post-implementation review had been completed and that it included an evaluation of the performance against the initial key indicators identified in the project charter.
We found that the system was delivered on time and within budget and we found evidence that changes to the scope, project schedule, threats, accomplishments, risks and costs had been regularly reported to and approved by the ADM Steering Committee during the course of the implementation project.
We also found that a post-implementation review had been conducted at the end of the project. The resulting report, which was signed off by the client, states that the review was meant to address change management issues and any unmitigated security issues arising from the system implementation. While the report met those goals, the review did not follow up on the original key indicators of success for the project as outlined in the original project charter.
We note that the original key indicators had been defined before the project scope was defined, presented and approved. While a set of conditions for success was included in the scoping document, the original key indicators of success were not replaced or updated to reflect the changes to the scope. As a result some of the original key indicators were not entirely applicable to the scoped-down version of the project. Senior managers in HR did indicate that they were satisfied that the functionality provided by
PeopleSoft as implemented was what they expected given the revisions to the scope approved by the Steering Committee at the beginning of the second phase of the implementation.
Environment Canada 5
Audit of PeopleSoft
Closing the loop by reporting on the original key indicators of success at the end of a project gives an organization valuable information that can be used as "lessons learned" in the conduct of future projects. We suggest that this “loop” be closed in future projects so that continual learning can take place.
2.3 Data Integrity Issues
We identified a number of control-related issues that impact the integrity of the
PeopleSoft data:
We found weaknesses in the controls and procedures in PeopleSoft surrounding the approval of leave.
We found a number of generic user IDs in PeopleSoft that come from the GC
HRMS layer and that are not required in EC.
We found that the nature of the HR roles identified in the PeopleSoft system is not well documented.
We found a number of dormant accounts that were still active.
Additional information and details on these issues have been provided to the ADM of HR
Branch via a management letter.
Recommendation 2
The ADM of the HR Branch, in consultation with the ADMs of Finance Branch and
Corporate Services Branch, should review and document the controls and processes related to the data issues that have been identified to ensure that weaknesses are corrected or risks adequately mitigated.
Management Response
We agree with this finding and have already taken steps to address the associated recommendation in an action plan that will adequately manage any risks in a cost-effective manner.
3 CONCLUSION
Using a combination of interviews, document reviews, data analyses and tests we have concluded that the implementation of PeopleSoft (objective 1) was well governed from an EC perspective with only minor issues. The system, including the expected functionality, was delivered to the client on time and within the approved budget. Refer to the Audit Criteria chart in Annex 1 for further details on the findings for objective 1.
Using the same techniques, while we found many good practices in place to protect the confidentiality, integrity and availability of data during operations, we have concluded that opportunities exist for improvement in the way that data are governed during operations (objective 2). This is due to three areas of moderate risk that were identified in our review of the criteria for this objective. We note that two of these areas of moderate risk are the result of the same control weakness.
Environment Canada 6
Audit of PeopleSoft
For more details on our conclusion for the criteria related to objective 2, please refer to the Audit Criteria chart in Annex 1.
Environment Canada 7
Audit of PeopleSoft
Annex 1
Audit Methodology and Criteria
Audit Methodology
The methodology described in the section below was followed to address the audit criteria. The audit approach included the following:
reviewing relevant documentation such as Treasury Board Secretariat and
departmental policies, procedures and guidelines and central agency assessments conducting a data analysis of the PeopleSoft information developing interview guides to review processes and internal controls used in the
administration of PeopleSoft by HR staff, financial management staff and corporate staff flowcharting the standard process for the management of employee information with regard to the PeopleSoft system, including a walkthrough and test for accuracy and data security (segregation of duties) developing a testing tool to review a sample of the data integrity controls interviewing selected personnel testing of the security controls of the data in PeopleSoft (data integrity)
Audit Criteria
Audit Objective
1. Provide assurance that key governance, risk management and control processes over system implementation
(meant to ensure that the HR functionality that was delivered was based on the needs of the user community) are adequate.
Audit Criteria a) The project’s nature and scope were understood, documented and agreed to by the project sponsors before project initiation and the project’s resources were allocated in alignment with the
Department’s priorities. b) Authority, oversight, responsibility and accountability are clearly defined and communicated and are appropriate given the size and complexity of the project. c) Changes to the nature, scope, budget, timeline and requirements of the project are managed, communicated to the appropriate governance body for review and approval and are integrated into the overall project plan. d) Project performance is measured against key project performance criteria such as scope, schedule, quality, cost and risk criteria. Deviations from the plan are identified, assessed and reported to the appropriate governance body.
Met / Not Met
Met
Met
Met-minor issue
Refer to finding
Met-minor issue
Refer to finding
Environment Canada 8
Audit of PeopleSoft
Audit Objective
2. Provide assurance that key governance, risk management and control processes over data confidentiality, integrity and accessibility, including controls over the interfaces with other government systems, are adequate.
Audit Criteria e) Specific risks to the project’s objectives are identified, assessed, documented and managed. The risks and associated mitigation strategies are communicated to the appropriate governance body. f) Training needs and tools for project staff and stakeholders are identified, provided and evaluated. g) Project stakeholders perform final acceptance test and project sponsor approves promotion to production. a) Measures are in place to ensure the confidentiality, integrity and accessibility of the data in PeopleSoft. b) Roles-based access controls are in place to restrict access to those with a
“need to know” and respecting the “leastprivilege principle.” c) Data changes are limited to authorized employees.
Met / Not Met
Met
Met
Met
Not met – moderate issue
Refer to findings
Met – minor issue
Refer to finding
Not met – moderate issue
Refer to finding
Met d) Records and information are maintained in accordance with laws and regulations (confidentiality, retention, etc.). e) Data capture and conversion are monitored to ensure the accuracy and integrity of the data. Actions are taken to resolve discrepancies (HRMIS to HRMS, new employees, and any other form or type of information that is input). f) Effective controls exist to ensure that the data in PeopleSoft are accurate and consistent with data in other systems
(including departmental systems such as
SMS and Merlin and external systems such as the Regional Pay System [RPS] in PWGSC), within acceptable limits. g) Employee obligations are known/understood and communicated
(employees are expected to review leave balances and make known any anomalies), and employees and
Not met moderate issue
Refer to finding
Met
Met
–
– minor issue
Refer to finding
Environment Canada 9
Audit of PeopleSoft
Audit Objective Audit Criteria management periodically attest to the accuracy of the data. h) Transactions are coded and recorded accurately and in a timely manner. i) Key audit trails are maintained and monitored. j) Standard operating procedures (SOPs) exist, are documented, and are well communicated to all users.
Met / Not Met
Met
Met
Met – minor issue
Refer to finding
Met k) Effective controls exist to ensure that segregation of duties is maintained across interfaced systems.
Environment Canada 10
Audit of PeopleSoft
Environment Canada 11
