Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 1
1 | Executive summary
1.1 Auditor-General’s overview
Information systems are critical in all areas of government business. Good information technology
program management can provide, among other benefits, achievement of strategic outcomes,
optimised costs and better management of risks.
The audit program this year included an audit of three whole of government information and
communication technology (ICT) programs at the Department of Public Works, as the whole of
government ICT provider (Corporate Solutions Program, ICT Consolidation Program and Identity,
Directory and Email Services Program). A major audit of the Queensland Health Implementation of
Continuity Project (SAP HR and payroll) was also undertaken. Other information systems audits
covered information technology governance within the Department of Education and Training,
patient information security within Queensland Health and information technology network security.
The development and implementation of ICT systems and solutions designed to address the
current business requirements of government are large, complex and expensive projects. In this
environment, it can be expected that projects may experience changes in personnel, technology,
scope and legislative frameworks. These issues need to be adequately managed.
In general, the results of these audits further emphasise the need for significant improvement in
program and project governance, including up front and ongoing scope management, vigorous
controls over budgets, and comprehensive testing and implementation regimes. Specific attention
must also be given to the development of robust benefit management plans to ensure that the
Government achieves appropriate returns on these multi million dollar investments.
1.1.1 Queensland Health Implementation of Continuity Project
The Corporate Solutions Program, a CorpTech managed program established to implement the
whole of government finance and HR systems, was included in the program management audit.
Queensland Health’s new payroll and rostering system is one of the projects within this program.
Significant problems have been experienced by the department since the Go-Live date of this
payroll system on 14 March 2010.
A Payroll Stabilisation Project has been established and action to identify and correct payment
irregularities is expected to continue for some time. The audit of these actions will be a significant
issue which will be further examined during the finalisation of the auditor’s opinion for the 2009-10
financial statements for Queensland Health.
The experience from the audit of this project leads me to conclude that there is no clear
understanding of the accountabilities of individual Accountable Officers impacted by the Shared
Service Initiative. Whilst the accountability for payment of staff within Queensland Health ultimately
lies with the Director-General, Queensland Health, I consider that the governance of the project was
unclear between his responsibilities and the responsibilities of the Director-General, Department of
Public Works as the Accountable Officer responsible for the management of CorpTech and its
responsibility for the implementation of the whole of government HR solution. This confusion limited
Queensland Health’s ability to influence some of the decisions affecting the outcome of the project
as well as limiting transparency of decision making for parts of the project.
The roles and responsibilities of Accountable Officers in this environment should be clarified
as a high priority.
This system’s significance is highlighted by the fact that to the end of March 2010, approximately
$65m of costs can be directly attributed to it. Audit found that project governance, including
managing relationships with key stakeholders, was not effective in ensuring roles and
responsibilities were clearly articulated and in ensuring there was clear accountability for the
efficient and effective implementation of the system.
Prior to the introduction of the new system, Queensland Health used the LATTICE payroll and the
ESP rostering systems, which had been in place since 1997. It was recognised that the LATTICE
payroll system needed to be replaced as it would no longer be supported by its supplier from July
- In addition, there were difficulties in implementing new payroll requirements arising from new
employment agreements and other payroll related changes.
CorpTech, through the services of a prime contractor, was undertaking the implementation of a
standardised SAP HR system across the Queensland public sector. This was a continuation of the
Shared Services process which had commenced in 2002. Queensland Health was originally
scheduled to receive the new system in 2006, however the whole of government implementation
process had been delayed.
A decision was made in late 2007 by Queensland Health and CorpTech to escalate the
implementation of the Queensland Health payroll system due to the risks associated with the
continued use of the LATTICE payroll system.
Figure 1A provides details of the key participants and their roles within the project. A timeline of the
key events is included in Section 5.5.
Figure 1A – Key project participants
CorpTech: Specialised business unit of Treasury Department and subsequently
Department of Public Works providing a whole of government role over
the acquisition of information technology. CorpTech is the owner of the
SAP HR and WorkBrain systems. The primary responsibility during this
project was to manage the prime contract.
IBM: Prime contractor to CorpTech selected under a formal tender
arrangement to direct, manage and control the project and to implement
SAP HR and WorkBrain solution to replace LATTICE.
Queensland Health: Business user of the SAP HR and WorkBrain systems responsible for the
payment of Queensland Health employee entitlements. Primarily
responsible for ensuring business requirements were reflected in the
scope of works, undertake data cleansing and migration, user
acceptance processes, staff training and ensure business processes and
practices were ready to utilise the new system.
Key findings from the audit of the system implementation include:
● The Queensland Health payroll system has complex award structures. There are 13 awards and
multiple industrial agreements which provide for over 200 different allowances, and in excess of
24,000 different combinations of calculation groups and rules for Queensland Health employees
who on average total around 78,000.
● The governance structure for the system implementation, as it related to CorpTech, the prime
contractor and Queensland Health, was not clear, causing confusion over the roles and
responsibilities of the various parties.
● There was inadequate documentation of business requirements at the commencement
of the project.
● The time taken to reach Go-Live status increased from eight months to 26 months.
● The absence of a periodic review of the business needs contributed to subsequent difficulties
with system testing and the implementation of a system which did not meet the needs of
Queensland Health’s operating environment.
● System and process testing prior to Go-Live had not identified a number of significant
implementation risks and therefore the extent of the potential impact on the effective operation
of the payroll system had not been fully understood and quantified.
● System useability testing and the validation of the new processes in the business environment
were not performed. As a result, Queensland Health had not determined whether systems,
processes and infrastructure were in place for the effective operation of the new system.
● A number of critical business readiness activities and practices were not fully developed prior to
the implementation of the new system. This was in part a reflection of the view of Queensland
Health staff that the project involved a ‘like for like’ replacement of the LATTICE system and the
lack of an awareness of the full impact of the business rules configured into the new system.
● Business continuity plans were not available and able to be quickly implemented to address
payroll issues as they emerged.
● Key system performance reports for use by CorpTech were not available during the completion
of the initial payroll processing.
● Several changes to the payroll administration practices, such as a new fax server and a
re-allocation of processing duties within the Queensland Health Shared Services Provider, were
introduced at the same time as the release of the SAP HR and WorkBrain systems.
There are many lessons to be learnt from the experience of the Queensland Health Implementation
of Continuity Project for future systems implementations. The following issues should be considered
for future payroll system implementations:
● Where possible, simplify award structures prior to implementing a new payroll system to remove
complexities which will impact on the effectiveness and efficiency of the payroll process.
● Establish clear lines of accountability and roles and responsibilities at the initiation of the project
to ensure an end to end governance structure.
● Ensure the full impact of system change is assessed on the end to end business process.
● Ensure the ultimate decision to Go-Live is based on the readiness of the business and that the
system’s application within the business is fully tested.
● Identify all project and systems risks and have in place robust contingency plans and risk
management strategies to address risks in the event of unexpected system issues.
1.1.2 Program management and governance
Program management is the coordinated organisation, direction and implementation of a group of
projects and activities that together achieve the outcomes and realise benefits that are of strategic
importance. An audit was undertaken of three whole of government information and communication
technology (ICT) programs at the Department of Public Works as the whole of government ICT
provider. While the audit found that the Queensland Government Program Management
Methodology was being progressively implemented, all programs were behind schedule.
Overall, the governance of IT program management across all three programs needed
improvement. The department could not demonstrate to audit whether the government would
realise the full benefits, including savings, that were expected from the large scale investment of an
estimated $545m across all three programs. In addition there was a lack of transparency in relation
to key decisions and the way these decisions would impact on client agencies. Action needs to be
taken by the Department of Public Works to address the identified deficiencies.
1.1.3 Information system security audits
In addition to the audit of information technology program management and governance, this year’s
audit program also included an examination of the controls within public sector entities’ information
technology environments. I have reported to Parliament over an extended period on information
systems security and general computer control issues. By failing to address fundamental control
weaknesses, public sector entities leave themselves vulnerable to computer system failures,
unauthorised access to information, loss of information and fraudulent activity.
In Auditor-General Report No 4 for 2009 – Results of audits at 31 May 2009, I reported on
the results of an audit of information technology network security and made a number of
recommendations for improvement. This year, the progress of the implementation of the
recommendations by the audited entities has been followed up and is reported in Section 4.2.
While there has been some improvement in control with 34 per cent of the recommendations
implemented, it is disappointing that more urgent action has not been taken by individual agencies
to address the issues. Some entities are continuing to place insufficient priority on the importance of
effectively managing and protecting their information networks. At a whole of government level, an
information technology security committee was established in October 2009 with specific goals to
implement network security risk mitigation strategies. I encourage all agencies to participate in the
whole of government program by implementing the controls in accordance with the plans.
An audit was conducted of the security of patient information within the information technology
environment for which Queensland Health is responsible to determine whether there are suitable
systems and frameworks in place to ensure the effective safeguarding of patient information. The
scope of this audit was limited to security of patient information within the information technology
environment at the corporate office in Brisbane and the Emergency Departments at Princess
Alexandra and Redland Hospitals.
It is critical that the privacy of patient information is assured. As outlined in Section 4.1, the audit
found that there are some opportunities to improve the efficiency and effectiveness of the collection,
retrieval and storage of patient information. In particular, the paper based clinical information
recorded and maintained separately by each hospital carries an inherent risk of delays in retrieving
records when a patient presents at the hospital. It was found that this risk is significantly higher
when patient records are stored at a different Queensland Health facility.
Although Queensland Health has advised that the e-Health strategy, when implemented, should
improve the availability and accessibility of patient information, the department should ensure that
any risks are adequately addressed in the interim.
1.1.4 Information technology governance
An audit in 2009 of information technology governance at the Department of Education and
Training found that the information technology governance framework, including risk management,
project management and business continuity management across the whole of the department
The latest audit in 2010 found that action is being taken by the Department of Education and
Training to address all the recommendations made during the previous audit. Information
technology governance has been assessed by audit as being at a developing stage with the initial
steps for the establishment of an information technology governance framework having been
undertaken. The status of information technology governance and the OneSchool project is
discussed further in Section 3.2.
1.2.1 Queensland Health Implementation of Continuity Project
- The current action to stabilise the Queensland Health payroll and rostering systems be
continued to ensure Queensland Health employees are correctly paid.
Any mismatches between business practices and business rules configured within the
system need to be analysed and appropriate changes made to address defects or to
improve the accuracy or effectiveness of the payroll output.
Technological changes should be performed through strict change management
processes and testing regimes to ensure that system stability is maintained.
- Queensland Health should reconsider its current business model to determine the most
effective and efficient strategy to deliver payroll services. To mitigate the risk of payroll
inaccuracies, simplification of award structures and pay rules need to be considered.
Reengineering the payroll process should be undertaken to provide an appropriate blend
of local decision making and action and the efficiencies of centralised processing.
System reporting to enable effective performance management for both local and central
processing hubs is an essential component of any business process reengineering.
It is suggested that a staged approach be used for the implementation of any new
- The roles and responsibilities of departmental Accountable Officers involved in the
Shared Service Initiative be reviewed so that the ultimate responsibility of departmental
Accountable Officers for all expenditure by their departments is reinforced. The agreed
responsibilities should be clarified in either the Financial Accountability Act 2009 or in
the Financial and Performance Management Standard 2009.
1.2.2 Information technology governance and security
- The Queensland Government Chief Information Office program and project management
methodologies be rigorously applied for the development and implementation of all new
information system programs. Some of the critical success factors include:
– Formal documentation of roles, responsibilities, accountabilities and key performance
indicators of all relevant parties which should be signed by all key stakeholders.
This document needs to be a living document that is periodically reviewed and
updated for relevance.
– Formal documentation of the program being divided into tranches (groups of projects
that deliver the final outcome). End of tranche reviews need to be performed to assess
the ongoing viability of programs and to assess the effectiveness of program
processes in managing risks, issues, benefits, program management activities and
– Clear definition of the project scope and timeline, including key stakeholder sign off.
The project scope needs to be tightly managed throughout the life of the project.
– Large projects should be divided into stages, with each stage clearly planned,
controlled and end stage reviews performed. The end stage reports should provide an
input into the planning processes for the next stage(s). Some examples of
Queensland Health project stages could include: project scope definition; business
requirements definition; system development; user acceptance testing; parallel
testing; system useability test and validation of business processes; business
process re-definition; Go-Live and post-implementation processes.
– Quality assurance role of the Project Board needs to be clearly documented and
implemented. The quality assurance processes need to be implemented at all levels
of programs and projects.
– Rigorous budget management processes should be implemented with budgets
approved and monitored by the relevant governance boards.
- Information technology governance frameworks, practices and processes need to be
implemented at a whole of government level so that business outcomes and benefits
from IT programs are achieved, measured and reported by individual agencies using a
consistent approach. These can then be consolidated at the whole of government level
through the recently established ICT governance committees for improved transparency
of ICT programs and projects.
- For whole of government programs/projects, specific attention needs to be placed on
ensuring that end to end governance structures are implemented and ensuring that there
is transparency of decisions that are made and the impact of those decisions on
- Information technology security risk assessment, mitigation strategies and control
mechanisms need to be documented and implemented at the agency level and
co-ordinated at the whole of government level through the recently established
information security committee.
1.3 Stakeholders’ responses
1.3.1 Department of Public Works and Queensland Health
The Director-General, Department of Public Works and the Director-General, Queensland Health
provided the following response:
Section 1.1 Auditor-General’s overview
It is acknowledged that governance improvements can be made in respect of all programs audited.
As the Chief Information Officer I am committed to the rigorous implementation of the QGCIO
program and project methodologies. My officers will work collaboratively with all agencies to ensure
these methodologies are applied to existing and future system implementations so that expected
benefits are realised from the significant investments being made by government.
Section 1.1.1 Queensland Health Implementation of Continuity Project
The project was complex and faced the challenge of an ageing payroll system that was in urgent
need of replacement with the withdrawal of vendor support. This influenced deliberations of the
Project Board as there was the constant risk of catastrophic payroll failure and the possibility of
all Queensland Health employees not being paid.
As indicated in the report, Queensland Health has established the Payroll Stabilisation Project
to ensure that the issues that have occurred post Go-Live, particularly pay-related issues, are
addressed as quickly as possible. CorpTech is supporting Queensland Health in its endeavours
to ensure that all Queensland Health employees are paid correctly.
In addition, Queensland Health has engaged KPMG to provide advice regarding the options for the
Payroll Operating Model, and the development of a roadmap that describes the way the preferred
model should be implemented. CorpTech will work closely with Queensland Health to action any
necessary computing system changes required to support the Queensland Health revised Payroll
Operating Model once approved.
Recommendations 1 and 2 – Health Payroll
- Queensland Health has put the Payroll Stabilisation Project in place to stabilise the current
solution, address defects within the system and identify and implement improvements that can
be made in current business practices.
- A payroll process reengineering activity forms part of the Payroll Stabilisation Project.
Queensland Health notes the suggestion regarding the simplification of award structures and
pay rules. Queensland Health also notes the suggestion regarding a staged approach for the
implementation of any future new business models.
Section 2 – Queensland Health Implementation of Continuity Project
It is acknowledged that the governance arrangement for this project could have been improved and
clarified. The transition from a whole of government implementation governance arrangement to a
project governance arrangement in June 2009 did provide for a clearer focus for oversight of the
project related work programs of IBM, Queensland Health and CorpTech and the associated
decisions by the Project Board members.
CorpTech has reviewed the governance arrangements for the delivery of the Corporate Solutions
Program which will see the establishment of revised formats for program and project boards. There
will be an induction program conducted to ensure members have an understanding and sign off on
their roles, responsibilities and accountabilities.
Prime Contract Management and stakeholder engagement
CorpTech agrees that there is a need to ensure that there is appropriate involvement of
stakeholders. CorpTech did undertake significant consultation and engagement of stakeholders
throughout the project.
Procedural changes will be made to ensure that stakeholders formally sign-off deliverables and
contract variations as this will reinforce the understanding of roles, responsibilities and
Business Readiness Activities
The view that the QHIC Project replacement would be implemented with minimal business process
change was constantly reinforced during the project through a number of artefacts:
● IBM’s original scope statement;
● Deloitte’s Change Strategy; and
● IBM’s Impact Assessment Completion report.
A range of activities were put in place to ensure business readiness. These included:
● Presentations to Line Managers and senior staff to outline the new and changed processes
were held in all Districts;
● Line Managers were sent a “Manager Information Pack” on all new processes and forms;
● A DVD “Information for Managers” was sent to all Line Managers;
● A Payroll and Rostering intranet site was available for all staff explaining the new forms and
● Line Manager Updates and information sheets were provided and were available on the
project’s intranet site.
Parallel and user acceptance testing
It needs to be noted that a number of testing activities were carried out including:
● Parallel Payroll Run Test on a sample of 10% of employee population;
● Four iterations of User Acceptance Testing (UAT);
● Five iterations of Payroll Performance Validation (PPV);
● Several iterations of Stress & Volume testing (S&V);
● Two iterations of Pay Cycle Validation (PCV) tests; and
● Penetration testing (security assurance).
Business Go-Live decision
The members of the QHIC Board were faced with a difficult choice of accepting the new solution
with residual risks or deferring the implementation. The Go-Live decision was based on a number of
● Advice received from IBM and CorpTech on the technical readiness of the solution;
● Advice from the business that the management plan for the outstanding defects was acceptable;
● Advice from a risk and assurance consultant contracted to provide independent assessment
affirming Go-Live risk was less than continuing the project given the risk of failure of the old
system, LATTICE; and
● Significant contractual and commercial challenges if the project was further delayed.
Queensland Health acknowledges that there were performance issues during the processing of the
first pay run, and wishes to clarify that there was a contingency plan in place. All key project
participants had weekly meetings to monitor the progress of the plan. The cutover plan also
included a roll back strategy for the first pay period that allowed for a roll back to the LATTICE
system up to the first pay production. Also during the payroll processing cycle a number of
simulations occurred to allow error correction. However, the poor system performance especially
that of WorkBrain, led to a compressed payroll processing window immediately following cut over
resulting in an additional backlog of adjustments.
Post Go-Live issues
Queensland Health acknowledges the comments made in relation to the post Go-Live issues.
The report acknowledges much of the corrective action that Queensland Health has put in place
since 14 March 2010 to address issues that arose with the implementation of the system.
Queensland Health has put in place the Payroll Stabilisation Project to address business issues
with the assistance of KPMG.
Section 1.1.2 Program management and governance
As previously acknowledged, governance improvements can and will be made in respect of the
three programs audited.
With respect to both the ICT Consolidation Program (ICTC) and the Identity, Directory and Email
Services (IDES) Program, a Benefits Management Framework is being developed in accordance
with the QGCIO methodology. This Framework will identify and quantify program benefits to
demonstrate significant benefits resulting from the investment being made by government in
In relation to ICTC, the following action has been taken:
External Board representation –
● A Program Board has been reconstituted with representation from agencies (Queensland
Health, Education and Training, Infrastructure and Planning),
● The Board’s terms of reference have been revised to reflect the revised role of the Board; and
● The first meeting of the reconstituted Board was held on 13 May 2010.
Formal reviews of program –
● Four End-of-Tranche Reviews were conducted throughout the program prior to its transition
● A decision was made not to conduct a review in October 2009 as the scope and definition of
the Program was under review;
● An End-of-Tranche Review was conducted in May 2010 by Deloittes; and
● Internal Audit has recently conducted a review of the procurement process, probity and
governance around the Foundation Infrastructure Program tenders.
Formal process to measure and monitor stakeholder engagement –
● The Strategic Programs Board (SPB – internal to CITEC) reviews progress of the
Program on a fortnightly/monthly basis;
● To date in excess of 70 workshops have been conducted on establishing a
Consolidation Strategy for each agency; and
● Four agencies have completed Consolidation Strategy Documentation and three of these
agencies have commenced detailed migration planning.
In relation to IDES, the following action has been taken:
External Board representation –
● The program Board has been reconstituted with representation from external agencies
(DEEDI, Queensland Police Service, Department of Community Safety);
● The first meeting of the reconstituted Board was held on 27 May 2009; and
● The terms of reference have been amended to reflect the revised role of the Board.
Formal review of Program effectiveness –
● Reviews of the program performance were conducted in November 2009 relating to program
strategy, financial analysis and operational feasibility; and
● The Strategic Programs Board (CITEC internal) are held fortnightly/monthly and monitor
program status, milestones, risks and issues.
With respect to the Corporate Solutions Program (CSP), program and project management controls
are being enhanced and continue to progressively work towards meeting the Program and Project
maturity targets set by the Public Sector ICT Development Office.
Agree with the recommendation however with respect to matters impacting either the Financial
Accountability Act 2009 or the Financial and Performance Management Standard 2009 it is
suggested discussions be held between the Auditor-General and the Under Treasurer.
Recommendations 4, 5 and 6
Agree with the recommendations. As previously stated, the Department is committed to the rigorous
implementation of the QGCIO program and project methodologies and will work towards ensuring
these methodologies are applied to these current system implementations.
Section 1.1.3 Information system security audits
The importance of comprehensive and robust controls in relation to network security is
acknowledged. In addition to the establishment of a whole of Government security committee in
late 2009 to improve such controls across the sector, the Department has also undertaken a review
of the assessment of security controls published by the Cyber Security Operations Centre, Defence
Signals Directorate, Department of Defence (CSOC) in February 2010. It is proposed to investigate
the most effective prevention and detection controls identified by CSOC for application to the
systems concerned. In addition, the finalisation of the Foundation Infrastructure Project (FIP)
procurement phase, part of the whole-of-Government Consolidation (ICTC) Program, will also
establish a supply panel for security incident detection and management tools to address this issue.
Agree with recommendation.
Section 4.1 Management and security of patient information
Queensland Health notes that the report also contains information regarding audit findings from the
Queensland Audit Office’s (QAO’s) audit of the security of patient information which was
commenced in March 2010.
Queensland Health acknowledges and welcomes the QAO opinion that the department “appears to
have established a satisfactory control environment”.
Queensland Health is implementing a number of the enhancements proposed and investigating
further opportunities for continuous improvement, and has adopted a risk-based approach to the
management and security of its patient information. The Department has sought to balance the
appropriate and timely access to confidential information, for the best patient healthcare outcomes,
with the need to maintain public trust in the systems used to safeguard that same information and
meet legislative requirements.
It should also be noted that traditional methods of ensuring patient safety have always relied upon
the vigilance of clinical practitioners, and are based on taking a comprehensive medical history
and examination of the patient. This continues to be a professional benchmark to which clinicians
As the report acknowledges, there may be delays in retrieving paper based records at hospitals and
this will be more of a risk after normal business hours or on weekends. Hospitals have a system in
place for the delivery of records for patient treatment specifically within the Emergency Department
with timeframes for delivery ranging from immediate to within 60 minutes. Doctors also have the
ability to speak to colleagues at other hospitals to have relevant information provided over the
telephone or faxed to them.
Queensland Health is currently investing in a significant e-Health Program, which will result in a
stronger reliance on electronic records, rather than paper documents, with the associated benefits
of improving access to the “right information to the right person (e.g. clinician) at the right time”. The
Department acknowledges the subsequent need for improved security of systems, including people,
processes and technology operating effectively together, to underpin high-quality patient healthcare
services. In response, Queensland Health is actively working towards planning and implementing
secure information management practices which can be relied upon to meet these requirements.
It is pleasing to see that the audit acknowledges that preventative controls for external network
access are in place. Queensland Health will continue to base business decisions for its information
system and networks on a cost benefit and risk based approach.’
1.3.2 Department of Education and Training
The Director-General provided the following response:
I am pleased to note that the QAO has assessed that appropriate action is being taken by the
Department to address all recommendations made during the 2009 audit. The Information and
Technologies Branch (ITB) have made a concerted effort towards improving ICT Governance and
Information Technology Governance
The ITS completed the Business Continuity and Disaster Recovery Plans in May. These plans
are now progressing through the internal governance processes for endorsement and approval.
In addition, a new Business Continuity and Risk Unit has been established within the Application
Services unit to formalise responses and ensure continuity of service to business units, schools
Action has been taken to address the implementation of operational security responsibilities.
An ITB Information Security Committee has been initiated and is reviewing risks, issues and
business continuity and disaster recovery planning requirements.
The new Manager, Operational Security has been working with the Manager, Information
Security Policy to ensure the Information Security action plan addresses both operational and
policy requirements. The Operational Security Plan and draft Security Policy Action Plan are being
merged into a single plan and will be presented to the ITB Information Security Committee for
endorsement at the June 2010 committee meeting.
The Department’s Information Security policy has been redrafted to reflect the separation of duties
between policy and operational security roles. The policy is currently with the ITB Information
Security Committee for comment, and will be presented at the July 2010 Information Steering
Committee meeting for endorsement.
Information Technology Project Management
I was pleased to note, in the follow up review conducted on the project management of
OneSchool, that the QAO found satisfactory progress has been made towards implementing
audit recommendations. The inclusion of all key documentation into the OneSchool Document
Register and the Department’s electronic document records management system is progressing
and will be completed by 30 June 2010…
…The Department of Education and Training is committed to ensuring that sound ICT governance
and project management practices are in place to enable achievement of the Department’s
information and knowledge goal of creating a capable, agile and sustainable organisation where
innovative and efficient business solutions underpin the achievement of priorities.
1.3.3 IBM Australia Limited
Relevant extracts of the report were provided to IBM Australia Limited for their information.
The comments received from the company have been considered in the finalisation of this report.
Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 13
2 | Queensland Health Implementation of Continuity Project
On 14 March 2010, Queensland Health went live with a new payroll system (SAP HR) for the
processing of payments for all departmental employees. Difficulties were experienced with the
system implementation and an audit has been undertaken of the major factors which adversely
impacted on the system implementation.
- The Queensland Health payroll system has complex award structures. The system needs to
  address the requirements of 13 awards and multiple industrial agreements which provide for
  over 200 different allowances and in excess of 24,000 different combinations of calculation
  groups and rules for the approximately 78,000 Queensland Health employees.
- The governance structure for the system implementation by CorpTech and IBM, the prime
  contractor and Queensland Health was not clear, causing confusion over the roles and
  responsibilities of the various parties.
- Inadequate documentation and agreement of business requirements contributed to the
  significant increase in the system development costs and timeframe.
- System and process testing had not identified a number of significant implementation risks.
  Therefore the extent of the potential impact on the effective operation of the payroll system
  had not been fully understood and quantified prior to Go-Live.
- System useability testing and the validation of the new processes in the business environment
  were not performed. As a result, Queensland Health had not determined whether systems,
  processes and infrastructure were in place for the effective operation of the new system.
- Key system performance reports for use by CorpTech were not available during the
  completion of the initial payroll processing.
- Several changes to the payroll administration practices such as the deployment of a new
  fax server and a re-allocation of processing duties within the Queensland Health Shared
  Services Provider were introduced at the same time as the release of the SAP HR and
2.1 Project overview
Queensland Health pays its workforce, of approximately 78,000 people, every second Wednesday,
for all work completed and allowances owing in the fortnight ending at midnight on the previous
Sunday. The logistics of achieving this include having all rosters, shift changes, allowances, sick
and recreation leave entered into the payroll system for all transactions up until midnight Sunday for
the payroll fortnight. The actual pay run to generate and calculate the fortnightly pay commences on
Sunday. This allows information to be provided to a contracted firm to produce printed payslips.
Queensland Health is one of the few government departments that produce a printed payslip as not
all of the department’s workforce regularly use a computer. This was an employee condition agreed
with the various Unions that represent Queensland Health’s workforce.
Pay day occurs less than 48 hours after the pay run finishes. There is a small time period available
on Monday and Tuesday mornings to perform pay run corrections and ad hoc pay runs for cases
where adjustments are required due to late shift changes or missing documentation. An electronic
file is produced on Tuesday and provided to the various banking institutions for employees’ pay to
be distributed to their nominated bank accounts. While the majority of banks distribute the cash to
employees’ nominated bank accounts either immediately or within a few hours, it can take up to
two or three days with some banking institutions.
The ability to run ad hoc pays on Monday and Tuesday morning before the electronic bank transfer
file is finalised results in some employees receiving a payslip which indicates net pay that is
different to the amount deposited in an employee’s account. This is because the payslip has
already been generated by the normal Sunday pay run. (Ad hoc pay runs do not result in the
production of a new payslip. The payslip is produced in a subsequent pay run.) Ad hoc pays and
differences between the net pay shown on the payslip and the amount deposited in the employee’s
bank account have been a normal part of the Queensland Health payroll process. In the current
environment of increased uncertainty, this issue has led to an increase in the rate of errors reported
by employees. Queensland Health’s policy is to ensure the payment of wages closely follows the
actual performance of the work. This practice is a contributing factor in the significant number of ad
hoc pay runs. Figure 2A highlights the variables that affect Queensland Health’s payroll.
Figure 2A – Payroll variables*
Approximate number of Queensland Health employees paid in an average fortnightly
Average fortnightly gross payroll amount | $210m
Approximate number of individual work sites where Queensland Health employees are located (includes 183 hospitals)
Number of awards | 13
Number of industrial agreements | 5
Number of separate allowances across the awards and agreements | 205
Number of different calculation groups of Queensland Health employees | 223
Number of different calculation rules that can apply to each calculation group | 146
Approximate number of different combinations of calculation groups and rules | 24,000
Average number of ‘reworks’ required after each pay run in a pre-SAP/HR payroll | 15,000
Approximate number of new starters and leavers in a standard fortnight | 1070
*All the figures provided by Queensland Health.
As the LATTICE payroll system had a smaller defined rule set and less structure, a significant
amount of manual intervention was required. Such manual intervention (referred to as rework)
was open to interpretation of awards and allowances by payroll staff. Due to the limitations of the
LATTICE payroll system and the underlying complexity of the Queensland Health awards and
allowances, a significant number of pays produced in each pay cycle under the previous system
required adjustment or rework. The final eight pay cycles in LATTICE, before cut-over to SAP HR,
had an average rework rate of approximately 20 per cent of total payees. Given the high number of
employees paid in each pay cycle, the burden of this rework rate was significant and the situation
needed to be addressed.
In addition, vendor support for the LATTICE payroll system had expired in June 2008 and there
were no viable vendor supplied technical upgrades. Queensland Health organised for extended
vendor support until September 2008. This meant that legislative and other substantive payroll
changes including revised payroll taxes and new enterprise bargaining provisions would not be
supplied by the vendor after September 2008. Consequently, there was an urgent need for
Queensland Health to replace this system.
2.2 LATTICE system replacement project
As part of the Shared Service Initiative established to design and build a whole of government
finance and human resources (HR) solution, Queensland Government agencies were mandated to
implement a standard software suite, including SAP HR, WorkBrain rostering software and SAP
Finance. The first SAP HR system within this initiative was implemented as a pilot project at the
then Department of Housing in March 2007.
Queensland Health payroll and rostering systems were selected to be the next implementation
within the Shared Service Initiative. Following a tender process, IBM was selected as the prime
contractor to both manage and implement systems for the remaining Queensland Government
agencies within the Shared Services model. The State Government contract with the prime
contractor was signed on 5 December 2007.
Key aspects arising from the project included:
- Under the contract, the first phase for Release 6 of the program was for the implementation of
  SAP HR at four agencies and completing the implementation of SAP Finance at one agency that
  was then underway.
- While the prime contractor was estimating the level of work to be performed in the
  implementation of the SAP systems at four agencies, planning work was also underway by the
  prime contractor on the project for replacing the LATTICE payroll system and the ESP rostering
  system. The strategy for replacing Queensland Health’s payroll system was to implement the
  Department of Housing model of SAP HR with very little customisation, and full WorkBrain
  rostering functionality. It was envisaged that the interim solution would be transitioned onto the
  whole of government solution as part of the overall program schedule.
- The initial planning and scoping of the LATTICE replacement interim solution was approved
  by CorpTech and subsequently undertaken and completed during November 2007 to
- Basic rostering functions were documented in a Statement of Work (No. 12) and used as a basis
  for the Queensland Health implementation. In addition, basic award interpretation was built
  under Statement of Work (No. 5); however, a contract change request was processed to move
  some components of the award interpretation build to the specific Statement of Work related to
- The design, configuration, build, testing and implementation specification was documented in a
  Statement of Work for the LATTICE replacement interim solution. This Statement of Work was
  approved by CorpTech on 18 January 2008, with system completion initially scheduled for
  August 2008 at a cost of $6.19m for work to be completed by IBM. Queensland Health and
  CorpTech would meet their own additional costs.
- In June 2008, IBM submitted a proposal to implement the full LATTICE replacement system
  for Queensland Health. This change request reset the scope and final cost of the project.
- During October 2008, detailed planning revealed that the size, complexity and scope of this
  phase of the program had been severely underestimated, with the consequence that its revised
  implementation cost estimates significantly exceeded the original tender proposal.
- A key component of the reviewed implementation approach noted by the Cabinet Budget
  Review Committee in August 2009 was for the prime contractor to only complete the
  implementation of Queensland Health’s payroll system.
- From February 2008 to March 2010, the prime contractor submitted over 47 change requests
  which were approved by CorpTech. In general, these change requests were mainly due to the
  business requirements not being clearly articulated and agreed to at the outset of the project.
  As a result, the solution deployed for user acceptance testing continued to fail the test criteria
  and there were delays in the project schedule.
- The effective Go-Live date for the LATTICE replacement interim system was 14 March 2010,
  following approval provided by the Queensland Health Implementation of Continuity Project
  Board. The system implementation was over 18 months after the scheduled Go-Live date and
  approximately 300 per cent over the original cost budget for the prime contractor to deliver the
  interim LATTICE replacement solution. To date, amounts paid to the prime contractor for the
  implementation have totalled over $21m.
- Total program implementation costs incurred by all agencies in the development of the
  Queensland Health HR LATTICE replacement project are $64.5m. In addition, a further
  $37.5m has been paid to IBM for activities related to the whole of government system solutions.
Key aspects arising from the system implementation include:
- Difficulties in system development resulted in delays in the finalisation of parallel and user
  acceptance testing that impacted on the quality of testing.
- Exception reports were not provided to business for the first payroll process to determine any
  anomalies produced by the new system.
- No contingency plans were prepared for business cut-over and no testing was undertaken in the
  production environment to determine whether the pays were correct prior to the first live payroll
- Some of the Enterprise Bargaining Agreement conditions and business policies placed an
  unrealistic pressure on the time available for payroll processing.
- The new system has far tighter business rules for many of the processes undertaken during the
  pay cycle. The full impact of those stricter business rules was not identified and included in the
  changed business practices needed for the new system.