Executive summary

Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 1
1 | Executive summary
1.1 Auditor-General’s overview
Information systems are critical in all areas of government business. Good information technology
program management can provide among other benefits, achievement of strategic outcomes,
optimised costs and better management of risks.
The audit program this year included an audit of three whole of government information and
communication technology (ICT) programs at the Department of Public Works, as the whole of
government ICT provider (Corporate Solutions Program, ICT Consolidation Program and Identity,
Directory and Email Services Program). A major audit of the Queensland Health Implementation of
Continuity Project (SAP HR and payroll) was also undertaken. Other information systems audits
covered information technology governance within the Department of Education and Training,
patient information security within Queensland Health and information technology network security.
The development and implementation of ICT systems and solutions designed to address the
current business requirements of government are large, complex and expensive projects. In this
environment, it can be expected that projects may experience changes in personnel, technology,
scope and legislative frameworks. These issues need to be adequately managed.
In general, the results of these audits further emphasise the need for significant improvement in
program and project governance, including up front and ongoing scope management, vigorous
controls over budgets, and comprehensive testing and implementation regimes. Specific attention
must also be given to the development of robust benefit management plans to ensure that the
Government achieves appropriate returns on these multi million dollar investments.
1.1.1 Queensland Health Implementation of Continuity Project
The Corporate Solutions Program, a CorpTech managed program established to implement the
whole of government finance and HR systems, was included in the program management audit.
Queensland Health’s new payroll and rostering system is one of the projects within this program.
Significant problems have been experienced by the department since the Go-Live date of this
payroll system on 14 March 2010.
A Payroll Stabilisation Project has been established and action to identify and correct payment
irregularities is expected to continue for some time. The audit of these actions will be a significant
issue which will be further examined during the finalisation of the auditor’s opinion for the 2009-10
financial statements for Queensland Health.
2 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
The experience from the audit of this project leads me to conclude that there is no clear
understanding of the accountabilities of individual Accountable Officers impacted by the Shared
Service Initiative. Whilst the accountability for payment of staff within Queensland Health ultimately
lies with the Director-General, Queensland Health, I consider that the governance of the project was
unclear between his responsibilities and the responsibilities of the Director-General, Department of
Public Works as the Accountable Officer responsible for the management of CorpTech and its
responsibility for the implementation of the whole of government HR solution. This confusion limited
Queensland Health’s ability to influence some of the decisions affecting the outcome of the project
as well as limiting transparency of decision making for parts of the project.
The roles and responsibilities of Accountable Officers in this environment should be clarified
as a high priority.
This system’s significance is highlighted by the fact that to the end of March 2010, approximately
$65m of costs can be directly attributed to it. Audit found that project governance, including
managing relationships with key stakeholders was not effective in ensuring roles and
responsibilities were clearly articulated and in ensuring there was clear accountability for the
efficient and effective implementation of the system.
Prior to the introduction of the new system, Queensland Health used the LATTICE payroll and the
ESP rostering systems, which had been in place since 1997. It was recognised that the LATTICE
payroll system needed to be replaced as it would no longer be supported by its supplier from July

  1. In addition, there were difficulties in implementing new payroll requirements arising from new
    employment agreements and other payroll related changes.
    CorpTech, through the services of a prime contractor, was undertaking the implementation of a
    standardised SAP HR system across the Queensland public sector. This was a continuation of the
    Shared Services process which had commenced in 2002. Queensland Health was originally
    scheduled to receive the new system in 2006, however the whole of government implementation
    process had been delayed.
    A decision was made in late 2007 by Queensland Health and CorpTech to escalate the
    implementation of the Queensland Health payroll system due to the risks associated with the
    continued use of the LATTICE payroll system.
    Figure 1A provides details of the key participants and their roles within the project. A timeline of the
    key events is included in Section 5.5.
    Figure 1A – Key project participants
    Agency Role
    CorpTech Specialised business unit of Treasury Department and subsequently
    Department of Public Works providing a whole of government role over
    the acquisition of information technology. CorpTech is the owner of the
    SAP HR and WorkBrain systems. The primary responsibility during this
    project was to manage the prime contract.
    IBM Prime contractor to CorpTech selected under a formal tender
    arrangement to direct, manage and control the project and to implement
    SAP HR and WorkBrain solution to replace LATTICE.
    Queensland Health Business user of the SAP HR and WorkBrain systems responsible for the
    payment of Queensland Health employee entitlements. Primarily
    responsible for ensuring business requirements were reflected in the
    scope of works, undertake data cleansing and migration, user
    acceptance processes, staff training and ensure business processes and
    practices were ready to utilise the new system.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 3
    Key findings from the audit of the system implementation include:
     The Queensland Health payroll system has complex award structures. There are 13 awards and
    multiple industrial agreements which provide for over 200 different allowances, and in excess of
    24,000 different combinations of calculation groups and rules for Queensland Health employees
    who on average total around 78,000.
     The governance structure for the system implementation, as it related to CorpTech, the prime
    contractor and Queensland Health, was not clear, causing confusion over the roles and
    responsibilities of the various parties.
     There was inadequate documentation of business requirements at the commencement
    of the project.
     The time taken to reach Go-Live status increased from eight months to 26 months.
     The absence of a periodic review of the business needs contributed to subsequent difficulties
    with system testing and the implementation of a system which did not meet the needs of
    Queensland Health’s operating environment.
     System and process testing prior to Go-Live had not identified a number of significant
    implementation risks and therefore the extent of the potential impact on the effective operation
    of the payroll system had not been fully understood and quantified.
     System useability testing and the validation of the new processes in the business environment
    was not performed. As a result, Queensland Health had not determined whether systems,
    processes and infrastructure were in place for the effective operation of the new system.
     A number of critical business readiness activities and practices were not fully developed prior to
    the implementation of the new system. This was in part a reflection of the view of Queensland
    Health staff that the project involved a ‘like for like’ replacement of the LATTICE system and the
    lack of an awareness of the full impact of the business rules configured into the new system.
     Business continuity plans were not available and able to be quickly implemented to address
    payroll issues as they emerged.
     Key system performance reports for use by CorpTech were not available during the completion
    of the initial payroll processing.
     Several changes to the payroll administration practices, such as a new fax server and a
    re-allocation of processing duties within the Queensland Health Shared Services Provider, were
    introduced at the same time as the release of the SAP HR and WorkBrain systems.
    There are many lessons to be learnt from the experience of the Queensland Health Implementation
    of Continuity Project for future systems implementations. The following issues should be considered
    for future payroll system implementations:
     Where possible, simplify award structures prior to implementing a new payroll system to remove
    complexities which will impact on the effectiveness and efficiency of the payroll process.
     Establish clear lines of accountability and roles and responsibilities at the initiation of the project
    to ensure an end to end governance structure.
     Ensure the full impact of system change is assessed on the end to end business process.
     Ensure the ultimate decision to Go-Live is based on the readiness of the business and that the
    system’s application within the business is fully tested.
     Identify all project and systems risks and have in place robust contingency plans and risk
    management strategies to address risks in the event of unexpected system issues.
    4 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    1.1.2 Program management and governance
    Program management is the coordinated organisation, direction and implementation of a group of
    projects and activities that together achieve the outcomes and realise benefits that are of strategic
    importance. An audit was undertaken of three whole of government information and communication
    technology (ICT) programs at the Department of Public Works as the whole of government ICT
    provider. While the audit found that the Queensland Government Program Management
    Methodology was being progressively implemented, all programs were behind schedule.
    Overall, the governance of IT program management across all three programs needed
    improvement. The department could not demonstrate to audit whether the government would
    realise the full benefits, including savings, that were expected from the large scale investment of an
    estimated $545m across all three programs. In addition there was a lack of transparency in relation
    to key decisions and the way these decisions would impact on client agencies. Action needs to be
    taken by the Department of Public Works to address the identified deficiencies.
    1.1.3 Information system security audits
    In addition to the audit of information technology program management and governance, this year’s
    audit program also included an examination of the controls within public sector entities’ information
    technology environments. I have reported to Parliament over an extended period on information
    systems security and general computer control issues. By failing to address fundamental control
    weaknesses, public sector entities leave themselves vulnerable to computer system failures,
    unauthorised access to information, loss of information and fraudulent activity.
    In Auditor-General Report No 4 for 2009 – Results of audits at 31 May 2009, I reported on
    the results of an audit of information technology network security and made a number of
    recommendations for improvement. This year, the progress of the implementation of the
    recommendations by the audited entities has been followed up and is reported in Section 4.2.
    While there has been some improvement in control with 34 per cent of the recommendations
    implemented, it is disappointing that more urgent action has not been taken by individual agencies
    to address the issues. Some entities are continuing to place insufficient priority on the importance of
    effectively managing and protecting their information networks. At a whole of government level, an
    information technology security committee was established in October 2009 with specific goals to
    implement network security risk mitigation strategies. I encourage all agencies to participate in the
    whole of government program by implementing the controls in accordance with the plans.
    An audit was conducted of the security of patient information within the information technology
    environment for which Queensland Health is responsible to determine whether there are suitable
    systems and frameworks in place to ensure the effective safeguarding of patient information. The
    scope of this audit was limited to security of patient information within the information technology
    environment at the corporate office in Brisbane and the Emergency Departments at Princess
    Alexandra and Redland Hospitals.
    It is critical that the privacy of patient information is assured. As outlined in Section 4.1, the audit
    found that there are some opportunities to improve the efficiency and effectiveness of the collection,
    retrieval and storage of patient information. In particular, the paper based clinical information
    recorded and maintained separately by each hospital carries an inherent risk of delays in retrieving
    records when a patient presents at the hospital. It was found that this risk is significantly higher
    when patient records are stored at a different Queensland Health facility.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 5
    Although Queensland Health has advised that the e-Health strategy, when implemented, should
    improve the availability and accessibility of patient information, the department should ensure that
    any risks are adequately addressed in the interim.
    1.1.4 Information technology governance
    An audit in 2009 of information technology governance at the Department of Education and
    Training found that the information technology governance framework, including risk management,
    project management and business continuity management across the whole of the department
    required strengthening.
    The latest audit in 2010 found that action is being taken by the Department of Education and
    Training to address all the recommendations made during the previous audit. Information
    technology governance has been assessed by audit as being at a developing stage with the initial
    steps for the establishment of an information technology governance framework having been
    undertaken. The status of information technology governance and the OneSchool project is
    discussed further in Section 3.2.
    1.2 Recommendations
    1.2.1 Queensland Health Implementation of Continuity Project
    Queensland Health
  2. The current action to stabilise the Queensland Health payroll and rostering systems be
    continued to ensure Queensland Health employees are correctly paid.
    Any mismatches between business practices and business rules configured within the
    system need to be analysed and appropriate changes made to address defects or to
    improve the accuracy or effectiveness of the payroll output.
    Technological changes should be performed through strict change management
    processes and testing regimes to ensure that system stability is maintained.
  3. Queensland Health should reconsider its current business model to determine the most
    effective and efficient strategy to deliver payroll services. To mitigate the risk of payroll
    inaccuracies, simplification of award structures and pay rules need to be considered.
    Reengineering the payroll process should be undertaken to provide an appropriate blend
    of local decision making and action and the efficiencies of centralised processing.
    System reporting to enable effective performance management for both local and central
    processing hubs is an essential component of any business process reengineering.
    It is suggested that a staged approach be used for the implementation of any new
    business model.
    Shared Services
  4. The roles and responsibilities of departmental Accountable Officers involved in the
    Shared Service Initiative be reviewed so that the ultimate responsibility of departmental
    Accountable Officers for all expenditure by their departments is reinforced. The agreed
    responsibilities should be clarified in either the Financial Accountability Act 2009 or in
    the Financial and Performance Management Standard 2009.
    6 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    1.2.2 Information technology governance and security
  5. The Queensland Government Chief Information Office program and project management
    methodologies be rigorously applied for the development and implementation of all new
    information system programs. Some of the critical success factors include:
    – Formal documentation of roles, responsibilities, accountabilities and key performance
    indicators of all relevant parties which should be signed by all key stakeholders.
    This document needs to be a living document that is periodically reviewed and
    updated for relevance.
    – Formal documentation of the program being divided into tranches (groups of projects
    that deliver the final outcome). End of tranche reviews need to be performed to assess
    the ongoing viability of programs and to assess the effectiveness of program
    processes in managing risks, issues, benefits, program management activities and
    lessons learnt.
    – Clear definition of the project scope and timeline, including key stakeholder sign off.
    The project scope needs to be tightly managed throughout the life of the project.
    – Large projects should be divided into stages, with each stage clearly planned,
    controlled and end stage reviews performed. The end stage reports should provide an
    input into the planning processes for the next stage(s). Some examples of
    Queensland Health project stages could include: project scope definition; business
    requirements definition; system development; user acceptance testing; parallel
    testing; system useability test and validation of business processes; business
    process re-definition; Go-Live and post-implementation processes.
    – Quality assurance role of the Project Board needs to be clearly documented and
    implemented. The quality assurance processes need to be implemented at all levels
    of programs and projects.
    – Rigorous budget management processes should be implemented with budgets
    approved and monitored by the relevant governance boards.
  6. Information technology governance frameworks, practices and processes need to be
    implemented at a whole of government level so that business outcomes and benefits
    from IT programs are achieved, measured and reported by individual agencies using a
    consistent approach. These can then be consolidated at the whole of government level
    through the recently established ICT governance committees for improved transparency
    of ICT programs and projects.
  7. For whole of government programs/projects, specific attention needs to be placed on
    ensuring that end to end governance structures are implemented and ensuring that there
    is transparency of decisions that are made and the impact of those decisions on
    government agencies.
  8. Information technology security risk assessment, mitigation strategies and control
    mechanisms need to be documented and implemented at the agency level and
    co-ordinated at the whole of government level through the recently established
    information security committee.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 7
    1.3 Stakeholders’ responses
    1.3.1 Department of Public Works and Queensland Health
    The Director-General, Department of Public Works and the Director-General, Queensland Health
    provided the following response:
    Section 1.1 Auditor-General’s overview
    It is acknowledged that governance improvements can be made in respect of all programs audited.
    As the Chief Information Officer I am committed to the rigorous implementation of the QGCIO
    program and project methodologies. My officers will work collaboratively with all agencies to ensure
    these methodologies are applied to existing and future system implementations so that expected
    benefits are realised from the significant investments being made by government.
    Section 1.1.1 Queensland Health Implementation of Continuity Project
    The project was complex and faced the challenge of an ageing payroll system that was in urgent
    need of replacement with the withdrawal of vendor support. This influenced deliberations of the
    Project Board as there was the constant risk of catastrophic payroll failure and the possibility of
    all Queensland Health employees not being paid.
    As indicated in the report, Queensland Health has established the Payroll Stabilisation Project
    to ensure that the issues that have occurred post Go-Live, particularly pay-related issues, are
    addressed as quickly as possible. CorpTech is supporting Queensland Health in its endeavours
    to ensure that all Queensland Health employees are paid correctly.
    In addition, Queensland Health has engaged KPMG to provide advice regarding the options for the
    Payroll Operating Model, and the development of a roadmap that describes the way the preferred
    model should be implemented. CorpTech will work closely with Queensland Health to action any
    necessary computing system changes required to support the Queensland Health revised Payroll
    Operating Model once approved.
    Recommendations 1 and 2 – Health Payroll
  9. Queensland Health has put the Payroll Stabilisation Project in place to stabilise the current
    solution, address defects within the system and identify and implement improvements that can
    be made in current business practices.
  10. A payroll process reengineering activity forms part of the Payroll Stabilisation Project.
    Queensland Health notes the suggestion regarding the simplification of award structures and
    pay rules. Queensland Health also notes the suggestion regarding a staged approach for the
    implementation of any future new business models.
    8 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    Section 2 – Queensland Health Implementation of Continuity Project
    Project Governance
    It is acknowledged that the governance arrangement for this project could have been improved and
    clarified. The transition from a whole of government implementation governance arrangement to a
    project governance arrangement in June 2009 did provide for a clearer focus for oversight of the
    project related work programs of IBM, Queensland Health and CorpTech and the associated
    decisions by the Project Board members.
    CorpTech has reviewed the governance arrangements for the delivery of the Corporate Solutions
    Program which will see the establishment of revised formats for program and project boards. There
    will be an induction program conducted to ensure members have an understanding and sign off on
    their roles, responsibilities and accountabilities.
    Prime Contract Management and stakeholder engagement
    CorpTech agrees that there is a need to ensure that there is appropriate involvement of
    stakeholders. CorpTech did undertake significant consultation and engagement of stakeholders
    throughout the project.
    Procedural changes will be made to ensure that stakeholders formally sign-off deliverables and
    contract variations as this will reinforce the understanding of roles, responsibilities and
    accountabilities.
    Business Readiness Activities
    The view that the QHIC Project replacement would be implemented with minimal business process
    change was constantly reinforced during the project through a number of artefacts:
    ● IBM’s original scope statement;
    ● Deloitte’s Change Strategy; and
    ● IBM’s Impact Assessment Completion report.
    A range of activities were put in place to ensure business readiness. These included:
    ● Presentations to Line Managers and senior staff to outline the new and changed processes
    were held in all Districts;
    ● Line Managers were sent a “Manager Information Pack” on all new processes and forms;
    ● A DVD “Information for Managers” was sent to all Line Managers;
    ● A Payroll and Rostering intranet site was available for all staff explaining the new forms and
    processes; and
    ● Line Manager Updates and information sheets were provided and were available on the
    project’s intranet site.
    Parallel and user acceptance testing
    It needs to be noted that a number of testing activities were carried out including:
    ● Parallel Payroll Run Test on a sample of 10% of employee population;
    ● Four iterations of User Acceptance Testing (UAT);
    ● Five iterations of Payroll Performance Validation (PPV);
    ● Several iterations of Stress & Volume testing (S&V);
    ● Two iterations of Pay Cycle Validation (PCV) tests; and
    ● Penetration testing (security assurance).
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 9
    Business Go-Live decision
    The members of the QHIC Board were faced with a difficult choice of accepting the new solution
    with residual risks or deferring the implementation. The Go-Live decision was based on a number of
    factors including:
    ● Advice received from IBM and CorpTech on the technical readiness of the solution;
    ● Advice from the business that the management plan for the outstanding defects was acceptable;
    ● Advice from a risk and assurance consultant contracted to provide independent assessment
    affirming Go-Live risk was less than continuing the project given the risk of failure of the old
    system, LATTICE; and
    ● Significant contractual and commercial challenges if the project was further delayed.
    Queensland Health acknowledges that there were performance issues during the processing of the
    first pay run, and wishes to clarify that there was a contingency plan in place. All key project
    participants had weekly meetings to monitor the progress of the plan. The cutover plan also
    included a roll back strategy for the first pay period that allowed for a roll back to the LATTICE
    system up to the first pay production. Also during the payroll processing cycle a number of
    simulations occurred to allow error correction. However, the poor system performance especially
    that of WorkBrain, led to a compressed payroll processing window immediately following cut over
    resulting in an additional backlog of adjustments.
    Post Go-Live issues
    Queensland Health acknowledges the comments made in relation to the post Go-Live issues.
    The report acknowledges much of the corrective action that Queensland Health has put in place
    since 14 March 2010 to address issues that arose with the implementation of the system.
    Queensland Health has put in place the Payroll Stabilisation Project to address business issues
    with the assistance of KPMG.
    Section 1.1.2 Program management and governance
    As previously acknowledged, governance improvements can and will be made in respect of the
    three programs audited.
    With respect to both the ICT Consolidation Program (ICTC) and the Identity, Directory and Email
    Services (IDES) Program, a Benefits Management Framework is being developed in accordance
    with the QGCIO methodology. This Framework will identify and quantify program benefits to
    demonstrate significant benefits resulting from the investment being made by government in
    these programs.
    In relation to ICTC, the following action has been taken:
    External Board representation –
    ● A Program Board has been reconstituted with representation from agencies (Queensland
    Health, Education and Training, Infrastructure and Planning),
    ● The Board’s terms of reference have been revised to reflect the revised role of the Board; and
    ● The first meeting of the reconstituted Board was held on 13 May 2010.
    10 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    Formal reviews of program –
    ● Four End-of-Tranche Reviews were conducted throughout the program prior to its transition
    to CITEC;
    ● A decision was made not to conduct a review in October 2009 as the scope and definition of
    the Program was under review;
    ● An End -of-Tranche Review was conducted in May 2010 by Deloittes; and
    ● Internal Audit has recently conducted a review of the procurement process, probity and
    governance around the Foundation Infrastructure Program tenders.
    Formal process to measure and monitor stakeholder engagement –
    ● The Strategic Programs Board (SPB – internal to CITEC) reviews progress of the
    Program on a fortnightly/monthly basis;
    ● To date in excess of 70 workshops have been conducted on establishing a
    Consolidation Strategy for each agency; and
    ● Four agencies have completed Consolidation Strategy Documentation and three of these
    agencies have commenced detailed migration planning.
    In relation to IDES, the following action has been taken:
    External Board representation –
    ● The program Board has been reconstituted with representation from external agencies
    (DEEDI, Queensland Police Service, Department of Community Safety);
    ● The first meeting of the reconstituted Board was held on 27 May 2009; and
    ● The terms of reference have been amended to reflect the revised role of the Board.
    Formal review of Program effectiveness –
    ● Reviews of the program performance were conducted in November 2009 relating to program
    strategy, financial analysis and operational feasibility; and
    ● The Strategic Programs Board (CITEC internal) are held fortnightly/monthly and monitor
    program status, milestones, risks and issues.
    With respect to the Corporate Solutions Program (CSP), program and project management controls
    are being enhanced and continue to progressively work towards meeting the Program and Project
    maturity targets set by the Public Sector ICT Development Office.
    Recommendation 3
    Agree with the recommendation however with respect to matters impacting either the Financial
    Accountability Act 2009 or the Financial and Performance Management Standard 2009 it is
    suggested discussions be held between the Auditor-General and the Under Treasurer.
    Recommendations 4, 5 and 6
    Agree with the recommendations. As previously stated, the Department is committed to the rigorous
    implementation of the QGCIO program and project methodologies and will work towards ensuring
    these methodologies are applied to these current system implementations.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 11
    Section 1.1.3 Information system security audits
    The importance of comprehensive and robust controls in relation to network security is
    acknowledged. In addition to the establishment of a whole of Government security committee in
    late 2009 to improve such controls across the sector, the Department has also undertaken a review
    of the assessment of security controls published by the Cyber Security Operations Centre, Defence
    Signals Directorate, Department of Defence (CSOC) in February 2010. It is proposed to investigate
    the most effective prevention and detection controls identified by CSOC for application to the
    systems concerned. In addition, the finalisation of the Foundation Infrastructure Project (FIP)
    procurement phase, part of the whole-of-Government Consolidation (ICTC) Program, will also
    establish a supply panel for security incident detection and management tools to address this issue.
    Recommendation 7
    Agree with recommendation.
    Section 4.1 Management and security of patient information
    Queensland Health notes that the report also contains information regarding audit findings from the
    Queensland Audit Office’s (QAO’s) audit of the security of patient information which was
    commenced in March 2010.
    Queensland Health acknowledges and welcomes the QAO opinion that the department “appears to
    have established a satisfactory control environment”.
    Queensland Health is implementing a number of the enhancements proposed and investigating
    further opportunities for continuous improvement, and has adopted a risk-based approach to the
    management and security of its patient information. The Department has sought to balance the
    appropriate and timely access to confidential information, for the best patient healthcare outcomes,
    with the need to maintain public trust in the systems used to safeguard that same information and
    meet legislative requirements.
    It should also be noted that traditional methods of ensuring patient safety have always relied upon
    the vigilance of clinical practitioners, and are based on taking a comprehensive medical history
    and examination of the patient. This continues to be a professional benchmark to which clinicians
    are measured.
    As the report acknowledges, there may be delays in retrieving paper based records at hospitals and
    this will be more of a risk after normal business hours or on weekends. Hospitals have a system in
    place for the delivery of records for patient treatment specifically within the Emergency Department
    with timeframes for delivery ranging from immediate to within 60 minutes. Doctors also have the
    ability to speak to colleagues at other hospitals to have relevant information provided over the
    telephone or faxed to them.
    Queensland Health is currently investing in a significant e-Health Program, which will result in a
    stronger reliance on electronic records, rather than paper documents, with the associated benefits
    of improving access to the “right information to the right person (e.g. clinician) at the right time”. The
    Department acknowledges the subsequent need for improved security of systems, including people,
    processes and technology operating effectively together, to underpin high-quality patient healthcare
    services. In response, Queensland Health is actively working towards planning and implementing
    secure information management practices which can be relied upon to meet these requirements.
    It is pleasing to see that the audit acknowledges that preventative controls for external network
    access are in place. Queensland Health will continue to base business decisions for its information
    system and networks on a cost benefit and risk based approach.’
    12 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    1.3.2 Department of Education and Training
    The Director-General provided the following response:
    I am pleased to note that the QAO has assessed that appropriate action is being taken by the
    Department to address all recommendations made during the 2009 audit. The Information and
    Technologies Branch (ITB) have made a concerted effort towards improving ICT Governance and
    Project Management.
    Information Technology Governance
    The ITS completed the Business Continuity and Disaster Recovery Plans in May. These plans
    are now progressing through the internal governance processes for endorsement and approval.
    In addition, a new Business Continuity and. Risk Unit has been established within the Application
    Services unit to formalise responses and ensure continuity of service to business units, schools
    and TAFEs.
    Action has been taken to address the implementation of operational security responsibilities.
    An ITB information Security Committee has been initiated and is reviewing risks, Issues and
    business continuity and disaster recovery planning requirements.
    The new Manager, Operational Security has been working with the Manager, Information
    Security Policy to ensure the Information Security action plan addresses both operational and
    policy requirements. The Operational Security Plan and draft Security Policy Action Plan are being
    merged into a single plan and will be presented to the ITB Information Security Committee for
    endorsement at the June 2010 committee meeting.
    The Department’s Information Security policy has been redrafted to reflect the separation of duties
    between policy and operational security roles. The policy is currently with the ITB information
    Security Committee for comment, and will be presented at the July 2010 Information Steering
    Committee meeting for endorsement.
    Information Technology Project Management
    I was pleased to note, in the follow up review conducted on the project management of
    OneSchool, that the QAO found satisfactory progress has been made towards implementing
    audit recommendations. The inclusion of all key documentation into the OneSchool Document
    Register and the Department’s electronic document records management system is progressing
    and will be completed by 30 June 2010…
    …The Department of Education and Training is committed, to ensuring that sound ICT governance
    and project management practices are in place to enable achievement of the Department’s
    information and knowledge goal of creating a capable, agile and sustainable organisation where
    innovative and efficient business solutions underpin the achievement of priorities.
    1.3.3 IBM Australia Limited
    Relevant extracts of the report were provided to IBM Australia Limited for their information.
    The comments received from the company have been considered in the finalisation of this report.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 13
    2 | Queensland Health Implementation
    of Continuity Project
    Summary
    Background
    On 14 March 2010, Queensland Health went live with a new payroll system (SAP HR) for the
    processing of payments for all departmental employees. Difficulties were experienced with the
    system implementation and an audit has been undertaken of the major factors which adversely
    impacted on the system implementation.
    Key findings
     The Queensland Health payroll system has complex award structures. The system needs to
    address the requirements of 13 awards and multiple industrial agreements which provide for
    over 200 different allowances and in excess of 24,000 different combinations of calculation
    groups and rules for the approximately 78,000 Queensland Health employees.
     The governance structure for the system implementation by CorpTech and IBM, the prime
    contractor and Queensland Health was not clear, causing confusion over the roles and
    responsibilities of the various parties.
     Inadequate documentation and agreement of business requirements contributed to the
    significant increase in the system development costs and timeframe.
     System and process testing had not identified a number of significant implementation risks.
    Therefore the extent of the potential impact on the effective operation of the payroll system
    had not been fully understood and quantified prior to Go-Live.
     System useability testing and the validation of the new processes in the business environment
    was not performed. As a result, Queensland Health had not determined whether systems,
    processes and infrastructure were in place for the effective operation of the new system.
     Key system performance reports for use by CorpTech were not available during the
    completion of the initial payroll processing.
     Several changes to the payroll administration practices such as the deployment of a new
    fax server and a re-allocation of processing duties within the Queensland Health Shared
    Services Provider were introduced at the same time as the release of the SAP HR and
    WorkBrain system.
    14 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    2.1 Project overview
    Queensland Health pays its workforce, of approximately 78,000 people, every second Wednesday,
    for all work completed and allowances owing in the fortnight ending at midnight on the previous
    Sunday. The logistics of achieving this include having all rosters, shift changes, allowances, sick
    and recreation leave entered into the payroll system for all transactions up until midnight Sunday for
    the payroll fortnight. The actual pay run to generate and calculate the fortnightly pay commences on
    Sunday. This allows information to be provided to a contracted firm to produce printed payslips.
    Queensland Health is one of the few government departments that produce a printed payslip as not
    all of the department’s workforce regularly use a computer. This was an employee condition agreed
    with the various Unions that represent Queensland Health’s workforce.
    Pay day occurs less than 48 hours after the pay run finishes. There is a small time period available
    on Monday and Tuesday mornings to perform pay run corrections and ad hoc pay runs for cases
    where adjustments are required due to late shift changes or missing documentation. An electronic
    file is produced on Tuesday and provided to the various banking institutions for employees pay to
    be distributed to their nominated bank accounts. While the majority of banks distribute the cash to
    employees’ nominated bank accounts either immediately or within a few hours, it can take up to
    two or three days with some banking institutions.
    The ability to run ad hoc pays on Monday and Tuesday morning before the electronic bank transfer
    file is finalised results in some employees receiving a payslip which indicates net pay that is
    different to the amount deposited in an employee’s account. This is because the payslip has
    already been generated by the normal Sunday pay run. (Ad hoc pay runs do not result in the
    production of a new payslip. The payslip is produced in a subsequent pay run.). Ad hoc pays and
    differences between the net pay shown on the payslip and the amount deposited in the employee’s
    bank account have been a normal part of the Queensland Health payroll process. In the current
    environment of increased uncertainty, this issue has led to an increase in the rate of errors reported
    by employees. Queensland Health’s policy is to ensure the payment of wages closely follows the
    actual performance of the work. This practice is a contributing factor in the significant number of ad
    hoc pay runs. Figure 2A highlights the variables that affect Queensland Health’s payroll.
    Figure 2A – Payroll variables*
    Variables Statistics
    Approximate number of Queensland Health employees paid in an average fortnightly
    payroll run
    78,000
    Average fortnightly gross payroll amount $210m
    Approximate number of individual work sites where Queensland Health employees are
    located (includes 183 hospitals)
    300
    Number of awards 13
    Number of industrial agreements 5
    Number of separate allowances across the awards and agreements 205
    Number of different calculation groups of Queensland Health employees 223
    Number of different calculation rules that can apply to each calculation group 146
    Approximate number of different combinations of calculation groups and rules 24,000
    Average number of ‘reworks’ required after each pay run in a pre-SAP/HR payroll 15,000
    Approximate number of new starters and leavers in a standard fortnight 1070
    *All the figures provided by Queensland Health.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 15
    As the LATTICE payroll system had a smaller defined rule set and less structure, a significant
    amount of manual intervention was required. Such manual intervention (referred to as rework)
    was open to interpretation of awards and allowances by payroll staff. Due to the limitations of the
    LATTICE payroll system and the underlying complexity of the Queensland Health awards and
    allowances, a significant number of pays produced in each pay cycle under the previous system
    required adjustment or rework. The final eight pay cycles in LATTICE, before cut-over to SAP HR,
    had an average rework rate of approximately 20 per cent of total payees. Given the high number of
    employees paid in each pay cycle, the burden of this rework rate was significant and the situation
    needed to be addressed.
    In addition, vendor support for the LATTICE payroll system had expired in June 2008 and there
    were no viable vendor supplied technical upgrades. Queensland Health organised for extended
    vendor support until September 2008. This meant that legislative and other substantive payroll
    changes including revised payroll taxes and new enterprise bargaining provisions would not be
    supplied by the vendor after September 2008. Consequently, there was an urgent need for
    Queensland Health to replace this system.
    2.2 LATTICE system replacement project
    As part of the Shared Service Initiative established to design and build a whole of government
    finance and human resources (HR) solution, Queensland Government agencies were mandated to
    implement a standard software suite, including SAP HR, WorkBrain rostering software and SAP
    Finance. The first SAP HR system within this initiative was implemented as a pilot project at the
    then Department of Housing in March 2007.
    Queensland Health payroll and rostering systems were selected to be the next implementation
    within the Shared Service Initiative. Following a tender process, IBM was selected as the prime
    contractor to both manage and implement systems for the remaining Queensland Government
    agencies within the Shared Services model. The State Government contract with the prime
    contractor was signed on 5 December 2007.
    Key aspects arising from project included:
     Under the contract, the first phase for Release 6 of the program was for the implementation of
    SAP HR at four agencies and completing the implementation of SAP Finance at one agency that
    was then underway.
     While the prime contractor was estimating the level of work to be performed in the
    implementation of the SAP systems at four agencies, planning work was also underway by the
    prime contractor on the project for replacing the LATTICE payroll system and the ESP rostering
    system. The strategy for replacing Queensland Health’s payroll system was to implement the
    Department of Housing model of SAP HR with very little customisation, and full WorkBrain
    rostering functionality. It was envisaged that the interim solution would be transitioned onto the
    whole of government solution as part of the overall program schedule.
     The initial planning and scoping of the LATTICE replacement interim solution was approved
    by CorpTech and subsequently undertaken and completed during November 2007 to
    January 2008.
     Basic rostering functions were documented in a Statement of Work (No. 12) and used as a basis
    for the Queensland Health implementation. In addition, basic award interpretation was built
    under Statement of Work (No. 5) however, a contract change request was processed to move
    some components of the award interpretation build to the specific Statement of Work related to
    Queensland Health.
    16 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
     The design, configuration, build, testing and implementation specification was documented in a
    Statement of Work for the LATTICE replacement interim solution. This Statement of Work was
    approved by CorpTech on 18 January 2008, with system completion initially scheduled for
    August 2008 at a cost of $6.19m for work to be completed by IBM. Queensland Health and
    CorpTech would meet their own additional costs.
     In June 2008, IBM submitted a proposal to implement the full LATTICE replacement system
    for Queensland Health. This change request reset the scope and final cost of the project.
     During October 2008, detailed planning revealed that the size, complexity and scope of this
    phase of the program had been severely underestimated, with the consequence that its revised
    implementation cost estimates significantly exceeded the original tender proposal.
     A key component of the reviewed implementation approach noted by the Cabinet Budget
    Review Committee in August 2009 was for the prime contractor to only complete the
    implementation of Queensland Health’s payroll system.
     From February 2008 to March 2010, the prime contractor submitted over 47 change requests
    which were approved by CorpTech. In general, these change requests were mainly due to the
    business requirements not being clearly articulated and agreed to at the outset of the project.
    As a result, the solution deployed for user acceptance testing continued to fail the test criteria
    and there were delays in the project schedule.
     The effective Go-Live date for the LATTICE replacement interim system was 14 March 2010,
    following approval provided by the Queensland Health Implementation of Continuity Project
    Board. The system implementation was over 18 months after the scheduled Go-Live date and
    approximately 300 per cent over the original cost budget for the prime contractor to deliver the
    interim LATTICE replacement solution. To date, amounts paid to the prime contractor for the
    implementation have totalled over $21m.
     Total program implementation costs incurred by all agencies in the development of the
    Queensland Health HR LATTICE replacement project are $64.5m. In addition, a further
    $37.5m has been paid to IBM for activities related to the whole of government system solutions.
    Key aspects arising from the system implementation include:
     Difficulties in system development resulted in delays in the finalisation of parallel and user
    acceptance testing that impacted on the quality of testing.
     Exception reports were not provided to business for the first payroll process to determine any
    anomalies produced by the new system.
     No contingency plans were prepared for business cut-over and no testing was undertaken in the
    production environment to determine whether the pays were correct prior to the first live payroll
    being produced.
     Some of the Enterprise Bargaining Agreement conditions and business policies placed an
    unrealistic pressure on the time available for payroll processing.
     The new system has far tighter business rules for many of the processes undertaken during the
    pay cycle. The full impact of those stricter business rules was not identified and included in the
    changed business practices needed for the new system.

Leave a Reply

Your email address will not be published.