Information systems governance and control

Report to Parliament No. 7 for 2010
Information systems governance and control,
including the Queensland Health
Implementation of Continuity Project
Financial and Compliance audits
Auditor-General
of Queensland
Report to Parliament No. 7 for 2010
Information systems governance and control,
including the Queensland Health
Implementation of Continuity Project
Financial and Compliance audits
© The State of Queensland. Queensland Audit Office (2010)
Copyright protects this publication except for purposes permitted by the Copyright Act. Reproduction by whatever
means is prohibited without the prior written permission of the Auditor-General of Queensland. Reference to this
document is permitted only with appropriate acknowledgement.
Queensland Audit Office
Level 14, 53 Albert Street, Brisbane Qld 4000
GPO Box 1139, Brisbane Qld 4001
Phone 07 3149 6000
Fax 07 3149 6011
Email [email protected]
Web www.qao.qld.gov.au
ISSN 1834-1136
Publications are available at www.qao.qld.gov.au or by phone on 07 3149 6000.
Auditor-General
of Queensland
June 2010
The Honourable R J Mickel MP
Speaker of the Legislative Assembly
Parliament House
BRISBANE QLD 4000
Dear Mr Speaker
This report is prepared under Part 3 Division 3 of the Auditor-General Act 2009, and
is titled Information systems governance and control, including the Queensland Health
Implementation of Continuity Project. It is number seven in the series of Auditor-General Reports
to Parliament for 2010.
In accordance with s.67 of the Act, would you please arrange for the report to be tabled in the
Legislative Assembly.
Yours sincerely
Glenn Poole
Auditor-General
Level 14, 53 Albert St, Brisbane Qld 4000
GPO Box 1139, Brisbane Qld 4001
Phone: 07 3149 6000
Fax: 07 3149 6011
Email: [email protected]
Web: www.qao.qld.gov.au

Contents
1 | Executive summary……………………………………………………………………………….1
1.1 Auditor-General’s overview……………………………………………………………………………………. 1
1.2 Recommendations……………………………………………………………………………………………….. 5
1.3 Stakeholders’ responses ………………………………………………………………………………………. 7
2 | Queensland Health Implementation of Continuity Project………………………….13
2.1 Project overview ………………………………………………………………………………………………… 14
2.2 LATTICE system replacement project …………………………………………………………………… 15
2.3 Audit scope……………………………………………………………………………………………………….. 17
2.4 Audit findings …………………………………………………………………………………………………….. 18
2.5 Post Go-Live issues……………………………………………………………………………………………. 33
3 | Program management and governance………………………………………………….35
3.1 Program management at Department of Public Works…………………………………………….. 36
3.2 Information technology project governance and project management
at Department of Education and Training ………………………………………………………………. 45
4 | Information security……………………………………………………………………………..47
4.1 Patient information security at Queensland Health………………………………………………….. 48
4.2 Information technology network security………………………………………………………………… 50
5 | Appendices ………………………………………………………………………………………..53
5.1 What is an information systems audit? ………………………………………………………………….. 53
5.2 Acronyms………………………………………………………………………………………………………….. 53
5.3 Glossary …………………………………………………………………………………………………………… 54
5.4 References ……………………………………………………………………………………………………….. 55
5.5 Corporate Solutions Program timeline of key events……………………………………………….. 56
6 | Auditor-General Reports to Parliament …………………………………………………..57
6.1 Tabled in 2010…………………………………………………………………………………………………… 57

Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 1
1 | Executive summary
1.1 Auditor-General’s overview
Information systems are critical in all areas of government business. Good information technology
program management can provide among other benefits, achievement of strategic outcomes,
optimised costs and better management of risks.
The audit program this year included an audit of three whole of government information and
communication technology (ICT) programs at the Department of Public Works, as the whole of
government ICT provider (Corporate Solutions Program, ICT Consolidation Program and Identity,
Directory and Email Services Program). A major audit of the Queensland Health Implementation of
Continuity Project (SAP HR and payroll) was also undertaken. Other information systems audits
covered information technology governance within the Department of Education and Training,
patient information security within Queensland Health and information technology network security.
The development and implementation of ICT systems and solutions designed to address the
current business requirements of government are large, complex and expensive projects. In this
environment, it can be expected that projects may experience changes in personnel, technology,
scope and legislative frameworks. These issues need to be adequately managed.
In general, the results of these audits further emphasise the need for significant improvement in
program and project governance, including up front and ongoing scope management, vigorous
controls over budgets, and comprehensive testing and implementation regimes. Specific attention
must also be given to the development of robust benefit management plans to ensure that the
Government achieves appropriate returns on these multi million dollar investments.
1.1.1 Queensland Health Implementation of Continuity Project
The Corporate Solutions Program, a CorpTech managed program established to implement the
whole of government finance and HR systems, was included in the program management audit.
Queensland Health’s new payroll and rostering system is one of the projects within this program.
Significant problems have been experienced by the department since the Go-Live date of this
payroll system on 14 March 2010.
A Payroll Stabilisation Project has been established and action to identify and correct payment
irregularities is expected to continue for some time. The audit of these actions will be a significant
issue which will be further examined during the finalisation of the auditor’s opinion for the 2009-10
financial statements for Queensland Health.
2 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
The experience from the audit of this project leads me to conclude that there is no clear
understanding of the accountabilities of individual Accountable Officers impacted by the Shared
Service Initiative. Whilst the accountability for payment of staff within Queensland Health ultimately
lies with the Director-General, Queensland Health, I consider that the governance of the project was
unclear between his responsibilities and the responsibilities of the Director-General, Department of
Public Works as the Accountable Officer responsible for the management of CorpTech and its
responsibility for the implementation of the whole of government HR solution. This confusion limited
Queensland Health’s ability to influence some of the decisions affecting the outcome of the project
as well as limiting transparency of decision making for parts of the project.
The roles and responsibilities of Accountable Officers in this environment should be clarified
as a high priority.
This system’s significance is highlighted by the fact that to the end of March 2010, approximately
$65m of costs can be directly attributed to it. Audit found that project governance, including
managing relationships with key stakeholders was not effective in ensuring roles and
responsibilities were clearly articulated and in ensuring there was clear accountability for the
efficient and effective implementation of the system.
Prior to the introduction of the new system, Queensland Health used the LATTICE payroll and the
ESP rostering systems, which had been in place since 1997. It was recognised that the LATTICE
payroll system needed to be replaced as it would no longer be supported by its supplier from July

  1. In addition, there were difficulties in implementing new payroll requirements arising from new
    employment agreements and other payroll related changes.
    CorpTech, through the services of a prime contractor, was undertaking the implementation of a
    standardised SAP HR system across the Queensland public sector. This was a continuation of the
    Shared Services process which had commenced in 2002. Queensland Health was originally
    scheduled to receive the new system in 2006, however the whole of government implementation
    process had been delayed.
    A decision was made in late 2007 by Queensland Health and CorpTech to escalate the
    implementation of the Queensland Health payroll system due to the risks associated with the
    continued use of the LATTICE payroll system.
    Figure 1A provides details of the key participants and their roles within the project. A timeline of the
    key events is included in Section 5.5.
    Figure 1A – Key project participants
    Agency Role
    CorpTech Specialised business unit of Treasury Department and subsequently
    Department of Public Works providing a whole of government role over
    the acquisition of information technology. CorpTech is the owner of the
    SAP HR and WorkBrain systems. The primary responsibility during this
    project was to manage the prime contract.
    IBM Prime contractor to CorpTech selected under a formal tender
    arrangement to direct, manage and control the project and to implement
    SAP HR and WorkBrain solution to replace LATTICE.
    Queensland Health Business user of the SAP HR and WorkBrain systems responsible for the
    payment of Queensland Health employee entitlements. Primarily
    responsible for ensuring business requirements were reflected in the
    scope of works, undertake data cleansing and migration, user
    acceptance processes, staff training and ensure business processes and
    practices were ready to utilise the new system.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 3
    Key findings from the audit of the system implementation include:
     The Queensland Health payroll system has complex award structures. There are 13 awards and
    multiple industrial agreements which provide for over 200 different allowances, and in excess of
    24,000 different combinations of calculation groups and rules for Queensland Health employees
    who on average total around 78,000.
     The governance structure for the system implementation, as it related to CorpTech, the prime
    contractor and Queensland Health, was not clear, causing confusion over the roles and
    responsibilities of the various parties.
     There was inadequate documentation of business requirements at the commencement
    of the project.
     The time taken to reach Go-Live status increased from eight months to 26 months.
     The absence of a periodic review of the business needs contributed to subsequent difficulties
    with system testing and the implementation of a system which did not meet the needs of
    Queensland Health’s operating environment.
     System and process testing prior to Go-Live had not identified a number of significant
    implementation risks and therefore the extent of the potential impact on the effective operation
    of the payroll system had not been fully understood and quantified.
     System useability testing and the validation of the new processes in the business environment
    was not performed. As a result, Queensland Health had not determined whether systems,
    processes and infrastructure were in place for the effective operation of the new system.
     A number of critical business readiness activities and practices were not fully developed prior to
    the implementation of the new system. This was in part a reflection of the view of Queensland
    Health staff that the project involved a ‘like for like’ replacement of the LATTICE system and the
    lack of an awareness of the full impact of the business rules configured into the new system.
     Business continuity plans were not available and able to be quickly implemented to address
    payroll issues as they emerged.
     Key system performance reports for use by CorpTech were not available during the completion
    of the initial payroll processing.
     Several changes to the payroll administration practices, such as a new fax server and a
    re-allocation of processing duties within the Queensland Health Shared Services Provider, were
    introduced at the same time as the release of the SAP HR and WorkBrain systems.
    There are many lessons to be learnt from the experience of the Queensland Health Implementation
    of Continuity Project for future systems implementations. The following issues should be considered
    for future payroll system implementations:
     Where possible, simplify award structures prior to implementing a new payroll system to remove
    complexities which will impact on the effectiveness and efficiency of the payroll process.
     Establish clear lines of accountability and roles and responsibilities at the initiation of the project
    to ensure an end to end governance structure.
     Ensure the full impact of system change is assessed on the end to end business process.
     Ensure the ultimate decision to Go-Live is based on the readiness of the business and that the
    system’s application within the business is fully tested.
     Identify all project and systems risks and have in place robust contingency plans and risk
    management strategies to address risks in the event of unexpected system issues.
    4 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    1.1.2 Program management and governance
    Program management is the coordinated organisation, direction and implementation of a group of
    projects and activities that together achieve the outcomes and realise benefits that are of strategic
    importance. An audit was undertaken of three whole of government information and communication
    technology (ICT) programs at the Department of Public Works as the whole of government ICT
    provider. While the audit found that the Queensland Government Program Management
    Methodology was being progressively implemented, all programs were behind schedule.
    Overall, the governance of IT program management across all three programs needed
    improvement. The department could not demonstrate to audit whether the government would
    realise the full benefits, including savings, that were expected from the large scale investment of an
    estimated $545m across all three programs. In addition there was a lack of transparency in relation
    to key decisions and the way these decisions would impact on client agencies. Action needs to be
    taken by the Department of Public Works to address the identified deficiencies.
    1.1.3 Information system security audits
    In addition to the audit of information technology program management and governance, this year’s
    audit program also included an examination of the controls within public sector entities’ information
    technology environments. I have reported to Parliament over an extended period on information
    systems security and general computer control issues. By failing to address fundamental control
    weaknesses, public sector entities leave themselves vulnerable to computer system failures,
    unauthorised access to information, loss of information and fraudulent activity.
    In Auditor-General Report No 4 for 2009 – Results of audits at 31 May 2009, I reported on
    the results of an audit of information technology network security and made a number of
    recommendations for improvement. This year, the progress of the implementation of the
    recommendations by the audited entities has been followed up and is reported in Section 4.2.
    While there has been some improvement in control with 34 per cent of the recommendations
    implemented, it is disappointing that more urgent action has not been taken by individual agencies
    to address the issues. Some entities are continuing to place insufficient priority on the importance of
    effectively managing and protecting their information networks. At a whole of government level, an
    information technology security committee was established in October 2009 with specific goals to
    implement network security risk mitigation strategies. I encourage all agencies to participate in the
    whole of government program by implementing the controls in accordance with the plans.
    An audit was conducted of the security of patient information within the information technology
    environment for which Queensland Health is responsible to determine whether there are suitable
    systems and frameworks in place to ensure the effective safeguarding of patient information. The
    scope of this audit was limited to security of patient information within the information technology
    environment at the corporate office in Brisbane and the Emergency Departments at Princess
    Alexandra and Redland Hospitals.
    It is critical that the privacy of patient information is assured. As outlined in Section 4.1, the audit
    found that there are some opportunities to improve the efficiency and effectiveness of the collection,
    retrieval and storage of patient information. In particular, the paper based clinical information
    recorded and maintained separately by each hospital carries an inherent risk of delays in retrieving
    records when a patient presents at the hospital. It was found that this risk is significantly higher
    when patient records are stored at a different Queensland Health facility.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 5
    Although Queensland Health has advised that the e-Health strategy, when implemented, should
    improve the availability and accessibility of patient information, the department should ensure that
    any risks are adequately addressed in the interim.
    1.1.4 Information technology governance
    An audit in 2009 of information technology governance at the Department of Education and
    Training found that the information technology governance framework, including risk management,
    project management and business continuity management across the whole of the department
    required strengthening.
    The latest audit in 2010 found that action is being taken by the Department of Education and
    Training to address all the recommendations made during the previous audit. Information
    technology governance has been assessed by audit as being at a developing stage with the initial
    steps for the establishment of an information technology governance framework having been
    undertaken. The status of information technology governance and the OneSchool project is
    discussed further in Section 3.2.
    1.2 Recommendations
    1.2.1 Queensland Health Implementation of Continuity Project
    Queensland Health
  2. The current action to stabilise the Queensland Health payroll and rostering systems be
    continued to ensure Queensland Health employees are correctly paid.
    Any mismatches between business practices and business rules configured within the
    system need to be analysed and appropriate changes made to address defects or to
    improve the accuracy or effectiveness of the payroll output.
    Technological changes should be performed through strict change management
    processes and testing regimes to ensure that system stability is maintained.
  3. Queensland Health should reconsider its current business model to determine the most
    effective and efficient strategy to deliver payroll services. To mitigate the risk of payroll
    inaccuracies, simplification of award structures and pay rules need to be considered.
    Reengineering the payroll process should be undertaken to provide an appropriate blend
    of local decision making and action and the efficiencies of centralised processing.
    System reporting to enable effective performance management for both local and central
    processing hubs is an essential component of any business process reengineering.
    It is suggested that a staged approach be used for the implementation of any new
    business model.
    Shared Services
  4. The roles and responsibilities of departmental Accountable Officers involved in the
    Shared Service Initiative be reviewed so that the ultimate responsibility of departmental
    Accountable Officers for all expenditure by their departments is reinforced. The agreed
    responsibilities should be clarified in either the Financial Accountability Act 2009 or in
    the Financial and Performance Management Standard 2009.
    6 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    1.2.2 Information technology governance and security
  5. The Queensland Government Chief Information Office program and project management
    methodologies be rigorously applied for the development and implementation of all new
    information system programs. Some of the critical success factors include:
    – Formal documentation of roles, responsibilities, accountabilities and key performance
    indicators of all relevant parties which should be signed by all key stakeholders.
    This document needs to be a living document that is periodically reviewed and
    updated for relevance.
    – Formal documentation of the program being divided into tranches (groups of projects
    that deliver the final outcome). End of tranche reviews need to be performed to assess
    the ongoing viability of programs and to assess the effectiveness of program
    processes in managing risks, issues, benefits, program management activities and
    lessons learnt.
    – Clear definition of the project scope and timeline, including key stakeholder sign off.
    The project scope needs to be tightly managed throughout the life of the project.
    – Large projects should be divided into stages, with each stage clearly planned,
    controlled and end stage reviews performed. The end stage reports should provide an
    input into the planning processes for the next stage(s). Some examples of
    Queensland Health project stages could include: project scope definition; business
    requirements definition; system development; user acceptance testing; parallel
    testing; system useability test and validation of business processes; business
    process re-definition; Go-Live and post-implementation processes.
    – Quality assurance role of the Project Board needs to be clearly documented and
    implemented. The quality assurance processes need to be implemented at all levels
    of programs and projects.
    – Rigorous budget management processes should be implemented with budgets
    approved and monitored by the relevant governance boards.
  6. Information technology governance frameworks, practices and processes need to be
    implemented at a whole of government level so that business outcomes and benefits
    from IT programs are achieved, measured and reported by individual agencies using a
    consistent approach. These can then be consolidated at the whole of government level
    through the recently established ICT governance committees for improved transparency
    of ICT programs and projects.
  7. For whole of government programs/projects, specific attention needs to be placed on
    ensuring that end to end governance structures are implemented and ensuring that there
    is transparency of decisions that are made and the impact of those decisions on
    government agencies.
  8. Information technology security risk assessment, mitigation strategies and control
    mechanisms need to be documented and implemented at the agency level and
    co-ordinated at the whole of government level through the recently established
    information security committee.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 7
    1.3 Stakeholders’ responses
    1.3.1 Department of Public Works and Queensland Health
    The Director-General, Department of Public Works and the Director-General, Queensland Health
    provided the following response:
    Section 1.1 Auditor-General’s overview
    It is acknowledged that governance improvements can be made in respect of all programs audited.
    As the Chief Information Officer I am committed to the rigorous implementation of the QGCIO
    program and project methodologies. My officers will work collaboratively with all agencies to ensure
    these methodologies are applied to existing and future system implementations so that expected
    benefits are realised from the significant investments being made by government.
    Section 1.1.1 Queensland Health Implementation of Continuity Project
    The project was complex and faced the challenge of an ageing payroll system that was in urgent
    need of replacement with the withdrawal of vendor support. This influenced deliberations of the
    Project Board as there was the constant risk of catastrophic payroll failure and the possibility of
    all Queensland Health employees not being paid.
    As indicated in the report, Queensland Health has established the Payroll Stabilisation Project
    to ensure that the issues that have occurred post Go-Live, particularly pay-related issues, are
    addressed as quickly as possible. CorpTech is supporting Queensland Health in its endeavours
    to ensure that all Queensland Health employees are paid correctly.
    In addition, Queensland Health has engaged KPMG to provide advice regarding the options for the
    Payroll Operating Model, and the development of a roadmap that describes the way the preferred
    model should be implemented. CorpTech will work closely with Queensland Health to action any
    necessary computing system changes required to support the Queensland Health revised Payroll
    Operating Model once approved.
    Recommendations 1 and 2 – Health Payroll
  9. Queensland Health has put the Payroll Stabilisation Project in place to stabilise the current
    solution, address defects within the system and identify and implement improvements that can
    be made in current business practices.
  10. A payroll process reengineering activity forms part of the Payroll Stabilisation Project.
    Queensland Health notes the suggestion regarding the simplification of award structures and
    pay rules. Queensland Health also notes the suggestion regarding a staged approach for the
    implementation of any future new business models.
    8 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    Section 2 – Queensland Health Implementation of Continuity Project
    Project Governance
    It is acknowledged that the governance arrangement for this project could have been improved and
    clarified. The transition from a whole of government implementation governance arrangement to a
    project governance arrangement in June 2009 did provide for a clearer focus for oversight of the
    project related work programs of IBM, Queensland Health and CorpTech and the associated
    decisions by the Project Board members.
    CorpTech has reviewed the governance arrangements for the delivery of the Corporate Solutions
    Program which will see the establishment of revised formats for program and project boards. There
    will be an induction program conducted to ensure members have an understanding and sign off on
    their roles, responsibilities and accountabilities.
    Prime Contract Management and stakeholder engagement
    CorpTech agrees that there is a need to ensure that there is appropriate involvement of
    stakeholders. CorpTech did undertake significant consultation and engagement of stakeholders
    throughout the project.
    Procedural changes will be made to ensure that stakeholders formally sign-off deliverables and
    contract variations as this will reinforce the understanding of roles, responsibilities and
    accountabilities.
    Business Readiness Activities
    The view that the QHIC Project replacement would be implemented with minimal business process
    change was constantly reinforced during the project through a number of artefacts:
    ● IBM’s original scope statement;
    ● Deloitte’s Change Strategy; and
    ● IBM’s Impact Assessment Completion report.
    A range of activities were put in place to ensure business readiness. These included:
    ● Presentations to Line Managers and senior staff to outline the new and changed processes
    were held in all Districts;
    ● Line Managers were sent a “Manager Information Pack” on all new processes and forms;
    ● A DVD “Information for Managers” was sent to all Line Managers;
    ● A Payroll and Rostering intranet site was available for all staff explaining the new forms and
    processes; and
    ● Line Manager Updates and information sheets were provided and were available on the
    project’s intranet site.
    Parallel and user acceptance testing
    It needs to be noted that a number of testing activities were carried out including:
    ● Parallel Payroll Run Test on a sample of 10% of employee population;
    ● Four iterations of User Acceptance Testing (UAT);
    ● Five iterations of Payroll Performance Validation (PPV);
    ● Several iterations of Stress & Volume testing (S&V);
    ● Two iterations of Pay Cycle Validation (PCV) tests; and
    ● Penetration testing (security assurance).
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 9
    Business Go-Live decision
    The members of the QHIC Board were faced with a difficult choice of accepting the new solution
    with residual risks or deferring the implementation. The Go-Live decision was based on a number of
    factors including:
    ● Advice received from IBM and CorpTech on the technical readiness of the solution;
    ● Advice from the business that the management plan for the outstanding defects was acceptable;
    ● Advice from a risk and assurance consultant contracted to provide independent assessment
    affirming Go-Live risk was less than continuing the project given the risk of failure of the old
    system, LATTICE; and
    ● Significant contractual and commercial challenges if the project was further delayed.
    Queensland Health acknowledges that there were performance issues during the processing of the
    first pay run, and wishes to clarify that there was a contingency plan in place. All key project
    participants had weekly meetings to monitor the progress of the plan. The cutover plan also
    included a roll back strategy for the first pay period that allowed for a roll back to the LATTICE
    system up to the first pay production. Also during the payroll processing cycle a number of
    simulations occurred to allow error correction. However, the poor system performance especially
    that of WorkBrain, led to a compressed payroll processing window immediately following cut over
    resulting in an additional backlog of adjustments.
    Post Go-Live issues
    Queensland Health acknowledges the comments made in relation to the post Go-Live issues.
    The report acknowledges much of the corrective action that Queensland Health has put in place
    since 14 March 2010 to address issues that arose with the implementation of the system.
    Queensland Health has put in place the Payroll Stabilisation Project to address business issues
    with the assistance of KPMG.
    Section 1.1.2 Program management and governance
    As previously acknowledged, governance improvements can and will be made in respect of the
    three programs audited.
    With respect to both the ICT Consolidation Program (ICTC) and the Identity, Directory and Email
    Services (IDES) Program, a Benefits Management Framework is being developed in accordance
    with the QGCIO methodology. This Framework will identify and quantify program benefits to
    demonstrate significant benefits resulting from the investment being made by government in
    these programs.
    In relation to ICTC, the following action has been taken:
    External Board representation –
    ● A Program Board has been reconstituted with representation from agencies (Queensland
    Health, Education and Training, Infrastructure and Planning),
    ● The Board’s terms of reference have been revised to reflect the revised role of the Board; and
    ● The first meeting of the reconstituted Board was held on 13 May 2010.
    10 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    Formal reviews of program –
    ● Four End-of-Tranche Reviews were conducted throughout the program prior to its transition
    to CITEC;
    ● A decision was made not to conduct a review in October 2009 as the scope and definition of
    the Program was under review;
    ● An End -of-Tranche Review was conducted in May 2010 by Deloittes; and
    ● Internal Audit has recently conducted a review of the procurement process, probity and
    governance around the Foundation Infrastructure Program tenders.
    Formal process to measure and monitor stakeholder engagement –
    ● The Strategic Programs Board (SPB – internal to CITEC) reviews progress of the
    Program on a fortnightly/monthly basis;
    ● To date in excess of 70 workshops have been conducted on establishing a
    Consolidation Strategy for each agency; and
    ● Four agencies have completed Consolidation Strategy Documentation and three of these
    agencies have commenced detailed migration planning.
    In relation to IDES, the following action has been taken:
    External Board representation –
    ● The program Board has been reconstituted with representation from external agencies
    (DEEDI, Queensland Police Service, Department of Community Safety);
    ● The first meeting of the reconstituted Board was held on 27 May 2009; and
    ● The terms of reference have been amended to reflect the revised role of the Board.
    Formal review of Program effectiveness –
    ● Reviews of the program performance were conducted in November 2009 relating to program
    strategy, financial analysis and operational feasibility; and
    ● The Strategic Programs Board (CITEC internal) are held fortnightly/monthly and monitor
    program status, milestones, risks and issues.
    With respect to the Corporate Solutions Program (CSP), program and project management controls
    are being enhanced and continue to progressively work towards meeting the Program and Project
    maturity targets set by the Public Sector ICT Development Office.
    Recommendation 3
    Agree with the recommendation however with respect to matters impacting either the Financial
    Accountability Act 2009 or the Financial and Performance Management Standard 2009 it is
    suggested discussions be held between the Auditor-General and the Under Treasurer.
    Recommendations 4, 5 and 6
    Agree with the recommendations. As previously stated, the Department is committed to the rigorous
    implementation of the QGCIO program and project methodologies and will work towards ensuring
    these methodologies are applied to these current system implementations.
    Auditor-General Report to Parliament No. 7 for 2010 | Executive summary 11
    Section 1.1.3 Information system security audits
    The importance of comprehensive and robust controls in relation to network security is
    acknowledged. In addition to the establishment of a whole of Government security committee in
    late 2009 to improve such controls across the sector, the Department has also undertaken a review
    of the assessment of security controls published by the Cyber Security Operations Centre, Defence
    Signals Directorate, Department of Defence (CSOC) in February 2010. It is proposed to investigate
    the most effective prevention and detection controls identified by CSOC for application to the
    systems concerned. In addition, the finalisation of the Foundation Infrastructure Project (FIP)
    procurement phase, part of the whole-of-Government Consolidation (ICTC) Program, will also
    establish a supply panel for security incident detection and management tools to address this issue.
    Recommendation 7
    Agree with recommendation.
    Section 4.1 Management and security of patient information
    Queensland Health notes that the report also contains information regarding audit findings from the
    Queensland Audit Office’s (QAO’s) audit of the security of patient information which was
    commenced in March 2010.
    Queensland Health acknowledges and welcomes the QAO opinion that the department “appears to
    have established a satisfactory control environment”.
    Queensland Health is implementing a number of the enhancements proposed and investigating
    further opportunities for continuous improvement, and has adopted a risk-based approach to the
    management and security of its patient information. The Department has sought to balance the
    appropriate and timely access to confidential information, for the best patient healthcare outcomes,
    with the need to maintain public trust in the systems used to safeguard that same information and
    meet legislative requirements.
    It should also be noted that traditional methods of ensuring patient safety have always relied upon
    the vigilance of clinical practitioners, and are based on taking a comprehensive medical history
    and examination of the patient. This continues to be a professional benchmark to which clinicians
    are measured.
    As the report acknowledges, there may be delays in retrieving paper based records at hospitals and
    this will be more of a risk after normal business hours or on weekends. Hospitals have a system in
    place for the delivery of records for patient treatment specifically within the Emergency Department
    with timeframes for delivery ranging from immediate to within 60 minutes. Doctors also have the
    ability to speak to colleagues at other hospitals to have relevant information provided over the
    telephone or faxed to them.
    Queensland Health is currently investing in a significant e-Health Program, which will result in a
    stronger reliance on electronic records, rather than paper documents, with the associated benefits
    of improving access to the “right information to the right person (e.g. clinician) at the right time”. The
    Department acknowledges the subsequent need for improved security of systems, including people,
    processes and technology operating effectively together, to underpin high-quality patient healthcare
    services. In response, Queensland Health is actively working towards planning and implementing
    secure information management practices which can be relied upon to meet these requirements.
    It is pleasing to see that the audit acknowledges that preventative controls for external network
    access are in place. Queensland Health will continue to base business decisions for its information
    system and networks on a cost benefit and risk based approach.’
    12 Auditor-General Report to Parliament No. 7 for 2010 | Executive summary
    1.3.2 Department of Education and Training
    The Director-General provided the following response:
    I am pleased to note that the QAO has assessed that appropriate action is being taken by the
    Department to address all recommendations made during the 2009 audit. The Information and
    Technologies Branch (ITB) have made a concerted effort towards improving ICT Governance and
    Project Management.
    Information Technology Governance
    The ITS completed the Business Continuity and Disaster Recovery Plans in May. These plans
    are now progressing through the internal governance processes for endorsement and approval.
    In addition, a new Business Continuity and. Risk Unit has been established within the Application
    Services unit to formalise responses and ensure continuity of service to business units, schools
    and TAFEs.
    Action has been taken to address the implementation of operational security responsibilities.
    An ITB information Security Committee has been initiated and is reviewing risks, Issues and
    business continuity and disaster recovery planning requirements.
    The new Manager, Operational Security has been working with the Manager, Information
    Security Policy to ensure the Information Security action plan addresses both operational and
    policy requirements. The Operational Security Plan and draft Security Policy Action Plan are being
    merged into a single plan and will be presented to the ITB Information Security Committee for
    endorsement at the June 2010 committee meeting.
    The Department’s Information Security policy has been redrafted to reflect the separation of duties
    between policy and operational security roles. The policy is currently with the ITB information
    Security Committee for comment, and will be presented at the July 2010 Information Steering
    Committee meeting for endorsement.
    Information Technology Project Management
    I was pleased to note, in the follow up review conducted on the project management of
    OneSchool, that the QAO found satisfactory progress has been made towards implementing
    audit recommendations. The inclusion of all key documentation into the OneSchool Document
    Register and the Department’s electronic document records management system is progressing
    and will be completed by 30 June 2010…
    …The Department of Education and Training is committed, to ensuring that sound ICT governance
    and project management practices are in place to enable achievement of the Department’s
    information and knowledge goal of creating a capable, agile and sustainable organisation where
    innovative and efficient business solutions underpin the achievement of priorities.
    1.3.3 IBM Australia Limited
    Relevant extracts of the report were provided to IBM Australia Limited for their information.
    The comments received from the company have been considered in the finalisation of this report.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 13
    2 | Queensland Health Implementation
    of Continuity Project
    Summary
    Background
    On 14 March 2010, Queensland Health went live with a new payroll system (SAP HR) for the
    processing of payments for all departmental employees. Difficulties were experienced with the
    system implementation and an audit has been undertaken of the major factors which adversely
    impacted on the system implementation.
    Key findings
     The Queensland Health payroll system has complex award structures. The system needs to
    address the requirements of 13 awards and multiple industrial agreements which provide for
    over 200 different allowances and in excess of 24,000 different combinations of calculation
    groups and rules for the approximately 78,000 Queensland Health employees.
     The governance structure for the system implementation by CorpTech and IBM, the prime
    contractor and Queensland Health was not clear, causing confusion over the roles and
    responsibilities of the various parties.
     Inadequate documentation and agreement of business requirements contributed to the
    significant increase in the system development costs and timeframe.
     System and process testing had not identified a number of significant implementation risks.
    Therefore the extent of the potential impact on the effective operation of the payroll system
    had not been fully understood and quantified prior to Go-Live.
     System useability testing and the validation of the new processes in the business environment
    was not performed. As a result, Queensland Health had not determined whether systems,
    processes and infrastructure were in place for the effective operation of the new system.
     Key system performance reports for use by CorpTech were not available during the
    completion of the initial payroll processing.
     Several changes to the payroll administration practices such as the deployment of a new
    fax server and a re-allocation of processing duties within the Queensland Health Shared
    Services Provider were introduced at the same time as the release of the SAP HR and
    WorkBrain system.
    14 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    2.1 Project overview
    Queensland Health pays its workforce, of approximately 78,000 people, every second Wednesday,
    for all work completed and allowances owing in the fortnight ending at midnight on the previous
    Sunday. The logistics of achieving this include having all rosters, shift changes, allowances, sick
    and recreation leave entered into the payroll system for all transactions up until midnight Sunday for
    the payroll fortnight. The actual pay run to generate and calculate the fortnightly pay commences on
    Sunday. This allows information to be provided to a contracted firm to produce printed payslips.
    Queensland Health is one of the few government departments that produce a printed payslip as not
    all of the department’s workforce regularly use a computer. This was an employee condition agreed
    with the various Unions that represent Queensland Health’s workforce.
    Pay day occurs less than 48 hours after the pay run finishes. There is a small time period available
    on Monday and Tuesday mornings to perform pay run corrections and ad hoc pay runs for cases
    where adjustments are required due to late shift changes or missing documentation. An electronic
    file is produced on Tuesday and provided to the various banking institutions for employees pay to
    be distributed to their nominated bank accounts. While the majority of banks distribute the cash to
    employees’ nominated bank accounts either immediately or within a few hours, it can take up to
    two or three days with some banking institutions.
    The ability to run ad hoc pays on Monday and Tuesday morning before the electronic bank transfer
    file is finalised results in some employees receiving a payslip which indicates net pay that is
    different to the amount deposited in an employee’s account. This is because the payslip has
    already been generated by the normal Sunday pay run. (Ad hoc pay runs do not result in the
    production of a new payslip. The payslip is produced in a subsequent pay run.). Ad hoc pays and
    differences between the net pay shown on the payslip and the amount deposited in the employee’s
    bank account have been a normal part of the Queensland Health payroll process. In the current
    environment of increased uncertainty, this issue has led to an increase in the rate of errors reported
    by employees. Queensland Health’s policy is to ensure the payment of wages closely follows the
    actual performance of the work. This practice is a contributing factor in the significant number of ad
    hoc pay runs. Figure 2A highlights the variables that affect Queensland Health’s payroll.
    Figure 2A – Payroll variables*
    Variables Statistics
    Approximate number of Queensland Health employees paid in an average fortnightly
    payroll run
    78,000
    Average fortnightly gross payroll amount $210m
    Approximate number of individual work sites where Queensland Health employees are
    located (includes 183 hospitals)
    300
    Number of awards 13
    Number of industrial agreements 5
    Number of separate allowances across the awards and agreements 205
    Number of different calculation groups of Queensland Health employees 223
    Number of different calculation rules that can apply to each calculation group 146
    Approximate number of different combinations of calculation groups and rules 24,000
    Average number of ‘reworks’ required after each pay run in a pre-SAP/HR payroll 15,000
    Approximate number of new starters and leavers in a standard fortnight 1070
    *All the figures provided by Queensland Health.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 15
    As the LATTICE payroll system had a smaller defined rule set and less structure, a significant
    amount of manual intervention was required. Such manual intervention (referred to as rework)
    was open to interpretation of awards and allowances by payroll staff. Due to the limitations of the
    LATTICE payroll system and the underlying complexity of the Queensland Health awards and
    allowances, a significant number of pays produced in each pay cycle under the previous system
    required adjustment or rework. The final eight pay cycles in LATTICE, before cut-over to SAP HR,
    had an average rework rate of approximately 20 per cent of total payees. Given the high number of
    employees paid in each pay cycle, the burden of this rework rate was significant and the situation
    needed to be addressed.
    In addition, vendor support for the LATTICE payroll system had expired in June 2008 and there
    were no viable vendor supplied technical upgrades. Queensland Health organised for extended
    vendor support until September 2008. This meant that legislative and other substantive payroll
    changes including revised payroll taxes and new enterprise bargaining provisions would not be
    supplied by the vendor after September 2008. Consequently, there was an urgent need for
    Queensland Health to replace this system.
    2.2 LATTICE system replacement project
    As part of the Shared Service Initiative established to design and build a whole of government
    finance and human resources (HR) solution, Queensland Government agencies were mandated to
    implement a standard software suite, including SAP HR, WorkBrain rostering software and SAP
    Finance. The first SAP HR system within this initiative was implemented as a pilot project at the
    then Department of Housing in March 2007.
    Queensland Health payroll and rostering systems were selected to be the next implementation
    within the Shared Service Initiative. Following a tender process, IBM was selected as the prime
    contractor to both manage and implement systems for the remaining Queensland Government
    agencies within the Shared Services model. The State Government contract with the prime
    contractor was signed on 5 December 2007.
    Key aspects arising from project included:
     Under the contract, the first phase for Release 6 of the program was for the implementation of
    SAP HR at four agencies and completing the implementation of SAP Finance at one agency that
    was then underway.
     While the prime contractor was estimating the level of work to be performed in the
    implementation of the SAP systems at four agencies, planning work was also underway by the
    prime contractor on the project for replacing the LATTICE payroll system and the ESP rostering
    system. The strategy for replacing Queensland Health’s payroll system was to implement the
    Department of Housing model of SAP HR with very little customisation, and full WorkBrain
    rostering functionality. It was envisaged that the interim solution would be transitioned onto the
    whole of government solution as part of the overall program schedule.
     The initial planning and scoping of the LATTICE replacement interim solution was approved
    by CorpTech and subsequently undertaken and completed during November 2007 to
    January 2008.
     Basic rostering functions were documented in a Statement of Work (No. 12) and used as a basis
    for the Queensland Health implementation. In addition, basic award interpretation was built
    under Statement of Work (No. 5) however, a contract change request was processed to move
    some components of the award interpretation build to the specific Statement of Work related to
    Queensland Health.
    16 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
     The design, configuration, build, testing and implementation specification was documented in a
    Statement of Work for the LATTICE replacement interim solution. This Statement of Work was
    approved by CorpTech on 18 January 2008, with system completion initially scheduled for
    August 2008 at a cost of $6.19m for work to be completed by IBM. Queensland Health and
    CorpTech would meet their own additional costs.
     In June 2008, IBM submitted a proposal to implement the full LATTICE replacement system
    for Queensland Health. This change request reset the scope and final cost of the project.
     During October 2008, detailed planning revealed that the size, complexity and scope of this
    phase of the program had been severely underestimated, with the consequence that its revised
    implementation cost estimates significantly exceeded the original tender proposal.
     A key component of the reviewed implementation approach noted by the Cabinet Budget
    Review Committee in August 2009 was for the prime contractor to only complete the
    implementation of Queensland Health’s payroll system.
     From February 2008 to March 2010, the prime contractor submitted over 47 change requests
    which were approved by CorpTech. In general, these change requests were mainly due to the
    business requirements not being clearly articulated and agreed to at the outset of the project.
    As a result, the solution deployed for user acceptance testing continued to fail the test criteria
    and there were delays in the project schedule.
     The effective Go-Live date for the LATTICE replacement interim system was 14 March 2010,
    following approval provided by the Queensland Health Implementation of Continuity Project
    Board. The system implementation was over 18 months after the scheduled Go-Live date and
    approximately 300 per cent over the original cost budget for the prime contractor to deliver the
    interim LATTICE replacement solution. To date, amounts paid to the prime contractor for the
    implementation have totalled over $21m.
     Total program implementation costs incurred by all agencies in the development of the
    Queensland Health HR LATTICE replacement project are $64.5m. In addition, a further
    $37.5m has been paid to IBM for activities related to the whole of government system solutions.
    Key aspects arising from the system implementation include:
     Difficulties in system development resulted in delays in the finalisation of parallel and user
    acceptance testing that impacted on the quality of testing.
     Exception reports were not provided to business for the first payroll process to determine any
    anomalies produced by the new system.
     No contingency plans were prepared for business cut-over and no testing was undertaken in the
    production environment to determine whether the pays were correct prior to the first live payroll
    being produced.
     Some of the Enterprise Bargaining Agreement conditions and business policies placed an
    unrealistic pressure on the time available for payroll processing.
     The new system has far tighter business rules for many of the processes undertaken during the
    pay cycle. The full impact of those stricter business rules was not identified and included in the
    changed business practices needed for the new system.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 17
    2.3 Audit scope
    The audit assessed whether suitable controls and mechanisms were in place at the Department
    of Public Works and Queensland Health to support the effective delivery of the Queensland Health
    Implementation of Continuity Project.
    The scope of this audit was to evaluate the effectiveness of the Department of Public Work’s
    program and project management processes, and Queensland Health’s processes, in relation to
    the business readiness of, and transition to, new systems. The audit examined:
     the operation of program and project governance processes established to monitor and control
    the project and related aspects of the Department of Public Work’s Corporate Solutions Program
     a high level review of business process issues encountered after the system was implemented.
    The audit tested project management controls at the Department of Public Works and Queensland
    Health, including examining:
     project governance
     contract management of the prime contractor
     user acceptance and data conversion testing
     system and business readiness at the time of the Go-Live decision
     lessons learnt that could be applied to other government projects.
    While discussions have taken place with IBM, this audit did not include assessment of specific
    project processes and procedures undertaken within IBM. The management of IBM’s role is a
    responsibility of CorpTech.
    The audit assessed whether the information technology governance practices employed were
    consistent with practices outlined in international standards, and Queensland Government
    Information Standards. References used in the development of audit criteria included:
     Australian Standard 8015:2005 – Corporate Governance of Information and Communication
    Technology (ICT)
     Australian Standard 4360:2004 – Risk Management
     ISO/IEC 38500:2008 – Corporate Governance of Information Technology
     Queensland Government Program Management Methodology
     Managing Successful Programs, Office of Government Commerce, United Kingdom
     Queensland Government Project Management Methodology.
    18 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    2.4 Audit findings
    2.4.1 Project governance
    Background
    The governance structures of this project were complicated and in my view ineffective in
    establishing a shared understanding of stakeholder expectations in relation to the quality of project
    deliverables. When questioned by audit about the governance structure and the changes to the
    structure over the life of the project, different responses were provided by each stakeholder.
    Various versions documenting the governance structures were found to exist. The documented
    governance structure shown in Figure 2B was presented to and approved by the Executive Steering
    Committee (established in February 2008) on 19 June 2008.
    Figure 2B – Structure approved by Executive Steering Committee
    This governance structure was established to oversee the prime contractor model for the whole of
    government implementation. In October 2008, IBM advised that they had underestimated the size,
    complexity and scope of the whole of government implementation and that the revised cost
    estimate significantly exceeded its tendered cost and allocated funds. This later resulted in IBM’s
    role being revised to only the implementation of LATTICE replacement for Queensland Health.
    As the project progressed, it was found that the LATTICE replacement was a major project and
    therefore the whole of government organisational structure was not effective in controlling the
    Queensland Health project.
    Delivery Teams
    CEO Sponsor Group
    Executive Director, CorpTech
    Executive Steering Committee
    Program Delivery Director
    Strategic Program Offi ce
    Solution Design Authority Solution Steering
    Committee
    SSA Release CAB
    Committee1
    Health SSP
    Release
    Committee
    CAPS
    Release
    Committee
    CAB CAB CAB
    IBM

    SSP – chair and member of the Executive
    Steering Committee
    SDA Director – chair
    SDA representative
    ICAB – Infrastructure Change Advisory Board
    APCAB – Applications Change Advisory Board
    1 To meet program requirements SSA may
    establish multiple Release Committees.

    CAB = Change Advisory Board
    SDA = Solution Design Authority
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 19
    A new structure was established in June 2009, with the governing board known as the Queensland
    Health Implementation of Continuity (QHIC) Project Board. The Go-Live decision was made by the
    QHIC Project Board which became responsible for project delivery. The board comprised senior
    executives from Queensland Health, CorpTech and the prime contractor. Figure 2C shows the
    revised structure based on the documentation in the IBM contract change request.
    Figure 2C – Governing structure from June 2009 to March 2010
    QHIC Project Board
    (comprises senior offi cers
    from Queensland Health
    CorpTech and IBM)
    Portfolio
    Assurance
    Queensland
    Health Team
    Queensland
    Health SSP
    Team
    CorpTech Team Project Accountabilities
    Program
    Assurance
    Agency/Department Line
    Management Reporting
    Queensland
    Health
    Queensland
    Health SSP CorpTech
    Project Manager
    IBM
    Who was responsible?
    The program delivery office within IBM was responsible under the Prime Contractor Head
    Agreement for the whole of government HR and finance implementation, to take responsibility for
    stakeholder management, resource management, quality management and scope/change control
    management. For each agency implementation, a project governance structure was required to be
    established. One governance structure was documented in a Project Execution Plan produced by
    the prime contractor and signed off by CorpTech. Evidence of this document being circulated to
    Queensland Health representatives was not recorded in the document.
    CorpTech provides a whole of government role over the acquisition of information technology and
    is the owner of the SAP HR and WorkBrain systems. CorpTech’s role was to manage the prime
    contract with the prime contractor and be responsible for ensuring that deliverables from the prime
    contractor met the required time, cost and quality criteria for the agreed scope. As CorpTech or the
    prime contractor did not have authority over the Queensland Health project team, the
    implementation of governance structures was challenging.
    20 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    Queensland Health was the customer responsible for providing input to IBM in defining and
    negotiating business requirements and receiving the products after they met the quality criteria of
    CorpTech, the contract manager. The role of Queensland Health within the project included:
     to negotiate and sign off on business requirements
     to perform user acceptance testing ensuring that the system met the agreed business
    requirements
     to perform data conversion testing ensuring that data from the LATTICE payroll system had
    been completely and accurately converted to the new SAP HR and WorkBrain systems
     to train staff in using the SAP HR and WorkBrain systems
     to ensure the business readiness and action plan had been executed
     to ensure that the end user interface and system was suitable to support the Queensland Health
    Shared Services business model and processes.
    In addition, Queensland Health was responsible for ensuring that all employees would be correctly
    paid in accordance with award agreements.
    What went wrong?
    The responsibility for implementation and effective operation of the governance structures should
    be performed by government agencies involved in the project. The responsibility for development
    and implementation of project governance structures was included in the IBM contract. It is
    acknowledged that CorpTech took leadership and established the Executive Steering Committee in
    February 2008.
    The prime contractor was responsible for both managing the project and being the main supplier of
    services (including the establishment of business scope and requirements, developing project
    schedule, developing and configuring the system) to the project. Audit’s observation is that this type
    of arrangement creates difficulties in resolving issues that arise in contract management and there
    is also a potential for conflict of interest.
    With the exception of the Project Steering Committee and the Executive Steering Committee, there
    was no evidence of documented and approved terms of reference for various project related
    committees. Roles, responsibilities, accountabilities and authorities in relation to system ownership,
    data and processes were not clearly articulated and communicated to all parties at the outset
    of the project.
    A specific project management methodology was not applied throughout the life of the project by
    either the Department of Public Works or Queensland Health. Coupled with the complex tripartite
    arrangement consisting of IBM as the prime contractor, CorpTech and Queensland Health, resulted
    in various parties not always being clear about their responsibilities, authority and accountabilities.
    As a result there was at times confusion surrounding control and approval processes of the project.
    Shared Services is a complex arrangement. While numerous attempts were made to clarify roles
    and responsibilities, there still existed some tension between Queensland Health as owners of data
    and business processes, and the Department of Public Works as owner of the system.
    Responsibilities for different parts of the project were shared and in my opinion, it was not clear
    which Accountable Officer had responsibility for the overall governance and successful completion
    of the whole project.
    There was also disagreement within Queensland Health, as the key stakeholder agency, and the
    Queensland Health Shared Service Provider relating to ownership of HR and finance data,
    processes, and supporting systems and interfaces. This caused additional confusion among
    stakeholders in relation to roles and responsibilities, accountabilities and coordination.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 21
    Customer or key stakeholder buy-in has been described as a key success factor in project
    management, software development and implementation methodologies. The identification of the
    customer in this project was confusing. CorpTech signed all contract and project documents with
    the prime contractor. Sign-offs from Queensland Health for changes to the formal contract
    approved by CorpTech and project deliverables were not readily evident. For example, the
    conditions within contracts were signed by CorpTech, the prime contractor and the project scope
    document was signed by CorpTech and the prime contractor, with no documented endorsement
    by Queensland Health.
    The project scope was not formally agreed to by Queensland Health, and negotiations over the
    scope occurred throughout the project, resulting in over 47 change requests. In general, these
    change requests were required mainly due to the business requirements not being clearly
    articulated and agreed to at the outset of the project. As a result, the solution deployed for user
    acceptance testing continued to fail the test criteria, and there were delays in the project schedule,
    increasing the total IBM contract price from $6.19m to $24m. The concept of a fixed price contract
    in order to deliver certainty over cost to government was severely compromised due to the absence
    of an agreed scope from all key stakeholders from the beginning of the project.
    Learnings for future agency implementations
     For Shared Services systems implementation to be efficient and effective, the governance
    structure should cover all related parties. An end to end governance structure, including a
    project board, should be established at the outset of the project. The Queensland Government
    project management methodology should be used to guide the project through a controlled, well
    managed, transparent set of activities, to achieve the desired results. The membership of the
    project board should be carefully selected to include business transition or change managers to
    ensure smooth business transition occurs with the implementation of new systems.
     The governance structure, including roles, responsibilities, accountabilities and key performance
    indicators of all parties needs to be documented and signed by all key stakeholders. This should
    be approved and communicated effectively to all key stakeholders to ensure that everyone is
    clear about the intended outcome, how the outcomes are to be achieved and what
    responsibilities each party needs to fulfil in order to deliver those outcomes.
     A key component of the role of a project manager is to control the budget, schedule and most
    importantly, the scope of the project. In a large multi-million dollar project, it is important to
    implement segregation of duties between the senior supplier and the project manager to
    minimise the risk of a potential for conflict of interest.
     Complex relationships exist within Shared Services. Roles, responsibilities and accountabilities
    need to be clearly articulated and revisited throughout the life of the project to ensure there is
    continued clarity. The role of the Department of Public Works as the system owner needs to be
    exercised with rigour to ensure good practice systems development methodology is used to
    develop systems that can be supported and maintained efficiently. The role of the owner of
    relevant business processes, in this case the Queensland Health Shared Service Provider,
    need to be clearly articulated and exercised rigorously to ensure the smooth transition of
    business processes to new systems. The Queensland Health agency role as owner of their
    own related business processes and the party with the sole responsibility of ensuring that
    business outcomes are achieved needs to be clearly articulated and understood by all parties.
    A leadership role should be undertaken by each of the parties and any competing interests need
    to be resolved appropriately and in a timely manner so that the overall outcomes of the project
    can be achieved successfully.
    22 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
     A formal and structured project organisation change management process needs to be
    implemented. For example, when changes are made to governance structures, it should be
    clearly documented, approved and communicated to all parties so that there is a shared
    understanding of roles and responsibilities at all stages of the project.
     In accordance with the Queensland Government project management methodology, higher risk
    projects need to be periodically reviewed to ensure that risks are controlled and the project is on
    track. To provide a mechanism for this, the project needs to be broken up in to stages.
    End-stage reviews can then be performed so that the Project Board and departmental senior
    management can monitor and assess the continued viability of the project.
     In order to implement the review process, a structured project management methodology, such
    as the Queensland Government project management methodology needs to be implemented.
    This will enable consistency in the application of project management principles and an efficient
    and easy review process.
    2.4.2 Prime contract management and stakeholder engagement
    Background
    In August 2007, a review of the Shared Services implementation program known as the
    Corporate Solutions Program found that there were problems with the governance of the program
    and that the project timeframes would not be met within the original estimated budget. The review
    recommended that an experienced external organisation be appointed to complete the remaining
    system implementations required to consolidate finance and payroll systems. One of the key drivers
    for adopting the ‘prime contractor’ approach was to introduce higher certainty in both the time and
    cost to complete the Shared Services HR and finance implementation program.
    Following a tender process, IBM was selected as the preferred contractor under this ‘prime
    contractor’ approach in November 2007. The prime contractor’s responsibility was to take over the
    administrative role for project management, as well as the role of configuring and implementing the
    systems. The contract included a Head Agreement which documented the responsibilities of the
    parties, and that each piece of work would be conducted under a number of Statements of Works,
    which were appended to the contract.
    It was envisaged that the HR solution for Queensland Health would be based on the Department of
    Housing’s SAP payroll system, with minimal changes required for Queensland Health. In addition,
    there was the complexity of integrating the new SAP systems and the old Queensland Health
    finance system.
    To accelerate the implementation, the prime contractor proposed the use of the WorkBrain Awards
    Interpreter engine, which IBM advised would significantly reduce the development effort required to
    configure awards. WorkBrain interprets all the conditions of employment required to pay an
    employee’s entitlement.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 23
    The Department of Housing experience was also included in the prime contractor’s contract.
    Specifically, the prime contractor undertook to put in place strategies in the Queensland Health
    project in relation to the following issues that were noted as learnings from the Department of
    Housing implementation. These included:
     the Department of Housing was not adequately advised of the implementation activities and did
    not fully understand the impact of the change.
     post Go-Live support was not adequate and large numbers of adjustment transactions were not
    processed prior to Go-Live.
     payroll run times were too long and effectively locked users out of the system.
    All of the above issues manifested again in the Queensland Health payroll system implementation.
    What went wrong?
    The structure of the contract between the State and the prime contractor, managed by CorpTech,
    greatly contributed to the confusion of roles, responsibilities and execution of the project. As the
    contract administrator, CorpTech had the sole relationship with the prime contractor. This made
    Queensland Health’s roles and responsibility as a key stakeholder in the project unclear. For
    example, it was noted that change request documents only contained signed approvals from
    CorpTech and the prime contractor, with no approval or endorsement by Queensland Health.
    Stakeholder engagement was a key issue within the project. There was no process in place to
    ensure that Queensland Health signed off on key deliverables and therefore a shared
    understanding of each party’s requirements was not achieved.
    The prime contractor developed a statement of scope as one of the first deliverables and provided a
    best estimate of $6.13m to replace Queensland Health’s LATTICE payroll system. The assumption
    was that there would be a ‘like for like’ replacement, using the Department of Housing’s SAP
    system with very little customisation. Audit notes that the requirements of Queensland Health were
    significantly more complex than that of the Department of Housing because of the number of staff to
    be paid and the more complex award and rostering requirements of Queensland Health.
    The prime contractor then performed more detailed analysis of the work that would be required and
    developed, at a cost of $0.926m, the Statement of Work for LATTICE payroll system replacement.
    It is noted that after $0.926m of planning, the assumptions of ‘like for like’ replacement and very
    little customisation of the Department of Housing’s SAP system did not change. A fixed price
    contract for $6.194m was entered in to. The concept of a fixed price contract in order to deliver
    certainty over cost to government was not effective due to the absence of a fixed and signed off
    scope by Queensland Health from the outset of the project.
    The prime contractor did not meet the November 2008 implementation date. There was a lack of
    understanding and documentation of the comprehensive set of user requirements, and a new
    implementation date of May 2009 was established.
    24 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    However, an excessive number of high severity defects existed and the system was not stable.
    June, August and November 2009 implementation dates were also missed and the system was
    finally implemented in March 2010. The cost estimates escalated and at March 2010, the cost of the
    contract with the prime contractor for the delivery of the project was estimated to be in excess of
    $24m. IBM advised that there was significant tension in negotiating and managing the defect
    categorisation and resolution. In addition, IBM confirmed that there was a lack of clarity of roles and
    responsibilities of various stakeholders.
    The prime contractor also performed preparatory work for future implementations of the standard
    systems. As a result, a range of SAP libraries that CorpTech advised can potentially be used in
    future finance and HR implementation was delivered as part of the prime contractor’s engagement.
    Learnings for future implementations
     The structure of any future contracts within Shared Services needs to be carefully designed so
    that all key stakeholders have responsibilities assigned to them for the acceptance and sign-off
    of deliverables. As the Shared Services environment is complex, it is important to use structured
    methodology that allow for sophisticated relationships and complex co-ordination activities to be
    managed appropriately.
     Assumptions in the planning phase of projects need to be challenged rigorously by all
    stakeholders at various stages of the project.
     Statements of Works should be clearly articulated so that there is a shared understanding of
    both deliverables and key performance indicators.
     There needs to be tight controls over signing of scopes and requirements when entering into
    a contract for a third party.
    2.4.3 Business requirement and scope change control
    Background
    The initial specification of the business requirements for Queensland Health developed prior to the
    request for tender was inadequate. Within a systems development life cycle, there are many
    opportunities throughout the project, including the planning and design phases, to verify the
    requirements and re-assess assumptions. However, this process did not result in corrections to
    the original assumptions. The business requirements and business process mapping were not
    documented and signed off.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 25
    What went wrong?
    The underlying assumption stated by IBM in the Statement of Scope was: ‘Our understanding is
    that there is a relatively small amount of functionality required as a minimum to make the interim
    solution functional for Queensland Health that it is relatively small in nature’. 1 This assumption
    proved invalid mainly due to differences in the Queensland Health business requirements, including
    varied and complex award structures. While the Department of Housing’s implementation involved
    1200-1300 employees and one award structure, the Queensland Health payroll system
    implementation entailed approximately 78,000 employees and multiple award structures.
    Another key assumption was that the solution would be a ‘like for like’ replacement for the previous
    LATTICE payroll system. This assumption proved invalid as the foundation business rules of both
    systems are different. For example, more rigour and discipline is required in ensuring all rosters are
    uploaded into SAP HR before payments are made. In addition, there were a significant number of
    workarounds in processing pays through the LATTICE payroll system. These included other
    peripheral systems, which were not included in the ‘like for like’ system replacement.
    A planning exercise was undertaken to develop a Statement of Work for the LATTICE payroll
    system replacement project. This was an opportunity to challenge and revise original assumptions.
    These assumptions were not revised.
    A fixed price contract for this work was then entered into with IBM at a cost of $6.19m. However,
    the scope definition document that was delivered to form the basis of this fixed price document was
    not approved by all key stakeholders. CorpTech accepted the scope definition deliverable to enable
    work to progress, leaving scope clarification to be a matter of continued negotiation through change
    requests. The fixed price contract clearly documented that there were open issues, and further
    change requests would be required to clarify scope.
    It was not until September 2009, 20 months after the commencement of the project that the scope
    definition was formally approved by Queensland Health. The most significant change request was
    for an increase of $9m. This request was approved by the Department of Public Works on 30 June
  11. However, audit noted that the documentation of the scope change justifying the increase of
    $9m was delivered by the prime contractor after this date, on 17 July 2009, and was only formally
    accepted by the Queensland Health Project Directorate on 29 September 2009. Audit was advised
    that these time delays were the result of ongoing change requests in the interim.
    When the project moved into design phase, there was further opportunity to clarify scope however,
    this also proved to be ineffective. During user acceptance testing, a large number of defects were
    identified and there was frequent tension between the parties over whether the defects were actual
    defects or changes in business requirements, which ultimately led to further change requests and
    increased project costs.
    1 Statement of Scope 1 LATTICE Replacement Design, Implement, and Deploy.
    26 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    Learnings for future implementations
     Project scope is a critical component of the project initiation document within the Queensland
    Government project management methodology. It should be agreed upon and signed off by all
    key stakeholders as part of the project initiation phase.
     Business requirements should be clearly articulated, agreed upon and understood by all key
    stakeholders as part of the project initiation document. The business requirements and a draft
    contract should be included in the request for tender.
     The inherent risks with a ‘like for like’ replacement of one system with a different system should
    be analysed and managed. In particular, business process mapping needs to be performed to
    analyse the impact of the new system and assess how well the existing business processes,
    including any system workarounds, will be supported.
     A more effective contractual structure that required formal agreement of detailed design prior to
    system implementation would have identified a more accurate estimation of the expected costs
    of system implementation, prior to work being commenced.
     The Queensland Health SAP HR system being implemented as a separate instance, with a
    range of processes that are different from other agencies, is a clear example of the difficulties in
    standardising systems and processes. Large departments, like Queensland Health, need to
    review business processes with a view to standardising them across the department in the first
    instance and then, to the extent possible, with the rest of government agencies. In addition,
    manual processes, such as those currently used for leave applications, should be reviewed with
    a view to increased automation.
    2.4.4 Cost control and accountability
    Background
    Funding of $153m was approved by the Cabinet Budget Review Committee for program costs for
    the implementation of new financial and human resource systems (Corporate Solutions Program)
    across the Queensland Government on 22 November 2007. During this program, it was initially
    expected that a new HR system would be implemented at four agencies, together with the
    completion of the financial system implementations then underway. Subject to funding, HR and
    finance system implementations in a further four agencies were also expected to occur.
    Following detailed planning undertaken by the prime contractor, which was finalised in
    October 2008, a significantly reduced implementation approach was noted by the Cabinet Budget
    Review Committee on 21 September 2009, with the prime contractor to only complete the
    implementation of Queensland Health’s payroll system.
    Over the course of the project, CorpTech and Queensland Health were incurring, managing and
    monitoring their own project costs. This was in addition to CorpTech making progress payments to
    the prime contractor for their services.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 27
    What has the project cost?
    Figure 2D provides a summary of project implementation and other program costs incurred
    by all agencies. The effective Go-Live date for the LATTICE payroll system replacement was
    14 March 2010. The amounts paid to the prime contractor for the implementation have totalled
    over $21m, as indicated in Figure 2D.
    An amount of $3.3m is outstanding for commitments due upon system acceptance. The Go-Live
    date was 18 months after the original Go-Live date of August 2008 and approximately 300 per cent
    over the original cost budget of $6.19m.
    Figure 2D – Project implementation costs
    Agency Purpose Amounts paid
    to date $m
    CorpTech CorpTech resources provided $4.004
    Statement of Works 7 – Define the project scope $0.576
    Statement of Works 8 and 8A – Implement LATTICE replacement $21.029
    Queensland
    Health
    Health resources provided $38.900
    QHIC costs $64.509
    Paid to the prime
    contractor
    (other works)
    Statement of Works 1, 2, 3, 4, 5, 6, 11, 11A, 11B, 12, 13, 15, 24,
    and 40
    $37.449
    Total costs to end of March 2010 $101.958
    For the total cost of over $101.958m, the LATTICE replacement HR system at Queensland Health,
    together with a range of SAP technical libraries which could be used in future finance and HR
    systems implementation, have been delivered. CorpTech advised that these libraries have not
    translated into actual implementations at this stage.
    What went wrong?
    There was no one entity or officer monitoring and managing total project budget versus costs
    being incurred by all of the various stakeholders for the LATTICE payroll system replacement
    implementation. Therefore value for money and overall accountability for the project costs have
    not been regularly assessed and managed.
    Learnings for future implementations
     In accordance with the better practices outlined in the Queensland Government project
    management methodology, cost estimates should be based on the project’s product breakdown
    structure. That is, cost estimates should be dissected and outlined for each product in the
    product breakdown structure. These costs should then be monitored and reviewed at several
    points during the system implementation process. The allocation of total project funding to
    individual products in accordance with planned production schedules is a key control measure.
     Full project costs should be regularly reviewed and monitored by the Project Board.
    28 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    2.4.5 Parallel and user acceptance testing
    Background
    Parallel payroll testing was performed at the same time as user acceptance testing in July 2009.
    This parallel test included individual pay comparisons between the LATTICE payroll system and
    the SAP HR system for a sample of ten per cent of employees across all employee types. Two
    additional parallel testing activities were performed but individual pays were not compared, rather
    the average of the fortnightly totals was compared. There was a $1.2m discrepancy after
    adjustments between the two systems after the first stage of parallel testing was conducted. The
    second stage of parallel testing performed in February 2010 did not include casuals and overtime
    and the average gross fortnightly totals difference was only $30,000. It is noted that since Go-Live,
    significant issues have been reported by casual staff in relation to the process of their roster
    and pay details.
    User acceptance testing was primarily performed to enable Queensland Health users to test the
    end to end functionality of the system and to provide them with the confidence that the system met
    the business requirements. The user acceptance testing was performed over an estimated
    coverage of 60 per cent of the functionality of the new system, which was considered best practice
    by the independent software testing consultants engaged by Queensland Health. The methods
    employed throughout user acceptance testing included the use of automated testing tools such
    as Mercury Quality Centre and the execution of a substantial volume of test scripts created by
    business users.
    Defects found during the user acceptance testing were classified against a number of severity
    definitions which helped the project to prioritise their resolution. These definitions were:
     Severity 1 defect – show stopper
     Severity 2 defect – major
     Severity 3 defect – minor
     Severity 4 defect – cosmetic.
    During the third iteration of user acceptance testing, the Project Board agreed at their 9 July 2009
    meeting to revise the defect severity definitions. This decision resulted in a number of Severity 2
    defects being downgraded to Severity 3 defects. The Project Board also agreed to change the exit
    criteria for the fourth iteration of user acceptance testing to identifying no Severity 1 defects and
    putting in place a comprehensive management plan (Solution and Defect Management Plan) for
    Severity 2, 3 and 4 defects. The Project Board was of the opinion that a number of Severity 2
    defects had acceptable workarounds and would not result in incorrect pay calculations.
    These changes had a significant effect on allowing the project to pass the exit criteria for user
    acceptance testing. The outstanding Severity 2, 3 and 4 defects were to be resolved progressively
    post Go-Live with the first fixes to be implemented in production prior to the first pay run.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 29
    What went wrong?
    The parallel testing to verify individual pays was conducted over eight months before the Go-Live
    date of 14 March 2010. Many changes were made to the system after this testing however, no
    further parallel tests were done to compare individual employee pays.
    SAP recommended a full parallel pay run comparison between the LATTICE payroll system and the
    SAP HR system be planned and implemented prior to Go-Live. This recommendation was not
    accepted by the Project Board due to the size and complexity of undertaking this task. The Project
    Board assessed that there was no ability to do this on a standard pay run, and fortnightly average
    gross totals were compared. In making this decision, the Project Board did not implement other
    compensating assurance processes as to the capacity of the SAP HR system to operate as
    required in the processing of the departmental payroll. The absence of this level of assurance was
    not addressed through the preparation of specific performance reports and business contingency
    plans prior to the commencement of the new system.
    User acceptance testing was conducted for an extensive period. It was originally planned for
    11 weeks commencing from 28 November 2008, but continued during the period to
    10 February 2010. Significant time was spent on testing defects rather than on developing core
    business processes or functions to support the system. As the business requirements were not
    adequately defined, there was tension over whether the failed tests were actual defects or were
    a change in project scope.
    During execution of user acceptance testing, a significant number of defects were identified. Four
    iterations of user acceptance testing were carried out, with each attempt revealing many defects
    and user acceptance testing not meeting exit criteria. It is important to note that each iteration of
    user acceptance testing was performed within tight timeframes. In addition, the Project Board
    agreed to revise the definition of Severity 1 and Severity 2 defects that must be fixed prior to
    Go-Live to those defects affecting ‘pay only’, to help the project to pass the exit criteria for the fourth
    iteration of user acceptance testing. A defect management plan including manual workarounds was
    developed to overcome the impact of the outstanding defects.
    A testing specialist company was engaged by Queensland Health and was responsible for
    overseeing the management of user acceptance testing. In their completion report presented to the
    Queensland Health Project Directorate, they made the observation that there were too many
    functional defects in a system that was handed over as ready to Go-Live. In addition, they
    commented that planning and execution of testing was inefficient due to the drive to fix defects
    and perform testing in parallel.
    In January 2010, the testing company concluded the rollout could either be delayed until a full
    system and integration test was conducted or to accept the risk that functional scenarios not tested
    may not perform as expected. On 22 January 2010, the Project Board agreed to formally exit the
    fourth iteration of user acceptance testing and move onto technical cut-over activities.
    30 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    Learnings for future implementations
     Considering the number of defects identified in the eight month period prior to Go-Live and the
    subsequent changes to the system, there should have been an additional parallel test performed
    to compare individual pay results for a sample of employees.
     Business requirements, functional specification and technical design documents should
    be clearly documented and signed off. These should be used as the basis for preparing
    test plans.
     Adequate time should be allowed for data preparation and data migration.
     A more detailed risk analysis should be performed and documented prior to changing ratings on
    user acceptance criteria.
     Strict change control procedures should be implemented so that a stable user acceptance
    testing environment can be maintained for its duration.
     System useability testing of end to end business processes is absolutely essential in
    implementing a payroll system of this size and complexity. This testing would ensure that those
    users who prepare data for entry into the system are also involved in the testing phase and the
    system is tested in the environment similar to that in place once the system is implemented.
    2.4.6 System Go-Live decision
    Background
    After user acceptance testing exit criteria were met, the project moved into cut-over activities.
    These cut-over activities formed the basis for the final decision to Go-Live with the new system.
    The Project Board responsible for the Go-Live decision assessed that the three specific ‘gates’ and
    associated criteria were achieved in order for the system to Go-Live. The first gate was the approval
    to proceed to technical cut-over, followed by the gate to proceed into business cut-over and finally
    the gate to proceed to Go-Live.
    What went wrong?
    While a small number of criteria were not completed, the Project Board, on advice from the
    Project Directorate, agreed to progress to technical cut-over on the basis that these criteria were
    manageable risks and could be completed in time for the final Go-Live. A full risk profile and
    subsequent mitigation plan were created by the Project Directorate and presented to the Project
    Board for approval. However, the risks were not quantified to indicate the extent of the problem,
    should the risk materialise, that is, how many or what category of staff may not be paid.
    Recommendations for action in relation to the performance of WorkBrain were made and the risks
    relating to the scalability of WorkBrain were also accepted.
    Outstanding defects were transferred to the Defect and Solution Management Plan with critical fixes
    to the code to be migrated into the production environment after the system went live, and before
    the first pay run. It is not considered good practice to migrate code fixes into the production
    environment prior to the business cut-over. This increased the risk that the live system could
    become unstable, as only limited testing can be performed within a short period of time.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 31
    Learnings for future implementations
     Outstanding defects should be carefully considered with a risk and impact analysis to be
    performed for each defect. The risk should be quantified so that appropriate contingency plans
    can be developed and implemented.
     System performance issues should be actioned and properly tested, especially in systems that
    process large volumes of data.
     Post Go-Live code changes should be subjected to rigorous testing prior to business Go-Live
    until the system is stable and operating effectively.
    2.4.7 Business Go-Live decision
    Background
    It has been noted that significant rework has occurred as normal business practice within
    Queensland Health’s payroll processing. For example, in the eight pay periods prior to Go-Live,
    there was approximately 20 per cent rework of pays to ensure that pays were correct and in
    accordance with the Enterprise Bargaining Agreement. Staff were familiar with the LATTICE payroll
    system reports and the subsequent workarounds therefore recognising rework requirements and
    the subsequent procedures were performed as a routine task under the LATTICE payroll system.
    A number of different forms are used by districts for time sheets and rosters. Payroll staff using the
    LATTICE payroll system were familiar with these forms, therefore data entry was reasonably
    efficient in the LATTICE payroll system. The lack of familiarity of payroll staff with the changes
    resulting from the new system contributed to the slow processing that was experienced in the first
    few pay runs.
    What went wrong?
    Exception reports were not provided to business for the first pay run to determine anomalies in
    individual pays. In addition, staff were not familiar with the new system and procedures. As a result,
    anomalies in pay were not identified or rectified in time. Exception reports are now being produced
    and more checking is occurring to identify issues and make alternate arrangements for paying
    affected staff. A Payroll Stabilisation Project has been established for this purpose.
    There was no contingency planning for business cut-over. For example, there was no planning to
    test for different categories of staff or awards in the production environment when the system went
    live to determine whether the pays were correct and then subsequently, for handling ‘no pays’ or
    ‘incorrect pays’ should this risk materialise. These processes have now been put in place through
    the Payroll Stabilisation Project.
    Queensland Health processes in relation to preparing data for input into the system are dispersed
    across the State. A number of different forms for timesheets and rosters are used by various
    districts and sent to the Queensland Health Shared Service Provider for processing. The forms are
    not standardised therefore, with a new system that had a different ‘look’ and ‘feel’, the process of
    data entry became slower.
    Some of the current Enterprise Bargaining Agreements put unrealistic pressure on the time
    available for payroll processing. Some awards are complex and not able to be interpreted fully by
    the system, requiring an increased number of workarounds and adjustments which need to be
    made in each pay cycle within the short period between the pay run and the time that the pay
    needs to be banked. There are also 24,000 different combinations of how Queensland Health
    staff can be paid.
    32 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    There were significant pressures on the Queensland Health Shared Service Provider to process
    payroll transactions for the first pay under the new system within a reduced processing window of
    one week instead of two weeks. Although the processing window for the first use of a new payroll
    system would normally be reduced, the need for the implementation of some system changes to
    address anomalies identified in testing further reduced the effective time available for data entry for
    the first pay run. This resulted in a significant backlog of unprocessed transactions at the time the
    system was implemented on 14 March 2010.
    The new system has strict business rules and does not allow processing to continue unless
    there is compliance with these rules. For example, ‘no roster, no pay’, was a key message sent
    out to payroll processing areas and yet there were still a number of rosters that had not been
    entered into the system prior to the Go-Live implementation. Also, if the rostered hours are more
    than award requirements, the roster will be rejected. This issue is referred to line managers who
    must change the rosters before they can be re-entered into the system. Additionally, if staff
    movements and new hires are not processed in SAP HR, a valid roster could not be generated in
    WorkBrain. These activities are time consuming and have contributed to the continued backlog in
    payroll processing.
    Learnings for Queensland Health and future implementations
     Trial pay runs and exception reports are key internal controls and should form an
    integral component of system development and implementation along with the related
    business processes.
     A production testing plan should be put in place and performed alongside normal operations,
    after Go-Live for a pre-defined number of cycles to ensure accuracy and completeness of the
    system results. Critical systems implementation like payroll should have extensive business
    continuity plans developed and implemented prior to Go-Live.
     Processing backlogs should be minimised prior to Go-Live with a new system. This was a key
    issue which also impacted the Department of Housing implementation.
     Queensland Health payroll processes, including forms, need to be reviewed for consistency.
    Processes should be automated as much as possible to improve efficiency. For example, other
    government departments have implemented Employee Self Service, which allows for simple
    tasks like leave applications to be completed on-line.
     Consideration needs to be given to simplifying the award structures so that they can be fully
    automated. The number of payroll calculation groups and pay rules should also be examined
    with a view to reducing the number of different combinations in which an employee can be paid.
    This will increase the effectiveness and efficiency of the payroll process.
    Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project 33
    2.5 Post Go-Live issues
    There are a number of serious issues which existed at the time of implementation of the system
    on 14 March 2010 which have or are in the process of being addressed by Queensland Health.
    These include:
     The rostering system had serious performance issues during the processing of the first pay run.
    It was running slowly in some regional centres, significantly increasing the time taken to load
    employee rosters. A defect relating to the performance of WorkBrain when publishing rosters
    was identified as a Severity 2 defect but downgraded to Severity 3 in the defect management
    plan. This defect had not been fixed prior to Go-Live, but has since been fixed. It was found to
    be a contributor in slow WorkBrain performance at the time of Go-Live.
     Rostering to payroll integration issues resulted from slow system performance. The system has
    now been adjusted and there has been some improvement in performance.
     Overnight batch jobs were taking longer than expected, and larger than expected numbers of
    records were being processed, reducing the available time for Queensland Health staff to enter
    payroll adjustments. This batch processing time is now being monitored closely and has been
    improved in order to complete processes within acceptable timeframes.
     Due to payroll processing issues, there was a backlog of exceptions, new starters, terminations
    and staff movements to be processed by the Queensland Health Shared Service Provider.
    The backlog is currently being addressed through the Payroll Stabilisation Project.
     The Queensland Health Shared Service Provider changed some key business processes as
    part of Go-Live of the system, including the introduction of new fax servers to transmit roster
    information to the payroll processing hubs and separating employee duties between rostering
    and payroll systems. These issues had the effect of reducing the ability of Queensland Health
    regional staff to respond quickly to local pay queries and issues from staff.
     There was incorrect classification of some employees within the SAP HR enterprise
    structure and calculation groups. If an employee was not in the correct enterprise structure
    and calculation group, the employee would not have been paid correctly. This issue has now
    been addressed.
     There were some data conversion issues whereby temporary employees did not have their
    employment end dates updated and these employees did not get paid. This issue has now
    been addressed.
     A sample of the payroll anomalies identified by Queensland Health staff since Go-Live has been
    reviewed by audit. These anomalies have occurred in a pressured environment where the
    number of payroll staff has been significantly increased in a relatively short period of time to
    address the workload volume. The causes of the issues generally related to:
    – Adjustments not being processed prior to a pay run due to the work backlog at the
    Queensland Health Shared Service Provider. The pays for subsequent periods have then
    been incorrect until the adjustment notification is processed and corrections made for the
    whole period.
    – Roster and other pay adjustments being incorrectly processed into the system due to a
    number of causes.
    – Manual adjustments to reflect non-standard payment conditions being made incorrectly due
    to error.
    – Difficulties in the interpretation of award and roster provisions and their application for
    individual employees whose entitlements may vary from period to period.
    34 Auditor-General Report to Parliament No. 7 for 2010 | Queensland Health Implementation of Continuity Project
    – Difficulty for staff in understanding the complexity of the information contained in the payslip.
    – The lack of clarity for some staff about the implications of the ad hoc pay arrangements and
    the reconciliation between the receipt of payment in one pay cycle and the related payslips
    which are received in a different pay cycle.
     It has been noted that the post Go-Live governance structures lack a clear end to end process
    focus which can make decisions at a whole of program level to ensure proper accountabilities
    for resolution of business issues, technical system modifications and management of the prime
    contractor in the post Go-Live environment.
     It is noted that CorpTech is pursing remedies available to the State under the contractual
    arrangements with the prime contractor for this project.
    The Payroll Stabilisation Project has addressed a range of issues resulting in inaccurate payments
    to staff. The extent of incorrect payments to individual staff continues to be identified. Action to
    identify and correct these payments is expected to continue for some time. The audit of this action
    will be a significant issue which will be further examined during the finalisation of the auditor’s
    opinion for the 2009-10 financial statements for Queensland Health.
    Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance 35
    3 | Program management
    and governance
    Summary
    Background
    Program management is the coordinated organisation, direction and implementation of a group of
    projects and activities that together achieve the outcomes and realise benefits that are of strategic
    importance. The projects in the program should be managed in a coordinated way to obtain
    benefits and a level of control not available from managing the projects individually.
    Programs should be designed to deliver both outcomes and benefits. Outcomes are delivered
    through implementation of project outputs and may eventually lead to benefits such as
    improvement in performance or capacity. Program management requires resourcing with
    appropriately skilled and experienced individuals, in order to take on the responsibilities and
    carry out the management activities involved in successful performance.
    Key findings
     Program management at Department of Public Works: The audit of three major programs
    examined at Department of Public Works found that the Queensland Government Program
    Management Methodology was being progressively implemented. However, all programs were
    behind schedule and governance of the programs needed improvement. The implementation
    of governance processes that are visible to key stakeholders will improve the transparency of
    decisions made and ensure that management action can be taken at key points in the
    program. In addition, whole of government programs need to have comprehensive benefits
    management frameworks and processes in place to measure and report overall business
    value achieved by the Government.
     Information technology project governance and project management at Department of
    Education and Training: Following the 2009 audit, information technology governance at
    Department of Education and Training is developing with the initial steps for the establishment
    of a governance framework being undertaken. The implementation of recommendations to
    improve OneSchool’s project management is progressing satisfactorily with action taken to
    address all issues.
    36 Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance
    3.1 Program management at
    Department of Public Works
    3.1.1 Audit overview
    Large corporations and government have recognised the need to define program management
    methodologies to ensure related projects deliver synergies and tangible business benefits.
    Historically, information technology related programs and projects have experienced a high failure
    rate and so are of significant interest.
    A program often consists of several inter-related projects with each project designed to deliver a
    specific capability. Effective program management entails the coordination of a number of projects
    and oversees the realisation of the benefit from the investment, such as ensuring the right
    capabilities are delivered and are integrated into the organisation.
    The governance and management controls of three programs at the Department of Public Works
    were audited as at February 2010. The Queensland Government Program Management
    Methodology was used as a good practice benchmark against which each of the programs was
    assessed. These programs were established to manage expenditure of approximately $545m in
    information technology related capabilities. The programs were initiated with the expectation of
    significant financial savings and other benefits to government.
    3.1.2 Audit opinion
    Overall, the audit found that the Queensland Government Program Management Methodology was
    being progressively implemented. However, all three programs were behind schedule and the
    governance needed improvement. Key mechanisms to ensure that the programs remained viable,
    and that government obtained the full benefits from the investments, were not fully implemented. As
    a result, the department could not demonstrate to audit whether the government would realise the
    full benefits, including savings that were expected from the estimated $545m of expenditure.
    In particular, the governance frameworks for two of the programs were established at the business
    unit level and were largely focused on implementing the technology rather than delivering whole of
    government business outcomes. In addition, the program boards of these two programs did not
    include representative stakeholders that had the authority to drive the program forward and to
    enable the necessary end to end business transformation. This also resulted in a lack of
    transparency in relation to reasons for key decisions and the way that these decisions would
    impact on client agencies.
    The governance structure for the third program was set up differently, with more input from the
    client agencies on business outcomes. However, from a program perspective, it appeared to be
    a series of separate projects rather than a coordinated program. This program has undergone
    significant changes in its delivery methods and this has resulted in significant delays in achieving
    outcomes. During the audit, it was noted that management had recognised and was committed to
    strengthening the governance arrangements for the next phase of this program.
    Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance 37
    3.1.3 Audit scope
    The objectives of the audit were to determine whether appropriate governance and management
    controls were implemented over three major programs. The main focus was to ascertain whether
    processes existed to ensure corresponding benefits were realised from the major investments.
    The following programs were examined:
     ICT Consolidation Program (ICTC), previously known as the Technology Transformation
    Program (TTP)
     Identity, Directory and Email Services (IDES)
     Corporate Solutions Program (CSP).
    The scope of the audit did not include examining the probity of procurement decisions made as part
    of managing these projects.
    3.1.4 Audit findings
    While each of the programs were established to achieve different outcomes, the governance issues
    noted were similar across all three programs albeit at varying degrees of significance within the
    range of control aspects that were audited. The key findings included:
     Each program was delayed from its original completion date, as shown in Figure 3A. It should
    be noted that all of the programs have changed direction, scope and methods of delivery since
    inception, this has contributed significantly to the delays.
    Figure 3A – Completion dates of programs audited
    Program Program description Original
    completion date
    Current estimated
    completion date
    ICTC
    (formerly TTP)
    CITEC managed program to establish
    foundation infrastructure to enable
    whole of government consolidation of
    CBD data centres, networks and
    infrastructure services.
    July 2010 October 2011
    IDES CITEC managed program to deliver whole
    of government email, identity management
    and authentication service.
    December 2009 June 2011
    CSP CorpTech managed program to implement
    whole of government finance and HR
    systems and system support processes.
    2006 2015
     Many of the controls within all three programs were typical of a project management scheme to
    manage schedules, capabilities and costs.
     The governance of investments at the program levels was insufficient to demonstrate that the
    delivery of benefits, including savings to government, was a key driver within the programs.
    The baselines, recording, monitoring and reporting of benefits did not form part of program
    documentation. In addition, there was no evidence of a correlation of the savings to costs
    incurred in achieving those savings.
     The ICTC program had undergone significant changes after its original business case was
    documented. A financial assumptions paper was prepared for the program and approval was
    obtained from the Treasurer for an outlay of $44m for the program. However, a formal business
    case was not developed and presented to the Cabinet Budget Review Committee.
    38 Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance
     Program boards for ICTC and IDES did not include stakeholder representatives that had the
    authority and responsibility to drive the program forward and to deliver the business outcomes
    and benefits at a whole of government level.
     While project reviews were performed, there were no regular reviews of the effectiveness of
    program level controls.
     Risk management processes in terms of scope, consistency and executive management
    reporting were not consistently applied across each of the three programs.
     While the program governance structure did not include sponsoring groups, Department of
    Public Works was in the process of implementing new governance arrangements to support the
    whole of government ICT strategy (Toward Q2 through ICT). The department informed that one
    of the sub-committees within this governance structure would be empowered to ensure the
    alignment of the programs to whole of government strategic objectives and to confirm the
    successful delivery and sign-offs of the programs.
    3.1.5 ICT Consolidation Program (ICTC)
    Program background
    In response to the Service Delivery and Performance Commission’s Report on ICT Governance in
    the Queensland Government (October 2006), (SDPC Report), a business case was developed
    for full consolidation of the government ICT environment. The funding outlay for full consolidation
    was considered to be high, and in 2008, the Cabinet Budget Review Committee requested an
    accelerated technology consolidation program that would return savings to government. The aim of
    the ICTC program was to establish the foundation infrastructure to enable whole of government
    consolidation of CBD data centres, networks and infrastructure services. The program was
    expected to run for two years and to deliver recurrent benefits of $8.2m from July 2010. In the
    meantime, the government acquired a new data centre and the ICTC program focussed on
    implementing a transitional network that would enable use of the new data centre.
    The program includes the following projects:
     Organisational change management – preparing departments for consolidation by facilitating
    people management and associated industry engagement.
     Consolidation planning and transition – planning and executing migration to the consolidated
    environment using roadmaps and application renationalisation tools.
     Foundation infrastructure and procurement – planning, buying and building the products that
    deliver whole of government consolidation.
    In September 2009, the ICTC program was transitioned to CITEC from the Office of Government
    Chief Information Officer to continue implementing the government’s ICT consolidation agenda, with
    an expected timeframe of two years to October 2011. When the program was revised, it was not
    clear whether the monetary benefit of $8.2m was still achievable. This was because future costs
    that CITEC was expected to charge clients had not been determined.
    The original program had a budget of $44m approved by the Treasurer. At January 2010, program
    funds spent were $12.17m ($9.34m in operating expenditure, and $2.83m in capital expenditure).
    Audit was advised that the program was expected to be completed within the original financial
    budget, but with an extended timeframe.
    Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance 39
    Audit findings
    In its current form, this program is not designed or structured to achieve full technology
    consolidation. While a new data centre and a transitional network was established, significant work
    was still to be performed to further consolidate various layers of technology, and to gain agency
    uptake for those services. The direction of the current program was to implement infrastructure that
    would enable agencies to consolidate and rationalise their ICT environment at their own discretion.
     An approved business case that clearly identified the benefits to be realised could not be
    identified. The program was expected to realise benefits of $8.2m annually from July 2010.
    However, as at January 2010, there was no method of identifying, recording, tracking and
    reporting demonstrable financial benefits for the ICTC program.
     An ICTC program board was being established at the time of audit. A program board with
    adequate stakeholder representation, that had the authority to drive the program forward and to
    deliver the outcomes and benefits, was not in place since the program began in June 2008, and
    subsequently transferred to CITEC in September 2009.
     There were no formal reviews of the program being performed at regular intervals since the
    project was transitioned to CITEC. The reporting of program costs did not contain sufficient
    detail to match milestones compared to funds spent. In addition, there was no evidence of a
    formal process to measure and monitor stakeholder engagement.
     A clear set of measurable benefits expected to be realised were identified at a program level.
    However, specific measures had not been defined, and there was no benefits management plan
    to consolidate benefits measures for all stakeholders impacted by the program. It was also
    identified that benefits reporting focused on agency uptake of the program’s solution, and not on
    benefits to stakeholders of the program. Consequently, the benefits analysis did not directly link
    to the program benefits.
    3.1.6 Identity, Directory and Email Services (IDES)
    Program background
    The IDES program aims to deliver a whole of government email, identity management and
    authentication service, managed and operated by CITEC, to facilitate secure access to data and
    applications for Queensland Government employees across the State.
    The IDES program was created in response to a recommendation in the SDPC report in 2006 that
    identified the need to examine the costs and benefits of taking a shared approach to the delivery of
    various ‘essential ancillary services’ including: identity and directory services, authentication,
    security certificates and email services. A business case for IDES was completed by the
    Department of Public Works in October 2007. It identified that estimated savings of $123m could
    be achieved over ten years, compared to the cost of agencies operating on separate platforms.
    Cabinet approved expenditure of $252m over ten years for the IDES program in December 2007.
    At this time the program was transferred to CITEC for implementation.
    40 Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance
    Audit findings
    The IDES program is a key program for the Queensland Government in driving efficiency through
    ICT. It is imperative that on a program of this size and significance that strong program governance
    controls are operating to ensure that management action can be taken at key points in the program
    and that the program remains on track. Controls over governance and benefits realisation need to
    be improved to ensure that the program delivers both the expected capability and benefit to
    Queensland Government.
     IDES was expected to transition all existing Microsoft Exchange agencies to the whole of
    government platform within 24 months (i.e. by December 2009). Delays were experienced and
    the program’s expected completion date was extended to June 2011. The implementation phase
    plan was originally expected to be completed and approved by 8 December 2008. However,
    actual delivery of this milestone occurred on 18 September 2009.
     The funding for the program’s costs of $252m was sourced from CITEC fees to agencies
    from using the new service offering, and a loan of $45m to cover the shortfall from fees
    collected and program costs within the first three years of the program. As a result of delays
    in implementation, losses would also be incurred in year four. However, the loan was expected
    to be repaid with interest within nine years, from revenues collected for the new service offering
    to agencies. This was based on the assumption that IDES would deliver 80,000 seats by
    June 2011.
     As at January 2010, the IDES program had recorded expenditure of $14m. The original
    business case expected expenditure within the first three years of the program (2007-08 to
    2009-10) to be $43m. The department reported that the significantly lower level of expenditure
    than originally expected was related to the delays the program had experienced.
     While processes were in place for progress reporting and monitoring, there was no program
    board with adequate stakeholder representation that had the authority to drive the program
    forward and to deliver the outcomes and benefits. Changes to the program’s schedule were
    not made in accordance with the program’s change control process. As a result of the lack of
    stakeholder representation on the governance board, only CITEC was involved in decisions
    regarding the program’s schedule. In addition, there were no formal, regular reviews being
    performed of the program’s effectiveness over processes relating to risks, issue, benefits,
    and program management activities.
     The governance framework in place at the time of audit was focused more on delivering
    capability, rather than delivering capability and benefits. A good framework for the management
    of benefits realisation was identified for the IDES program, with clear linkage between benefits,
    investment objectives, benefits measures, changes required to realise the benefits, and a
    documented Benefits Realisation Plan. However, the effectiveness of this process was limited
    as baseline and target measures were not defined for each stakeholder. As a result, it was not
    clear when and how benefits were expected to be realised, and whether the magnitude of
    benefits initially expected to be realised remained realistic.
     As the governance arrangements did not include the role of a Business Change Manager, the
    CITEC Board that was in place for IDES could not drive the delivery of both capability and
    benefits. Under such arrangements, there is a risk the program may deliver on capability that
    may not translate into benefits.
    Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance 41
    3.1.7 Corporate Solutions Program (CSP)
    Program background
    In August 2005, the Shared Services Solution was established to design and build a whole of
    government finance and HR solution with a capital budget of $125m. This budget was later revised
    to $190m in 2006 and then to $249m in 2007.
    The original business case for the Shared Service Initiative projected annual savings of $100m
    once fully implemented. Full implementation would represent one standard finance and HR solution
    supported by standard business processes. Implementation of a standard solution across all
    departments proved to be a slow and challenging process. The original implementation date was
    2006, but due to the size and complexity of the finance and HR solution, timetables were adjusted.
    A review of the program commissioned by the Shared Service Program and Policy Office in 2007
    identified that there were problems with the governance of the program and that the project
    timeframes would not be met within the original estimated funding requirement. Following a
    tender process, IBM was selected as the prime contractor and funding of $153m was approved
    by Cabinet Budget Review Committee for Phase 1 of the Corporate Solutions Program (CSP)
    in November 2007.
    During Phase 1 of the program, it was expected that a new HR system would be implemented for
    four agencies and the finance system implementation that was then underway would be completed.
    Subject to funding, HR and finance implementations in a further four agencies were also expected
    to occur. In September 2009, the prime contractor’s role was changed to only include the
    replacement of Queensland Health’s payroll system.
    A revised implementation approach was developed. This proposed approach changed the program
    direction from a single standard HR and finance environment to a multiple-systems HR and finance
    environment. The key components of this approach included:
     the prime contractor to complete the implementation of the Queensland Health Payroll system
     Department of Education and Training to remain on its existing HR and payroll system
     consolidation of existing agencies to a smaller number of supported HR and finance systems.
    As at March 2010, 12 implementations of the new finance system and one implementation of
    the new human resource system were completed. There were eight Legacy SAP systems, four
    Aurion payroll systems, three LATTICE Payroll systems, and one TSS payroll system still to be
    consolidated. In addition, separate instances of SAP and Aurion were maintained by CITEC as its
    business systems. These systems are shown in Figure 3B. At the time of this audit, a program
    roadmap in line with the new direction was being developed.
    The $100m in annual savings originally expected to be realised by 2006 are expected to be
    achieved by 2012-2013.
    42 Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance
    Figure 3B – Systems implemented by Shared Services
    System
    instance
    Communities Community
    Safety
    Education
    and
    Training
    Employment,
    Economic
    Development
    and
    Innovation
    Environment
    and Resource
    Management
    Infrastructure
    and Planning
    Justice
    and
    Attorney-
    General
    Premier
    and
    Cabinet
    Public
    Works
    Transport
    and Main
    Roads
    Health Police Treasury
    ECC5        
    ECC5 HR
    Health

    SAP 3.1i
    PWP

    SAP 4.6C
    CSA

    SAP 4.6C
    HQP

    SAP 4.6C
    CSP
      
    SAP 4.6C
    TPP

    SAP 4.6C
    CITEC

    SAP 4.6B
    QTP
      
    SAP 4.6B
    Health

    Aurion –
    ACE
        
    Aurion –
    DPW

    Aurion –
    DET

    Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance 43
    System
    instance
    Communities Community
    Safety
    Education
    and
    Training
    Employment,
    Economic
    Development
    and
    Innovation
    Environment
    and Resource
    Management
    Infrastructure
    and Planning
    Justice
    and
    Attorney-
    General
    Premier
    and
    Cabinet
    Public
    Works
    Transport
    and Main
    Roads
    Health Police Treasury
    Aurion –
    QPS

    Aurion –
    CITEC

    TSS 
    LATTICE –
    Corrective
    Services

    LATTICE –
    Emergency
    Services

    44 Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance
    Audit findings
    To maximise the value proposition within Shared services, the concept needs to be better
    understood at all levels within agencies and Shared Service Providers. It has been approximately
    eight years since its inception and there are still a number of different systems. A recent
    implementation of Queensland Health Payroll was a separate instance of SAP HR. With all the
    problems that have been experienced during the implementation, it is unlikely that Queensland
    Health payroll will be migrated to a whole of government solution. It is understandable that there
    are complexities in implementing a single system for all agencies. However, continuous effort needs
    to be made in agencies examining their business processes and business rules, with a view to
    simplifying and to standardising them across the agency in the first instance and then, where
    possible, across government.
    In addition, the following was noted:
     Visibility of program-level risks to key stakeholders – Program-level risks specific to CorpTech
    were only visible to CorpTech management and were not monitored by a governance board that
    had representation from key stakeholders.
     Documentation of program-level controls – The monitoring and control processes for the overall
    program had not been consolidated into a formal program plan.
     Benefits realisation process – There was no overall management of benefits realisation to
    identify, track and report total program benefits, including benefits to stakeholders and benefits
    to CorpTech as a service provider.
     Program reviews – Whilst project reviews did occur, there were no formal, regular reviews being
    performed of the effectiveness of the overall program’s processes reported to a governance
    board with stakeholder representation.
     Stakeholder engagement – The communication plan for the program did not adequately address
    how the program would engage with stakeholders. In addition, the plan was not formally
    approved by management.
    Given the magnitude of the CSP and its significance to the whole of government, stakeholder
    confidence in the program is key to its success. Implementation of governance processes that are
    visible to key stakeholders will improve the transparency of decisions made and ensure that
    management action can be taken at key points in the program.
    Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance 45
    3.2 Information technology project
    governance and project management at
    Department of Education and Training
    3.2.1 Audit overview
    In early 2009, a high level audit was performed of information technology governance processes at
    the Department of Education and Training. It was extended to include a follow up of a prior year
    audit on project management within the OneSchool program. The audit identified that an
    information technology governance framework across the department had not been documented.
    As a result, there was no shared understanding of the roles, responsibilities and accountabilities of
    the various stakeholders including the department’s Shared Service Provider, Corporate and
    Professional Services.
    A follow up audit has been performed to ascertain the status of the implementation of prior year
    audit recommendations relating to information technology governance and the OneSchool program.
    In May 2009, the department restructured the delivery of corporate services and Corporate and
    Professional Services, Department of Education and Training’s Shared Services provider, was
    disbanded. The information technology function previously provided by Corporate and Professional
    Services now form part of the Department of Education and Training’s Information and
    Technologies Branch.
    3.2.2 Audit opinion
    Appropriate action is being taken by the Department of Education and Training to address all the
    recommendations made during the 2009 audit. Specific action taken by the department in relation
    to information technology governance and OneSchool’s information technology project
    management is discussed below.
    Information technology governance
    Information technology governance at the Department of Education and Training is still at the
    developing stage. The initial steps for the establishment of an information technology governance
    framework have been undertaken, including documentation of the framework and the creation of
    governance committees. Implementation of some aspects of the framework was in progress, as
    shown below:
     A role has been created for the coordination of information technology related business
    continuity however, the information technology Business Continuity Plan and Disaster Recovery
    Plan were not finalised. Audit was advised that changes to the Department of Education and
    Training’s organisational environment during the third and fourth quarter of 2008-09 impacted
    on the release of these documents.
     Regular Information Security Committee (ISC) meetings were held quarterly. Reporting to the
    ISC commenced on the key areas of risks, security, information technology spend and key
    projects. The ISC had only received one report at the time of the audit.
    46 Auditor-General Report to Parliament No. 7 for 2010 | Program management and governance
     Roles were created to segregate the management and operational functions of security
    however, the implementation of operational security responsibilities and the compliance function
    had not occurred. An action plan addressing the implementation had been developed but was
    pending approval by ISC.
    The 2009 audit resulted in eight issues, including 18 audit recommendations, being raised with
    management. The overall status of the implementation of the audit recommendations by the
    Department of Education and Training is as follows:
     Five recommendations were implemented and one recommendation partially implemented. The
    implementation of these recommendations addressed weaknesses in relation to project
    management, business continuity planning and security management.
     Issues relating to six recommendations were re-raised during this follow up audit. Management
    advised that they were in the process of implementing these recommendations. These related to
    information technology business continuity and disaster recovery planning, project portfolio
    management, the effectiveness of the information steering committee and the implementation of
    operational security processes.
     No conclusion could be made on the operational effectiveness of the remaining six
    recommendations as enough time had not passed to allow gathering of appropriate
    audit evidence.
    Information technology project management
    In mid 2008 a high level audit of OneSchool was performed against better practice project
    management principles. The audit highlighted that the OneSchool’s governance framework could
    be enhanced through improving controls relating to scope, time, cost and quality. Seven issues,
    including 18 audit recommendations, were raised as a result of the audit. The follow up audit in
    2009 had identified that 11 recommendations remained outstanding.
    Satisfactory progress is being made by the Department of Education and Training on implementing
    the audit recommendations. The overall status of the implementation of the audit recommendations
    is as follows:
     Six recommendations were implemented and one recommendation was in the process of being
    implemented. The implementation of these recommendations addressed weaknesses in relation
    to the project governance structure and the creation and approval of key project documents.
     An issue has been re-raised in relation to key project documentation that could not be
    located within the OneSchool Document Register. This recommendation was in the process
    of being addressed.
    For the remaining three recommendations about project status reporting, quality management of
    supplier contracts and project variations, no conclusion could be made on their operational
    effectiveness as sufficient time had not passed since their implementation to enable the gathering
    of appropriate audit evidence.
    Auditor-General Report to Parliament No. 7 for 2010 | Information security 47
    4 | Information security
    Summary
    Background
    Information systems are relied upon for efficient and effective service delivery. Security
    of information within these systems and infrastructure are integral components of
    day-to-day business.
    Information security means protecting information and information systems from unauthorised
    access, use, disclosure, disruption, modification or destruction.
    Key activities
     Patient information security at Queensland Health: Suitable systems and frameworks are in
    place to ensure effective safeguarding of patient information however, some control gaps were
    identified that could impact on the security and privacy of patient information.
     Information technology network security: Although all eight entities had acted to improve
    network security following the 2009 audit with 34 per cent of the issues now resolved, action
    has yet to be taken on a number of significant recommendations. Urgent action is needed to
    address these issues.
    48 Auditor-General Report to Parliament No. 7 for 2010 | Information security
    4.1 Patient information security
    at Queensland Health
    4.1.1 Audit overview
    Patient information plays an essential role in Queensland Health’s service delivery, including
    planning and decision making, patient consultation, treatment and clinical practice and research.
    The effective safeguard of this information is therefore vital to the service that Queensland Health
    provides to the general public and helps to sustain confidence in the public health system.
    To improve the effectiveness of service delivery, Queensland Health is shifting its focus to
    enterprise wide systems and an integrated health system (including internal and external working
    partnerships) through various initiatives including the e-Health program. It is anticipated that this will
    improve service delivery but will require enhanced information system environments with additional
    layers of complexity, increasing the need for improved security of the systems holding patient
    information. The increasing dependence on computerised medical records will also require
    Queensland Health to provide assurance that their systems are resilient in the presence of a fault
    or other adverse event.
    The Queensland Information Privacy Act 2009 (The Privacy Act) provides a right for individuals to
    access and amend their own personal information and provides rules for how agencies handle
    personal information. In accordance with the Privacy Act, special provisions are included for
    Queensland Health to comply with the National Privacy Principles. Prior to 1 July 2009, the
    mandatory principles of Queensland Government Information Standard 42A provided for similar
    requirements.
    The audit examined whether there were suitable systems and frameworks in place to ensure
    effective safeguarding of patient information. The scope of this audit was limited to security of
    patient information within the information technology environment at the corporate office in Brisbane
    and the Emergency Departments at Princess Alexandra and Redland Hospitals.
    4.1.2 Audit opinion
    Overall, Queensland Health appears to have established a satisfactory control environment for both
    patient information repositories and the information technology infrastructure. Suitable systems
    and frameworks are in place to ensure effective safeguarding of patient information. The maturity of
    some aspects of the control environment compares favourably to other departments, while some
    control gaps existed that could impact on the security and privacy of patient information. Information
    handling practices could be further enhanced to prevent an information privacy
    incident occurring.
    The audit found that there were some opportunities to improve the efficiency and effectiveness of
    the collection, retrieval and storage of patient information. In particular, the paper based clinical
    information that is recorded and maintained separately by each hospital carries an inherent risk of
    delays in retrieving records when a patient presents at the hospital. This risk of delay is significantly
    higher when patient records are stored at a different Queensland Health facility.
    Queensland Health reported that the e-Health strategy, when implemented, should improve the
    availability and accessibility of patient information to clinicians. As part of this e-Health strategy, a
    state-wide medical records system is to be implemented. Princess Alexandra Hospital will be one
    of the first facilities to implement the integrated medical record system.
    Auditor-General Report to Parliament No. 7 for 2010 | Information security 49
    4.1.3 Audit scope
    This audit examined whether there were suitable systems and frameworks in place to ensure
    effective safeguarding of patient information. The focus of this audit was the security of patient
    information within the information technology environment for which Queensland Health is
    responsible. The audit included the corporate office in Brisbane and two hospitals being the
    Princess Alexandra and Redland Hospitals.
    The scope of the audit within the hospitals was confined to patient data captured within the
    Emergency Department and one ward. The audit examined information management, security
    processes and network security in relation to the patient information systems, manual patient files at
    the two hospitals and some of the other support systems that were used to record and share patient
    information between hospitals and external third parties.
    The audit was conducted under the following two broad objectives:
     to determine whether the areas of Queensland Health examined as part of the audit had efficient
    and effective systems for managing patient information throughout the patient lifecycle, in
    particular, the availability of systems to capture and safeguard patient information when
    information was shared between hospitals and external third parties.
     to determine whether Queensland Health had effective systems for protecting patient
    information from internal and external threats, specifically, whether there were appropriate
    and effective policies and systems and controls to safeguard Queensland Health’s network
    from intruders.
    4.1.4 Audit findings
    The two hospitals that were audited relied on a combination of computer based patient information
    systems and extensive paper records. Patient information was entered multiple times into paper
    forms and several different information systems. Clinical practices included converting electronic
    patient information to paper records when transferring patients to other Queensland Health
    facilities. The data re-entry led to inefficiencies and there was an increased risk of date entry errors.
    Clinicians reported that the retrieval of paper based patient records from another Queensland
    Health facility could take up to two days.
    At the Princess Alexandra Hospital, specific processes were set up to record and monitor patient
    files that were not found at the last recorded location. While Queensland Health reported that none
    of these files were deemed to be lost, this issue still posed a risk to patient information security.
    Also at the Princess Alexandra Hospital, access of former staff was not removed from the system
    that manages radiology images for the past three years, reportedly due to termination notices not
    being provided by the Human Resources section on a regular basis. In addition, physical security
    controls over medical storage facilities could be improved at both hospitals.
    A key control that needs to be addressed in this area is the periodic review of persons with physical
    access to the storage facilities, to ensure that these are commensurate with business requirements.
    Audit found that at one of the hospitals, there were 460 access cards with permission to enter the
    primary medical records area. This was considered to be excessive given that there were
    approximately 140 hospital information management staff.
    50 Auditor-General Report to Parliament No. 7 for 2010 | Information security
    It was also noted that there were a significant number of local databases and spreadsheets possibly
    containing confidential patient information managed by clinicians. These repositories were created
    mainly because information systems were not satisfying the immediate needs of the business.
    Queensland Health informed that the e-Health Program will include implementation of enterprise
    level systems that will encompass a wider range of business requirements.
    This audit also investigated information system and network management controls that protect the
    security and availability of patient information. The audit found that the preventative controls for
    external network access were established and only minor improvement opportunities existed.
    However, there was insufficient monitoring to reasonably detect unauthorised external access to
    Queensland Health information resources. Audit recommended that a capability to detect any
    security incidents that may bypass the internet firewalls be developed and implemented, and that a
    network intrusion detection sensor that monitors all external based access to the network be
    installed. Queensland Health has agreed to consider the audit recommendation as part of their
    risk assessment process.
    The audit found that there was an appreciable amount of technology and management attention
    targeted at ensuring the reliability of key clinical information systems however, there was insufficient
    planning or metrics to monitor and manage how these systems will perform in the event of a
    disaster. Audit has recommended that Queensland Health define the resilience requirements for
    all information systems processing patient information and associated technical infrastructure.
    In addition, Queensland Health needs to consider developing and implementing a formal
    overarching business continuity framework that encapsulates and links various existing business
    continuity policies and plans.
    4.2 Information technology network security
    4.2.1 Audit overview
    The Queensland Government is increasingly relying on information technology systems for efficient
    and effective service delivery, driving efficiency through enhanced online services. In this
    environment, it is critical that computer networks continue to operate reliably and the information
    assets and government processes accessed through these networks are protected against theft,
    misuse, disruption and unauthorised access.
    The results of an audit of network security at eight entities was reported in the Auditor-General
    Report to Parliament No. 4 for 2009 – Results of audits at 31 May 2009, tabled in Parliament
    on 30 June 2009. These entities were audited prior to the 26 March 2009 machinery of
    government changes.
    The network environments audited are shown in Figure 4A.
    Auditor-General Report to Parliament No. 7 for 2010 | Information security 51
    Figure 4A : Network environments audited
    Entities
    Department of Public Works – CITEC Queensland Corrective Services
    Department of Transport Queensland Police Service and Public Safety Network
    Management Centre
    Department of Main Roads Department of Local Government Sport and Recreation
    Department of Justice and Attorney-General (JAG) Department of Public Works – Shared Services Agency
    (Work performed by Internal Audit and reviewed by QAO)
    As a result of the machinery of government changes, Department of Main Roads and Department
    of Transport were merged, Queensland Corrective Services merged into Department of Community
    Safety and the Department of Local Government Sport and Recreation merged into the Department
    of Infrastructure and Planning. At the time of the audit, their network environments were in the
    process of being reorganised.
    4.2.2 Audit opinion
    The 2009 audit disclosed that while a significant number of security technologies and associated
    controls had been deployed, the resilience of network security controls needed to be strengthened
    at all agencies audited. The audit found that the strength of the overall network security
    environment varied across the eight entities and there was a clear indication that an ongoing
    focus on continuous improvement towards best practice security standards was required.
    With the exception of one entity, the security level was consistent with that of medium size business
    rather than a more complex State Government Department holding and processing sensitive
    information.
    The issues raised in Auditor-General Report to Parliament No. 4 for 2009 – Results of audits
    at 31 October 2009 are summarised below:
     inadequate controls over firewalls and internet gateways
     intrusion detection or prevention mechanisms not implemented
     security levels required from third party suppliers not clearly defined
     security weaknesses due to poor network design
     inadequate network systems documentation
     inadequate vulnerability management processes
     network security policy guidelines not documented
     inadequate network disaster recovery infrastructure
     equipment out of vendor support
     formal processes for security incident management not in place.
    52 Auditor-General Report to Parliament No. 7 for 2010 | Information security
    Audit has reviewed agency progress regarding the resolution of the issues raised in the previous
    audit. Due to the machinery of government changes, some of the networks were being merged into
    other departmental networks. The follow up audit disclosed that varying degrees of action had been
    taken to improve network security relating to all of the networks audited in the prior year. Thirty four
    percent of the issues were resolved by the end of February 2010. While management formally
    accepted the need to improve the control environment, implementation in selected agencies did not
    appear to be given a high priority. Some agencies did not have a formal implementation plan until
    audit commenced a follow up review. The implementation of recommendations relating to
    25 issues missed the original implementation timeframes by an average of four months.
    In particular, limited progress was made towards implementing controls that protect financial
    information and transaction processing systems to detect problems as they occur. Detective
    controls are essential, as perfect preventive controls are cost prohibitive. Early detection facilitates
    damage minimisation steps to be initiated. A high assurance of the security of government networks
    cannot be obtained until the majority of the security improvements are implemented and are
    operational. Urgent action is needed to address these issues.
    It is encouraging to note that the Queensland Government Chief Information Office had developed
    a plan to address these issues at a whole of government level. In addition, a whole of government
    information security committee was established in October 2009 and the Queensland Government
    Chief Information Office plan has been revised to address the security issues raised in the prior
    year audit. It should be noted that QAO audits of network security controls are performed at a
    point in time. Therefore, agencies need to have information security risk management processes
    that are of a holistic nature and assess the effectiveness of both preventative and detective
    controls in tandem. In addition, these need to be in alignment with current issues, trends and
    technological changes.
    As of February 2010, no serious security incidents have been reported. However, the network
    security arrangements must move to a robust level of control if the likelihood of these incidents
    occurring is to become negligible.
    Although many weaknesses in controls have been raised, the entities audited had not reported any
    major incidents of exploitation of these weaknesses. Following the tabling of Auditor-General
    Report to Parliament No. 4 for 2009, in September 2009, the Queensland Government Chief
    Information Office proposed a scheme be implemented for the central reporting of information and
    security incidents and the establishment of an incident response capability. This scheme was being
    implemented at the time of the audit. When this registry is established, it will be possible to
    determine the frequency and significance of incidents across government.
    Auditor-General Report to Parliament No. 7 for 2010 | Appendices 53
    5 | Appendices
    5.1 What is an information systems audit?
    Information systems are critical in all areas of government business, not just for the traditional uses
    of payment of employees and suppliers but as a repository of private and public information.
    Computerised systems are pervasive through government and virtually all citizens are reliant on
    the accuracy and reliability of information generated by and stored within computerised
    information systems.
    Using computers to record information changes the way in which that information is processed
    and stored. This affects the procedures used by an entity to achieve adequate internal control.
    An information systems audit examines controls within an organisation’s information technology
    environment and evaluates evidence of its information systems, practices, and operations. The
    evaluation of evidence obtained determines if the information systems are safeguarding assets,
    maintaining data integrity, and operating effectively to achieve the organisation’s objectives.
    An information systems audit is different from a financial statement audit. While a financial audit’s
    purpose is to evaluate whether an organisation is adhering to standard accounting practices, the
    purpose of an information systems audit is to evaluate the system’s internal control design and
    effectiveness. This includes, but is not limited to, information systems security, development
    processes and information technology governance. An information systems audit focuses on
    determining risks that are relevant to information, and in assessing controls in order to mitigate
    these risks. By implementing controls, the effect of risks can be minimised.
    5.2 Acronyms
    CSP Corporate Solutions Program
    HR Human Resources
    ICT Information and Communication Technology
    ICTC ICT Consolidation Program
    IDES Identity, Directory and Email Services Program
    ISC Information Steering Committee
    IT Information Technology
    QAO Queensland Audit Office
    QHIC Queensland Health Implementation of Continuity Project
    SDPC Service Delivery and Performance Commission
    54 Auditor-General Report to Parliament No. 7 for 2010 | Appendices
    5.3 Glossary
    Accountability
    Responsibility on public sector entities to achieve their objectives, about the reliability of financial
    reporting, effectiveness and efficiency of operations, compliance with applicable laws, and reporting
    to interested parties.
    Auditor’s opinion
    Positive written expression within a specified framework indicating the auditor’s overall conclusion
    on the financial report based on audit evidence obtained.
    Disaster recovery plan
    Also referred to as a business continuity plan. It describes how an organisation is to deal with
    potential disasters. A disaster recovery plan consists of the precautions taken so that the effects of
    a disaster will be minimised and the organisation will be able to either maintain or quickly resume
    mission-critical functions. Typically, disaster recovery planning involves an analysis of business
    processes and continuity needs; it may also include a significant focus on disaster prevention.
    Effectiveness
    The achievement of objectives or other intended effects of activities at a program or entity level.
    Efficiency
    The use of resources such that output is optimised for any given set of resource inputs, or input is
    minimised for any given quantity and quality of output.
    Governance
    The role of persons charged with the oversight, control and direction of an entity.
    Independent auditor’s report
    Issued as a result of an audit and contains a clear expression of the auditor’s opinion on the entity’s
    financial report.
    Information technology governance
    Information technology governance is the framework that ensures that processes and standards are
    in place to direct and control the investment in information technology.
    Program management
    Program management is the coordinated organisation, direction and implementation of a group
    of projects and activities that together achieve the outcomes and realise benefits that are of
    strategic importance.
    Auditor-General Report to Parliament No. 7 for 2010 | Appendices 55
    Qualified opinion
    Type of modified auditor’s opinion expressed when, except for the effect of a disagreement with
    those charged with governance, a conflict between applicable financial reporting frameworks or a
    limitation on scope that is considered material to an element of the financial report, the rest of the
    financial report can be relied upon.
    5.4 References
     Australian Standard 8015:200 – Corporate Governance of Information
    & Communication Technology
     Australian Standard 4360:2004 – Risk Management
     ISO/IEC 38500:2008 – Corporate Governance of Information Technology
     Queensland Government Program Management Methodology
     Managing Successful Programs, Office of Government Commerce, United Kingdom
     Queensland Government Project Management Methodology.
    56 Auditor-General Report to Parliament No. 7 for 2010 | Appendices
    5.5 Corporate Solutions Program timeline
    of key events
    Date Event
    August 2002
    Whole of government reviews of Corporate Services – Aligning Services and Priorities (ASAP)
    The Cabinet Budget Review Committee considers the Aligning Services and Priorities whole of
    government reviews. These included the Review of Corporate Services.
    December 2002 The Shared Service Initiative is approved by the Cabinet Budget Review Committee.
    1 July 2003 CorpTech is established within Treasury Department as a Shared Service Provider.
    September 2005 SAP Finance solution pilot preparation commences.
    July 2006 The first SAP Finance pilot implementation goes live at the Department of Justice.
    March 2007 The first SAP agency human resource implementation goes live within the then
    Department of Housing.
    May 2007
    – August 2007
    Capital budget for the program is revised to $249m following an independent review, which
    found that the delivery model was sub-optimal for a program of this size and scale. The review
    recommends that an experienced external ICT organisation be appointed to lead subsequent
    implementations and to accelerate the implementations.
    October 2007 The Treasurer and the Minister for Public Works and Housing, following a competitive tender
    process, jointly approve commencing negotiations with IBM.
    November 2007
    IBM tendered a price of $78.5m (excluding GST) for Phase 1. CorpTech’s Phase 1 costs were
    estimated at $74.5m (excluding GST), including a contingency provision of $15.2m, resulting in
    a total Phase 1 program cost of $153m.
    5 December
    2007
    The Under Treasurer on behalf of the State of Queensland enters into a contract with IBM.
    January 2008 IBM officially commences the implementation of the payroll system for Queensland Health
    1 July 2008 CorpTech transitions to the Department of Public Works.
    The original Go-Live date for Queensland Health HR system is missed. The system
    is not ready and business requirements are still being developed.
    September 2008 Second Go-Live date for Queensland Health HR system is missed. The system is
    not ready and business requirements are still being developed.
    October 2008 It was determined that the size, complexity and scope of the Phase 1 implementation was
    underestimated and that the revised implementation cost estimates significantly exceed its
    tendered cost and allocated funds.
    November 2008 Third Go-Live date for Queensland Health HR System is missed. The system is not ready and
    business requirements are still being developed.
    May 2009 Fourth Go-Live date for Queensland Health HR System is missed. There are an excessive
    number of defects and the system is not stable.
    June 2009 Fifth Go-Live date for Queensland Health HR System is missed. There are an excessive number
    of defects and the system is not stable.
    Implementation of revised Queensland Health HR system project governance model as
    the previous governance model was designed for the whole of government HR and
    financial implementation.
    August 2009 Sixth Go-Live date for Queensland Health HR System is missed.
    September 2009
    The scope of the IBM Prime Contractor contract is revised to Queensland Health
    HR solution only. IBM formally advised that they no longer fulfil the role of the prime contractor
    for the whole of government implementation.
    October 2009 Queensland Health Implementation of Continuity (QHIC) Project Board determines
    that the Go-Live date is to be deferred to early 2010.
    14 March 2010 Queensland Health payroll and rostering systems went live for the first payrun date of 24 March.
    Auditor-General Report to Parliament No. 7 for 2010 | Auditor-General Reports to Parliament 57
    6 | Auditor-General
    Reports to Parliament
    6.1 Tabled in 2010
    Report
    No. Subject Date tabled in
    Legislative Assembly
    1 Auditor-General Report to Parliament No. 1 for 2010
    Audit of A1 Grand Prix Agreements
    A Financial and Compliance audit
    4 February 2010
    2 Auditor-General Report to Parliament No. 2 for 2010
    Follow-up of selected audits tabled in 2007
    A Performance Management Systems audit
    23 March 2010
    3 Auditor-General Report to Parliament No. 3 for 2010
    Administration of Magistrate Court Services in Queensland
    A Performance Management Systems audit
    13 April 2010
    4 Auditor-General Report to Parliament No. 4 for 2010
    Results of local government audits
    Financial and Compliance audits
    21 April 2010
    5 Auditor-General Report to Parliament No. 5 for 2010
    Performance reviews – Using performance information
    to improve service delivery
    A Performance Management Systems audit
    18 May 2010
    6 Auditor-General Report to Parliament No. 6 for 2010
    Using student information to inform teaching and learning
    A Performance Management Systems audit
    20 May 2010
    7 Auditor-General Report to Parliament No. 7 for 2010
    Information systems governance and control, including the
    Queensland Health Implementation of Continuity Project
    Financial and Compliance audits
    June 2010
    Publications are available at www.qao.qld.gov.au or by phone on 07 3149 6000.
    58 Auditor-General’s Report to Parliament No. 7 for 2010 | Auditor-General Reports to Parliament

Leave a Reply

Your email address will not be published.