Audit of the Grants and Contributions IT System Projects
In accordance with Global Affairs Canada’s 2016-2019 Risk Based Audit Plan, the Office of the Chief Audit Executive conducted the Audit of Grants and Contributions IT System Projects.
The objective of the audit was to provide assurance that the grants and contributions IT system projects underway are being effectively managed to ensure the projects are implemented as planned.
Global Affairs Canada is currently undertaking a major consolidation of several of its corporate information systems through three interrelated and interdependent IT system projects – the SAP Merge, Data Warehouse Merge, and Grants and Contributions Portfolio projects. These projects are collectively referred to as the Corporate Systems Portfolio. These projects are ongoing and are anticipated to be completed in May 2017, with the new merged platform going live for the beginning of the 2017-2018 fiscal year. At that time, the Department will have a single SAP financial system and Data Warehouse.
Given the ongoing nature of these projects, this audit was conducted using a system under development audit approach. This allowed the audit team to closely monitor the projects that are being implemented and to provide timely feedback to senior management on issues and concerns that could affect the success of the projects. Ultimately, this approach will assist management to take necessary action immediately and address issues as they arise during the time the project is underway.
This audit provided an interim update of preliminary audit observations to the Audit Committee on December 16, 2016.
Why is this audit important?
This audit was identified as a priority engagement because of the high materiality of grants and contributions administered by the Global Affairs Canada and the importance of establishing a consolidated system to enable the Department to manage and report on grants and contributions in a more consistent and efficient manner.
The consolidation of the departmental key information systems plays a critical role in delivery of the department mandate and programs. The audit assessed whether sound project management practices are in place to manage risk of interruption to routine departmental operations and, in particular, G&C programming.
What did we examine?
The audit team examined the management of the following three integrated projects: (1) Grants and Contributions Portfolio; (2) SAP Merge; and (3) Data Warehouse Merge. (Appendix A provides more detailed information about the audit).
In addition, the audit assessed compliance with the Treasury Board Secretariat’s (TBS) Policy on the Management of Projects, associated standards and directives.
The audit was conducted from August 1, 2016 to April 10, 2017 and covered the period from April 1, 2016 to April 10, 2017.
What did we find?
Overall, many good practices were identified and the projects are moving towards completion. Although the amalgamation of SAP GCS and SAP FAS itself has not been considered a significant risk, there is a risk that the period of static reporting extends beyond the current plan and that contingency plans in the event of unforeseen circumstances are underdeveloped.
Based on documentation reviews and interviews with key IT personnel and business clients, the audit found that:
- Governance and oversight structures to support the Corporate Systems Portfolio projects are in place and functioning. As a best practice, more clearly defined individual accountabilities will help to attain the business outcome outlined in the project charters.
- Most of the roles and responsibilities are clearly defined and assumed. However, project managers’ roles for SAP Merge, DW Merge and G&Cs Portfolio Enhancements were not formally assigned to individuals at project level
- A client-driven working group was established to ensure that business requirements were considered in the decision-making process. Clients are kept informed of the projects’ progress and any potential issues on an ongoing basis.
- Business requirements for the G&C Portfolio and SAP Merge were collected, analyzed, documented and translated into system design.
- Communication and training strategies have been developed. Training plans for the DW Merge are included in the DW Communications Plan and respective training activities have already begun.
- The Project Management Office keeps track of scope changes and their approvals by respective client groups. The audit team did not find that levels have been defined for approval of changes, such as the level of authority required approval for specific changes.
- A portfolio schedule was developed with high-level deliverables from each project.
- The impact of DW delays related to the SAP Merge were identified and analyzed. However, contingency plans for managing schedule changes have not been fully developed.
Given that the SAP Merge project is still in the process of being implemented, immediate management actions to address these identified weaknesses are expected to reduce the risk that the project may not achieve its intended outcomes. Most importantly, management should develop a contingency plan for the SAP Merge project in case unforeseen events occur and to implement the full communication plan to ensure all system end-users are informed in advance of the changes and the impact on business operations is assessed.
Based on the findings listed above, the audit team made the following recommendations:
- For the remaining work to be completed, the Chief Information Officer should clarify the individual responsibilities to ensure both accountability for attaining specific business outcomes, and that overall objectives of all projects are achieved as intended.
- The Chief Information Officer should continue implementing the full communications plan for the SAP Merge prior to the “go live” date to ensure that all system end users are fully aware of changes and any potential impacts on their daily operations prior to the changes going into effect.
- For the remaining work to be completed, the Chief Information Officer should define levels for the approval of scope changes.
- For the remaining work to be completed, the Chief Information Officer should ensure that contingency plans for SAP Merge are fully developed, approved and communicated.
Statement of Conformance
In my professional judgment as the Chief Audit Executive, this audit was conducted in conformance with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing and with the Internal Auditing Standards for the Government of Canada, as supported by the results of the quality assurance and improvement program. Sufficient and appropriate audit procedures were conducted, and evidence gathered, to support the accuracy of the findings and conclusion in this report, and to provide an audit level of assurance. The findings and conclusion are based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed upon with management and are only applicable to the entity examined and for the scope and time period covered by the audit.
The Audit of the Grants and Contributions IT System Projects was included in the Global Affairs Canada 2016-2019 Risk-Based Audit Plan. The plan was recommended by the Departmental Audit Committee and approved by the Deputy Minister on October 17, 2016.
In order to provide high value to the Department, the audit was conducted while the IT projects were ongoing. Therefore, a System Under Development audit approach was used. This approach allowed the audit team to report findings and make recommendations to the project team on an on-going basis so that management action could be taken immediately to address identified weaknesses as they arise.
As an interim step to provide up-to-date audit results, preliminary audit findings were presented to Departmental Audit Committee members and Global Affairs Canada (GAC) management in December 2016, shortly after the conduct phase started. The audit observations made as of April 10, 2017 are presented to Departmental Audit Committee members and GAC management in this report prior to the projects’ final planned “go-live” date (May 2017).
Global Affairs Canada is currently undertaking a major consolidation of several of its corporate information systems through three interrelated and interdependent IT system projects. This initiative impacts key corporate systems and applications used by the Department for administering and managing grants and contributions. These three integrated projects compose the Grants and Contributions IT Corporate Systems Portfolio as follows:
(1) SAP Merge:
The Systems, Applications, Products in Data Processing (SAP), an Enterprise Resource Planning system, supports the management of finance, contracting, procurement, materiel, and grants and contributions (Gs&Cs). The Department currently has two SAP brand financial systems – the Finance and Administration System (FAS) and the Grants and Contributions System (GCS). GCS is comprised of many modules each meant to provide specific functionality, such as Project Management (PS), while FAS is used for transactions related to operations and maintenance. The SAP Merge project will amalgamate the two SAP systems into a single corporate SAP platform. This process will include transferring the functionality of GCS project management module into FAS.
(2) Data Warehouse Merge:
A separate but critical predecessor to the SAP Merge is the Data Warehouse Merge project. A data warehouse (DW) is a central repository of integrated data from disparate sources, including SAP. DWs support corporate reporting, data analysis, and Business Intelligence (BI). Global Affairs Canada is currently supporting two data warehouses - ex-CIDA and ex-DFAIT. The DW Merge initiative will migrate the former-CIDA grants and contributions data warehouse and business intelligence reporting environment to a single Corporate Reporting environment. Merging the two environments is intended to reduce the risks and costs associated with supporting two DW/BI environments and to provide users with a standard suite of reporting tools for grants and contributions reporting
(3) Grants & Contributions Project Portfolio:
In preparation for the SAP Merge and in parallel to the Data Warehouse merge, a number of projects are underway to enhance and upgrade the technologies supporting the departmental grants and contributions line of business. These projects, though managed separately, are collectively referred to as the G&C Portfolio. More specifically, the G&C Portfolio is comprised of the following projects:
- Grants and Contributions SAP
- Authorized Programming Process forms
- Enhancements to the Partners@International Portal
- Grants and Contributions reporting updates
After the SAP Merge project is implemented in May 2017, the Department will have a single SAP financial system and Data Warehouse. The diagram below provides a high-level view of the current state of the Department’s financial systems, data warehouses, and reporting systems, and the anticipated end state, after the projects’ completion.
The diagram presents the current state of the Department’s financial systems, data warehouses, and reporting systems, and the anticipated end state, after the projects’ completion.
- Two Systems, Applications, Products in Data Processing (SAP):
- Grants and Contributions System (GCS) (xCIDA SAP)
- Finance and Administration System (FAS) (xDFAIT SAP)
- Two Data Warehouses:
- xCIDA Data Warehouse, which is a central repository of integrated data from GCS
- xDFAIT Data Warehouse, which is a central repository of integrated data from FAS
- Two Reporting Systems:
- G&Cs Reporting, which is supported by xCIDA Data Warehouse
- Corporate Reporting, which is supported by xCIDA and xDFAIT Data Warehouses
- One SAP:
- One Data Warehouse:
- GAC Data Warehouse, which is a central repository of integrated data from FAS
- One Reporting System:
- Corporate Reporting, which is supported by GAC Data Warehouse
Due to the number of interdependencies amongst the various projects within the Corporate Systems Portfolio, delays in one project will have an impact on the others.
Project Organization Structure
An Executive Sponsor was assigned to manage the project activities for all three projects. The Department’s Project Management Office assigned a Portfolio Manager to conduct the day-to-day oversight and execution of SAP Merge, DW Merge, and G&C Portfolio. The Portfolio Manager reports to the Executive Sponsor. Each of the three projects has a designated technical team. An overview of the governance structure for the three projects is presented below.
Grants and Contributions IT Corporate Systems Portfolio Governance Structure
The organizational chart depicts the Grants and Contributions IT Corporate Systems Portfolio Governance Structure.
Starting at the bottom of the hierarchy:
- The different projects' activities (SAP, G&C Portfolio, Data Warehouse, Quality Control, Training, Communications), which are managed by:
- The Executive Sponsor, which reports to both the Director Level Steering Committee and the Corporate Systems Portfolio DG Steering Committee (CIO Chair), and is assisted by the Client Working Group/Business Representatives for communication with clients.
- The Director Level Steering Committee reports to the Corporate Systems Portfolio DG Steering Committee (CIO Chair), which ultimately reports to:
- The Senior Executive Sponsor (CFO), at the top of the hierarchy.
- The Project Management Office reports to the Executive Sponsor. Led by the Portfolio Manager, it consists of the Project Co-ordinator and the Project Manager.
Parallel to this hierarchy, there is the IM/IT Strategy Committee, to which reports the Project Oversight Committee. The project updates are also presented to these committees.
2. Observations and Recommendations
The audit results are derived from examination of documentation and interviews. The audit team reviewed key documentation including relevant TB policies and guidance, project planning documents, and committee terms of references and minutes. Interviews were conducted with 31 GAC employees. Based on the evidence gathered, the audit team concluded on each of the audit criterion listed in Appendix A. Findings and recommendations reflect the audit field work undertaken until April 10, 2017.
The audit team also referenced project management best practices, as outlined in the Project Management Institute’s (PMI) A Guide to the Project Management Body of Knowledge (PMBOK). The Project Management Body of Knowledge is a set of standard terminology for project management. The PMBOK Guide also overlaps with general management which both include planning, organizing, staffing, executing and controlling the operations of an organization.
Overall, good practices were identified and the projects are moving towards completion. However, a risk remains that the ongoing projects may not achieve their objectives. The audit team has made observations and has developed audit recommendations for improvements that may assist the project teams as they work towards successful completion. Results have been compiled into three areas: Governance and Accountabilities, Client Engagement and Communications and Change Management.
2.1 Governance and Accountabilities
Strong governance of complex projects such as the projects under review will support the effective delivery of the projects and ensure the work meets the needs of the organization.
For this series of projects, the governance of the Corporate Systems Portfolio (CSP) projects is comprised of a combination of processes and structures that direct, manage, and oversee the activities of the projects. In its present state, the governance system works to ensure that project progress is informed, common issues between projects are discussed, directions and solutions are provided, and decisions are made in a timely manner.
To enhance the governance in place, more clearly defined individual accountabilities would help to ensure that the business outcomes outlined in the project charter are attained.
2.1.1 Governance Structure
The Department established Director and Director General (DG) level Steering Committees to oversee the three projects. Both committees have terms of reference where their mandate, roles & responsibilities, committee membership and meeting frequency are defined. In addition to the terms of reference, the roles and responsibilities of the committees are defined in the Project Charters. For example, the DG Steering Committee is responsible for allocating resources and budgets necessary to support the corporate systems, while the Director Steering Committee is responsible for ensuring budget and resource availability as well accountable for the success of the project. Information updates on the projects are also presented to two additional committees: the Project Oversight Committee and the Information Management/Information Technology (IM/IT) Strategy Committee.
In addition to these committees, there are four working groups: the SAP Merge, G&C Portfolio, DW Merge Technical Working Groups and the SAP Client Working Group.
Through direct observation and a review of the Steering Committees’ meeting minutes, the audit team confirmed that these committees meet regularly as required by their terms of reference, and that they play a role in overseeing project implementation. For example, records of committee meetings have shown evidence of the Corporate System Portfolio project being discussed, advice from committee members provided and some key decisions made. However, while the risk of a delay of the DW Merge and the DW preparation work for the SAP Merge was raised to the Steering Committees starting in July 2016, the audit team did not find any evidence that the Steering Committees made any decisions to mitigate the risk of the potential delay.
2.1.2 Accountabilities, Roles, and Responsibilities
Clearly defined accountabilities, roles and responsibilities ensure effective and efficient project implementation.
For these projects, the audit team found that roles and responsibilities are defined for executive governing bodies and working groups at various levels, as are those for the Executive Sponsor and Portfolio Manager.
The Executive Sponsor, who is also a member for the DG Steering Committee, is responsible for reporting project status and changes to the Senior Executive Sponsor and Committees while the Portfolio Manager is responsible for the day-to-day oversight and execution of the project, including ensuring approval of deliverables as well as for briefing committees as required. From meeting minutes reviews and attendance of various committees, the audit team observed that the Portfolio Manager has been providing high-level portfolio updates to the Steering Committee since May 2016 concerning the timeline, ongoing activities, key risks, forecasted costs, and overall project status.
Various project management responsibilities for managing the three projects under review and the accountability for the end results are shared between the Portfolio Manager and the other members of the Project Management Office staff, functional directors, and the technical team leads. The Project Management Office, led by the Portfolio Manager, is responsible for defining and documenting project scope, cost, and schedule. However, project managers’ roles for SAP Merge, DW Merge, and G&Cs Portfolio Enhancements were not formally assigned to individuals at the project level. The technical team leads act as de facto project managers for their respective projects (i.e. SAP Merge and DW Merge). Nevertheless, formally assigned roles and responsibilities accompanied by the required authority would ensure that assigned tasks are performed with a clear understanding of priorities between the special project and routine operations.
Additionally, the audit team noted that while accountability for the success of the project is clearly assigned to the Director Steering Committee, specific accountability for attaining the business outcomes at an operational level was not as clearly defined and documented. This shortcoming increases the risk that bottlenecks may be created and decision-making processes may be slowed down. As a best practice, clearly defined accountabilities assigned to specific individuals would help to ensure more efficiently and effectively managed projects and would minimize the risk of project failure. It would also help to ensure that normal operations continue to function without significant disruptions.
For the remaining work to be completed, the Chief Information Officer should clarify the individual responsibilities to ensure both accountability for attaining specific business outcomes, and that overall objectives of all projects are achieved as intended.
2.2 Client Engagement and Project Communications
One of the risks identified by the Project Management Office is that inadequate stakeholder engagement may result in unclear business requirements and delayed critical business decisions required for the G&C, DW merge and SAP merge. The associated mitigation strategy developed by the Project Management Office was to address this risk through the governance structure and detailed communications plan.
The audit team examined the processes of how business requirements were identified, analyzed and reflected in the system design. Then, the audit team monitored how the project team communicated, consulted, and engaged with business clients to ensure that all their needs were considered and incorporated, as appropriate.
Overall, clients were engaged throughout the project and communications activities occurred to stakeholders affected by the changes implemented by the project.
2.2.1 Engagement with Business Clients
The engagement with business clients occurred from the outset of the project. Initial business requirements from different user groups were collected, analyzed and transferred to various Business Requirements Documents (BRDs) for the G&C Portfolio and the SAP Merge. However, there was no BRD or formal client sign-off for the DW Merge. As a result, there is a risk that the final product may not meet client expectations.
There was evidence of numerous consultations with business clients during the course of the project implementation. For example, the Client SAP Working Group was established to gather and document client requirements for the consolidated SAP system and to ensure that any impact of the SAP Merge on business processes is clearly identified, understood and mitigated.
Once the business requirements were identified and approved by clients in the form of BRDs, they were then translated into design specifications. The audit team reviewed the design specification documents for the SAP Merge. The SAP Merge project prepared detailed design and technical software application requirements. The audit reviewed Functional Design Descriptions for the SAP Merge and confirmed that they reflect identified business requirements.
As part of the engagement process with clients, the audit team found that a high-level training strategy was developed for the SAP Merge. According to the strategy, existing SAP training material is being updated to reflect the changes following the SAP Merge. Interviews indicated that the general consensus is that the changes to SAP are not significant enough to require the development of new training, and will instead be communicated through information sessions. Training plans for the DW Merge are included in the DW Communications Plan. Training activities for DW have already begun; there is a variety of training and online reference information available to help users with the transition.
2.2.2 Project Communications
The audit team expected to find evidence of ongoing communications activities, based on an established communications plan. Effective communications ensure that project stakeholders and oversight management are informed of the project status, issues, and challenges so that appropriate and timely decisions can be made for achieving the project functionality, budgetary and timeline goals.
The audit team noted that communications have taken place in various forms throughout the project. For example, the Project Management Officer conducted various presentations during the early stages of the project to the Chief Financial Officer, the Executive Sponsor, the Program Committee, the Project Oversight Committee, and the Corporate Management Committee. The Project Management Office continues to develop individual project monthly Keys Reports that provide updates on the schedule, budget, issues and risks. Interviews indicated that these Keys Reports are reviewed by the Project Sponsor and the Project Management Office. Regular project communications to the Director-level and DG Steering Committees are given by the Executive Sponsor and there is also regular communication between the Executive Sponsor and the Portfolio Manager.
A high-level communications strategy was also established and approved by the DG Steering Committee in November 2016. A detailed communications plan was developed and implemented for DW Merge. The audit team obtained and reviewed sample communications and determined that they are aligned with the communications plan.
The communications strategy indicates that IM/IT will collaborate with the client and the Communications group on holistic communications for the upcoming changes to G&C reporting and SAP G&C. A detailed plan will help to operationalize the strategy by identifying the client group, time and deliverables. At the time of this report, management had recently approved and started the implementation of a detailed communications plan for SAP Merge.
Key stakeholders impacted by changes indicated that they are aware of the upcoming changes and that they have been consulted through the SAP Client Working Group. However, several interviewees also expressed concerns that communications were not trickling down to the end user-level. Recent DG Steering Committee meeting minutes and client interviews indicate that the user community might not have a clear understanding of what the consequences of the merge might be on their routine operations.
Lack of extensive communications with all levels of stakeholders could result in misunderstanding the role clients have in the project’s success. It could also lead to a lack of preparedness for the consolidated system to mitigate potential issues resulting from the systems’ merge.
The Chief Information Officer should continue implementing the full communications plan for the SAP Merge prior to the “go live” date to ensure that all system end users are fully aware of changes and any potential impacts on their daily operations prior to the changes going into effect.
2.3 Scope and Schedule Change Management
Scope and schedule changes are not uncommon scenarios in the course of any project implementation process; they are two key inherent risks in project management which may impede a project from achieving all of its objectives. To ensure the risks associated with change management are mitigated, the audit team expected to find a clearly defined change management procedure, including change tracking, impact/benefit analysis, scenario development, and change approval.
According to the Project Charters, the Director-level Steering Committee is responsible for performing Change Management functions (scope, budget, and schedule). Nonetheless, the audit team found only one documented circumstance of an approval of a scope change made by the Director Steering Committee.
2.3.1 Scope Changes
Since project scopes were formally defined in each Project Charter, key changes to the scope were expected to be discussed and approved at the Director-level Steering Committee.
The audit team examined the tracking of scope changes by the Project Management Office. The audit team examined six scope changes to the Gs&Cs portfolio and DW projects recorded on the tracking document, and only one was approved by the Director Steering Committee. In some cases, the audit team did not find documented evidence that certain scope changes were analyzed to assess the impact on required resources. Similarly, in some cases, there was no evidence that the changes were formally approved by the clients or that they were implemented with the knowledge and approval of the Steering Committee or Executive Sponsor. Making scope changes without the proper impact analysis and approval may result in not meeting clients’ requirements.
Furthermore, the audit team found that the levels for approval of changes, such as the level of authority required for specific changes, were not defined. As a result, it may not be clear which scope changes need a formal approval.
As the project is near its scheduled deadlines, there may be an increase in the number and size of scope changes in order to meet targeted project deadlines. By having established levels for approvals, it would be clearer as to what may be changed with or without senior project management’s involvement.
For the remaining work to be completed, the Chief Information Officer should define levels for the approval of scope changes.
2.3.2 Schedule Changes
At the outset of the implementation of the projects, the Project Management Office noted that the multiple and complex projects had an increased risk of delays that could impact G&C Deliverables, DW Merge, and ultimately the SAP Merge. The Project Management Office also noted that this risk would be further exacerbated by the high degree of technical, scheduling and resource interdependence as well as resources shortages and delays in professional service resourcing. Therefore, it was critical to the team that they maintained highly integrated, detailed project schedules for the entire portfolio of projects and to identify and track interdependencies and work schedule to ensure efficient activity sequencing and resource allocation.
Based on this risk assessment, the audit team expected to find a comprehensive schedule at both project and portfolio levels. Furthermore, it was expected that changes in project schedules would be closely monitored, that associated impact would be analyzed and communicated, and that alternative scenarios and contingency plans would be developed due to high interdependencies among projects and within some project tasks.
The audit team noted that separate project-schedules were developed for each of the three projects which include project deliverables translated into activities. In November 2016, a portfolio-level schedule was developed by the Project Management Office including the high-level deliverables for each of the three projects. However, this portfolio-level schedule was not integrated with the project-level schedules. There were multiple examples of schedule items did not match between the various project-level-schedules and the portfolio-level schedule. As a result, without up-to-date and integrated project schedules, it may be difficult for the Project Management Office to assess the potential impact of a change in the schedule of one project on the overall portfolio of projects.
A review of the committee minutes and interviews indicated that project schedules were re-baselined a number of times for all the projects in scope by the Project Management Office. For example, the initial project schedules indicated that the DW Merge would be completed by December 2016 and that the DW preparation work for SAP would be completed by April 2017, just in time for the SAP Merge “go live”. However, the DW Merge is not yet complete at the time of this report and current project schedules indicate that the DW preparation work for the SAP Merge will be delayed past the planned SAP Merge date. Current schedules indicate the preparation work will be completed 20 days after the SAP Merge date; however, there remains a risk of further delay.
As a result, the DW clients were consulted in January 2017 about their requirements and were asked to identify which reports need to be made available at the Corporate System Projects completion, and which could be delivered later by the project team. However, contingency plans have not been fully developed, approved or communicated at the time of this audit report. The audit team confirmed with IM/IT that a back-out plan will be developed as part of the deployment plan but this work has not yet been completed or approved. Without contingency plans in place, any delay will cause the data in reporting tools to go staticFootnote 1, impacting the Department’s ability to meet reporting requirements and senior management’s access to timely information for decision-making.
One of the challenges to the scheduling process concerns staff resources. The audit team was made aware of resource challenges that the projects faced with regard to human resources (HR) and procurement. Interviews with project management and staff indicated that delays in the departmental HR and procurement processes impacted the projects’ ability to locate sufficient and qualified staff in a timely manner. In addition, staff turnover has been a challenge due to high project workload. To mitigate this challenge, project management is minimizing the use of overtime to avoid staff burnout.
For the remaining work to be completed, the Chief Information Officer should ensure that contingency plans for SAP Merge are fully developed, approved and communicated.
The audit team concludes that some key management principles are adequately applied to ensure the projects are implemented as planned. More specifically, governance and oversight structures are in place and functioning; significant efforts were made to collect client business requirements; and communications and training strategies have been developed.
However, improvements are needed to clarify individual accountabilities; strengthen change management procedures including defining levels for change approvals; and develop contingency plans in case unforeseen events occur.
Given that the Corporate System Portfolio projects are still in the process of being implemented, immediate management actions to address these identified weaknesses are necessary in order to reduce the risk that the projects may not achieve their intended outcomes.
Appendix A: About the Audit
The objective of the audit was to provide assurance that the grants and contributions IT system projects (SAP Merge, Data Warehouse Merge, G&C Portfolio) are being effectively managed to ensure the projects are implemented as planned.
The audit focused on the management of the following three integrated projects: (1) Grants and Contributions Portfolio; (2) SAP Merge; and (3) Data Warehouse Merge. The audit period included activities from April 1, 2016 to April 10, 2017.
To ensure that the audit focused on areas that would add value to management, it did not include a review of the adequacy and effectiveness of the process to identify and assess user requirements. As a result, the audit did not assess the completeness of the Business Requirements Documents and associated system enhancements. Given that the system changes based on the user needs assessment are in the process of implementation, reviewing this previous project phase for gaps would not have provided project and senior management with timely feedback that could be acted upon.
The audit also did not include an assessment of any enhancements and changes to systems/applications which are planned to occur after the SAP Merge goes live.
The following criteria were developed based on the controls expected to be in place to manage high-risk areas, and are designed to conclude on the audit objective within the defined audit scope.
- Grants and contributions IT system projects are being delivered using sound IT project management principles, including:Adequate and effective governance structure is in place to provide oversight and coordination of the projects
- A detailed deployment plan, schedule, and critical path, which include identified and linked project interdependencies, are in place and closely monitored;
- Risk management practices are in place, including implemented risk mitigation strategies;
- Budgets and resource allocation are aligned to evolving workload requirements, and;
- Detailed progress and issues monitoring and reporting is being performed.
Approach and Methodology
The Audit of the Gs&Cs IT System Projects was in accordance with Treasury Board Policy on Internal Audit, Directives andconforms to the International Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors.
Given the ongoing nature of the IT projects in scope, this audit was conducted using a System under Development audit approach. This allowed the audit to provide timely feedback to senior management on issues and concerns that could affect the success of the projects, so that management action could be taken immediately to address issues as they arise.
In order to conclude on the above criteria and report against the audit objective, the following methods were used:
- Identified and reviewed relevant policies, directives, and guidelines;
- Reviewed and analyzed relevant project documents, such as the charters, project plans, and schedules;
- Reviewed and analyzed financial information, including budgets and invoices;
- Interviewed key IT and project personnel, as well as business clients; and,
- Observed project and client working group meetings.
Appendix B: Management Action Plan
|Audit Recommendation||Management Action Plan||Area Responsible||Expected Completion Date|
|1. For the remaining work to be completed, the Chief Information Officer should clarify the individual responsibilities to ensure both accountability for attaining specific business outcomes, and that overall objectives of all projects are achieved as intended.||The Project Management Office will update the roles and responsibilities for the Executive Sponsor in the SAP Merge Project Charter to include the following additional statement: The Executive Sponsor in his capacity as the system owner of SAP is accountable for attaining the business outcomes as defined in section 5.2 of this project charter and ensures that overall project objectives are achieved as intended.|
In addition, names of individuals assigned to specific roles in the roles and responsibilities section of the SAP Merge Project Charter will be updated to reflect current membership.
|Chief Information Officer||April 15, 2017|
|2. The Chief Information Officer should continue implementing the full communications plan for the SAP Merge prior to the “go live” date to ensure that all system end users are fully aware of changes and any potential impacts on their daily operations prior to the changes going into effect.||Chief Information Officer||Ongoing, completion by end of May 2017|
|3. For the remaining work to be completed, the Chief Information Officer should define levels for the approval of scope changes.||As defined in the SAP Merge Project Charter, the Director Level Steering Committee is responsible for performing change management functions including approval of any scope changes. To date there have been no changes to the original scope and at this stage, deviations from scope as defined in the SAP Merge Project Charter are unlikely. If a scope change is necessary to meet the SAP Merge go-live date, the Director Level Steering Committee will be informed and their recommendations will be brought to the DG Steering Committee for their approval.||Chief Information Officer||Ongoing, completion by end of May 2017|
|4. For the remaining work to be completed, the Chief Information Officer should ensure that contingency plans for SAP Merge are fully developed, approved and communicated.||Chief Information Officer||Ongoing, completion by end of Quarter 1, 2017-2018|
Appendix C: Acronyms
- Business Intelligence
- Business Requirement Document
- Corporate Systems Portfolio
- Director General
- Data Warehouse
- Finance and Administration System
- Grants and Contributions
- Global Affairs Canada
- Grants and Contributions System
- Information Management/Information Technology
- Project Management Body of Knowledge
- Project Management Institute
- Project Management Module
- Systems, Applications, Productions in Data Processing
- Treasury Board Secretariat
- Date Modified: