HR Audit Case Study

Download as pdf or txt
Download as pdf or txt
You are on page 1of 31
At a glance
Powered by AI
The document discusses an audit of the PeopleSoft system used by Health Canada and Public Health Agency of Canada for human resources transactions. It identifies issues with governance, risk management, internal controls, and anticipated benefits of implementing PeopleSoft.

The focus of the audit was the PeopleSoft system, which is the primary system used by Health Canada and Public Health Agency of Canada for processing human resources business transactions.

Some of the governance issues identified include a lack of oversight and unclear roles and responsibilities.

Final Audit Report

Audit of the Human Resources Management


Information System

December 2013

Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Table of Contents
Executive summary ............................................................................................................ i 

A -  Introduction ............................................................................................................ 1 
1. Background ..................................................................................................................... 1 
2. Audit objective ................................................................................................................ 3 
3. Audit scope ..................................................................................................................... 3 
4. Audit approach ................................................................................................................ 3 
5. Statement of conformance .............................................................................................. 3 

B -  Findings, recommendations and management responses .................................. 5 


1. Governance ..................................................................................................................... 5 
1.1 Oversight ............................................................................................................... 5 
1.2 Roles and responsibilities ..................................................................................... 8 
2. Risk management ............................................................................................................ 8 
2.1 Management of operational risks ......................................................................... 8 
3. Internal controls ............................................................................................................ 10 
3.1 Management of change ....................................................................................... 10 
3.2 Standardization of business processes ................................................................ 13 
3.3 Data integrity ...................................................................................................... 15 
3.4 Protection of personal information ..................................................................... 19 

C -  Conclusion ............................................................................................................ 22 

Appendix A – Lines of enquiry and criteria ................................................................. 23 

Appendix B – Scorecard ................................................................................................. 24 

Appendix C – Road map to target state vision ............................................................. 25 

Appendix D – PeopleSoft system data flow overview .................................................. 26 

Appendix E – Anticipated benefits of implementing PeopleSoft ................................ 27 

Portfolio Audit and Accountability Bureau


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Executive summary
The focus of the audit was the PeopleSoft system, which is the primary system of Health
Canada and the Public Health Agency of Canada for processing human resources business
transactions. The audit objective was to provide assurance that the control framework for
PeopleSoft is effective for managing human resources as it relates to staffing, classification
and compensation. Sufficient and appropriate procedures were performed and evidence was
gathered to support the accuracy of the audit conclusion.

In November of 2011, Health Canada and the Public Health Agency of Canada rolled out the
PeopleSoft system. To facilitate the transfer and sharing of costs of the system, they entered
into a partnership arrangement with Agriculture and Agri-Food Canada. Overall, there is a
well-defined and properly applied governance regime that provides for the review and
oversight of stakeholder needs and data quality. To support data quality, there is a Data
Integrity Strategy, which includes a data quality control framework.

Roles and responsibilities between Health Canada, the Public Health Agency of Canada and
the Agriculture and Agri-Food Canada are well defined in the PeopleSoft Shared Services
Partnership Governance framework, service agreements, and the PeopleSoft Project Charter.
Roles and responsibilities are being effectively carried out. Operational risks related to the
use of PeopleSoft are receiving oversight through the PeopleSoft Shared Services Governance
Partnership and the Human Resource Senior Management Committee. A formal approach to
managing operational risks would ensure that risks could be managed in an effective manner.

Health Canada and the Public Health Agency of Canada have managed most changes well
and the introduction of the system has led to improvements in the self-service function, the
use of standard business processes and improved management accountability. The anticipated
benefit of using Express Lane Staffing, which will process low-risk staffing transactions
quickly, has not yet been realized.

The Data Integrity Strategy has produced some positive results by identifying errors in
PeopleSoft. Data integrity would be further strengthened with regular error reporting and
timely follow-up to ensure that errors are being identified and corrected. Moreover, all
manual leave adjustments should be sufficiently explained and verified in PeopleSoft. Risks
associated with the protection and the confidentiality of employee information are being
addressed. Further attention is required for employee information in the control and custody
of the service provider, which should be reflected in the service agreement or an information-
sharing agreement.

Management agrees with the seven recommendations and has provided an action plan to
improve the management control framework for PeopleSoft to manage human resources at
Health Canada and the Public Health Agency of Canada.

Portfolio Audit and Accountability Bureau Page i


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

A - Introduction
1. Background

In 2006, the Treasury Board Secretariat identified the Government of Canada’s Human
Resources Management Information System, PeopleSoft, as the system to be used for the
management of human resources for all of the federal government. PeopleSoft is a
commercial-off-the-shelf system, modified to meet common Government of Canada human
resource and legislative requirements, that provides an integrated platform for the
management of human resource information.

Currently, many departments and agencies are using different human resources systems and
this results in varying departmental processes for human resources transactions. The use of a
common human resource business platform will result in the elimination of aging human
resources systems and in the standardization of business processes and common data
definitions across the Government of Canada (see Appendix C).

The PeopleSoft shared service came into being as a result of an initiative led by the Treasury
Board Secretariat – the Human Resources Business Solution Project – which aimed at
enabling the clustering of partner departments and agencies to share one operational instance
of PeopleSoft. This would mean that departments and agencies would have to eliminate their
current human resources systems and replace them with PeopleSoft.

In 2009, Health Canada and the Public Health Agency of Canada made a decision to replace
its legacy system – HR Advantage – with PeopleSoft. HR Advantage was no longer a viable
option, nor was it supported by the Corporate Services Branch’s Information Management
Services Directorate. Health Canada and the Public Health Agency of Canada had determined
that it would be more cost-effective to participate in a partnership arrangement than for them
to host their own instance of PeopleSoft. The cost to implement PeopleSoft for Health Canada
and the Public Health Agency of Canada was approximately $6.2 million.

Prior to implementing PeopleSoft, Health Canada and the Public Health Agency of Canada
conducted an extensive exercise to address known data integrity issues. In addition, they
participated in a pilot study as part of the Human Resources Business Solution Project. In
November 2011, PeopleSoft went live with five partner departments and agencies,
representing more than 38,000 employees. In June 2012, Shared Services Canada joined the
Partnership, adding another 6,000 employees. Agriculture and Agri-Food Canada is the
service provider.

Departments within the partnership cluster are currently using the same configuration of
PeopleSoft (v8.9) to support their respective human resources business functions. Changes to
the common configuration require approval by the majority of departments and agencies
within the Partnership to be accepted for adoption. This has resulted in the elimination of
customization of PeopleSoft for a single department and the maintenance of a common
configuration. The Government of Canada has announced that it will be releasing an updated
version of PeopleSoft (v9.1) in 2014-15. Departments and agencies will be required to

Portfolio Audit and Accountability Bureau Page 1


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

implement PeopleSoft to manage their human resource business activities by the end of the
2016-17 fiscal year.

The service agreements identify the services to be measured and the level of service to be
provided by Agriculture and Agri-Food Canada for the shared common instance of
PeopleSoft. Agriculture and Agri-Food Canada provides the functional support services for
the PeopleSoft shared service. These services consist of but are not limited to shared service
business support, service desk support, back-up and restoration, ad hoc reporting,
performance reporting, and system maintenance. In the shared services partnership, the
Corporate Services Branch’s Human Resources Directorate provides human resources
services to both Health Canada and the Public Health Agency of Canada. The cost for
Agriculture and Agri-Food Canada to provide PeopleSoft and support services to the Health
Canada and the Public Health Agency of Canada is approximately $1.7 million annually. The
service agreements came into effect April 1, 2012, and expire on March 31, 2015.

PeopleSoft is Health Canada and the Public Health Agency of Canada’s primary tool for
supporting the processing of human resource business transactions. These processes include
compensation (leave), classification, staffing, staff relations, employment equity and official
languages, security and labour relations.

The implementation of PeopleSoft has resulted in the automation of human resources


processes that were not previously available in HR Advantage and the Integrated Leave and
Attendance Module. These enhancements have in some cases eliminated the need for
duplicate entry and manual records without significantly changing some of the human
resource business processes. In addition, the use of PeopleSoft in a shared environment
promotes collaborative governance and the sharing of information; improved capacity to
deliver human resources products and services; more effective fulfilment of legislative and
operational human resource business requirements; and reduced operating and maintenance
costs to support the human resources system.

The Regional Pay System is the primary source for generating information on salary
expenses and benefits, and it updates Health Canada and the Public Health Agency of
Canada’s financial system – SAP. Compensation advisors input pay and benefit information
through the PeopleSoft pay interface, which updates the Regional Pay System. In turn, the
Regional Pay System generates a data extract, which is loaded into Health Canada’s financial
system. There is no direct connection between SAP and PeopleSoft (see Appendix D).
Compensation advisors can also update the Regional Pay System, which is managed by
Public Works and Government Services Canada, by way of direct access. However, direct
input into the Regional Pay System is limited to only a few specific types of pay transactions
or to occasions when PeopleSoft is unavailable for use.

Portfolio Audit and Accountability Bureau Page 2


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

2. Audit objective

The audit objective is to provide assurance that the control framework for PeopleSoft is
effective for managing human resources as they relate to staffing, classification and
compensation.

3. Audit scope

The audit examined the governance and risk management of the PeopleSoft application
initiative and, for internal controls, focused on the human resources functional areas
supported by PeopleSoft, namely staffing, classification and compensation.

The audit covered the fiscal year 2012-13. Excluded from the audit were the following
human resources functional areas: security; employment equity and official languages; labour
relations; health and safety; and priority management. Also excluded from the audit were
Agriculture and Agri-Food Canada’s business and information technology operations that
support PeopleSoft.

4. Audit approach

The audit examined the governance, risk management and control practices of the human
resource functional areas supported by PeopleSoft against a set of pre-defined audit criteria.
The audit approach included a review of documentation, policies, standards, guidelines, and
framework and business processes. Interviews were conducted with senior management,
managers and human resource officials within the Human Resources Directorate. The audit
team conducted audit tests and analysis of PeopleSoft data from the classification, staffing
and compensation functional areas. The audit was carried out in the National Capital Region.

The audit criteria, outlined in Appendix A have been drawn from key sources: the PeopleSoft
procedural documentation; Health Canada’s PeopleSoft Business Case; Information Systems
Audit and Control Association – CoBiT; Institute of Internal Auditor’s Global Technology
Audit Guide; Information Technology Infrastructure Library; Treasury Board Secretariat’s
Operational Security Standard – Management of Information Technology Security; Policy on
Government Security; Directive on Privacy Practices; Directive on Privacy Impact
Assessments; and Health Canada’s Policy on Electronic Use of Networks.

5. Statement of conformance
In the professional judgment of the Chief Audit Executive, sufficient and appropriate
procedures were performed and evidence gathered to support the accuracy of the audit
conclusion. The audit findings and conclusion are based on a comparison of the conditions
that existed as of the date of the audit, against established criteria that were agreed upon with
management. Further, the evidence was gathered in accordance with the Internal Auditing
Standards for the Government of Canada and the International Standards for the
Professional Practice of Internal Auditing. The audit conforms to the Internal Auditing

Portfolio Audit and Accountability Bureau Page 3


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Standards for the Government of Canada, as supported by the results of the quality assurance
and improvement program.

Portfolio Audit and Accountability Bureau Page 4


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

B - Findings, recommendations and management responses


1. Governance

1.1 Oversight
Audit criterion: There is a well-defined and applied governance regime that provides for the review
and oversight of stakeholder needs and data quality.

Health Canada and the Public Health Agency of Canada have an established governance
structure that provides for senior management oversight of stakeholder needs, data quality
and unresolved problems and issues. Oversight is provided by the PeopleSoft Shared Services
Partnership Governance framework. This framework supports the Partnership in strategic
planning, management and day-to-day operations by ensuring that the needs of all partners
are considered in the decision-making process.

The PeopleSoft Shared Services Partnership


Governance framework consists of the following
committees:

The Partnership Steering Committee is a


committee at the assistant deputy minister level
responsible for providing strategic direction and
leadership to the Partnership. This Committee is the
final decision-making and dispute resolution level for
the Partnership. It also has the authority to approve
expenditures for major enhancements. It meets three
times per year.

The Partnership Management Committee is a


committee at the director general level responsible
for managing the Partnership. This Committee is the
primary decision-making and dispute resolution level
for the Partnership and also has the authority to
approve expenditures for major enhancements. It
meets three times per year.

The Service Management Committee is a director level committee responsible for ensuring
that service meets the operational requirements of the partners. This committee has primary
responsibility for assessing enhancement requests, and for prioritizing and approving minor
enhancements. It is the first level of resolution for service performance issues and partner
disputes. It is also responsible for reviewing the PeopleSoft Shared Service Dashboard. This
Committee meets bi-monthly.

The Business Relationship Committee is a manager level committee responsible for


managing service performance issues, request priorities and risks. This committee provides

Portfolio Audit and Accountability Bureau Page 5


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

input to the annual processes to update governance, service levels and the funding model to
develop the annual enhancement/maintenance plan. It meets monthly to discuss options and
issue resolutions, review concerns, register and review risk and register enhancement
requests.

The Business Working Group is a manager level committee consisting of subject matter
experts in their respective human resources functional areas. It was formed to investigate and
resolve common and/or function-specific issues in the areas of compensation, staffing,
classification and labour relations. This group meets as required.

The Service Operation Committee is a manager level committee responsible for managing
service performance issues, and reviewing and discussing incidents and service requests. This
Committee meets as required.

From interviews with key human resource staff who are members of the various committees
and working groups, along with a review of committee minutes and records of decisions from
the Partnership Management Committee, Service Management Committee, Business
Relationship Committee and the business working groups, it was noted that Health Canada
and the Public Health Agency of Canada have been active participants in the PeopleSoft
shared governance regime. Oversight is being provided at all levels of the Partnership
governance. From a review of the PeopleSoft problem logs, it was also noted that stakeholder
needs and problems, with a few exceptions, are being addressed in a timely manner.

Data governance

Human Resources Senior Management Committee

Health Canada and the Public Health Agency of Canada implemented a PeopleSoft Data
Integrity Strategy in September 2012, under the direction of the Human Resources Services
Management Committee, to address issues of data quality. The Human Resources Services
Management Committee, chaired by the Director General of Human Resources, is
responsible for setting the direction of the Data Integrity Forum (described further below),
receiving and assessing the results of the data integrity dashboard, influencing the human
resource community and approving human resource process changes.

The purpose of the PeopleSoft Data Integrity Strategy is to address the following:
 to identify PeopleSoft data quality issues;
 to identify roles, responsibilities and accountabilities of stakeholders involved in the
PeopleSoft data life cycle; and
 to establish methodologies for measuring errors and an action plan to implement activities
for permanently maintaining a high level of data quality in PeopleSoft.

A data quality control framework has been established to address data quality issues. Within
this framework, five distinct groups have been identified:

Portfolio Audit and Accountability Bureau Page 6


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Data Integrity Forum

The Data Integrity Forum consists


of representatives from all human
resources disciplines, along with
the Human Resource Reports
Team, the Human Resource
Systems Team and the PeopleSoft
Project Team. It has been set up to
identify issues that relate to data
integrity, confirm data ownership
and identify the action items for
each stakeholder.

Data owners/Business owners

The data owners are represented


by the human resources functional
areas (staffing, classification, compensation, security and labour relations) and are
responsible for creating data and maintaining data quality. They ensure that data are input
correctly into PeopleSoft. They receive and analyze data quality error reports, confirm
ownership and accountability, and validate business rules and corrections. Data owners are
responsible for correcting data errors and for ongoing monitoring of the data.

Data stewards

Data stewards, under the direction of the Director of Human Resources Planning, Analysis
and Systems, produce data quality reports. Data is analyzed to ensure that processes and
system rules are validated. Once the errors have been validated, the error reports are
distributed to the data owners. Data stewards are also responsible for following up with data
owners about actions and decisions taken to correct the errors.

PeopleSoft users

The PeopleSoft users are employees, contractors, consultants, temporary help or third parties
with whom special arrangements have been made to grant access to PeopleSoft. This class of
user has been granted explicit authorization to access, edit, modify, delete, use and view
information by the data owner. The data owners must authorize access. The data stewards
monitor access controls on behalf of the data owners.

Overall, there is a well-defined and applied governance regime that provides for review and
oversight of stakeholders’ needs and data quality.

Portfolio Audit and Accountability Bureau Page 7


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

1.2 Roles and responsibilities


Audit criterion: Roles and responsibilities are defined, communicated and carried out in
support of the system used to manage human resource business processes.
Roles and responsibilities for managing PeopleSoft within Health Canada and the Public
Health Agency of Canada are defined in three documents: the PeopleSoft Project Charter, the
PeopleSoft Shared Services Partnership Governance framework and service agreements.

Within Health Canada and the Public Health Agency of Canada, the responsibility to support
PeopleSoft and the business owners who use the system lies with the Director of Human
Resource Planning, Analysis and Systems. The PeopleSoft Systems Team, which is currently
supported by four system officers, provides systems support to all human resource functional
areas in Health Canada and the Public Health Agency of Canada. The team’s duties consist of
troubleshooting technical systems, providing guidance to end-users and providing user access
to PeopleSoft. They also play an important role in the Data Integrity Strategy by providing
system knowledge to the Data Analysis Team.

Additional roles and responsibilities between Health Canada, the Public Health Agency of
Canada and Agriculture and Agri-Food Canada are further defined in service agreements.
The purpose of the service agreements is to set out the terms and conditions between Health
Canada, the Public Health Agency of Canada and Agriculture and Agri-Food Canada. The
service agreements do not constitute a legal contract; rather, they are administrative
agreements between departments. They do not alter the existing authority and accountability
to execute its various roles and responsibilities in managing human resource activities. They
do, however, add a shared responsibility to make the Partnership work successfully for all
within it (see Audit Criterion 1.1 above).

In conclusion, roles and responsibilities between Health Canada, the Public Health Agency of
Canada and Agriculture and Agri-Food Canada are well defined, communicated and carried
out in support of PeopleSoft.

2. Risk management

2.1 Management of operational risks


Audit criterion: Risks associated with the use of PeopleSoft are effectively managed.

The Assistant Deputy Minister, Corporate Services Branch, and his senior members of their
branch executive committees ensure that there is a clearly defined governance structure to
addresses risk issues across strategic, program and project levels. On the basis of interviews
with key human resource executives and managers and a review of documentation, the
following risks associated with the use of PeopleSoft in Health Canada and the Public Health
Agency of Canada were identified:

Portfolio Audit and Accountability Bureau Page 8


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

 the inability to customize the standard PeopleSoft configuration as a result of restrictions


placed on Health Canada and the Public Health Agency of Canada as members of the
cluster and by the Treasury Board Secretariat;
 human resource staff resistance to change in new business practices associated with the
use of PeopleSoft;
 a shortage of skilled resources in PeopleSoft within Health Canada and the Public Health
Agency of Canada;
 data integrity; and
 the protection and safeguarding of employee information.

These risks are receiving oversight on two fronts: through the PeopleSoft Shared Services
Governance Partnership and the Human Resource Services Management Committee
(consisting of departmental senior executives). Health Canada and the Public Health Agency
of Canada, in collaboration with their partners, have been able to manage the inability to
customize PeopleSoft by developing solutions and workarounds to address human resource
functional and reporting requirements. It should be noted that the Chief Human Resource
Officer, Treasury Board Secretariat, has recently requested departments and agencies to not
make changes to the standard configuration of PeopleSoft.

With any major change, there is the inherent risk of resistance to change. The Directorate has
managed this risk by ensuring that human resources staff using PeopleSoft for the most part
are trained, as well as by promoting the benefits of its use.

Health Canada and the Public Health Agency of Canada had identified in original project
scoping documentation that there would be a shortage of PeopleSoft skills in-house if they
were to host their own instance of PeopleSoft. To address this risk Health Canada and the
Public Health Agency of Canada have been able to take advantage of the pre-existing
knowledge of PeopleSoft of other members within the human resources cluster.

Data integrity risk is being managed by the Data Integrity Strategy, which has been
previously discussed for Audit Criterion 1.1 and is further discussed for Audit Criterion 3.3.
To date, there has been only one meeting of the Data Integrity Forum. No minutes from the
meeting were taken, so it is difficult to determine the nature of the discussions that took
place. Analysis of the data is being conducted by the data stewards, and the findings are being
presented to Human Resource Services Management Committee for review. In addition, data
stewards have been working with the data owners to address issues concerning data integrity.

It was noted that no risk register is being used by either the PeopleSoft Shared Services
Governance Partnership or Human Resource Services Management Committee. A threat and
Risk Assessment was prepared by Health Canada in September 2011 for PeopleSoft. The
threat and risk assessment, which was approved by both Health Canada and the Public Health
Agency of Canada’s senior management. It indicated potential risks to the security of
employee information. Only recently have these risks received attention by the PeopleSoft
Shared Services Partnership Governance. This is explained further for Audit Criterion 3.4.

Portfolio Audit and Accountability Bureau Page 9


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

The audit concluded that operational risks related to PeopleSoft are being managed
informally. A formal approach to managing operational risks would ensure that risks are
managed in an effective manner.

Recommendation 1
It is recommended that the Assistant Deputy Minister, Corporate Services Branch
(Shared Services Partnership) develop a formal approach, including the use of a risk
register, to managing the operational risks of using PeopleSoft, in order to identify,
assess and mitigate risks.

Management response
Management agrees with the recommendation.

PeopleSoft partners will be informed of the requirement for Health Canada and the Public
Health Agency of Canada to establish a risk register. A risk register will be developed and
approved by the Assistant Deputy Minister of the Corporate Services Branch and shared with
PeopleSoft partners.

The Human Resources Services Management Committee will review the risk register on a
quarterly basis, thereby ensuring that risks are being managed.

3. Internal controls

3.1 Management of change


Audit criterion: Health Canada and the Public Health Agency of Canada have effectively managed
the changes required to maximize the benefits of PeopleSoft for the classification, staffing and
compensation functions.

In general, the drivers for change are activities, pressures or events that influence the strategic
direction within an organization. In 2009, Health Canada and the Public Health Agency of
Canada recognized the need to move from its legacy system (HR Advantage) to PeopleSoft.
The HR Advantage system could no longer provide the business functionality required to
manage human resource business transactions. In addition, there was a government-wide
requirement for departments and agencies to use PeopleSoft. Health Canada and the Public
Health Agency of Canada had determined that it would be more cost-effective to participate
in a partnership arrangement than for them to host their own instance of PeopleSoft.

The expected benefits of using PeopleSoft were many, such as streamlining business
processes, improving client service, achieving greater efficiency, improving the staffing
process and management accountability, and improving the capacity to deliver human
resource products and services. A detailed list of anticipated benefits is provided in Appendix
E. In order to realize the full potential of the application, the Corporate Services Branch
developed strategies for the transition of both organizations to a new way of doing human
resource business, such as the Change Management Strategy (2011), the Communications

Portfolio Audit and Accountability Bureau Page 10


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Strategy (2010), the Fit-Gap Analysis (2010) and a detailed implementation plan. Each of
these was designed with the intent to maximize the benefits of PeopleSoft.

The audit examined the staffing, classification and compensation functions to determine how
change was managed to maximize the benefits of using PeopleSoft.

Staffing

Staffing actions are processed mainly by using the Workforce Administration Module in
PeopleSoft. This module manages personal, job and employment-related information about
employees, as well as the management of assignment-related information, acting assignments
and appointments.

A significant change associated with the implementation of PeopleSoft has been the addition
of the Recruitment Module. At the time of the audit, this module has been partially
implemented; its full rollout is anticipated by November 2013. New functionality has been
introduced, such as Express Lane Staffing actions that allow managers to initiate a staffing
request directly into PeopleSoft (Express Lane Staffing self-service). Express Lane Staffing
was rolled out at the time PeopleSoft was implemented. Managers are able to quickly process
low-risk staffing transactions, such as assignments, casuals, non-advertised deployments,
secondments, and term extensions. In addition, administrative officers can access
functionality on behalf of managers. Express Lane Staffing has been offered to all branches
in the National Capital Region, but only a few are using this functionality. No training has
been provided to managers outside of human resources in using Express Lane Staffing. Some
managers have also indicated to their human resources advisors that they find Express Lane
Staffing to be very complicated. Lastly, it was noted that cost centre managers were advised
in August 2013 that a staffing action request, with approval by the branch senior financial
officers, is now required for processing a staffing action using Express Lane Staffing for
Health Canada. On the other hand, for the Public Health Agency of Canada a separate
financial approval by financial officers of the Office of the Chief Financial Officer is not
required for all staffing action requests.

In conclusion, Health Canada and the Public Health Agency of Canada have not yet achieved
the anticipated benefit of using Express Lane Staffing.

Classification

Classification work is accomplished using mainly the Position Management Module in


PeopleSoft. The module is used to create and manage work descriptions, classification
decisions and associated positions, including language requirements. Also, it is used to
manage designation/exclusion information related to positions.

The implementation of PeopleSoft does not represent a significant change in how business
transactions are being processed. The classification action request form is being used for
input to create the expanded position action request report. Currently, PeopleSoft does not

Portfolio Audit and Accountability Bureau Page 11


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

provide for digital signatures, and therefore a hard copy of the classification action request is
still required as part of the input process.

Compensation

The most notable improvement in PeopleSoft services has been seen in the self-service
functions, namely the self-service leave and personal information updates, which have
reduced service requests and integrated process functions to one system.

Compensation work is accomplished using mainly the Workforce Administration and Pay
Interface modules in PeopleSoft. The implementation of the PeopleSoft Pay Interface
represents a significant change in the way compensation advisors process pay-related data.
Pay data is no longer entered into the Regional Pay System; rather, it is directly entered into
the PeopleSoft Pay Interface. Pay transactions must follow the process flow, which includes
peer verification, before they can be processed by the PeopleSoft Pay Interface. There is an
additional layer of security for access to the PeopleSoft Pay Interface that is provided only to
compensation advisors. Internal controls have been strengthened in this regard. It was noted
during the course of the audit that not all pay-related transactions were processed in the same
manner (that is to say that workforce adjustment and overtime were also being processed in
the Regional Pay System). The latter transactions may need to be re-entered into the
PeopleSoft Pay Interface, resulting in a duplication of efforts. There was no clear direction
coming from human resources management regarding instances of when the Regional Pay
System was permitted to be used.

It should be noted that the Compensation Unit will commence transferring pay and benefit-
related information to Public Works and Government Services Canada as part of the
Government of Canada’s Pay Modernization Initiative, starting in November 2013. Under
this Initiative all pay and benefit-related activities will be managed centrally by Public Works
and Government Services Canada.

In conclusion, Health Canada and the Public Health Agency of Canada have managed most
changes well and have benefited from the changes. It has not yet realized, however, the
anticipated benefit of using Express Lane Staffing. Additional guidance to compensation
advisors is required regarding the use of the PeopleSoft Pay Interface and the Regional Pay
System.

Recommendation 2
It is recommended that the Assistant Deputy Minister, Corporate Services Branch
(Shared Services Partnership), in collaboration with the Director General, Financial
Operations Directorate (Shared Services Partnership), ensure that Express Lane
Staffing be reviewed in order to determine how to maximize its use.

Portfolio Audit and Accountability Bureau Page 12


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Management response
Management agrees with the recommendation.

Management will seek endorsement of Express Lane Staffing by Partnership Executive


Committee in October 2013 on the understanding that appropriate compensatory full-time
equivalent/salary controls will be identified.

Recommendation 3
It is recommended that the Assistant Deputy Minister, Corporate Services Branch,
(Shared Services Partnership) ensure that guidance is provided to compensation
advisors concerning the use of the PeopleSoft Pay Interface and the Regional Pay
System.

Management response
Management agrees with the recommendation.

The Compensation Unit will update and distribute enhanced standard operating procedures
for the PeopleSoft pay interface and the Regional Pay System to all compensation advisors.

3.2 Standardization of business processes


Audit criterion: The implementation of PeopleSoft has led to the standardization of business
processes for the classification, staffing and compensation functions.

As part of the Government of Canada’s Human Resources HR Modernization Initiative, the


Office of the Chief Human Resources Officer was mandated to coordinate and design
enterprise-wide alignment of human resource business processes for more effective and
efficient departmental operations (see Appendix C). To achieve the aims of the Initiative and
promulgate the adoption and use of common human resource business practices and
processes, Health Canada and the Public Health Agency of Canada developed a business case
for PeopleSoft (Sept. 2009) with the purpose of replacing the aging HR Advantage legacy
system. The business case objective was to adopt a human resources system that met
evolving business needs and could be aligned with the Government of Canada’s strategic
direction by providing a wide range of electronic services and taking full advantage of
technical solutions, such as a fully integrated learning management system, enhanced
reporting and an end-to-end business model. This would provide enhanced service to clients,
improved data integrity and uniform processes for Health Canada and the Public Health
Agency of Canada. The current PeopleSoft configuration (v8.9) and its accompanying
business processes have been recognized by the Office of the Chief Human Resources Office,
Treasury Board Secretariat of Canada, as the Government of Canada standard for processing
human resources business transactions.

Portfolio Audit and Accountability Bureau Page 13


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

PeopleSoft is designed to ensure that there is a systematic approach to processing human


resource business transactions. To complete a human resource business transaction in
PeopleSoft, all previous steps must be completed before the process can advance to the next
step. The entry of transactions and data must follow the integrated business process flow. It
was noted from a review of hard copy files that the human resources process is still very
much a paper-based process. Human resource information from paper-based forms, such as
the classification action request and staffing action request, that are used for input into
PeopleSoft, requires verification and approval before the information is entered into the
system. PeopleSoft does not provide digital signatures. Therefore, a paper-based form must
still be relied on for input into PeopleSoft.

The audit team reviewed business process documentation and hard copy files from the
staffing, classification and compensation functions. The following observations were made
below.

Staffing

The audit team reviewed internal advertised/collective staffing and casual, non-advertised
deployment or term extension staffing actions. A documented business process exists for
each of these staffing actions. In addition, on the basis of a review of hard copy staffing files
with PeopleSoft process documentation, it can be concluded that there are standard business
processes for managing staffing actions.

Classification

The audit team reviewed the “Create a Position” and “Change to a Position” classification
processes. It was noted that a documented business process exists for each of these
classification actions. Moreover, on the basis of a review of hard copy classification files with
the PeopleSoft process documentation it can be concluded that there are standard business
processes for managing classification actions. The Classification Action Request form is the
basis for classification undertaking to create or update a position. This form is used for all
classification actions.

Compensation

The audit team reviewed the “Taken on Strength,” “Leave without Pay,” and “Transfer In”
compensation actions. It was noted that a documented business process exists for each of
these compensation actions. Based on a review of compensation files with the PeopleSoft
process documentation, it can be concluded that there are standard business processes for
managing compensation actions. In addition, it was noted that pay and benefit information is
being entered in both the PeopleSoft Pay Interface (E-Pay card) and the paper-based pay card
for Health Canada, resulting in a duplication of effort.

The implementation of PeopleSoft has led to more standardization of business processes for
the classification, staffing and compensation functions.

Portfolio Audit and Accountability Bureau Page 14


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

3.3 Data integrity


Audit criterion: Procedures, processes and controls exist to ensure that human resource
data are complete, accurate and timely.

Data integrity is crucial for the reliability of the PeopleSoft system. If data is unreliable, key
reports are compromised and user acceptance is reduced. The Human Resource Services
Management Committee has identified data quality in PeopleSoft as a high priority in the
Human Resources Directorate. The implementation of the Data Integrity Strategy was put
into place to elevate the importance of having high quality information.

Transaction processing in the classification, staffing and compensation areas is accomplished


using a paper based manual system, and it is not until the end of the transaction that the data
is entered into PeopleSoft. The examination of procedures, processes and controls was
conducted in the staffing, classification and compensation functions.

Staffing

Procedures and processes for managing staffing activities are well documented in the
PeopleSoft training manuals. Based on interviews with officials from the staffing unit and a
review of documentation, it was observed that procedures and processes were being followed.
The audit team selected a sample of 30 staffing records (16 indeterminate – internal
advertised files – and 14 Express Lane Staffing files), namely casual and secondment with
the focus on key information contained in the staffing action request (that is to say action
reason, employment type and effective dates) and appropriate approval authority. The
staffing information recorded in PeopleSoft was compared with that in the hard copy files. No
significant errors were found. Two PeopleSoft staffing transactions could not be substantiated
because the hard copy files could not be located. Lastly, it was observed that each hard copy
file included a completed checklist to ensure that all information recorded in PeopleSoft was
accurate and complete.

Classification

Procedures and processes for managing classification activities are well documented in the
PeopleSoft training manuals. Based on interviews with officials from the classification unit
and a review of documentation, it was observed that procedures and processes were being
followed. The audit team reviewed a sample of 28 classification records (12 “Create a
Position” and 16 “Change to a Position” files) with a focus on key information contained in
the classification action request and the Employee Performance Agreement and Review (that
is to say classification code, action reason, and effective dates). No significant errors were
found.

Lastly, it was observed that each hard copy file contained a checklist. Upon further review it
was noted that many of the checklists were not being completed. This is an important quality
assurance mechanism to ensure that data entered into PeopleSoft has been verified and
validated.

Portfolio Audit and Accountability Bureau Page 15


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Compensation

Procedures and processes for managing pay and benefit activities are well documented in the
PeopleSoft training manuals. Such activities were followed, with exceptions noted for Audit
Criterion 3.1.

Three pay and benefit type activities were selected for review. These business activities were
“Transfer-In,” “Leave Without Pay,” and “Taken on Strength”. A sample of 36 compensation
records were reviewed (8 “Transfer-In,” 10 “Leave Without Pay,” and 18 “Taken-on-
Strength” records were selected). Key information reviewed for each of the pay transactions
included start and end dates for “Leave Without Pay,” pay list and pay office number, leave
and salaries. There were no significant errors identified in the sample. All transactions
reviewed in the sample showed sufficient peer review. Additional information obtained by
the data stewards (see Audit Criterion 1.1) has revealed that a high number of employees
were missing their pension start date, or that the information in PeopleSoft did not match
what was in the Regional Pay System. In addition, a number of employees were missing their
continuous service date, or the date in PeopleSoft did not match what was in the Regional Pay
System. The existence of these errors has been confirmed by the Compensation Unit. The
incorrect date could have a negative impact on employee continuous service awards. It was
also noted that there was no set frequency in how often data stewards produced error reports
and how often the information was provided to the human resources functional areas. Finally,
once the errors have been provided to the subject matter experts, there was no evidence to
support regular follow-up to achieve timely correction of the errors. This shortcoming could
affect the quality of the reports generated from PeopleSoft and ultimately the decisions made
by management.

In conclusion, the Data Integrity Strategy has produced some positive results. Errors and the
source of the errors are being identified in PeopleSoft. There is an increased awareness of the
importance of high quality data in PeopleSoft. In addition, the Strategy has resulted in a
collaborative effort towards data quality by all functional areas in the Human Resources
Services Directorate and has established processes for data quality assurance, assessment and
correction. The completeness and accuracy of data in PeopleSoft would be improved with
regular error reporting and timely follow-up.

Recommendation 4
It is recommended that the Assistant Deputy, Corporate Services Branch (Shared
Services Partnership), ensure that processes and procedures are put in place to achieve
timely correction and follow-up of the errors identified in PeopleSoft.

Portfolio Audit and Accountability Bureau Page 16


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Management response
Management agrees with the recommendation.

The Human Resources Services Directorate will strengthen data integrity controls by:

1) documenting data integrity procedures;


2) maintaining a list of all data integrity issues, including a description, the frequency,
Impact, and criticality;
3) ensuring that data owners (that is, human resources directors) receive error
reports on a bi-monthly basis;
4) requiring data owners to report on remediation actions and progress on a bi-monthly
basis; and,
5) providing bi-monthly progress reports to the Human Resource Services Management
Committee.

As part of the normal business process, Compensation will make manual leave adjustments in
the following circumstances:
 employee has transferred from another department and his/her leave account is being
established;
 leave request is received after year-end close, and therefore the carried over balance needs
to be adjusted (increased or reduced depending on the situation);
 a review of the employee’s leave file indicates that he/she has been allotted more/less
leave than that to which he/she is entitled; and
 request by Labour Relations Division as a result of mediation or settlement.

In a further analysis, of 4,175 manual leave adjustments in PeopleSoft, auditors found 456
manual leave adjustments that were made without an explanation for the change. PeopleSoft
provides a text field (not a mandatory field) for providing an explanation for the adjustment.
There was insufficient information in PeopleSoft to determine the reason for the leave
adjustment. It was also noted that PeopleSoft accepts manual leave entries without
verification by someone other than the individual making the change. This is an important
internal control that is missing. It is difficult to determine the validity of the adjustment
without an explanation and the accompanying verification.

Recommendation 5
It is recommended that the Assistant Deputy Minister, Corporate Services Branch
(Shared Services Partnership), ensure that all manual leave adjustments are sufficiently
explained and verified in PeopleSoft.

Portfolio Audit and Accountability Bureau Page 17


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Management response

Management agrees with the recommendation.

Compensation will update and communicate enhanced standard operating procedures for
manual leave entries in PeopleSoft, specifying requirements for explanatory notes and leave
transaction approvals.

Compensation will implement regular quality assurance reviews of randomly selected files to
document that standard operating procedures are being followed.

Pay system reconciliation

Pay transactions are created in the PeopleSoft Pay Interface, and verified and authorized
through the primary edits in the Pay Interface before being submitted to the Regional Pay
System by way of a batch process. In the Regional Pay System, they receive final edits and
processing. The batch process pulls only the authorized transactions. During the batching
process, the authorizer (that is, financial officer) reviews and authorizes the batch run using
the Batch Summary Fax form. Once the process is complete, each authorizer (financial
officer) receives an email message containing a link to a summary report produced by the
Regional Pay System. Five copies of the authorized batch summary faxes were reviewed. No
errors or anomalies were found.

Once the Regional Pay System receives the batch file, the system runs the batch through a
series of secondary edits. If there is an error, in that the data in the Regional Pay System does
not match the data in the PeopleSoft Pay Interface, the transaction will be rejected and is
returned to the Compensation Specialist’s work list as they would when pay data are
submitted. Corrections are made, and the edit process begins all over again. All transactions
that pass the edits in the Regional Pay System are processed in the batch run. The Regional
Pay System then sends a file containing the results of the validated transactions the following
morning, which is uploaded to the PeopleSoft Pay Interface. The batch summaries produced
from the PeopleSoft Pay Interface contain the number of transactions, types of transactions,
the total dollar amount and the name of the financial officer who authorized the transactions
for payment. However, the Regional Pay System does not acknowledge the total number of
transactions processed and the total dollar amount of the transactions received from the
PeopleSoft Pay Interface. Without a reconciliation of control totals between the two systems
it is difficult to determine whether all pay transactions have been received from the
PeopleSoft Pay Interface.

Recommendation 6
It is recommended that the Assistant Deputy Minister, Corporate Services Branch
(Shared Services Partnership), ensure that there is reconciliation between the Regional
Pay System and the PeopleSoft Pay Interface.

Portfolio Audit and Accountability Bureau Page 18


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Management response
Management agrees with the recommendation.

Corporate Compensation and the Chief Financial Officer Branch will produce a tool that will
easily compare and identify discrepancies between the two systems.

Corporate Compensation has requested a report from Public Works and Government Services
Canada that will show the number of Regional Pay System transactions and their financial
impact. This data will then be compared with a PeopleSoft report, and any discrepancies
between the two systems will be identified and corrective action taken.

3.4 Protection of personal information


Audit criterion: Health Canada and the Public Health Agency of Canada address risks to
the confidentiality of employee information (personal information) by ensuring that sensitive
data are protected in accordance with Government of Canada policies and directives.

Privacy

Under the Treasury Board Secretariat’s Policy on Privacy Protection, deputy heads are
required to establish practices for the management and protection of personal information
under their control to ensure that the Privacy Act is administered in a consistent and fair
manner. The Directive on Privacy Practices supports the policy by setting out the
requirements for sound privacy practices and management of personal information. Taken
together, the Policy on Privacy Protection and its related directives and guidelines are the
instruments upon which a sound privacy management strategy within government institutions
is structured. Departments and agencies are required to prepare a privacy impact assessment
for any new or substantially modified program activity involving the creation, collection and
handling of personal information. Employee information has been designated as being
personal information and rated to the Protected B level.

In accordance with the Treasury Board Secretariat’s Directive on Privacy Impact


Assessments, privacy implications must be appropriately identified and assessed, and privacy
risks mitigated with new or modified systems hosting personal information before they are
implemented. The audit findings conclude that the Health Canada and the Public Health
Agency of Canada deployment of PeopleSoft was not in compliance with the Treasury Board
Secretariat’s risk mitigation directives.

The scope of the Health Canada and the Public Health Agency of Canada approved privacy
impact assessment, completed in December 2011, identified seven risks, two of which were
rated as high. The privacy impact assessment did not encompass the analysis of personal
information risks related to the deployment and use of PeopleSoft. The privacy impact
assessment was confined to the data conversion and implementation of base PeopleSoft
modules only.

Portfolio Audit and Accountability Bureau Page 19


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

A subsequent privacy impact assessment was prepared in May of 2013 whose scope did
encompass an examination and assessment of the use and disclosure of personal information
by the human resources functional areas in an operational environment using the PeopleSoft
system. Of the 17 risks, two have been rated as high, and 15 have been rated as moderate.
Moreover, the three risks identified in the 2011 privacy risk assessment have also been raised
in the 2013 PIA. The only high risk that was identified in 2011 that continues to exist today
concerns information sharing between Health Canada, the Public Health Agency of Canada
and Agriculture and Agri-Food Canada. Further clarity regarding control and custody of
personal information should be reflected in the service agreement or an information-sharing
agreement. It was also noted that there was no separate service agreement or information-
sharing agreement for the Agency in this regard. Personal information in the control of the
service provider could be at risk with regard to its use, disclosure and access.

A draft management response and action plan has been prepared in response to the
recommendations in the 2013 privacy impact assessment. It is anticipated that the
management response and action plan will be approved by the Director General of human
resources by December 31, 2013.

Security

The Government security policy defines information technology security as the “safeguards
to preserve the confidentiality, integrity, availability, intended use and value of electronically
stored, processed or transmitted information.” Between the Government security policy and
the Policy on the Management of Government Information, mandatory requirements are
established for departments to protect information throughout its lifecycle. These policy
requirements are expanded upon by the Treasury Board Secretariat’s Operational Security
Standard for the Management of Information Technology Security. The standard forms the
backbone of the Government of Canada’s risk management philosophy and management of
information technology security risks: to prevent the compromise of information technology
systems by mitigating the risks before deploying systems in a production environment.

The operational security standard requires departments to conduct a threat and risk
assessment, a risk management tool used to identify, assess and recommend safeguards to
reduce residual risks to an acceptable level. Section 12.3.3 of the Management of Information
Technology Security standard indicates that following the completion of a threat and risk
assessment, “Departments must have their systems or services certified and accredited before
approving them for operation.” The purpose of certification is to verify that the security
requirements established for a particular system or service are met and that the controls and
safeguards work as intended. The purpose of accreditation is to signify that management has
authorized the system or service to operate and has accepted the residual risk of operating the
system or service on the basis of the certification evidence. The accreditation and
certification, more recently replaced by the security authorization and assessment, is an
effective compensating control of the security standard, whose purpose is to confirm that
deliverables of the threat and risk assessment remedial action plan have been implemented
and that the controls and safeguards work as intended. Approval of the security authorization
and assessment is an implied statement of fact by business owners that sound stewardship

Portfolio Audit and Accountability Bureau Page 20


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

practices and due diligence have been employed in reducing information technology security
risks to an acceptable level, thereby safeguarding the information assets and personal
information in their custody from potential compromise.

Agriculture and Agri-Food Canada’s instance of PeopleSoft had not been certified or
accredited when Health Canada and the Public Health Agency of Canada implemented it in
November 2011. Health Canada and the Public Health Agency of Canada had obtained an
interim authority to operate, granted under a conditional agreement that risks be reduced to
acceptable levels within a prescribed period (generally six months). Agriculture and Agri-
Food Canada has recently informed Health Canada and the Public Health Agency of Canada
that its instance of PeopleSoft has been recommended for final authority to operate and that
formal approval and sign-off for the security authorization and assessment is to be completed
by November 30, 2013.

In conclusion, the risks associated with the protection and confidentiality of employee
information are being addressed. Further attention is required concerning employee
information in the control and custody of the service provider, which should be reflected in
the service agreement or an information sharing agreement

Recommendation 7
It is recommended that the Assistant Deputy Minister, Corporate Services Branch
(Shared Services Partnership), take the necessary actions to improve the protection of
employee information managed by PeopleSoft.

Management response
Management agrees with the recommendation.

Management will review the 2011 threat and risk assessment and develop an action plan for
residual risks.

Management will address the risks identified in the 2013 privacy impact assessment:

1) Require Agriculture and Agri-Food Canada to improve the information sharing and
privacy clauses of the service agreement to meet the standards noted in the 2013
privacy impact assessment.
2) Revise the user privacy notices that are received at system login to more accurately
reflect the terms and conditions of use and the requirements of the Privacy Act.
3) Determine and clearly document the appropriate uses and disclosures of this
personal information (for example, for human resources planning purposes).

Portfolio Audit and Accountability Bureau Page 21


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

C - Conclusion
Overall, Health Canada and the Public Health Agency of Canada control framework for
PeopleSoft to manage the human resource function needs moderate improvement.

There is a well-defined and applied governance regime that provides for the review and
oversight of stakeholder needs, data quality, and unresolved problems and issues. The Data
Integrity Strategy is providing positive results by identifying errors in PeopleSoft. The
Strategy has also resulted in a collaborative effort towards data quality by all functional areas
in the Human Resources Services Directorate and has established processes for data quality
assurance and assessment. One area for improvement is a need for increased follow-up by the
functional areas to achieve the timely correction of errors.

The roles and responsibilities of Health Canada, the Public Health Agency of Canada and
Agriculture and Agri-Food Canada in support of PeopleSoft are well defined in the
PeopleSoft Shared Services Partnership Governance framework, service agreements and the
PeopleSoft Project Charter. Roles and responsibilities are being effectively carried out.

Operational risks related to the use of PeopleSoft are receiving oversight on two fronts:
through the PeopleSoft Shared Services Governance Partnership; and the Human Resource
Senior Management Committee. One area of improvement would be to see the Committee
adopt a more formal approach to risk management, including the use of a risk register to
manage risks related to PeopleSoft.

Health Canada and the Public Health Agency of Canada have managed most changes well,
which has led to improvements in the self-service function, the use of standard business
processes and improved management accountability. Health Canada and the Public Health
Agency of Canada would benefit from using Express Lane Staffing, which will quickly
process staffing transactions.

The classification, staffing and compensation functions are generally following procedures
and processes to manage human resource business transactions. No significant data integrity
errors were found. There were several employee records with important dates recorded
incorrectly in PeopleSoft. Explanations for manual leave adjustments in PeopleSoft need to
be provided and should be verified in PeopleSoft before they are accepted.

Risks associated with the protection and the confidentiality of employee information are
being addressed. Further attention is required for employee information in the control and
custody of the service provider, which should be reflected in the service agreement or an
information sharing agreement

The areas of improvement that have been noted will collectively strengthen the management
control framework for PeopleSoft in support of the human resources function.

Portfolio Audit and Accountability Bureau Page 22


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Appendix A – Lines of enquiry and criteria


Audit of the Human Resources Management Information System

Criterion title Audit criteria

Line of Enquiry 1: Governance

There is a well-defined and applied governance regime that provides for the
1.1 Oversight 2,3,4
review and oversight of stakeholder needs and data quality.

Roles and responsibilities are defined, communicated and carried out in support
1.2 Roles and
of the system used to manage human resource business processes.
responsibilities 1,2,3

Line of Enquiry 2: Risk management

2.1 Management of
operational risks 4,12 Risks associated with the use of PeopleSoft are effectively managed.

Line of Enquiry 3: Internal controls

Health Canada and the Public Health Agency of Canada have effectively
3.1 Management of
managed the changes required to maximize the benefits of PeopleSoft for the
change 12,13,14
classification, staffing and compensation functions.

3.2 Standardization of The implementation of PeopleSoft has led to the standardization of business
business processes11 processes for the classification, staffing and compensation functions.

Procedures, processes and controls exist to ensure that human resource data are
3.3 Data integrity4,9
complete, accurate and timely.
Health Canada and the Public Health Agency of Canada address risks to the
3.4 Protection of
confidentiality of employee information (personal information) by ensuring that
personal
sensitive data are protected in accordance with Government of Canada policies
information5,6,7,8,10
and directives.

Source of information:

1. PeopleSoft Shared Service: Partnership Governance – September 17, 2012


2. Service Agreement for PeopleSoft Shared Service Between AAFC and HC/PHAC – March 7, 2012
3. PeopleSoft Shared Service – Service Level Agreement – February 13, 2013
4. Information Systems Audit and Control Association - CoBit 4.0, 4.1
5. TB – Operational Standard: Management of Information Technology Standard
6. TB- Directive on Privacy Practices – January 31, 2013
7. TB – Directive on Privacy Impact Assessments – April 1, 2010
8. TB – Policy on Government Security
9. Institute of Internal Auditor’s Global Technology Audit Guide – July 2007
10. Health Canada’s Policy on the Electronic Use of Networks
11. PeopleSoft Procedure Manuals and Process Maps
12. PeopleSoft Business Case – September 2009
13. TB – Project Charter – Human Resources Business Solution Project – April 2010 
14. Information Technology Infrastructure Library

Portfolio Audit and Accountability Bureau Page 23


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Appendix B – Scorecard
Criterion Rating Conclusion Rec #

Governance

1.1 Oversight Overall, there is a well-defined and applied governance regime that -
NMI provides for review and oversight of stakeholder needs and data quality.

1.2 Roles and Roles and responsibilities are clearly defined, communicated and carried -
responsibilities NMI out in support of the system used to manage human resource business
processes.

Risk management

2.1 Management of Risks are receiving oversight on two fronts: through the PeopleSoft Shared 1
operational risks Services Governance Partnership and the Human Resources Senior
NMO Management Committee. A formal approach to managing operational risks
related to PeopleSoft would ensure that risks are managed in an effective
manner.

Internal controls

3.1 Management of Health Canada and the Public Health Agency of Canada have managed 2&3
change most changes well, which has led to improvements in the self-service
function and improved internal controls. It has not yet realized, however,
NMO the anticipated benefit of using Express Lane Staffing. Additional guidance
to compensation advisors is required regarding the use of the PeopleSoft
Pay Interface and the Regional Pay System.

3.2 Standardization of The implementation of PeopleSoft has led to more standardization of -


business processes human resource business processes for the classification, staffing and
NMI compensation functions across Health Canada and the Public Health
Agency of Canada.

3.3 Data integrity The Data Integrity Strategy has produced some positive results by 4,5 &
identifying errors in PeopleSoft. Further follow-up is required to ensure 6
that errors are being corrected in a timely manner. The completeness and
NMO accuracy of data in PeopleSoft would be improved with regular error
reporting and timely follow-up. Explanations for leave adjustments in
PeopleSoft need to be provided and should be verified in PeopleSoft before
they are accepted by the system.

3.4 Protection of Risks associated with the protection and the confidentiality of employee 7
personal information information are being addressed. Further attention is required for employee
NMO information in the control and custody of the service provider, which
should be reflected in the service agreement or an information-sharing
agreement.

S NMI NMO NI U NM
Satisfactory Needs Minor Needs Moderate Needs Unsatisfactory Unknown;
Improvement Improvement Improvement Cannot Be
Measured

Portfolio Audit and Accountability Bureau Page 24


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Appendix C – Road map to target state vision

Source of information: Treasury Board Secretariat – Human Resources Modernization: Presentation to the Council of Systems Cluster
Groups (March 2012).

Portfolio Audit and Accountability Bureau Page 25


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Appendix D – PeopleSoft system data flow overview

Portfolio Audit and Accountability Bureau Page 26


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Appendix E – Anticipated benefits of implementing PeopleSoft


Business
Anticipated benefits
focus
Results in a state-of-the-art human resources tool that incorporates best practices and is deemed the
industry leader. This human resources system is used by 26 departments and agencies, aligned with
Strategic the Government of Canada direction for human resources systems and processes, and is endorsed
alignment by Treasury Board Secretariat. It supports common business practices and processes across
government, reduces the reliance on home-grown tools and supports human resources in its day-to-
day activities.
Allows human resources advisors to become more effective and efficient with the introduction of
self-serve tools, the pay interface, an automated pay history card, a sequential position numbering
Improved system, and Government of Canada standard reports.
services Reduces the transactional workload of human resources staff by providing self-serve tools.
Generates the potential for cost reductions associated with leveraging changes/updates or new
common Government of Canada processes as part of continuous process improvement.
Meets the current business needs in the areas of case management and responds to emerging
business requirements.
Allows the department to readily adopt the common business practices and processes being
Delivering
developed and promulgated by Canada Public Service Agency for the whole of government.
human
Offers the department flexibility for future strategic investments and direction.
resources
Makes additional functionality available to the department such as the Online Pay Interface and the
services
ability to leverage the E-Pay card solution from another department.
Supports improved delivery of services, including reduction of training needs of human resources
advisors, reduction of backlog and elimination of multiple entries.
Replaces an outdated, end-of-life system that is inefficient and ineffective, and costly to adjust,
maintain and operate.
Eliminates the unique system and service delivery issues and problems currently encountered by the
department.
Supports a common approach by many users, resulting in a better infrastructure.
Provides a common platform that permits easy integration with other systems and reduces the
Modern
technology interface requirements.
technology
Minimizes technical risks.
Provides ongoing supplier support, including extending the life of the system, as upgrades and
modernization will be part of the vendor support to the product.
Fosters partnership and collaboration with human resources initiatives through other departments
(members of the human resources cluster), initiatives that have the potential to reduce information
technology costs related to enhancements, interfaces, tools, training material and documentation.
Requires the use of standard data and single-source input, which improves data integrity and the
consistency of results for reports and tracking.
Promotes data quality and reliability by supporting the consolidation and sharing of information,
promoting its visibility, and facilitating its transferability and portability among departments.
More Provides the department with a series of best practices and management tools from PeopleSoft
efficient implementation in other departments.
management Requires the use of a common set of integrated business processes for delivery of the full spectrum
of human resources activities.
Offers the department flexibility for future strategic investments and direction.
Translates into efficiencies with the introduction of a pay interface, an automated pay history card, a
sequential position numbering system and Government of Canada standard reports.

Portfolio Audit and Accountability Bureau Page 27


Health Canada and the Public Health Agency of Canada
Audit of the Human Resources Management Information System
Final Audit Report December 2013

Business
Anticipated benefits
focus
Reduces the requirement for human resources staff with specialized and unique skills associated with
the current system.
Reduces the learning curve of human resources advisors who join the department from current
Improved PeopleSoft user departments.
resourcing Allows peer counselling within the 26 cluster departments.
Supports common business processes, which leads to a more stable human resources workforce, by
assisting in the recruitment and retention of human resources specialists as well as facilitating
organizational realignments.
Avoids expenditures on currently planned departmental investments in system upgrades and
independent human resources management systems.
Includes shared development and support costs and offers flexibility for future strategic investment.
Cost
Reduces the cost of training of human resources staff as many in the human resources community will
reduction
already be trained in use of PeopleSoft.
Achieves economies of scale in the operation of application management services, maintenance and
replacement of hardware and infrastructure, and in the periodic major upgrades to new versions of the
system platform.

Source of information: PeopleSoft Business Case – September 2009: Anticipated benefits to participate in a partnership arrangement with
Agriculture and Agri-Food Canada.

Portfolio Audit and Accountability Bureau Page 28


Health Canada and the Public Health Agency of Canada

You might also like