2005-716 RPB Audit Management Control of the Project and Business Management System (PBMS)

December 8, 2006

Recommendation 1

1) It is recommended that the ADM RPB take measures to ensure that complete and accurate data is entered into PBMS in a timely manner, including:

1. ensuring that all RPB staff have clear, documented responsibilities for their timely and accurate data input and usage of PBMS information through regular monitoring and reporting, and that these are enforced;
2. strengthening user access validation; user password controls; coordination of user access to PBMS and BI reports; and
3. establishing and implementing a national training strategy for PBMS users including BI reports.

Departmental Response

1. RP will develop a national direction on the timely input of data into PBMS, that will build on and complement existing regional direction on this subject, in order to ensure a consistent national understanding and to identify national performance norms.
2. RP will complete a review and rationalization of users with PBMS access and develop an access protocol.
3. RP will enhance existing training methods and support for PBMS with a documented training strategy.

OPI/OSI

• DG, PPMS

Implementation Actions

A)

1. Review existing procedures and reporting mechanisms
2. Develop and provide national direction
3. Ensure reports are developed to support monitoring requirements
4. Establish national performance criteria and ensure monitoring of these standards

B)

1. Review and refine application access lists to determine if accounts are still valid.
2. Implement an annual access review protocol
3. Access protocols will be assessed as part of the MITS review identified under 2e below

C)

1. Review and refine existing training planning methods
2. Document and communicate strategy
3. Ensure and monitor the implementation of the training strategy

Action Implementation Date
(Plan provides expected results by date)

A)

1. April 30, 2007
2. June 30, 2007
3. June 30, 2007
4. June 30, 2007

B)

1. Jan. 31, 2007
2. March 31, 2007
3. March 31, 2008

C)

1. Feb. 1, 2007
2. March 31, 2007

Expected Results

1. Timely and accurate input of PBMS data
2. strengthening user access validation; user password controls; coordination of user access to PBMS and BI reports; and
3. Consistent training approach and a national training strategy

Recommendation 2

2) It is recommended that the ADM RPB take cost-effective measures to establish updated systems requirements and processes and monitor them. Remedial actions that are appropriate to PBMS' lifecycle as a legacy system, should include the following:

1. technical performance criteria and targets (including system availability, response time, levels of support, problem tickets, etc.);
2. finalized and disseminated procedures for bridging of data between PBMS, CDFS and other systems as required;
3. documented system modification and change management procedures, and testing and acceptance processes;
4. archiving of data; and
5. a structured approach to identify ongoing business and technical risks related to PBMS.

Departmental Response

1. Through Service Agreement negotiations, RP will establish system performance levels, including infrastructure availability, response times, downtime etc.
2. RP agrees to finalize and disseminate procedures for bridging of data between PBMS, CDFS and other systems as required.
3. RP will document system modification and change management procedures, including testing and acceptance processes.
4. RP has been aware of the issues related to data archiving in PBMS for sometime. Prudent investment management related to aging assets and competing priorities have resulted in no action being taken to date. The timing of the FST project and the BST project, which will lead to the replacement of the PBMS functionality and the closing down of PBMS will be major considerations in the investment decision making and "MITS" projects.
5. RP continues to identify business and technical risks through the Value Management tool, Business Resumption Planning and and "MITS" projects.

OPI/OSI

• DG, PPMS

Implementation Actions

1. Engage ITSB/AMS to establish system performance levels and monitor the system performance levels.
2. Finalize and disseminate procedures for bridging of data between PBMS, CDFS and other systems as required.
3. Review and refine existing documentation.
4. RP will continue to review the appropriateness of investments in PBMS, including data archiving, in the context of our annual RP IT business and investment plan.
5. Identify and mitigate technical risks through ongoing "MITS" project assessments.

Action Implementation Date
(Plan provides expected results by date)

1. April 30, 2007
2. March 31, 2007
3. March 31, 2007
4. Annually by March 31st of each year
5. March 31, 2008 (based on project timelines)

Expected Results

1. Signed service level agreement with ITSB/AMS (application support) and ITSB/SMD (infrastructure)
2. Documented bridging procedures between systems.
3. Procedural document
4. Archiving strategy
5. Documented technical risks and associated mitigation plans