2005-716 Audit of Management Control of the Project and Business Management System (PBMS) - Final Report

December 8, 2006

Table of Contents

• Executive Summary
• 1. Introduction
  • 1.1 Authority for the Project
  • 1.2 Objectives and Scope
  • 1.3 Audit Approach and Methodology
  • 1.4 Background
• 2. Findings, Conclusions and Recommendations
  • 2.1 Key Findings
    • 2.1.1 Management Controls that ensure PBMS data integrity
    • 2.1.2 Management controls that assess if PBMS supports the achievement of operational, management and business transformation objectives in RPB
  • 2.2 Conclusions
  • 2.3 Recommendations
• Appendix A – Audit Criteria

Executive Summary

The Audit, Assurance and Ethics Committee (AAEC) approved this audit as part of the 2005-2006 Internal Audit Plan.

The objectives of the audit were:

• To assess the management controls to ensure data integrity in the Project and Business Management System (PBMS), and
• To assess the management controls, which enable PBMS to support the achievement of operational, management and business transformation objectives in Public Works and Government Services Canada (PWGSC), Real Property Branch (RPB)

The scope of the audit included:

• An examination of
  • key roles, responsibilities and accountabilities;
  • key system controls and processes;
  • data management controls;
• The identification, assessment and management of data management risks; and
• An examination of the mechanisms in place to ensure that the information meets project and business requirements and the planning process for business and system changes to respond to Real Property business directions and challenges.

For the purposes of this audit, data integrity was defined as the quality of correctness, completeness, timeliness, soundness and compliance with the purpose of the creator of the data. The audit was conducted in the National Capital Area (NCA) through inte rviews with key personnel in the RPB, a system demonstration, and the review of relevant documentation. The audit did not assess supplementary systems, which provide data to PBMS and other real property systems that interface with PBMS, nor did it assess interfaces with the Common Departmental Financial System (CDFS), except for the monitoring of transactions rejected from the interfaces. The audit did not examine application/other system's programming and/or hardware.

The audit was performed in accordance with specific audit criteria, which were developed from the Government of Canada Management Accountability Framework elements (Stewardship; Results and Performance) and Control Objectives for Information Technology.

Context

In the previous audit on RPB risk management, concerns were expressed by Real Property staff regarding the usefulness of PBMS reporting for decision-making. The Annual Audits of the Financial Statement of the Real Property Disposition Revolving Fund identified that extensive reconciliation was required between PBMS and CDFS. RPB has been proactive in requesting this audit to assist them in their determination of the quality and timeliness of their data as well as the identification of other issues that may influence the information use, application and continued viability of the PBMS. In addition, in 2005, RPB undertook a Value Case project, which included PBMS, that was intended to provide a set of tools and measures by which to assess the benefits, costs and risks of RPB investment in information management/information technology (IM/IT) systems.

Other initiatives are currently underway that will have an effect on PBMS. For example, PWGSC is currently involved in an initiative to move the financial management system to a SAP environment. The Real Property Systems group has undertaken a study of reporting options for PBMS to replace the current dated Business Intelligence (BI) reporting tools. A Business Case for this has been developed, dated January 31, 2006, and it is currently pending approval. RPB has also undertaken a Business and Systems Transformation Project that proposes a solution for better integration of the various systems within RPB.

Conclusions

PBMS is a critical, national business information system intended to record and track management information on all RPB projects and operational activities. The system receives data from, and provides data to, other RPB and PWGSC systems, including the CDFS, which is the department's primary financial management and reporting system. In 2005-2006 $1.1 billion in revenues and over $2.8 billion in expenditures were recorded in PBMS with a cost of $4.5 million to maintain the system.

The draft PWGSC Policy on Revenue, Receipts and Accounts Receivable states that "It is PWGSC policy to adopt good cash management practices in order to reduce the government's net cost of borrowing through improved timing of cash flows". This audit concludes that RPB must strengthen its management controls to ensure compliance with this policy. Evidence indicates that the data in PBMS is not entered in a timely manner, although eventually posted, thus impeding PWGSC's financial management responsibilities for revenue capture and cash management. In addition, considerable reconciliation efforts are required to ensure the accuracy and reliability of data that is being bridged to CDFS.

Although PBMS has been in operation for nine (9) years, performance criteria have not been established and hence not monitored or reported. Without supportable measures on PBMS objectives and performance, information for operational intelligence and process engineering is not available. Some elements of risk assessment have been addressed, however, risk assessment has not been formally completed either for individual modules or PBMS as a whole. As a consequence, PBMS current risks are not formally reported, monitored or managed. This could lead to inadequate protection of system data (technical risks) and/or system initiatives that are not focused on the areas of greatest risk in meeting RPB objectives (business risks).

Recommendations

The audit team is mindful that other initiatives underway in the department (SAP, Study of BI reporting tools, BST project) will have a direct impact on PBMS. The functionality of the data currently housed in PBMS is important and will continue, albeit possibly in a different application(s).

With the objective of instituting and maintaining the discipline required for data integrity and systems performance, and in order to comply with the PWGSC Policy on Revenue, Receipts and Accounts Receivable:

1. It is recommended that the ADM RPB take measures to ensure that complete and accurate data is entered into PBMS in a timely manner, including:
   • ensuring that all RPB staff have clear, documented responsibilities for their timely and accurate data input and usage of PBMS information through regular monitoring and reporting, and that these are enforced;
   • strengthening user access validation; user password controls; coordination of user access to PBMS and BI reports; and
   • establishing and implementing a national training strategy for PBMS users including BI reports.
      
2. It is recommended that the ADM RPB take cost-effective measures to establish updated systems requirements and processes and monitor them. Remedial actions that are appropriate to PBMS' lifecycle as a legacy system, should include the following:
   • technical performance criteria and targets (including system availability, response time, levels of support, problem tickets, etc);
   • finalize and disseminated procedures for bridging of data between PBMS, CDFS, and other systems as required;
   • documented system modification and change management procedures, and testing and acceptance processes;
   • archiving of data; and
   • a structured approach to identify ongoing business and technical risks related to PBMS.

1. Introduction

1.1 Authority for the Project

The Audit, Assurance and Ethics Committee (AAEC) as part of the 2005-2006 Internal Audit Plan approved this audit.

1.2 Objectives and Scope

The objectives of this audit were to:

• To assess the management controls to ensure data integrity in the Project and Business Management System (PBMS); and
• To assess the management controls which enable PBMS to support the achievement of operational, management and business transformation objectives in PWGSC, RPB.

The scope of this audit covered the management controls to ensure data integrity and to enable PBMS to support the achievement of operational, management and business transformation objectives in RPB.

The audit did not assess supplementary systems, which provide data to PBMS and other real property systems that interface with PBMS, nor did it assess interfaces with the Common Departmental Financial System (CDFS), except for the monitoring of transactions rejected from the interfaces. The audit did not examine application/other system's programming and/or hardware.

1.3 Audit Approach and Methodology

The audit was conducted between January and April 2006 in the National Capital Area (NCA). The audit was performed in accordance with specific audit criteria, which were developed from Government of Canada Management Accountability Framework elements of Stewardship and Results and Performance, as well as Control Objectives for Information Technology. The detailed criteria are presented in Appendix A – Audit Criteria.

The audit criteria used to assess the management controls to ensure data integrity in the PBMS covered the following:

• The roles, responsibilities and accountabilities;
• The system controls and processes;
• The data management controls; and
• The identification, assessment and management of data management risks.

The audit criteria used to assess the management controls which enable PBMS to support the achievement of operational, management and business transformation objectives in PWGSC, RPB, covered the following:

• The mechanisms that ensure that the information provided by PBMS meets project and business requirements; and
• The planning processes to make changes to the system in response to RPB's strategic direction.

The audit was conducted through interviews with key personnel in RPB, a demonstration of the RPB system, and document review.

1.4 Background

As presented on the RPB website, "The Project and Business Management System (PBMS) application is a tool to assist in the provision of enhanced project management services for our clients in an era of government reductions and fiscal responsibility." PBMS was established in 1997 to provide enhanced project and business management planning, monitoring and reporting.

PBMS is a critical business information system, which requires employees throughout RPB to record and track management information on all of their projects and operational activities. Over 5,500 active users provide input to PBMS. The system also receives data from, and provides data to, other RPB and PWGSC systems, including the CDFS, which is the department's primary financial management and reporting system. PBMS is set up in six regional offices, each operating on a local area network (LAN) with individual databases. There is no automatic electronic national consolidation of data. National information is obtained by querying each regional database and consolidating the results. In 2005-2006, $1.1 billion in revenues and over $2.8 billion in expenditures were recorded in PBMS. Over the same period, $4.5 million was spent in maintaining the system.

The PBMS is a client server based application residing on a shared server environment, developed in Powerbuilder using an Oracle 8i database. The PBMS application consists of seven (7) modules.

1. PM: Project Management
2. TM: Time Management
3. BMP: Building Management Planning
4. WPM: WorkPlan Monitoring
5. RPT: Reporting
6. CatchAll: Environment Services Sustainable Development Performance Reporting
7. DRF: Real Property Disposition Revolving Fund (used by National Capital Area only)

There are two modules which have had limited usage across RPB. Only two of the five reports created by the Reports Module (RPT) are in use and the CatchAll Module has had long standing issues with reliability. Because of their limited usage, it was decided to exclude the RPT and CatchAll modules from the scope of this audit. Due to reporting issues with the PowerBuilder tools used in RPT, BI Tools (Cognos Impromptu and PowerPlay) have been used to meet most PBMS reporting requirements. There is a central BI team that supports reporting requirements. In excess of 200 PBMS reports have been created using BI tools. Of the approximate 5500 users of PBMS, some 800 have access to BI reports.

2. Findings, Conclusions and Recommendations

2.1 Key Findings

The key audit findings are grouped by each of the two (2) audit objectives.

• To assess the management controls to ensure data integrity in the PBMS; and
• To assess the management controls, which enable PBMS to support the achievement of operational, management and business transformation objectives in Public Works and Government Services Canada (PWGSC), Real Property Branch (RPB)

2.1.1 Management Controls that ensure PBMS data integrity

For the purposes of this audit, data integrity was defined as the quality of correctness, completeness, timeliness, soundness and compliance with the purpose of the creator of the data. Through the course of this audit, a number of controls were examined.

i) Data entry

All RPB national systems, including PBMS, are consolidated within the Real Property Information Management and Systems Directorate. Key leads and accountabilities have been identified for PBMS system management activities. The A/Director General, Program and Policy Management Sector is the business owner of all PBMS modules except RPDRF. The owner for the RPDRF module is the Director General, Accommodation and Portfolio Management. The Regional Business Information Administrators (RBIA) are responsible for the accuracy of PBMS data (in the NCA and in each region). The roles and responsibilities for the RBIAs have not been formally documented, which leaves RPB at some risk for inconsistent or incomplete fulfillment of duties related to this role.

Controls for data entry such as mandatory fields, drop down lists and edit and reasonableness checks were found. However, data entry into PBMS is not always timely. Reports were obtained from RPB that indicate significant amounts of un-posted time in the Time Management Module. RPB's own Value Cases on the PM/TM module concluded that with regard to project management activities on a day-to-day basis, information is not always entered in a timely basis. This results in in consistent and incomplete financial and project information for decision-making during the course of the year and undermines user confidence in the data in the system. Although data is eventually entered into the PM/TM modules, the timing of cash flows is negatively impacted during the year. The draft PWGSC Policy on Revenue, Receipts and Accounts Receivable states that "It is PWGSC policy to adopt good cash management practices in order to reduce the government's net cost of borrowing through improved timing of cash flows. As a result, the length of time between the provision of goods and services (or event giving rise to the revenue), the issuance of the related invoices, the receipt of payment and its deposit to the credit of the Receiver General for Canada must be minimized and government assets safeguarded. As per the Treasury Board Policy on Receivables Management, to the extent possible, payment should be required from external clients in advance, or at the same time as the goods or services are provided."

ii) User access

The process to provide user access to PBMS is well defined. The access to PBMS modules is granted regionally by the respective RBIAs using the Common Module System (CMS). Even though initial user access to the system is controlled, there are no processes in place and no requirement to revalidate user access to either PBMS or to the BI reporting tools. Revalidation of access is important to confirm that access remains appropriate and consistent with the control principal of granting access only to those who require it as part of their duties. Some PBMS modules have been live since 1997 and there are currently in excess of 5,500 users (800 users with access to BI tools), while records indicate that there are approximately 3,900 FTEs in RPB. This demonstrates a high risk that existing access is broader than that required by current valid PBMS users. RPB should investigate and rationalize PBMS user accounts. In addition, since there is a license cost associated with each user who has access to Business Intelligence (BI) tools, reducing the number of BI tools users who no longer require access could save money.

Password controls for PBMS users do not exist. Users are required only to provide a network sign-on and, since PBMS is a client-server application, to have the client-side installed on their workstation. Users are not required to enter a user ID and password for authentication to PBMS . An 'IT Security Risk Assessment' is in process for Real Property Systems, including PBMS. RPB has indicated that the IT Security Risk Assessment initiative includes an evaluation of user authentication to systems. The audit team supports RPB's intention to complete the IT Risk Assessment and the implementation of corrective actions based on the assessment.

iii) System back-up

The back-up process for PBMS, as a national system, is managed by ITSB, under a common back-up, storage and retention process that is applied for each of the NCA and regional PBMS databases. This service provides for full back-ups of all PBMS databases nightly, with a one-year retention period for back-ups. The one-year retention period is the ITSB default and is applied unless other specific directions are received from the system owners.

iv) Data archiving

There is currently no data archiving strategy for PBMS data. All data that has been input since 1997 has been retained in the various regional databases, even though much of it is inactive. For example, of the approximately 104,000 NCA projects recorded in PBMS in February 2006:

• 82,000 had been previously closed (79%);
• 2600 had a status of planned or deferred (2.5%); and
• 19,400 were reflected as active (19%) (7700 started before April 1, 2004 & 11,700 after).

A data archiving initiative for RPB systems is at the feasibility study stage, but no decisions have been made with respect to PBMS. Lack of proper archiving of PBMS data could have a negative impact on application performance and stability, requiring longer times to perform system searches, queries, and reporting, and to run various processes. Lastly, storage costs for archived data are generally less than for live data.

v) Historical records of transactions

The system retains an audit trail of PBMS transactions. PBMS modules were found to retain historical information on key fields such as

• project funding amounts;
• funding status and status date for each amendment together with the CDFS bridge status and last bridged date by amendment;
• budget fields, with user id and date stamps of changes made;
• mandatory planned start and end date fields;
• first input date for each of the key date fields, covering preliminary project approval date through to final certificate of completion date;
• individual time charged to projects, permitting a history of total hours worked by employee, and project fees for the timesheets for the employee; and
• billing details, including details generated from CDFS, are non-modifiable, such as: amount invoiced (for all years as well as by invoice), invoice numbers, and invoice dates.

vi) Data transfer to CDFS

The RBIAs are responsible for monitoring bridging transactions between PBMS and CDFS. These responsibilities include billings, commitments, actual expenditures, and time reporting. In addition, RBIAs are responsible for investigating and clearing, rejected data to ensure completeness and accuracy in PBMS. During the audit, we were informed by an RBIA that there were no formal procedures available. The RBIA indicated that each individual RBIA has developed their own notes based on what they were told by their predecessor and what they have learned from experience. Subsequent to the audit, RPB provided, on November 21, 2006 a document dated September 15, 2004 entitled "PBMS CDFS Bridging Process – Version 1", which was, however, incomplete and included references to procedures "still in progress". Technical guidelines for correcting rejections are in the process of being prepared by the Product Support Group; however, this document is not comprehensive in that it does not include procedures that describe the methodology for monitoring the bridges. In the absence of current, formal guidance on required procedures, there is a risk that monitoring and clearing of rejected transactions will be done inconsistently among employees, especially as it applies across the various regions, and over time which would impact the data integrity of PBMS.

vii) User training

Despite the volume of users in the NCA and across all regions, there is no national training strategy or standard training materials, aside from user guides and quick reference cards available on the intranet. To date, training has been the responsibility of each region. Within each region, the RBIAs have been responsible for developing and delivering any PBMS training required in their regions. As this is just one of the responsibilities of the RBIAs, training has not occurred on a regular or consistent basis. Lack of formal training could lead to data integrity issues (accuracy, completeness, and timeliness) and the use of manual systems or other automated applications (spreadsheets) to gather and analyse RPB business management information. Failure to actively communicate to users the available reports may lead to unnecessary re-development efforts, or to user dissatisfaction with a perceived lack of availability of reports.

RPB has formed a National Systems Training Group and there is a central BI team that supports reporting requirements. To date, some PBMS training has been developed for the BMP/WPM modules (in the form of learning tools and workshops), but there is currently no plan for the other modules, especially PM and TM which have the largest number of users. PBMS user guides and the BI Tools user guide have been developed and are updated for release notes by the Product Support team. User guides, release notes, Quick Reference Cards and BI Tools user guide are made available to users on the PWGSC intranet.

viii) Problem management

There is a formal process in place to identify and monitor potentials issues/enhancements regarding the various PBMS modules. Users contact their regional RBIA as the first point of contact for potential issues. RBIAs record issues identified in the Issues/Faults Tracking System (IFTS), including a general description of the problem, date and user identifying the issue, type of issue (typically fault or enhancement), and severity (low, medium, high, critical). The audit found approximately 500 open tickets as at February 2006, dating from April 1, 2004. The RBIAs escalate the issues to the Product Support team as necessary. The Product Support team also receives and logs issues in IFTS directly. Items are assessed, and assigned a priority, which are addressed within the constraints of available resources. RPB indicated that issues with potential benefits across regions are also given consideration.

ix) Change management

There is an established process for program changes to PBMS modules. Regular monthly and quarterly releases are scheduled. Change requests arise from numerous sources and these are documented in IFTS and in 'Harvest' change management software. Technical analysis, design, development and testing are performed and results are tracked in Harvest. Some overview documentation exists for the key steps to be followed for program changes and some draft documentation the testing processes does exist. However, there is no complete documentation for the change management process. This leaves the potential for changes made to the production environment not following all required steps, which could in turn lead to system/programming errors (bugs), or changes not meeting user requirements. Finally, existing change management documentation indicates that user acceptance testing is one of the key steps for all changes. However, user acceptance testing is generally completed by the Product Support team. Although actual end users are sometimes involved in signing off their acceptance of changes made to the system, there are no defined criteria used to determine when to involve end users.

x) Risk assessment

RPB has undertaken certain initiatives that address risk components of PBMS. For example, an 'IT Security Risk Assessment' project is currently in process for Real Property Systems. As part of this project, an initial Security Context and Threat Analysis was completed for PBMS in February 2006. This analysis identified a risk environment as it relates to PBMS security, including related confidentiality, availability and integrity issues. Security risks are to be addressed as part of a subsequent step that includes a gap analysis between required security and existing security, and an examination of options to mitigate risks. It is RPB's plan to derive a set of metrics and to conduct a client satisfaction survey within RPB. The 'Value Cases' completed for each PBMS module in 2005 as part of the overall RPS Value Case project include sections on business and technical risks. However, as risk was not the main focus of this initiative, these sections were inconsistently completed across modules, some modules were not complete for risks and/or mitigation strategies, and technical risks tended to focus on implications to each module of PBMS or risks if interfacing systems were decommissioned.

Notwithstanding these initiatives, PBMS risks are not formally reported, monitored or managed, at either the business or technical levels. In the absence of formal reporting and monitoring, it is not evident that significant risks concerning PBMS are regularly identified. This could lead to a lack of adequate protection of system data (technical risks) and inadequate or inappropriate focus on the areas of greatest risk in meeting RPB objectives (business risks). Given that in 2005-2006, $1.1 billion in revenues and over $2.8 billion in expenditures were recorded in PBMS with a cost of $4.5 million to maintain the system, it is incumbent upon the department to regularly identify and monitor PBMS risks.

2.1.2 Management controls that assess if PBMS supports the achievement of operational, management and business transformation objectives in RPB

The finding of the 'Value Case' project, conducted in 2005 for all Real Property systems, was that no formal performance targets, performance measures, or performance monitoring exists for PBMS. This audit corroborates this finding and supports the creation of performance targets that will provide management with measures for actual against desired performance.

There are a number of significant and strategic initiatives currently underway that may impact the future direction of RPB and RPB management information systems, including PBMS. The most notable are:

• Business Transformation, as a result of 'The Way Forward';
• The move to a SAP environment in 2008;
• The National Project Management System (NPMS), which defines the business requirements for managing projects;
• RPB current efforts to explore options for better integration between RPB systems.

To support integration of changes to PBMS with new business directions, RPB has taken certain measures, such as:

• The responsibility for all RPB national systems has been consolidated into one organizational unit;
• The Policy, Planning, and IM/KM Steering Committee facilitates IT governance for RPB systems;
• Development of an RPB IM/IT Strategy was completed for 2005-2006, with a three-year strategy under development. The development process for the strategy includes steps to align with PWGSC priorities, RPB Business Plan, and RPB Renewal initiatives;
• Reactivation of the Business Information Network (BIN) to include regional, NCA, Finance, and subject matter specialist membership.

2.2 Conclusions

PBMS is a critical, national business information system intended to record and track management information on all RPB projects and operational activities. The system receives data from, and provides data to, other RPB and PWGSC systems, including the CDFS, which is the department's primary financial management and reporting system. In 2005-2006 $1.1 billion in revenues and over $2.8 billion in expenditures were recorded in PBMS with a cost of $4.5 million to maintain the system.

The draft PWGSC Policy on Revenue, Receipts and Accounts Receivable states that "It is PWGSC policy to adopt good cash management practices in order to reduce the government's net cost of borrowing through improved timing of cash flows". This audit concludes that RPB must strengthen its management controls to ensure compliance with this policy. Evidence indicates that the data in PBMS is not entered in a timely manner (although eventually posted) thus impeding PWGSC's financial management responsibilities for revenue capture and cash management. In addition, considerable reconciliation efforts are required to ensure the accuracy and reliability of data that is being bridged to CDFS.

Although PBMS has been in operation for nine (9) years, performance criteria have not been established and hence not monitored or reported. Without supportable measures on PBMS objectives and performance, information for operational intelligence and process engineering is not available. Some elements of risk assessment have been addressed, however risk assessment has not been formally completed either for individual modules or PBMS as a whole. As a result, PBMS risks are not formally reported, monitored or managed. This could lead to inadequate protection of system data (technical risks) and/or system initiatives that are not focused on the areas of greatest risk in meeting RPB objectives (business risks).

2.3 Recommendations

The audit team is mindful that other initiatives underway in the department (SAP, Study of BI reporting tools, BST project) will have a direct impact on PBMS. The functionality of the data currently housed in PBMS is important and will continue, albeit possibly in a different application(s).

With the objective of instituting and maintaining the discipline required for data integrity and systems performance, and in order to comply with the PWGSC Policy on Revenue, Receipts and Accounts Receivable:

1. It is recommended that the ADM RPB take measures to ensure that complete and accurate data is entered into PBMS in a timely manner, including:
   • ensuring that all RPB staff have clear, documented responsibilities for their timely and accurate data input and usage of PBMS information through regular monitoring and reporting, and that these are enforced;
   • strengthening user access validation; user password controls; coordination of user access to PBMS and BI reports; and
   • establishing and implementing a national training strategy for PBMS users including BI reports.
      
2. It is recommended that the ADM RPB take cost-effective measures to establish updated systems requirements and processes and monitor them. Remedial actions that are appropriate to PBMS' lifecycle as a legacy system, should include the following:
   • technical performance criteria and targets (including system availability, response time, levels of support, problem tickets, etc);
   • finalize and disseminated procedures for bridging of data between PBMS, CDFS, and other systems as required;
   • documented system modification and change management procedures, and testing and acceptance processes;
   • archiving of data; and
   • a structured approach to identify ongoing business and technical risks related to PBMS.

Appendix A – Audit Criteria

The audit was performed in accordance with specific audit criteria, which were selected from Treasury Board Secretariat Management Accountability Framework elements (Stewardship: information and IT management, project management and real property; and Results and Performance: information and decision-making, and performance reporting) and Control Objectives for Information Technology.

The audit criteria, as published in the Audit Survey Report, are as follows:

1.1 The management framework for PBMS, primarily key roles, responsibilities and accountabilities, has been defined and communicated throughout the Real Property Branch.

• Key roles, responsibilities and accountabilities have been defined and documented.
• Key roles, responsibilities and accountabilities have been communicated to impacted parties.

1.2 Necessary systems controls and processes have been designed, and are operating in accordance with, departmental policies and procedures.

• Key controls over data input, processing and output have been defined and implemented.
• Monitoring of bridges between PBMS and CDFS occurs, and procedures are in place to identify, investigate and clear transactions that reject from the bridging processes.
• Reporting using Business Intelligence (BI) tools is subject to a controlled process for development and publication of standard BI reports.
• Key controls over user access to the PBMS system modules have been defined and implemented.
• PBMS user guides have been developed and a process implemented to update them for new system releases.
• A training program has been developed and implemented that addresses the needs of the various users of the PBMS system.

1.3 Data management controls have been established and are functioning.

• A problem management process has been defined and implemented to record, track and resolve system problems/incidents.
• A change management process has been defined and implemented to approve, analyze, develop, test, and implement program changes.
• Audit trails are retained for key data fields.
• Adequate back-ups of the six regional databases are taken and retained.
• A data archiving strategy has been defined and implemented.

1.4 Risks to data management are identified, assessed, recorded and brought to the attention of management.

• A risk assessment approach has been defined and implemented for PBMS.
• Risks are monitored and reported on an on-going basis.
• Significant risks are escalated to the attention of management.

1.5 The PBMS system is monitored to provide information on the extent to which operational and management performance objectives set for PBMS are achieved.

• PBMS business and technical requirements have been defined and documented.
• PBMS is monitored for and evaluated against established business and technical requirements.

1.6 A planning process has been established whereby changes are made to PBMS to respond to the business directions of the Real Property Branch.

• Processes and procedures have been established and implemented to monitor and assess PWGSC and RPB business objectives and initiatives.
• Processes and procedures have been established and implemented to integrate business initiatives with future PBMS changes, where required.