Audit of
Information Technology Planning

Final Report

May 14, 2004

Table of Contents

Executive Summary

1.0 Introduction

1.1 Background

1.2 Objectives of the Audit

1.3 Scope of the Audit

1.4 Audit Approach

2.0 Audit Findings

2.1 Management Control Framework

2.2 Investment Management

2.3 Resource Management

2.4 Project Management

3.0 Management Response and Action Plan

Executive Summary

As part of its approved Audit Plan for the 2003-2004 fiscal year, the Internal Audit and Assurance Directorate of the Corporate Management Branch of the Public Service Commission (PSC) undertook an Audit of Information Technology (IT) Planning at the PSC.

The purpose of the audit was to assess the adequacy of the IT planning process with respect to: priority setting for technology investment; funding strategies and sources; business case development; and the decision-making, approval/governance structure. The audit criteria were based on the Control Objectives for Information and related Technology (COBIT) Framework, specifically the planning and organization domain of COBIT, which covers strategy and tactics, and the way IT can best contribute to the achievement of business objectives.

Recently, the PSC has experienced significant change in terms of its mandate, structure and resources; this is expected to continue for the near future. The efficient and effective provision of technology services is seen as a key component of the PSC's delivery of its programs, no matter what changes may occur. Having a sound framework for managing IT will be paramount to the successful use of technology to advance the goals of the organization.

A framework for managing IT in the PSC exists and the various elements that make up the framework are defined and available to all staff on the PSC intranet site. These includes IT policies, committees (mandate, roles and responsibilities), processes (software certification, project management methodology), and procedures (planning, project management). The project management framework for planning, developing and implementing IT projects, if is consistently followed, provides a framework for sound project management.

How IT services will be planned and delivered during and after the transition to the new PSC is an area of concern. Over the last few years, IT planning has been initiated and a number of processes put in place to develop an IT plan. However, despite attempts to formalize and standardize the IT planning process, client commitment to IT planning has been less than supportive. Arising from a combination of historical causes and the current organizational changes, the lack of a partnership between the Information Technology Services Directorate and the business areas is a hindrance to effective IT planning.

The audit concluded that there are opportunities for improvement in the following areas.

• IT planning was initiated but has not been effectively continued at the PSC. There is no IT strategic plan. In order to sustain the IT infrastructure and services in support of program delivery, a formal strategic IT plan is necessary.
  
  
• The leadership provided by ITSD and the capability of the organization to meet PSC business objectives relies heavily on good communication. The level and type of communication between ITSD and program branches are not effective. There is tension and distrust between ITSD and the business areas and there is a lack of partnership to develop and implement IT activities.
  
  
• The PSC is annually investing in IT, i.e. hardware, software and new application development. It is difficult to ascertain if the PSC is investing in information technology effectively and at the level required to effectively support the program areas and to sustain ongoing IT services. Investment in technology often takes place in the last quarter using surplus funds.
  
  
• Despite recent efforts to address the issue of managing information resources, the PSC has not addressed the requirement for an information architecture to optimize the use of information in the organization. Significant work is needed to develop and implement an Information Management (IM) infrastructure and capability.
  
  
• Assessing risk and ensuring the continued provision of IT services is an important element of managing IT resources.
  
  
  • A draft Business Continuity Plan (BCP) has been prepared. The organization is at risk until the plan is finalized, distributed and tested in order to ensure the continuity of IT services in the event of a disaster.
  • The department is moving toward risk management; improvements are required in its application and coverage.

1.0 Introduction

The audit of IT planning at the PSC was approved by the Internal Audit and Evaluation Committee in accordance with the PSC 2003-2005 Internal Audit Plan. The audit engagement was recommended based on an assessment of the following risk factors:

• Strategic Planning: Risk that the technology planning process may not be clearly defined and formalized, resulting in planning and delivery uncertainties.
  
  
• Investment: Risk that the PSC may not be investing adequately in technology.
  
  
• Cost (Duplication): Risk that many duplicate and/or standalone systems or databases are maintained without a common technology infrastructure, creating excessive maintenance and overhead costs, unproductive workflow, and a lack of integrated information to support decision making.

1.1 Background

The PSC is the independent agency responsible for safeguarding the values of a professional Public Service: competence, non-partisanship and representativeness. It does this by administering the Public Service Employment Act (PSEA) and a merit-based system and by carrying out other responsibilities as provided for in the PSEA and the Employment Equity Act (EEA). The mission of the PSC is: to maintain and preserve a highly competent and qualified Public Service in which appointments are based on merit; and to ensure that the Public Service is non-partisan and its members are representative of Canadian society.

The PSC has approximately 1,600 staff, of whom 900 are located in the National Capital Region. The PSC consists of five branches: Recruitment and Assessment Services; Learning and Development Programs; Merit Policy and Accountability; Recourse; and Corporate Management. The PSC has its national headquarters in Ottawa and operates in through six regional and eleven district offices.

With the passage of the Public Service Modernization Act, the PSC is undergoing a significant change in terms of its mandate, structure and resources. However, the efficient and effective provision of technology services is seen as key to the ongoing effective functioning of the PSC. Some concern has been expressed about how IT services, including planning, will be delivered during and after the transition to the new PSC. Regardless of the future situation, having a sound framework for managing IT will be paramount to the successful use of technology to advance the goals of the organization.

The Information Technology Services Directorate (ITSD) functions under the leadership of the Director General, ITSD as part of the Corporate Management Branch (CMB). Its resources include some 85 FTEs and a $7.2M salary and non-salary budgets.

There have been and will continue to be significant changes at the PSC. The executive management team has experienced a number of changes - for example, a new President and Commissioners and several new Vice Presidents. The key players of IT planning committees have also changed several times in the last two years.

1.2 Objectives

The audit objectives were to assess the adequacy of the planning process with respect to:

• priority setting for technology investment;
  
  
• funding strategies and sources;
  
  
• business case development; and
  
  
• the decision-making/approval/governance structure.

1.3 Scope

Based on the Control Objectives for Information and related Technology (COBIT) Framework, the audit examined the planning and organization domain which covers strategy and tactics, and the way IT can best contribute to the achievement of business objectives. COBIT defines four domains that group together the processes and activities related to IT. Furthermore, it covers the planning, communicating and managing of the steps to support the realization of the strategic vision. Finally, it examines the organization as well as the technological infrastructure which is in place.

The audit was limited to the Recruitment and Assessment Services Branch, Merit Policy and Accountability Branch, Recourse Branch and Corporate Management Branch and Legal Services which constitute the future PSC.

1.4 Audit Approach

The audit approach included an extensive review of documented policies, procedures, guidelines, and plans, and interviews with approximately 25 individuals at various levels across the PSC.

Through the use of an integrated methodology and drawing from the Information Systems Audit and Control Association's COBIT framework, the audit team was able to undertake a comprehensive analysis of the issues and generate this report.

The general approach and methodology was consistent with accepted practices, processes, procedures and standards as defined by Treasury Board Secretariat's 2001 Policy on Internal Auditing, the Institute of Internal Auditors, the Information Systems Audit and Control Association, and the Canadian Comprehensive Auditing Foundation. Our audit team conducted this assignment in compliance with these recognized standards and practices.

The audit is a result of a high degree of cooperation and collaboration involving IT staff, program staff and their respective managers and some regional staff.

2.0 Audit Findings

The audit scope included the examination of four major areas. Based on the results of the audit, the findings are grouped into these areas.

It is important to note that this is an audit of IT planning at the PSC, and not solely of planning carried out by ITSD. IT planning is a corporate activity that requires the efforts, support and commitment of the whole organization. The IT organization provides the IT leadership, and is a main player in carrying out the IT planning process.

2.1 Management Control Framework

2.1.1 Organizing

An adequate accountability framework has been defined and includes a Steering Committee; however, this committee is no longer operating effectively.

Finding

For the effective delivery of IT services, a governance structure must be put in place with roles and responsibilities defined and communicated. An authority and accountability framework must be defined and followed and an IT Steering Committee established and given the mandate to strategically direct the organization with respect to IT.

The PSC intranet site, which is available to all staff, describes the IT function, organization, policies, committees, roles and responsibilities, processes, and activities of ITSD. It documents the authority and accountability framework for IT service delivery.

The e-Business Steering Committee (EBSC) is a subcommittee of the PSC Executive Management Committee (EMC) with a mandate to maximize the effective use of information and information technology (I&IT) in support of the PSC's Strategic Goals and Objectives by:

• developing a client-focused strategic vision for the PSC's use of I&IT, including the PSC contribution to Government On-Line (GOL) initiatives;
  
  
• developing and managing the implementation of an I&IT Governance Framework for the PSC, including approval of related principles, roles and responsibilities, processes and policies, and reviewing and prioritizing I&IT investments for funding consideration by EMC; and
  
  
• recommending to EMC an Information and Information Technology Strategic Plan as part of the PSC business planning process.

Although much of the governance structure exists, it is no longer effective for IT planning purposes. For example, despite the essential role played by the EBSC, the group has not met regularly for the last year. In addition, the EBSC has not provided an I&IT Strategic Plan as part of the PSC business planning process.

Managers interviewed during the course of the audit did not see the EBSC as an effective committee to ensure the appropriate use of information technology. For example, the move to shared services for IT, although a major shift in the IT delivery concept, was never tabled or discussed by the EBSC. Business managers see a disconnect between ITSD and the business side of the PSC resulting in a lack of a partnership in the planning, development and delivery of IT services. With the many changes coming to the PSC information sharing and planning are more critical for the long term delivery of programs that are highly dependent on IT services.

Conclusion

A governance structure for IT planning has been put in place by ITSD. If consistently followed, this structure provides a framework for IT planning. However, it is currently not effective as a mechanism to plan and manage IT services, as it does not have the full support of all business areas. The planning structure will only work effectively when there is a partnership and commitment among ITSD and the business areas to ensure the effective delivery of IT services.

Recommendation

1. It is recommended that the Vice President, Corporate Management Branch:
   

• ensure the EBSC become more active in the achievement of its mandate
  
  
• ensure efforts are made to establish a partnership among the business areas and ITSD for IT planning and management of IT resources.

2.1.2 Planning

In order to sustain the IT infrastructure and services in support of PSC program delivery, a formal and fully documented strategic plan for IT services is necessary.

Finding

A Strategic IT Plan should strike an optimum balance between information technology opportunities and the business requirements of the host organization. The undertaking of a strategic planning process at regular intervals leads to long-term plans, which are periodically translated into operational plans and give clear and concrete short-term goals. Defining a direction takes advantage of available and emerging technology by creating and maintaining a technological infrastructure plan.

ITSD supports the PSC Branches in achieving their business goals and objectives. As part of a planning process, an IT Planning and Review Group (ITPRG) consisting of ITSD representatives and representatives of the various Branches of the PSC was created. ITPRG's mandate is to develop an annual strategic IT plan, through identifying initiatives within the branches, by providing input into the plan, by prioritizing and reviewing IT initiatives, and by sharing and exchanging information about electronic service delivery throughout the year. This process describes a working partnership through which IT services can be planned and managed.

However, despite a significant effort by ITSD and branch representatives, the ITPRG has not developed a strategic IT plan since 2002, but rather has generated a list of recommended initiatives for approval and funding by EBSC. The representation at ITPRG has not been effective as membership continuously changes. There is concern about whether the members are at the appropriate level to be able to represent their organization. The ITPRG meetings are no longer viewed by many business members as a useful exercise. For example, the priority setting process is seen as flawed as the priorities of the larger branches and those with more available funding appear to benefit at the expense of other branches. Many individuals interviewed indicated that the requirements of smaller initiatives were not given serious consideration even though from an operational perspective they were very important to the delivery of the requesting program.

ITSD has developed a multi-year plan for the ever-greening parts of the PSC's IT infrastructure. It highlights the financial requirement to ensure sufficient IT to support the primary business functions of the PSC. It is based on a cycle of replacement, e.g., replacement of desktop computers every three years and an upgrade of the desktop Operating System and Office Automation Suite, to keep current with industry trends and government standards. The current Ever-Green Plan requires updating and is not considered to be effective because it depends on year-end surplus funds.

ITSD has developed a Systems Rationalization Strategy and Plan. The focus is on legacy applications that are supposed to be replaced with more modern solutions in view of the PSC transformation and the Public Service Recruitment System initiative. These legacy systems often are not decommissioned and continue to be used. Clients must be willing to support the turning off of systems that have been replaced; this is not always the case at the PSC. Systems rationalization involves assessing systems and their maintenance costs and decommissioning the appropriate system at the appropriate time. Although this was productive it is not clear how it integrates with the Ever-Green Plan or the Short-Term IT Plan.

Conclusion

Although IT planning was initiated through ITSD, it has not been effectively supported or continued at the PSC. It puts the ongoing availability of the IT infrastructure and services and, subsequently the delivery of business programs at risk.

Recommendation

2. It is recommended that the Vice President, Corporate Management Branch:

• Ensure the implementation of a Strategic IT Planning process that results in:
  
  • a strategic IT plan;
    
    
  • an evergreen plan;
    
    
  • a systems rationalization plan;
    
    
  • an IT operational plan; and
    
    
  • a partnership between ITSD and business areas in the planning process.

2.1.3 Communicating and Leadership

The leadership provided by ITSD and the capability of the organization to meet PSC business objectives relies heavily on good communication; however, the level and type of communication between ITSD and program branches is not effective.

Finding

Communicating is a key element in creating a positive work environment, and fostering the necessary sense of partnership between the IT service provider (ITSD) and the service consumers (the business lines). Management aims and direction need to be communicated to ensure user awareness and understanding, by establishing and communicating policies and standards to translate the strategic options into practical and usable user rules/procedures. It is also important for IT group to understand the business lines.

IT policies and standards are available to staff on the intranet site. We found that staff interviewed are aware of their availability and content. Reminders are issued by ITSD on employees' obligations to comply with the policies and procedures.

Memoranda of Understanding (MOU) have or are being developed between ITSD and PSC directorates to provide a framework for responsibilities and accountability. The MOU details the specific services to be provided by ITSD to the directorate within appropriate budget, efficiency, quality and time frame controls.

Each member of the ITSD management team has been assigned a number of branches, regions or directorates. The level and depth of the interaction has varied from client to client. Some have met with their ITSD representative on a regularly scheduled basis. For others it has rarely occurred. Most clients do not see this arrangement as an effective means to communicate. They felt they were one-sided efforts with little information or direction or leadership coming from ITSD.

Committees such as the ITPRG are not seen as a good forum for exchanging information and are perceived to be more beneficial to ITSD than the business areas. The recent announcement of the move to shared services without consultation of its partners has increased a pre-existing concern about whether ITSD considered their clients to be partners in the effective delivery of IT services.

Conclusion

There is a lack of cooperation and partnership among the business areas and ITSD, and scepticism among business areas of ITSD's commitment to client requirements and service. This is not an recent issue.

Recommendation

3. It is recommended that the Vice President, Corporate Management Branch:

• ensure better mechanisms for client support and commitment to IT planning;
  
  
• promote an environment of client consultation, partnership, and full disclosure;
  
  
• promote a planning process that enables clients to feel their needs are understood and considered in the IT planning process; and
  
  
• ensure ITSD provides IT leadership to the PSC.

2.2 Investment Management

The PSC is annually investing in information technology, in terms of hardware and software as well as new application development. It is not evident whether such investments are at the level required to effectively sustain ongoing IT services.

Finding

An effective investment management process is essential in ensuring that sufficient funding is available to sustain the IT infrastructure at a level sufficient to support business requirements. An IT operational budget should be established and approved by the organization, which is in line with the organization's short-term and long-term budget, business and IT plans. Actual spending should be done in accordance with the organization's processes and procedures. Finally, the delivery of IT services should be cost justified and in line with industry costs.

ITSD's operating budget is established and approved each fiscal year. A-Base costs are managed as per PSC processes and procedures. ITSD has started to record staff time in an effort to more effectively cost services.

The PSC still tends to operate on "year-end money" investment basis. Previously, year-end surplus funds were used to upgrade the technical infrastructure. In each last quarter there would be acquisition of hardware and software in line with the Evergreen replacement time-lines and PSC IT standards. These large volume acquisitions were seen as more cost-effective than smaller purchases. However, with this method of replacement there is a risk that the infrastructure will not be upgraded if a spending freeze is imposed. It is the perception of many business areas that IT costs are simply increasing without substantiation.

Generating, managing and reporting on key information is essential in actively managing the overall PSC IT investment. No standard costing structure exists to support the full cost of IT across the PSC, although efforts have been made recently to develop an IT Costing Model. The effort to arrive at an overall IT cost for the PSC has not been supported by the client branches.

Conclusion

It is difficult to ascertain if the PSC is investing in information technology effectively and whether it is at the level required to effectively support the program areas and to sustain ongoing IT services.

Recommendation

4. It is recommended that the Vice President, Corporate Management Branch:

• ensure the collection of appropriate IT statistics and costs to support the investment in IT services;
  
  
• ensure that full costs for IT in the PSC are recorded, analyzed and reported; and
  
  
• address the year-end funding issue in the PSC.

2.3 Resource Management

2.3.1 Manage Human Resources

Finding

Sound human resources management requires effective determination of the number and level of staff required, work descriptions, objective and measurable performance evaluation, and assessment of the skills of current employees. The objective is to maximize personnel contributions to the IT process through sound management techniques.

In 2002, ITSD developed an ITSD Technology Vision: Strategic Value Through People and Partnerships. It states, "ITSD's strategic initiatives target three areas: investments in our people, investments in the technology infrastructure, and investments in Internet-based e-tools." Since then, ITSD management has placed a high priority on ensuring that all staff understand and support this vision.

A new organizational structure was implemented, and a new management team established. A staff stabilization exercise was completed through competitive processes. A restructuring of the ITSD offices was designed to put a "new face" on the organization and improve employee working conditions. A fish mascot "Chuck Highliner" was chosen, and customer service and teamwork were promoted through four key behaviours: Have fun; Make their day; Be there; and, Attitude.

All ITSD employees receive an annual, written performance evaluation highlighting their accomplishments. A training plan for each employee is completed based on this performance evaluation. ITSD is committed to creating a learning organization through investments in the training and development of our people.

The PSC is in a state of significant change as the result of the Public Service Modernization Act (PSMA) and other politically initiated changes. ITSD is in a state of flux now as plans are made for a shift to shared services model of operation.

Conclusion

Despite the current environment of significant change, ITSD is attempting to manage its human resources as effectively as possible.

2.3.2 Manage Information Resources

Although recent efforts have started to address the issue of managing information resources, the PSC has not addressed the requirement for an information architecture to optimize the use of information in the organization.

Finding

Information for the PSC, as a knowledge-based organization, is a primary resource for operations. All services provided to internal and external clients involve information. Consequently, its management throughout its life-cycle is essential for effective and efficient service delivery. All three types of information (corporate, operational and management) must have features of quality, accuracy, integrity and reliability, if effective decision making is to take place. A successful IM strategy depends on a strong underlying architecture. This would include IM policies, an IM governance and accountability framework, IM standards and practices, technology based systems, and trained resources.

The PSC is in the process of developing an IM strategy and vision. An IM Committee, chaired by the Director General (DG), ITSD as Chief Information Officer (CIO), has responsibility for developing a strategy that includes both electronic and paper-based information and its security. The initial vision is organization-oriented and does not reflect the actual data architecture and delivery. There is concern by business managers that the focus is on the technology and not the business lines. With the CIO role being in ITSD, it is critical that ITSD understand the issues facing service delivery. Interviews raised concern that ITSD did not have this understanding and that there is currently no real information architecture. The new PSC will be almost exclusively a knowledge-based organization. With the discussion of shared services and the potential of IT moving to another organization, the location of the IM function is a concern.

The PSC has used the Information Management Capacity Check (developed by the National Archives of Canada) to assess its IM deficit and to develop an action plan and strategy to build its IM capacity. The assessment uses five levels of rating: non-existent (1); early stages of development (2); good management practices(3); advanced (4); and best practice (5). The IM Capacity Check assesses an organization against criteria in the following six areas:

• organizational context - capacity to support, sustain and strengthen IM capabilities;
  
  
• organizational - capacity to develop people, process and technology resources required for sound IM
  
  
• management of IM - capacity to effectively manage activities in support of IM as it relates to the effective delivery of programs and services;
  
  
• compliance and quality - capacity to ensure information holdings are not compromised;
  
  
• information life cycle - capacity to support each phase of the information life cycle; and
  
  
• user perspective - capacity to meet the information needs of all users.

The results of this assessment concluded that the PSC on average rated a one or two in all categories.

Conclusion

The PSC has identified the need for information management and has completed significant effort such as the Information Management Capacity Check and the IM Strategy and Vision. However, more work is needed before the PSC develops and implements an effective IM infrastructure and capability.

Recommendation

5. It is recommended that the Vice President, Corporate Management Branch:

• ensure that an Information management framework is developed and implemented consisting of:
  
  
  • a strategic IM vision;
    
    
  • an appropriate accountability structure; and
    
    
  • an information architecture for the PSC.

2.3.3 Risk Management and Continuity Planning

While some Threat Risk Assessments have been completed, they have not been completed for all IT systems, services and facilities, making it difficult to determine whether sufficient safeguards exist to respond to a threat to the provision of IT services.

A draft Business Continuity Plan (BCP) has been prepared; however, until it has been finalized, distributed and tested, the organization is at risk of not being able to provide continued IT services if there is a disaster.

Finding

Assessing risk helps to ensure the achievement of IT objectives and the necessary responses to threats to the provision of IT services. A risk assessment framework includes different kinds of IT risks such as technology, security, continuity and regulatory.

The Public Service of Canada is moving toward a risk management approach to the work environment. The government's risk management policy makes it incumbent on managers to be informed about the security threats, vulnerabilities, impacts and risks to which their business operations may be subject. The standard approach to assessing risk is the use of the Threat and Risk Assessment (TRA).

At the PSC, all new information systems development projects operating under the IT Project Management Framework are required to do TRAs at various stages of development. Major projects have completed TRAs. However, there has not been a TRA of the technical infrastructure. It is important that IT risk assessment is linked to the overall risk framework and business of the organization. To date, TRAs carried out at the PSC seem to be focussed on specific IT applications and services, and not linked to overall business delivery.

Federal government policy requires departments and agencies to establish a business continuity planning program to provide for the continued availability of critical services and assets. The program must include a governance structure, monitoring of overall readiness, and continuous review, testing and audit of the Program.

Like most departments and agencies, the PSC developed a BCP for IT as part of its Year 2000 business resumption planning. More recently a draft BCP was prepared and discussed at Executive Management Committee. The PSC is now waiting for Treasury Board standards to be produced in order to create a final version.

Conclusion

Although the department is moving toward security risk management, improvements are required in the application and coverage of the process. The PSC requires a final BCP for IT services, but it must reflect the reality of PSC services.

Recommendation

6. It is recommended that the Vice President, Corporate Management Branch:

• ensure a review of the IT risk assessment process and initiate improvements to expand and broaden its coverage to align with the PSC risk management framework;
  
  
• pending finalization of government-wide standards, ensure that updated plans for all business operations at all sites are in place to provide for the continued availability of IT services and assets; and
  
  
• ensure an overall Threat Risk Assessment is conducted for the PSC.

2.4 Project Management

2.4.1 Organization and Management

Finding

Project success is more likely when effective project management occurs. This requires sound management techniques, complete system planning, and formal processes to manage risks that comply with organizational standards and constraints.

The definition of I/IT projects has been established. A committee structure for review and approval has been implemented. The e-Business Steering Committee (EBSC) approves and reviews projects over $50K.

The Project Review Committee is the authority on policies, architecture, guidelines and standards used to plan and manage IT development projects. It has the authority to approve projects under $50k, make recommendations on projects going to EBSC for approval, and monitor projects. It ensures projects progress efficiently and effectively while responding to the strategic objectives of the PSC.

A Technical Review Committee has been established as the authority on the IT framework for policies, architecture, guidelines and standards used to plan and manage the technical soundness of IT projects. This is achieved through screening of project initiation forms and project proposal documents. In addition, the committee reviews risk management plans and privacy impact assessments to ensure risks associated with new technology or conformance to the architecture or performance are known. This Committee also approves major changes and configuration management of the PSC infrastructure.

All policies and procedures with respect to projects are available to all staff through the PSC intranet site. Staff interviewed as part of this audit were aware of the processes to be followed. The audit did not confirm that the processes were being followed for all projects. Currently the largest projects fall within this framework.

Conclusion

The PSC, through ITSD, has established a project management framework to plan, develop and implement IT projects. If it is consistently followed, it provides for sound project management.

2.4.2 Project Control

Finding

Formal processes used to control projects should include areas such as: project planning; project tracking and oversight; quality assurance; configuration management; and systems development methodology.

A project development methodology has been developed which is based on the Treasury Board's Enhanced Management Framework for IT Projects. It is a risk-based approach, which is available on the PSC intranet site, and is to be followed by I/IT projects. A change management process has been established and all software is to be certified by ITSD before going into production. A test laboratory is available to project developers for testing; however, there are concerns about the amount of time it takes to set it up for testing a new version or upgrade.

The Project Review and Technical Review committees monitor project progress. We found that written status reports are not always completed. Minutes of meetings usually comprise the formal documentation of status.

Conclusion

Formal processes have been established with the intent of ensuring that projects are controlled during planning, development and implementation.

3.0 Management Response and Action Plan