PeopleSoft Human Resources Management System
March 2011

2. Observations – Management Framework

2.1 Follow-up on Previous Audit of PeopleSoft

The Department’s Internal Audit Branch conducted a previous audit of PeopleSoft in 2003 to assess, among other things, the reliability and integrity of the data processed and stored in the system, the adequacy of user training, and the adequacy of access controls. The audit concluded that staff were not sufficiently aware of the impact of errors; that there were few written procedures for the data entry functions of the system; and that sector administrators and regional offices made little use of PeopleSoft. Furthermore, the audit found that although there was good on-site support for the system at HQ, support was inadequate in the regional offices.

As part of the current audit objectives, the audit team assessed some of the same controls that were reviewed in the previous audit. Consequently, the team was able to follow up on the major recommendations of the previous audit and has included the results of this follow-up in the appropriate sections of this report.

2.2 Roles and Responsibilities

The respective roles and responsibilities of the HR Systems Group and IMB Corporate Systems in supporting PeopleSoft are clearly defined.

As noted earlier, the HR Systems Group in HRPDD and Corporate Systems in IMB both have responsibilities for PeopleSoft. The HR Systems Group, which comprises business analysts, functional analysts, a Web site coordinator, and a Web site publisher, is responsible for managing the PeopleSoft help line and developing business requirements for proposed changes to the system. Business analysts in IMB Corporate Systems are responsible for addressing the technical components of proposed changes to the system.

We found that proposed changes are supported by a well-documented change management process that includes an investment proposal for each requested change. Both the HR Systems Group and IMB Corporate Systems are required to sign off prior to implementing a new version of the system.

It is the opinion of the audit team that roles and responsibilities of both groups are well defined.

The Service Level Agreement (SLA) needs to be updated to confirm the level of services required.

The services IMB provides to the HR Systems Group are governed by a Service Level Agreement (SLA) that provides for the development, maintenance, and operational support of the system as well as the preparation of a Statement of Sensitivity (SOS) Footnote 1 and a Threat and Risk Assessment (TRA) to be completed every two to three years. The current SLA was signed in 2001-02. At the time of the audit, neither the SOS nor the TRA had been completed. The SLA needs to be updated and the services provided redefined, if necessary.

There is a need to review the business analysts’ job descriptions to address the overlap of duties of the business analysts in the HR Systems Group and IMB Corporate Systems.

The audit team reviewed job descriptions of staff in both the HR Systems Group and IMB Corporate Systems to determine if the generic job functions reflect the duties performed by the employees of each unit. Our review of the organizational structure of the HR Systems Group and IMB Corporate Systems confirmed that business analysts are present in both groups. We found that there is a need to clarify the business analysts’ duties described in their job descriptions. Nonetheless, the business analysts in both groups have informally defined their respective responsibilities: the IMB Corporate Systems business analysts address technical issues, while the HR Systems Group business analysts address business issues.

The HR Systems Group is currently undergoing an organizational design and classification review exercise. It is our opinion that this would be an appropriate time to make corrections to the business analysts’ job descriptions.

Recommendation and Management Response

1. It is recommended that the DG, HRPDD ensure that the SLA with IMB is updated and the services redefined if necessary. (Medium Risk) Footnote 2

Agreed. As referenced in Section 2.5 of this document, the SLA ‘between the HR Systems Group and IMB identifies the terms and conditions related to the services provided by IMB and addresses such things as the availability of IMB staff to service the system, the acceptable maximum downtime for system updates, and the restore time in case of a disaster. IMB has also signed operational level agreements (OLAs) with an outside supplier for infrastructure components, including the system network, the Help Centre, and on-site work stations. The audit team interviewed a variety of users in different positions to assess their level of satisfaction with the performance of the internal and external service providers. All users indicated their satisfaction with the response time and the level of service.” In addition, the audit findings confirmed that the roles and responsibilities for the members of PSoft team (both functional and technical) are clearly defined. With the aforementioned in mind, the SLA will be reviewed and updated by December 31, 2011 and will be communicated as appropriate. Completion date: December 31, 2011.

Recommendation and Management Response

2. It is recommended that the DG, HRPDD, in consultation with the Manager, HR Systems, IMB Corporate Systems, ensure that the business analysts’ job descriptions are reviewed to accurately reflect their duties. (Low Risk)

Agreed. As referenced earlier in this report, the roles and responsibilities of the HR Systems Group and IMB Corporate Systems are clearly defined. The CS employees within the Technical Team analyze business requirements that have been gathered and documented by the business analysts within the HR Systems Team in order to determine the technical impacts, design options, etc. As such, there is no overlap or duplication of roles. However it is recognized that the current work descriptions require adjustment. The IMB Corporate Systems Group will be implementing the government-wide endorsed CS generic job descriptions this fiscal year. This will serve to address this recommendation. The work descriptions for the business analysts within the HR Systems Group are in keeping with those used in government as part of the broader shared systems initiative for PeopleSoft. Completion date: March 31, 2012.

2.3 System Enhancement Plan

The HR Systems Group has developed a system enhancement plan.

HR Systems Group staff meet with the directors in HRPDD and those in the regions on an annual basis to discuss their system requirements for the upcoming year and the level of priority attached to each identified requirement. The HRPDD directors also correspond with all clients, requesting that they identify requirements for new HR information that may necessitate changes to PeopleSoft. The HR Systems Group subsequently prepares an annual budget that includes line budget items (e.g. training, translation, supplies, and Government of Canada HRMS Program Centre Footnote 3 maintenance and software upgrades) and incorporates into the budget the user-identified requirements, if funds are available.

The audit team is of the opinion that the HR Systems Group has developed an appropriate systems enhancement plan.

2.4 Budget

The budget process is well defined and tracking of expenses over the year is adequate.

The Director, HR Systems Group prepares the annual budget for PeopleSoft, sharing tracking responsibilities with the Manager, HR Planning and Employment Equity and HR Systems. The audit team examined the budget for fiscal year 2009-10 and found that it included the appropriate type of expenses such as system support, consulting services, travel, and training. The approved budget for 2009-10 was $327,802 with actual expenditures incurred amounting to $309,440 at the time of the audit.

Release of surplus funds late in the year makes it difficult for the HR Systems Group to complete special technical projects within the fiscal year.

We were told that while the current budget of $327,802 is sufficient to cover the costs of maintaining the system, no funds are available for special technical projects. Consequently, when one of these special projects is given priority, the Director, HR Systems Group submits a request for additional funding, typically in the spring of each year. If approved, the funds are normally released in the fall.. We were told that access to the funds late in the year may result in projects being completed in the following fiscal year. For example, the HR Systems Group identified a project to be completed in fiscal year 2010-11 (i.e. Business Intelligence (BI) project) that will require funding in the amount of $174,504 to complete. At the time of the audit, only a sum of $59,974 had been received to support the project. The HR Systems Group had no indication of when the remainder of the funds would be forthcoming. Unless funds are released quickly, we were advised that it is unlikely the project will be completed within the fiscal year. Resources currently available for the project may not be available in the next fiscal year.

The current budget is sufficient to ensure maintenance of the system but leaves little monetary resources to offer other services to end-users.

The audit team requested budgets from prior years in order to analyze the types of expenses incurred over time to support the system. The HRPDD provided budget information dating back to fiscal year 2002-03. A comparison of the budgets from 2002-03 to 2009-10 showed that the amount paid for PeopleSoft maintenance had increased over these years, while the overall budget had decreased. Maintenance costs increased from $124,325 in 2002-03 to $241,979 in 2009-10 and represented 73% of the overall budget in 2009-10. Program Centre costs also increased significantly since 2002-03 from $50,840 to $102,361 and represented 32% of the total budget in 2009-10. We were told that the allocation of funds to maintenance has left little monetary resources to provide other services to users, such as training and printing of updated user manuals.

2.5 System Performance

Procedures have been developed and implemented to ensure the continuous performance of the system.

The HR Systems Group has developed and implemented procedures to ensure the availability of PeopleSoft to end-users. The SLA between the HR Systems Group and IMB identifies the terms and conditions related to the services provided by IMB and addresses such things as the availability of IMB staff to service the system, the acceptable maximum downtime for system updates, and the restore time in case of a disaster. IMB has also signed operational level agreements (OLAs) with an outside supplier for infrastructure components, including the system network, the Help Centre, and on-site work stations. The audit team interviewed a variety of users in different positions to assess their level of satisfaction with the performance of the internal and external service providers. All users indicated their satisfaction with the response time and the level of service.

It is the audit team’s opinion that the HR Systems Group has implemented adequate procedures to ensure the continuous performance of the application.

The HR Systems Group has not developed a report that provides management with relevant data to assess the overall operational performance of the system.

We reviewed the “Operations Report for DOJ PeopleSoft” and found it to be very technical. The report provides information on individual system components such as availability, CPU utilization, and memory utilization, but it does not report on response times. In addition, the language and content of the report is so highly technical that we were unable to determine the specific performance measurement information for PeopleSoft that management and users require. The report shows operational activity only by hardware system name without identifying whether the system contains the PeopleSoft application, PeopleSoft print services, PeopleSoft database, or whether the system pertains to a specific region or the Department as a whole. The report also does not explain the implications of the various activities. For example, what are the performance implications when the total number of disk transfers exceeds 120 million? Or, what are the performance implications when the memory utilization exceeds a certain threshold (e.g. 70%, 80%)?

The HR Systems Group should be able to generate an overall report on the performance of certain aspects of the system (e.g. availability, reliability, and response time). This information would be useful for understanding the negative impacts when the system is not operational. However, HR Systems Group has not developed a global report that would summarize all information, thereby providing relevant data to management on the overall performance of the system. It is the auditors’ opinion that the preparation of such a report would help management in its overall assessment of the system.

Redundancy is built into the PeopleSoft infrastructure to ensure continuous performance of the system.

Redundancy is built into the PeopleSoft infrastructure to ensure continuous performance of the system. There are currently two each of the application servers, web servers, and database servers, thereby ensuring that a system failure at one point of entry does not affect the overall performance of the system: when one server breaks down, the second one kicks in.

It is the audit team’s opinion that the current infrastructure supports the continuous performance of the system.

Recommendation and Management Response

3. It is recommended that the Senior Director, Business Support, Applications and Services ensure that an overall performance report is prepared that provides relevant data on PeopleSoft to assist management in its overall assessment of the system. (Low Risk)

Agreed. The Senior Director, Business Support, Applications and Services (BSAS) will communicate with management to determine needs, modify the existing report, as appropriate, to respect these needs, and ensure that they are communicated regularly and that issues are addressed in an efficient manner. Completion date: By March 31, 2012 and ongoing thereafter.

2.6 Change Controls

The Implementation Checklist needs to be updated to include an approval signature and date.

IMB Corporate Systems is responsible for implementing new versions/upgrades of the system and completes an Implementation Checklist to document the process. The audit team reviewed the Implementation Checklist completed for the version 8.9 implementation and found it to be accurate. However, we noted that the document does not include an approval signature and date. It is management’s responsibility to ensure that documentation supporting system changes is signed by the appropriate authority. This procedure is necessary to validate the process. It is therefore important that the Implementation Checklist be updated to include this information.

Once IMB is ready to move a test version into a production environment, an Upgrade Status Form is completed and signed. Our examination of the Upgrade Status Form produced for the version 8.9 testing found the document to be accurate and appropriately signed.

Recommendation and Management Response

4. It is recommended that the Senior Director, Business Support, Applications and Services ensure that the Implementation Checklist is updated to include an approval signature and date. (Medium Risk)

Agreed. The Senior Director, Business Support, Applications and Services (BSAS) will ensure that the Implementation Checklist is updated to include an approval signature and date and that the related change and release management processes are updated accordingly. Completion date: By March 31, 2012.

2.7 System Documentation

The HR Systems Group is in the process of developing a procedures manual that will complement the technical guide currently available through PeopleSoft.

The technical documentation on PeopleSoft is an integral part of the system and is accessible to users on JUSnet. As part of additional documentation available to system users, the HR Systems Group is currently developing a procedures manual (HR Systems Group - Operations Guide) that provides details on the management framework governing the system and information on how to get help when needed. The Operations Guide, which is in a draft form dated March 2010, provides detailed information on the following topics:

  • roles and responsibilities of the operational team
  • communication tools
  • guidelines and procedures for using the system
  • documenting issues
  • security issues
  • training

The Operations Guide is an excellent initiative undertaken by the HR Systems Group to gather relevant user information into one document. It is our opinion that users will benefit from gaining access to it as soon as it is completed.

Recommendation and Management Response

5. It is recommended that the DG, HRPDD ensure that the Operations Guide is finalized and provided to users as soon as it is completed. (Low Risk)

Agreed. The HR Systems Team recognizes the need to have all processes and procedures that are currently used to effectively maintain the application documented and made known to the ever-increasing user community. The work in relation to the development of an Operations Guide is nearing completion and will be finalized, communicated to all users, and made available through HR and You. Completion date: By December 31, 2011.

2.8 Backups and Business Continuity Planning

Data backups are done on a regular basis and have been tested for restoration.

Data backups are done on a regular monthly basis and transmitted to two separate locations for safekeeping. The backups are sent to the departmental archives in tape form and retained for a period of one year. We were told that the process for restoring data is in place and has been tested successfully.

There is a need to review the restore processes for the PeopleSoft application and determine which process is most reliable.

There are two different methods in place for restoring the PeopleSoft application. The first method creates application backups as server images: the process copies the existing application to a second server and this copy becomes available when the application on the main server fails. We were told that application backups are not scheduled regularly and are not automatically done when updates/upgrades to the system are completed. Consequently, application backups could be out-of-date when the system needs to be restored from the backup image.

A second method of restoring the application exists. The Data Base Administrator (DBA) has developed a guide that details a system restore process that can be completed in approximately one day.

Management should review these processes to determine whether both methods are necessary and reliable. In our opinion, two methods of restoring the same application could lead to confusion, especially when the best application restore solution has not been determined.

The criticality of PeopleSoft needs to be assessed and a business continuity plan completed.

During the course of the audit, interviewees in both HR Systems Group and IMB Corporate Systems were unable to provide a business impact analysis (BIA) and a business continuity plan (BCP) for PeopleSoft. However, in the IMB BCP, PeopleSoft is identified as a critical system that should be restored within a maximum acceptable delay of two days. The Guide to Business Continuity Planning in the Department of Justice states that a BIA and a BCP must be completed for all essential departmental functions and that the BCP should be tested every two years.

While there is an agreement with Public Works and Government Services Canada (PWGSC) to have access in case of an emergency to some off-site infrastructure (i.e. hardware and operating system) to run PeopleSoft, no BCP is in place for restoring the PeopleSoft system.

Recommendation and Management Response

6. It is recommended that the Senior Director, Business Support, Applications and Services review the restore processes for the PeopleSoft application to determine which process is most reliable. (Medium Risk)

Agreed. The HR Systems Group and the Senior Director, BSAS recognize the criticality of effective system restore processes and acknowledges the need for application server backups, which are required when the PeopleTools or operating systems are upgraded.The Senior Director, BSAS will review the current restore processes with a view to determining the best option. This will be part of a joint effort with the Technology Services Division (TSD) of the Information Management Branch to incorporate in the disaster recovery process for the Department. In addition, this step/requirement will be added to the DBA procedures prior to next PeopleTools/operating systems upgrade, currently scheduled for fiscal 2012/13. Completion date: By March 31, 2012.

Recommendation and Management Response

7. It is recommended that the DG, HRPDD ensure that the criticality of PeopleSoft is assessed through a BIA, and that a BCP is completed for PeopleSoft. (Medium Risk)

Agreed. HRPDD and the IMB will work in collaboration to ensure that the assessment and plan are completed in conformity with the department’s guide to business continuity. Completion date: By March 31, 2012

2.9 System Access and PeopleSoft Roles

User access privileges have been granted without the appropriate supporting documentation.

To secure the confidentiality of HR data, the HR Systems Group has developed procedures to control access to the system. The PeopleSoft Security and Access Administrator (Administrator) creates user accounts in accordance with the procedures described in the draft Operations Guide. User access is usually limited to a discipline (e.g. staffing, classification, or employment equity) and must have a supervisor’s approval. When an employee leaves the Department, the Administrator, who is advised by either phone or email, subsequently deletes the employee’s user ID.

In order to validate the account creation process, the audit team examined the forms granting permission for access to PeopleSoft. At the time of the audit, the system had a total of 5,775 PeopleSoft users Footnote 4, 421 of whom were HR users and 5,354 who were non-HR users. The audit team verified that the access form was signed by the appropriate authority and that the PeopleSoft roles Footnote 5 granted were appropriate for the user’s position and responsibilities.

From the sample of files selected, the audit team found that 20% of the files examined did not have on file the proper supporting documentation to create the accounts and/or assign specific roles. Furthermore, we found that while the system permits online completion of the access request form, some staff still complete the form by hand and forget to provide their supervisor’s name. While we found that in all cases a supervisor had signed the manually completed form, the signature was often illegible and could not be matched to a name.

The HR Systems Group needs to enhance existing procedures supporting access controls to strengthen the confidentiality and integrity of HR data.

During our interviews with the PeopleSoftSecurity and Access Administrator to discuss the account creation process, we were informed of the following issues that have an impact on HR data confidentiality and integrity:

  • There is no system in place for advising the Administrator when people transfer jobs within the Department. As a result, someone could transfer out of HR into another area and retain their HR access privileges.
  • There is no system in place to record an expiry date on temporary additional access related to acting periods. Therefore, an individual could retain the additional access after the acting assignment is over.
  • HR staff have access to all employee records, whether in the regions or at HQ. The reason for providing this overall access privilege lies in the practices followed by the Department when transferring an employee from one organization or region to another. We were told that the HR office in the “sending” region typically does not send the HR information promptly to the “receiving” region. This work is considered low priority or not the responsibility of the sending office.

These issues need to be addressed.

Recommendation and Management Response

8. It is recommended that the DG, HRPDD ensure that the creation of system access privileges is supported by the appropriate documentation. (Medium Risk)

Agreed. The HRMS contains both Protected A and Protected B data and as such, it is imperative that we have the appropriate safeguards in place to ensure the protection of this data. The process referenced above by the Audit Team was implemented in 2010 with this imperative in mind. The process in place requires that all requests for system access be initiated by the employee’s responsible manager through the completion of the HRM System Access Request Form. This Form must be completed electronically and submitted by the responsible manager. Given the Protected B designation of certain data elements, a “restricted” access process has been put in place that requires a second-level approval by the Corporate Owner.

As such, the HR Systems Group has a process in place to ensure that the system access privileges are supported by the appropriate documentation, however, it is recognized that further enhancements to this process can be made. As such, the HR Systems Team will undertake a comprehensive review of all existing PeopleSoft access groups and user profiles and will establish a cyclical schedule to ensure that this review occurs on a regular basis. The aforementioned Operations Manual provides detailed information on the Access Privilege Process and reiterates the responsibilities and accountabilities of those employees who have been granted access. The publication of this Guide will serve to reinforce the importance of safeguarding the integrity and confidentiality of HR data. Completion date: December 31, 2011.

Recommendation and Management Response

9. It is recommended that the DG, HRPDD ensure that existing procedures supporting access controls are enhanced to strengthen the confidentiality and integrity of HR data.(Medium Risk)

Agreed. The HR Systems Group had commenced work to strengthen the existing procedures related to access controls to ensure the confidentiality and integrity of HR data. In addition to the work referenced above; the HR Systems Group will further enhance the process which currently requires managers to inform us of changes within respective areas and of the resulting changes in access requirements by:

  • developing a monthly report that tracks all internal movement of employees with access privileges to the application. HR Systems will use this report to initiate a communication with the user and new supervisor to confirm the access privileges required to perform functions in the new role if this has not been initiated by the supervisor. These access privileges will be documented and signed off and reviewed as part of the ongoing process referenced above;
  • creating shared folders with limited access within the HR Systems Team to store completed documentation, and supporting information for each user account.

Completion date: Work has commenced and will be completed by December 3l, 2011.

A periodic review of all active user accounts needs to be undertaken and an overall account status report produced.

HR personnel periodically review PeopleSoft data. For example, we found that on a quarterly basis the HR advisors working within sensitive disciplines (e.g. awards, labour relations, and performance pay) review information within the modules for accuracy. We also found that the Security and Access Administrator monitors all non-Justice employees Footnote 6 who have PeopleSoft user IDs. However, there was no documentation to confirm that the Administrator periodically reviews all active user accounts to determine whether the users are regularly using the system. In order to achieve better control over system access privileges, the Administrator needs to undertake a periodic review of all active user accounts and produce a status report.

Recommendation and Management Response

10. It is recommended that the DG, HRPDD ensure that all active user accounts are periodically reviewed and an overall account status report is produced. (Low Risk)

Agreed. As noted in the management responses to Recommendations 8 and 9, a process is being implemented to ensure periodic reviews of access privileges for all users. Completion date: March 31, 2012.

2.10 Data Sensitivity and Security

A Privacy Impact Assessment and a Threat and Risk Assessment need to be completed for PeopleSoft.

We were told that the Program Centre completed a Privacy Impact Assessment (PIA) for PeopleSoft some time ago, but HRPDD could not provide us with the actual timeframe or a copy of the PIA.

The Department completed a Threat and Risk Assessment (TRA) in 2006 in order to achieve departmental compliance with the Treasury Board Management of Information Technology Security (MITS). We were told that both IMB Corporate Systems and the HR Systems Group recognize that TRAs should be completed as soon as possible.

The HR Systems Group needs to update the Certification and Accreditation of PeopleSoft.

The Certification and Accreditation (C&A) of PeopleSoft was valid until December 31, 2008. The C&A needs to be updated to ensure the continued security of the system.

The appropriate protection level for all HR data needs to be identified and communicated to staff.

We reviewed information in the 2006 Threat and Risk Assessment and the 2008 Certification and Accreditation document and found that PeopleSoft data has been designated as either “Protected A” or “Protected B” in these documents. We also reviewed the Department’s Guide to the Transmission, Storage and Destruction of Protected and Classified Informationand found that salary information has been designated as “Protected A”. Based on our review, it is our understanding that all information in the system should be designated “Protected B”.

From our interviews, we found that some directors in HRPDD understand that all PeopleSoft data should be “Protected B”,while others think that only some should be “Protected B”and the rest “Protected A”. In our view, these inconsistencies may lead to the incorrect designation of certain HR data and thereby reduce its protection level.

Recommendation and Management Response

11. It is recommended that the DG, HRPDD ensure that a Privacy Impact Assessment and a Threat and Risk Assessment are completed. (Medium Risk)

Agreed. HRPDD in collaboration with IMB will immediately initiate the steps to secure the services of experts to undertake a Privacy Impact Assessment and a Threat Risk Assessment in order to ensure compliance with the Treasury Board Management of Information Technology Security (MITS., Completion date: By March 31, 2012.

Recommendation and Management Response

12. It is recommended that the DG, HRPDD ensure that the Certification and Accreditation of PeopleSoft is updated. (Medium Risk)

Agreed. HRPDD in collaboration with the IMB will take the necessary steps to ensure that the Certification and Accreditation of PeopleSoft is updated and completed by March 2012.

Recommendation and Management Response

13. It is recommended that the DG, HRPDD ensure that the appropriate protection level for all HR data is identified and communicated to staff. (Medium Risk)

Agreed. The PeopleSoft HRMS is the government-endorsed application for HR Management. The Government of Canada version of the PeopleSoft HRMS is maintained by the Program Centre housed within PWGSC. The Program Centre has identified appropriate security designations for the modules licensed by the Government of Canada. Responsibility for access controls is left to the discretion of each government department utilizing the application taking these security designations into consideration. As referenced above, both the 2006 Threat and Risk Assessment and the 2008 Certification and Accreditation documents designate PeopleSoft data as either Protected A or B. Work to update both of these documents will be undertaken in the short-term and will serve to reconfirm the appropriate levels of protection for the system. As referenced in 8, 9, 10 above, restricted access with a second level approval process is granted for Protected B data.

A communication strategy will be put in place to identify and communicate level of protection for all HR data. Completion date: By March 31, 2012.

2.11 Data Integrity

There is a system to validate the transaction entry process and data integrity, but the initial error rate threshold prior to intervention needs to be reviewed.

The Data Integrity Unit of the HR Systems Group was set up in response to the 2003 PeopleSoft audit as a temporary measure to address the findings of the audit. At the time of the current audit, the unit was permanently established with one staff member dedicated to reviewing the integrity of the HR data entered by HR assistants and advisors nationally. The instructions for this review are well documented and the process a thorough one.

We examined the regional quarterly data integrity (initial error rates) reports developed by the Data Integrity Unit for the period starting in January 2008 and ending in March 2010 and found that all identified errors are corrected in a timely manner. We noted that the initial error rates ranged from a quarterly low of 1.5% in one region to a quarterly high of 51.2% in another region. When the error rate for a particular user is greater than 20%, within 24 hours the Data Integrity Unit advises the supervisor of the individual responsible for entering the data into the system. The supervisor is then charged with investigating the reasons for the high initial error rate, taking action to correct the errors found and addressing the problems encountered.

To validate the accuracy of the PeopleSoft data, the audit team selected a sample of 10 personnel files and examined 19 elements of HR information from each file. We then matched the specific information to the data contained in the system. We found no errors in the sample selected.

In our opinion, although the data integrity validation process is appropriate, the error rates prior to intervention are too high.

Recommendation and Management Response

14. It is recommended that the DG, HRPDD review the appropriateness of the initial error rate threshold. (Medium Risk)

Agreed. The integrity of the data contained within HRMS is of critical importance given that the data is used to respond to central agency reporting requirements, for planning purposes and to support decision making, etc. As referenced above, the audit team concluded that the data within the PeopleSoft system is accurate. The audit team also confirmed that there is an appropriate system to validate the transaction entry process and data integrity. The Audit team was of the view that the initial error rate threshold which forms part of the data integrity process is too high. As a result, the DG HRPDD has undertaken a review of the initial error rate threshold and as a result, the threshold will be reduced to 10%. This means that managers will be informed of the errors made by their staff when their error rate exceeds 10%. It is important to note however that all errors are submitted to the end user in question for correction.

The DG HRPDD will communicate the importance of data integrity to all Regional Directors of HR and their staff. Completion date: By September 30, 2011

The DG HRPPD will communicate the need to include performance objectives in the PREAs of all HR Advisors and Assistants regarding the integrity of the data for their respective areas of responsibility. Completion date: By December 31, 2011.

The HR Systems team will continue to provide training to end users.

Date modified: