PeopleSoft Human Resources Management System
March 2011

Executive Summary

Overall Opinion

Management has developed a framework to support the maintenance of the system, identify new system requirements, and communicate changes to end-users. Interfaces with other systems are well managed and PeopleSoft-generated information is matched to these systems. Documentation is readily available for end-users and queries are responded to in a timely fashion. Opportunities for improvements have been identified in the areas of system access and data security and sensitivity. The criticality of PeopleSoft also needs to be assessed and a business continuity plan developed for the system.

Background

The Department of Justice manages the human resources (HR) information pertaining to its workforce through the PeopleSoft Human Resources Management System (PeopleSoft) and uses information generated from the system to support the development of HR programs and policies and to prepare departmental reports. The system also allows employees to manage their leave electronically.

The Human Resources and Professional Development Directorate (HRPDD) at HQ manages PeopleSoft, while Information Management Branch (IMB) provides technical support for the system.

The planning and on-site examination phases of this audit were carried out between May and September 2010 and covered practices and procedures pertaining to all activities relating to PeopleSoft in the Department.

Management Framework

Roles and Responsibilities

The respective roles and responsibilities of the HR Systems Group and IMB Corporate Systems in supporting PeopleSoft are well defined. However, the Service Level Agreement governing the services provided by IMB needs to be updated to confirm the level of services required.

We found that business analysts’ job descriptions should be reviewed to accurately reflect their duties.

System Enhancement Plan

HR Systems Group staff meet annually with HRPDD directors and those in the regions to discuss system requirements. In our view, the HR Systems Group has developed an effective system enhancement plan.

Budget

The budget process is well documented and expenses are tracked over the year. The budget is sufficient to ensure maintenance of the system. However, little monetary resources remain to provide services to end-users, nor are funds available for special technical projects. Consequently, when a special project is given priority, the Director, HR Systems Group submits a request for additional funding. The timing of release of these funds will be the deciding factor as to whether the project can be completed within the fiscal year.

System Performance

Continuous performance of the system is ensured through the procedures developed and implemented by the HR Systems Group and the redundancy built into the PeopleSoft infrastructure. The HR Systems Group generates individual reports on certain aspects of system performance, such as downtime and restore time. However, it has not developed a report that could be used by management to assess the overall operational performance of the system.

Change Controls

IMB Corporate Systems is responsible for implementing new versions/upgrades of the system. We reviewed the Implementation Checklistto document the process and found it to be accurate. However, the document does not include an approval signature and date.

System Documentation

Technical documentation on PeopleSoft is integrated into the system and readily available to end-users on the departmental Intranet.

The HR Systems Group is developing an Operations Guide that provides details on the management framework governing the system and information on how to get help when needed. The Operations Guide is an excellent initiative to gather relevant user information into one document and users will benefit from gaining access to it as soon as it is completed.

Backups and Business Continuity Planning

While data backups are completed on a regular basis and have been tested for restoration, application backups are done irregularly and two methods exist for restoring the application. The application backup and restore process needs to be reviewed.

During the audit, interviewees in both IMB Corporate Systems and HR Systems Group were unable to provide a business impact analysis (BIA) and a business continuity plan (BCP) specifically for PeopleSoft. However, in the IMB BCP PeopleSoft is identified as a critical system that should be restored within a maximum of two days. The criticality of PeopleSoft needs to be assessed through a BIA, and a BCP needs to be developed for the system.

System Access and PeopleSoft Roles

The PeopleSoft Security and Access Administrator is responsible for controlling access to the system by creating user accounts in accordance with procedures established by the HR Systems Group. User access is usually limited to a discipline (e.g. staffing, classification, or employment equity) and requires a supervisor’s approval. When an employee leaves the Department, notification is sent to the Administrator who then deletes the account.

We examined a sample of files to validate the user account creation process. We found that 20% of the sample files did not have proper supporting documentation for creating an account and/or providing access to a specific discipline. Also, there was no documentation to confirm that the Administrator periodically reviews the active accounts for regular usage.

Furthermore, from interviews we found that the HR Systems Group needs to enhance existing procedures supporting access controls to strengthen the confidentiality and integrity of HR data.

Data Sensitivity and Security

A Privacy Impact Assessment (PIA) and a Threat and Risk Assessment (TRA) need to be completed for PeopleSoft, and the Certification and Accreditation (C&A) needs to be updated. The Department completed a TRA in 2006 in order to achieve departmental compliance with the Treasury Board Management of Information Technology Security (MITS). The C&A of PeopleSoft was valid until December 31, 2008.

We reviewed information in both the TRA and the C&A and found that PeopleSoft data has been designated as either “Protected A” or “Protected B” in these documents. From our interviews with directors in HRPDD, we found an inconsistent understanding of how HR data should be labeled.The appropriate protection level for all HR data needs to be identified and communicated to staff.

Data Integrity

HRPDD has developed a system to validate the transaction entry process and data integrity, but should review the appropriateness of the error rate threshold.

System Features

System-Generated Information

The information generated from PeopleSoft supports management in their HR-related decisions and is used by the Department to complete special projects. PeopleSoft functionality for report formatting requires some users to use Microsoft Excel and other parallel systems to perform some analysis and generate some reports. In our view, this is an acceptable practice.

Security Features

PeopleSoft has a built-in log function that directs messages to the Database Administrator (DBA). The logging feature, however, does not separate messages by type, requiring the DBA to manually scan the log in order to review and address security messages. This is time-consuming, and as a result, information on security breaches is not reviewed. At present, the Department does not have an automated solution to review the logs. PeopleSoft logs need to be monitored for security breaches.

Interfaces with Other Systems

As part of its corporate responsibilities, HRPDD is responsible for updating HR-related information into various systems owned by either PWGSC, PSC, or TBS. There are currently system interfaces between PeopleSoft and four other external systems:

  • Regional Pay System (RPS)
  • Employment Equity Database (EEDB)
  • Position Classification Information System (PCIS)
  • Departmental Staffing Activity Information System (DSAIS)

Interfaces with these systems are well managed and the information produced by PeopleSoft is matched to the information generated from the other systems to ascertain accuracy and validity.

Interfaces with End-Users

Documentation and Training

PeopleSoft internal system documentation and the documentation available on the Intranet provide sufficient information for users to navigate through the system and complete basic training on the system.

The HRPDD Data Integrity Unit monitors the data entry error rates of HR assistants. When error rates are greater than 20%, the supervisor of the HR assistant responsible is advised and is then charged with investigating the reasons for the high error rate and taking corrective action. We found that the data entry error rate of HR assistants was significant (over 20%) and not always consistent from one year to the next. In our opinion, a 20% error rate is too high a threshold. The reasons for these errors need to be determined and consideration given to providing additional training to reduce the error rate.

Technical Support

The HR Systems Group has implemented tools to track problems encountered by PeopleSoft users. The most recent version of PeopleSoft registers, classifies, prioritizes, and tracks problems with the system from start to finish. A problem tracking software is used to create reports on open items and provide statistical information such as counts by type, priority, and location of problem.

From our examination of the reports addressing outstanding issues and open requests over a set period of time, we conclude that when an issue can be resolved, it is resolved within a reasonable time., In our view, a periodic review of the outstanding problems would allow management to develop an action plan to resolve these issues on a timely basis.

Communications with Users

The HR Systems Group has implemented tools and procedures to ensure that PeopleSoft-related information is communicated to end-users on a timely basis.

The management responses to the recommendations contained in this report were provided by the Director General, Human Resources and Professional Development Directorate.

Date modified: