When IT governance goes wrong

Inefficient IT projects are the bugbear of every IT manager.

Speaking the World Computer Congress 2010 in Brisbane, manager of Griffith University’s internal audit office, Cathy Blunt , provided an interesting insight into the main contributing factors to failed or inefficient IT products in government agencies. The public university has undergone internal changes to prevent similar failures, although Blunt wasn’t shy of self-criticism in her review of what sends government IT projects over the edge. Here are some of her thoughts.

Strategic Alignment

“The one that’s probably got the most press coverage over the last few months has been the Queensland Health payroll system. There’s a Queensland auditor’s report about that — it’s well worth a read. It will keep you awake at night for a little while if nothing else.

“In terms of strategic alignment there are a couple of things that the Queensland Audit Office included in their report: There were unclear roles and responsibilities, particularly those in Queensland Health and the people within CorpTech responsible for actually delivering the system, as well as IBM, the service delivery partner with CorpTech. The responsibility between those and who was responsible for the project outcomes was very unclear.

“There was also a lack of strategic outcomes as to what it was they were trying to deliver. Queensland Audit Office quite roundly criticised Queensland Health for not reviewing the awards for their staff before they tried to implement the system to try and reduce the number of awards that were captured in the payroll system they were delivering.

“The [Queensland] Department of Employment and Training was also hit with the same Queensland Audit Office report — they didn’t just want to pick on Queensland Health — and they were criticised for their IT Governance framework not being documented.

“Just to show that auditors don’t always get it right, the Australian National Audit Office (ANAO) was reviewed by KPMG and was criticised for needing better alignment needed between its key risks and IT strategic plan.”

Value Delivery

“The NSW Licensing Project certainly comes up fairly high. A lot of issues were raised that the initial business case did not consider all the agencies involved around savings, what the risks would be, how they would manage the risks involved with the project, how the change management would occur and also training across all of the agencies; it certainly involved a lot of backtracking to compensate.

“The [Queensland] Department of Public Works was criticised for not having mechanisms to demonstrate the value in their projects.”

Risk Management

“Queensland Health was again criticised by the Queensland Audit Office because significant risks in relation to the payroll project weren’t identified, quantified and they kept changing the goal posts as to what the risk framework was actually going to look like during the project. They dragged down the risk rating for some of the definitions during the project.

“The Queensland Department of Employment and Training also comes under fire again for some of their risk management processes in IT. No formal IT risk management processes or registers were in place over projects and other IT activities.”

Resource Management

“Griffith University — our own organisation, had a payroll project that was running over time and budget so they cut back the user acceptance testing (UAT) and refused to push back the go live date on it. Probably another month would have done it, but we found quite a number of issues after go live, that I actually identified as part of a payroll audit. Management didn’t find it themselves, and it took another 18 months before they addressed the issues and fixed it up.

“Because it was running over time and under budget, as soon as the project went live, all of the project skills from the contractors working on the project were shown the door, so we had no expertise there, and had to scramble to find people who had gone off to other projects.

“The Office of State Revenue had a major ICT revenue system going live at the same time as CorpTech was implementing a whole heap of SAP systems across Queensland Government. Queensland Treasury had an ICT steering committee, but we found that CorpTech were attracting the Office of State Revenue’s SAP experts by paying them better. It was obvious one part of Queensland Treasury wasn’t talking to the other.”

Performance Management

“The ANAO was criticised again for not providing key performance indicators for its IT strategic plan objectives. You’d think IT auditors would know better than that, but we like to keep ourselves on our toes every now and again.

“The Queensland Dept of Employment and Training had no project management office to oversee identification and measurement of project benefits. I had a discussion recently with the audit officer at the Department of Employment and Training and he had a lot of the issues that came out of the Queensland audit report. He has taken those lessons learned and turned it into a checklist, and has taken it to his information steering committee and IT management, and said: This is what I need you to check off for every project now, and show me you’re addressing these issues.’ It has been a nice way to turn around the learnings coming out of the work that’s been done in the Queensland Audit Office.”

Blunt also shared some of the issues she has found after spending four years internally auditing projects at Griffith University:

• Lack of formal IT risk assessment frameworks and registers
• Project methodology not always followed
• Project benefits realisation not identified and monitored
• IT Governance committees not working effectively
• Business agenda does not always meet best practices or expectations
• IT policies and procedures no implemented consistently