Media reports show an alarming trend of growing cyber security attacks and corporate espionage.
In March 2019, the Queensland Under Treasurer referred concerns to the Auditor-General about the delivery of the State Penalties Enforcement Registry (SPER) Reform Program. The Auditor-General agreed to audit the effectiveness of the governance of the program’s information and communication technology (ICT) component. The report, Effectiveness of the State Penalties Enforcement Registry ICT reform (Report 10: 2019–20), was tabled in parliament in February 2020.
As part of this report, we provided lessons learned to guide all entities involved in ICT projects. As the Queensland Government intends to spend $2.6 billion on ICT projects over the four years from 2018–19 to 2021–22, improving oversight and governance, and providing transparent information on cancelled projects, will help manage the risk of project failure.
Where software as a service (SaaS) contracts lock entities into long-term relationships, thorough due diligence of the vendor and their product is required. Entities should not use an outcomes-based approach as an excuse for not defining detailed project requirements appropriately, particularly if tailoring software is required. If entities have not seen the product working in action, they need to arrange site visits and see the product working first-hand. Entities need to be confident that the vendor’s product meets their needs and that vendors can work well with them.
Not defining the contract deliverables sufficiently up front is costly. When this happens, the vendor’s and entity’s expectations may be misaligned, which may result in many change requests and significant contract variations that cost time and money.
Over-reliance on consultants and contractors can result in a lack of business understanding when requirements are defined for ICT projects. When an entity lacks the expertise it needs for a major ICT project, it should engage a ‘critical friend’ who is independent of the delivery team and can provide objective and independent advice to the project steering committee on risks.
Involvement of staff with detailed knowledge of an entity’s business operations is important for transformational projects. But if staff need to continue their business-as-usual responsibilities during this time, it limits their capacity to be involved in the project and manage risks. Entities should consider freeing internal staff involved in transformational projects from their business-as-usual responsibilities by delegating and assigning those responsibilities to others.
Projects should not push ahead when major changes, such as changes in government policy position, will affect them. Entities should take the opportunity to pause, assess risks, and fully reconsider before moving forward.
Entities need to be careful they do not commit to long-term software development and support contracts that make it hard for them to terminate when things go wrong. Entities should be confident the product works well before they commit to service agreements. Contracts should allow the entity to conduct assurance activities over the vendor during implementation and incorporate this into the project assurance.
An organisation’s culture can inhibit project governance effectiveness when the entity operates in silos and when bad news is not communicated. Stopping a project before it incurs unnecessary costs is better than stopping it when significant money has already been spent.
For critical business transformation projects, trying to do everything at once is high risk. Implementing changes in segments provides more opportunity to review, learn and assess risk.
Project steering committees for major ICT projects should include representation from internal ICT areas and the newly created Office of Assurance and Investment (formerly part of the Queensland Government Chief Information Office).
When steering committee members are part of the governance group for a long time and there are no members of the committee who are independent of the entity, they will find it hard to question decisions they have previously made. If entities are highly dependent on external consultants, they should engage an independent expert who can act as a critical friend and challenge the decisions being made.
Statutory officers have responsibilities defined for them in legislation, which gives them independence from the chief executive officers of the entities they serve when executing those defined statutory responsibilities. But in addition to these, they also have management responsibilities (such as delivering projects). It is important that statutory officers and chief executives work collaboratively to ensure effective delivery of major projects.
You can find more information on this audit, the recommendations, and lessons learned for all entities on our website at: www.qao.qld.gov.au/reports-resources/reports-parliament/effectiveness-state-penalties-enforcement-registry-ict-reform