Implementing a new information and communication technology (ICT) system can be challenging. Such projects are often expensive in time, skill or monetary cost, and it is therefore imperative to plan well from their outset.   

In this blog, we provide questions and insights on common issues and risks that entity management may consider during the various stages of implementing an ICT project.

Project governance

• Have you designated ownership in project governance and accountability frameworks?

When designing the project’s governance and accountability frameworks, you should ensure that all designated parties understand what they are responsible and accountable for. At each governance step, ask:

• Have we completed readiness activities in a timely manner and to the specified quality? Who is responsible for ensuring this happens?
• Do we understand how the project will affect change on our business areas and have we updated local guidance as required?
• Have we adequately considered and/or mitigated risks arising from the project or that may impact on successfully completing the project?

Clearly assigning accountability and responsibility before the project begins means management can make informed decisions, and assign the right people with the right skills to deliver the project.

• Have you aligned projects to business outcomes?

Successful projects effectively align with their business strategies. They are based on a strong and accountable governance framework, align to business outcomes, and have identifiable and measurable benefits for the entity.

To effectively align a project to business outcomes, you should understand and agree on the minimum successful product at the start of the project. Doing so will allow you to build agility into the project so it can respond to business needs.

When replacing legacy systems, your entity can deliver broader business outcomes that otherwise wouldn’t be possible within the existing system. To achieve this, you should involve subject matter experts and key business teams in evaluating and using new solutions, and monitoring the transition through the changes.

• How will you realise and measure expected benefits?

With any project, entities face a risk that they may not realise the expected benefits. How are you ensuring the project will deliver the expected quality and quantity of benefits at the agreed time?

Identifying and documenting the benefits you expect from implementing the system at the start of the project, as well as how you will measure this, will help provide a true assessment of the system’s success. It’s also important to include assurances at critical points in the project to decide whether you are ready to implement the next project phase.

For more points you should consider when managing projects, see our blog Effectively monitoring and managing projects and programs. 

Transition controls and processes

• What steps will you take to test the system and manage defects you identify?

To assess if your entity has met the system implementation requirements, management should conduct both functional tests (for example, business functionality/user acceptance tests) and non-functional tests (for example, security and stress tests) before go-live.

Any defects that management identifies should be monitored and resolved. If any remain unresolved at go-live, they should perform appropriate risk and impact analysis and agree on a plan to address the defects.  

• Have you adequately trained and familiarised staff?

Significant issues may arise if your entity doesn’t provide staff with adequate training and familiarisation with the new system before go-live. While experiencing an adjustment period is common, a lack of training and familiarisation can cause significant issues, confusion and errors. This is discussed in depth in our report Queensland Health’s new finance and supply chain management system (Report 4: 2020–21).

Information technology controls

• Do you monitor the access of privileged users?

Privileged users have a high level of system access – they can access sensitive data, and create and configure within the system.

It’s important to monitor the number and level of privileged user accounts, review whether the users need privileged access, and establish a process to monitor their activities.

You should be careful not to create numerous user accounts with privileged or full system access in an attempt to smooth the transition to a new system. Having an excessive number of privileged users increases the risk of undetected and unauthorised activities and transactions.

• Have you assigned user roles carefully?

When assigning user roles and system access, you should adopt the principle of least privileges – a user’s role and system access level should align with their day-to-day job responsibilities.

Ensure you don’t assign conflicting roles to a user, and that you have segregated duties. For example, a user with access to update employee master data, such as bank details and pay rates, should not have access to approve payroll. Likewise, if a user in the accounts payable team can also access vendor master data, including bank details, there is an increased risk of fraudulent transactions being processed.

• How often do you review delegation authority?

Although your entity will configure delegation authority when setting up the new system, it’s important to ensure this doesn’t become outdated over time. Implementing a process for regular, periodic reviews will help ensure delegation authorities remain appropriate and authorised; likewise, controls should adequately prevent and detect users that exceed their approved delegation.

More information on key controls in managing user access is available in our blog Access controls for information technology systems.

Monitoring controls

• Have you established relevant system and exception reports?

Monitoring controls are an integral part of your entity’s internal control system. Management should plan and evaluate the need for relevant system and exception reports to ensure the implemented system controls and processes are operating effectively when the system goes live.

Resources

Reports to parliament

• Delivering successful technology projects (Report 7: 2020–21)
• Effectiveness of the State Penalties Enforcement Registry ICT reform (Report 10: 2019–20)
• Monitoring and managing ICT projects (Report 1: 2018–19)
• Results of audit: Local government entities 2012-13 (Report 14: 2013–14), section 5.3.4 (pages 50–52).

Better practice guides

• QAO better practice guide—Delivering successful technology projects
• QAO better practice guide—Learnings for ICT projects

Blogs

• Evolving digital services in government
• Learnings for ICT projects
• Lessons learned: Project steering committees for digital transformation projects
• Effectively monitoring and managing projects and programs
• Access controls for information technology systems