HALIFAX, WEDNESDAY, MARCH 3, 2004
STANDING COMMITTEE ON PUBLIC ACCOUNTS
8:00 A.M.
CHAIRMAN
Mr. Graham Steele
VICE-CHAIRMAN
Mr. James DeWolfe
MR. CHAIRMAN: Good morning, ladies and gentlemen. I would like to call this meeting of the Public Accounts Committee, Province of Nova Scotia to order. Before we begin, I just want to introduce our presenters here today. We have with us officials from the Department of Finance, Ms. Vicki Harnish, Deputy Minister, and with her is Susan Sparks, Director of Corporate Information Systems. Today, of course, we will be investigating and discussing the system applications and data processing, SAP, system.
Before we begin, I would like to introduce our members, beginning with the chairman, Mr. Steele, as I am the vice-chairman.
[The committee members introduced themselves.]
MR. CHAIRMAN: There are probably a couple of members who will be joining us, and I will ask them to identify themselves later or I will identify them as such. As usual, we have the Auditor General, Mr. Roy Salmon, and his staff with us. I will now direct your attention to Ms. Harnish. Ms. Harnish, would you care to make some opening comments?
MS. VICKI HARNISH: I would, thank you. Mr. Chairman, I appreciate this opportunity to appear before the Standing Committee on Public Accounts. Appearing with me, you've introduced Susan Sparks, who is our Director of Corporate Information Systems. Her division is responsible for the overall management, maintenance and support of the SAP systems within the provincial public sector. I will be referring a lot of the committee's more technical questions to Susan, because Susan is the technical expert in this area.
1
Before we address the specific questions, though, I would like to take a few minutes to overview the findings of the Auditor General's review of our SAP environment, contained in Chapter 3 of the 2003 Annual Report. First, I would like to emphasize that the SAP system is a secure environment. We back them up every day, and data is stored off-site in a secure location as an industry best practice. Additionally, restoration of the SAP environment is tested on a regular basis. This backup and recovery process has been in place since the SAP system was implemented in 1997.
I think, though, it's important to acknowledge that there's always room for improvement. The Department of Finance takes the Auditor General's recommendations concerning our SAP environment very seriously and, to this end, we have already implemented a number of his recommendations. Additionally, the department has initiated a project to formalize policies and standards within the CIS Division. This project is based on the Canadian Institute of Chartered Accountants Information Technology Control Guidelines. The project will report to a steering committee, and I've asked the Director of Corporate Internal Audit for government to chair the steering committee.
I would like to highlight some of the recommendations and the action already taken by the Corporate Information Systems Division. With respect to security, we concur with the Auditor General's recommendation to restrict the use of the SAP super-user, SAP_ALL, security profile. All on-line users have had this access removed, including all of the Corporate Information Systems support staff. We are also in the process of redesigning the security around the SAP interfaces, and have disabled all inactive end-user accounts, as defined by the Auditor General. We have also requested that SAP Canada provide us with industry best practices, with respect to the management of SAP security for our environment.
It's important for the committee to understand, however, that one of the primary reasons the province selected SAP as its corporate software system is because of its enhanced security features. SAP, as a world-class software, has an extensive and comprehensive security audit trail. Its enhanced security features contribute to the selection of SAP in 80 per cent of the top 500 companies in the world.
As stated previously, the SAP environment is backed up on a daily basis, and the backup tapes are stored off-site in a secure location. The Corporate Information Systems Division tests the restoration of the SAP environment on a regular basis. The province currently houses all SAP infrastructure within the provincial data centre. This is a secure environment, which has been certified to be an appropriate data centre.
The province has procured an Infrastructure Vendor of Record contract for the SAP environment through a competitive request for proposals process. The vendor of record contract was awarded to Sun Microsystems, and part of that contract ensures that the province receives 24/7 infrastructure replacement support. The SAP environment is fully mirrored and, although not formalized, a provision with the infrastructure provider for the
provincial SAP systems has been developed in case of a physical disaster to the provincial data centre.
The Corporate Information Systems Division is in the process of dividing the provincial SAP infrastructure into two secure data centres, to provide further infrastructure redundancy at a cost-effective price to the taxpayer. As reported to the Auditor General, a formal disaster recovery plan will be developed, tested and implemented by the end of June of this year.
The Auditor General also recommended that government review policies concerning departmental business continuity and corporate disaster recovery planning. The importance of updated departmental business continuity plans has already been discussed at the Deputy Ministers' Forum. The Department of Finance will be reviewing business continuity for critical systems within its own department, and that includes not only Corporate Information Systems but also treasury investments and government accounting. With respect to corporate disaster recovery planning, the Business and Technology Advisory Committee has been asked to discuss the corporate disaster recovery plan for our computer services at its next scheduled meeting, again, per the Auditor General's recommendation.
As a result of the Auditor General's Report, the Department of Finance contracted SAP Canada to review the daily operations within the Corporate Information Systems Division and recommend security and control best practices for the province's SAP environment. SAP Canada has also awarded the CIS Division the distinction of being a certified SAP customer competency centre, after reviewing our capability in a number of areas.
A detailed final report of findings and best practices will be completed by the end of March. As an additional commitment to internal controls, the Department of Finance is finalizing a request for proposals for an external audit - and that would be a 5900 audit - to review the controls surrounding the province's SAP environments. We expect this will take place in June 2004. We would like to have an opportunity to actually complete some of the work that's ongoing with respect to reviewing our security and documenting our procedures before we have an external audit. Really, it would provide a good check for us of whether or not we've completed the work that needs to be done.
The other area of concern contained within the Auditor General's Report was with respect to the area of formalized SAP planning. Although a primary stakeholder in the SAP Program, the Corporate Information Systems Division's responsibility is with the support of the current SAP systems within the province and not the planning and rollout of future SAP implementations. In fact, because of the growth and dependence on SAP within the province, government has created a SAP Projects Office within the Office of Economic Development to address corporate SAP planning.
Currently, all SAP implementation projects within the province follow what's called the Accelerated SAP - which is ASAP - implementation methodology as recommended by SAP Canada. The Projects Office is currently developing a corporate SAP governance framework, a standard project implementation methodology and is defining evaluation criteria for future SAP implementation projects.
In closing, Mr. Chairman, I would like to reiterate that the Department of Finance is working diligently to address the concerns of the Auditor General. We have a document, which we would like to distribute, which highlights each of the Auditor General's recommendations contained in Chapter 3 of his report and the status of our resolution to each of these recommendations. We hope that this will help the committee focus their questions in order to obtain more detailed explanations to any of our responses. This is a technical and complex area, and Susan is well positioned to respond to questions on the specific technical issues.
MR. CHAIRMAN: Ms. Harnish, thank you for your overview. Before we go any further, I would just like to mention that we have been joined by Mr. Gerald Sampson, Victoria-The Lakes, and he will be replacing Mr. David Wilson, Glace Bay; and also Mr. Daniel Graham, Halifax Citadel, has joined us. I will remind the presenters that Ms. Mora Stevens is the clerk for the committee, and she is at your service.
The time is 8:15 a.m., and we will start with the NDP for the first 20-minute period. Mr. Graham Steele.
MR. GRAHAM STEELE: Ms. Harnish, welcome, I understand this is the first time you've appeared before the Public Accounts Committee. You are a very senior and experienced civil servant, and it's almost unbelievable to me that we haven't hauled you in here before now. Welcome and congratulations on your recent appointment as Deputy Minister of Finance. I know you have your work cut out for you, and I have no doubt that this will be the first of a number of appearances before this committee.
[8:15 a.m.]
This topic that we have before us today is, on one level, very technical but, on another level, very important for people to understand. This SAP system is the central financial management system, not just financial but there are other aspects of it as well, for the government. It's very important that it function well. Having said that, I'm going to set it aside for the first few minutes, because there's another topic I want to ask you about.
I'm a bit like a dog with a bone with this topic, and everybody who comes before this committee who has anything to say I ask them about it, because the part of the Auditor General's Report this year that disturbed me the most was an item that involved only a few
million dollars and that was in the long-term care sector where there was a policy change last year that the Department of Health said would cost $6 million to implement.
In the budget documents that were presented to this Legislature, the policy change was said to cost $3 million, and at the end of the year the true cost was $6 million, just like the Department of Health said it would be. What appears to have happened is that somewhere in the Treasury and Policy Board, for which I believe you were responsible at the time, somebody just drew a line through the $6 million figure and put in a different figure, and nobody who has come before this committee has offered a satisfactory explanation of why it is that the Legislature appeared to have been given a figure that no one believed to be true. As an MLA, as the chairman of this committee, there is nothing that makes me more angry than the idea that the Legislature is being given false figures.
So I was wondering if you could explain whether in your role now as Deputy Minister of Finance or formerly as a senior official at Treasury and Policy Board, because everybody else who we've asked this question says it wasn't us, it was Treasury and Policy Board who did it, what happened and how did that figure get changed, so that the figure presented to the Legislature was different from what everybody in the Department of Health knew that it ought to be? What happened?
MS. HARNISH: Well, I don't think you've been given quite accurate information. I was at Treasury and Policy Board when this issue was raised through the Auditor General's Report. I would not have been at Treasury and Policy Board at the time of the actual recommendation with respect to long-term care. However, we did go back and check the files. The files clearly indicated that when this proposal was brought forward to Treasury and Policy Board by the Health Department, there was a cost range and $3 million was within the cost range. The actual fact that it was $6 million at the end of the day was not something that was presented to the board at the time. So there is a bit of a disconnect, I believe, between what you might have been told - or not you - what the Auditor General may have been told at the Health Department and what our records at Treasury and Policy Board clearly showed.
MR. STEELE: Okay, because the information we have in this committee, of course, is what the Auditor General gives us, and the Auditor General's Report said the figure was $6 million and it was changed to $3 million.
MS. HARNISH: I can't speak to why the Health Department provided information that's different than the information that was actually submitted to Treasury and Policy Board at the time.
MR. STEELE: Mr. Salmon, do you have a comment on that? Basically, Ms. Harnish, if I understand her rightly, says that the information in your annual report saying that the cost estimate from the Department of Health was $6 million is mistaken, that there was actually a range of $3 million to $6 million.
MR. ROY SALMON: We did an audit; we did not do any audit work in Treasury and Policy Board on this issue. Our audit was confined to the Department of Health in the home-care sector. We were informed by those people that they had put forward a request for $6 million to cover this specific item, and that it was adjusted to $3 million and they did not know the reason why.
MR. STEELE: I would like to move on to the computer systems now. The chapter in the Auditor General's Report on the SAP system is the longest chapter, probably the most technically complex; it contains by far the most number of recommendations. There's a lot of detail here. Am I to understand that this response that has been handed out to the committee this morning is an official response to the Department of Finance, recommendation by recommendation, to the Auditor General's Report?
MS. HARNISH: Well, I don't know if we would call it official, but certainly what we've attempted to do is document our progress, just to assist you in taking a look at what we are doing. I spoke to almost all of these in my opening remarks, and this really is documentation, just to report, for your ease, what's going on.
MR. STEELE: When the Auditor General's Report came out, the initial response, as reported in the media, from the Department of Finance was essentially, if I can sort of summarize it all in a sentence or two, there's not really as much of a problem as the Auditor General appears to be indicating. Now that caused me a little bit of concern, because I'm getting a bit of a mixed message from Finance about whether Finance accepts everything that the Auditor General's Report says or whether there are some things that the department feels are mistaken or perhaps exaggerated. Even after your opening presentation this morning, which was helpful, I'm still not clear. Does the Department of Finance agree with the Auditor General's analysis? Is there any part of it with which the department does not agree?
MS. HARNISH: I think I would characterize our response, and I've thought about this and Susan and I have discussed this, as we have work to do with respect to documenting our policies and procedures, and ensuring that all the bases are covered; however, I think that if a disaster had occurred, we were in good shape to restore. Although we didn't have a completely documented set of guidelines, I believe we had a good idea of how it would be done. I think we had the components in place that it could be done. I would characterize our shortfalls in this regard as not having put the formality and the actual rigour to the process that the Auditor General has recommended. I agree that that does need to be done and, as you can see, we are taking a number of measures to ensure that it actually is done properly.
MR. STEELE: Are there parts of the Auditor General's analysis with which the department does not agree, that it simply feels are mistaken?
MS. HARNISH: I will let Susan answer that, it's probably easier.
MR. CHAIRMAN: Ms. Sparks.
MS. SUSAN SPARKS: I think our response to the media at that time was not necessarily on the Auditor General's Report, it was on the media's interpretation of the report that there were end-users out there in the system, many, who could just go in and do anything in the system and there was no security around the system whatsoever. As well, there would seem to be some indication or some impression that the system wasn't backed up on a regular basis, that the data was not stored off-site on a regular basis, that there were a lot of practices within the division, we were just running around with no direction and no competence, and I think that's what we had issue with.
We wanted to clarify that, as SAP Canada has just done by certifying the division as a SAP core competency centre, although as Ms. Harnish indicated that the documentation wasn't in place, and we are working diligently to put it in place, that the system itself, the controls around the system are relatively good controls.
MR. STEELE: Let me talk for a second about the security part of the Auditor General's Report. These aren't media reports of what the Auditor General says, I'm going to read actual phrases and sentences. The Auditor General says, "We encountered situations that raise serious concerns as to whether security has been given an appropriate level of consideration . . . " He goes on to say, "Based upon the nature and significance of these security issues, we believe that government should commission a full and independent audit of all aspects of SAP security . . .". The next paragraph, "The need for a security and control audit is urgent."
Now, the Auditor General and his senior staff are all accountants and they tend to speak in very polite language and so when we see language like this in the vocabulary of the Auditor General, this is pretty drastic language: serious concerns, full and independent audit, urgent. Yet, the message I seem to be getting from Finance is well, it's not really that bad, there's no really serious problem. So let me ask you this. What level of assurance can you give the people of Nova Scotia that the financial management system has never been abused?
MS. SPARKS: Of the million transactions that have gone on in the corporate financial management system, we have not found, through our regular budget management processes, where every budget manager in the province has to go through their budget on a regular basis, provide monthly forecasts and sign off those, with all the internal controls that are in place, there has not been a discovery of any fraudulent, misappropriate use of that system. That has been a system that has been in place since 1997.
So, if you want me, personally, to guarantee every transaction, no, I'm not going to guarantee but I will tell you that there are a number of controls that are in place, the security is profile generated. The Auditor General was reviewing the staff within my division. These are IT professionals and they were reviewing their access and they felt that there were too many people on my staff who had full access to that environment, something that's been changed based on their recommendation. So that of their serious concern has been addressed. As far as all the end-users who were out there, they didn't do a comprehensive audit on all the users who were out there and the profiles that were out there, and so on and so forth. So, I find it a little bit of a disconnect with respect to their language of serious concerns and immediate reaction and so on and so forth.
MR. STEELE: Now, of course, I'm not asking you to personally guarantee, because that wouldn't be fair, but what I was asking you was what level of assurance you can give the people of Nova Scotia, whose money is being managed by this system, that the system hasn't been abused? The answer that I got from you the first time is, none has been discovered.
MS. SPARKS: I would offer a very, very high degree of confidence, myself, that the system has not been abused. Although evidence has not been found, I am ultimately responsible for the security of that system and so that's why I'm here today and my reputation is on the line with respect to that. So, I can assure you that I do everything in my power to ensure that people aren't using the system inappropriately.
MR. STEELE: But do you see the difficulty that we have sitting here? We rely on the information provided by the Auditor General who, in this particular chapter, has used strong language, the strongest language that Auditors General ever use to say, you know, if he could have a flashing red light on this he would, saying, there's a problem here. In fact, there's another part of this stuff on security where he says that some of the situations are so serious that we can't even tell you what they are because they're confidential but we brought them to the attention of management. So, I don't want anybody to think that the only issue they've raised is the number of end-users or the super-user, there's more going on here but I'm still getting the message from you that fundamentally there isn't a problem.
MS. SPARKS: That is one area I would somewhat like to respond to, because the information that was in the report is the information that was given to our division. So, if you think that there are a hundred other findings that they couldn't report to based on security, I was actually surprised at the level of detail they put in the report with respect to giving out user ID names and so on and so forth. So, if you're under the impression, and you can ask the Auditor General this, if you're under the impression that there were many other breaches of security or issues that they found that they couldn't give in the report, not to my knowledge were there many others.
MR. STEELE: Okay, let me read the sentence that I'm referring to, this is Paragraph 3.19, "We encountered situations that raise serious concerns as to whether security has been
given an appropriate level of consideration in managing CFMS/SAP. These matters have been reported separately to management and are not detailed here due to the confidential nature." So as far as you're concerned, what is that referring to?
[8:30 a.m.]
MS. SPARKS: We received one letter from them outside of this information and that was with respect to the SAP_ALL user ID. So other than the report that was given, that is the information that we received, which was in the report.
MR. STEELE: Mr. Salmon or Mr. Edmonds, what's going on here? There's supposed to be additional things that have been brought to management's attention, as far as I can tell, management is saying they're not quite sure what you're referring to.
MR. SALMON: I will turn it to Mr. Edmonds.
MR. RON EDMONDS: The information that we are referring to there was the very first draft of our report which contained all the details, every aspect of our concerns. That was reviewed in detail, in person, with the CIS Division.
MR. STEELE: Okay, Ms. Sparks.
MS. SPARKS: There were not any recommendations within that information that are not contained in this report.
MR. STEELE: Besides security, one of the other issues which the Auditor General's Report underlines is the lack of planning, the lack of strategic planning. Just to give everyone a flavour of what the Auditor General says about this, the report says, ". . . we expected to find an extensive and formalized planning structure for the division." Then they go on to say, ". . . we found that there is no formalized planning . . .". Then they say in Paragraph 3.13 why this is so important, "To continue managing in this very complex environment without a formalized planning process significantly increases the risk of inefficient operations, missed opportunities, decisions based upon incomplete information, inability to react on a timely basis to important issues and the inability to measure and report upon performance."
Now, that's pretty serious stuff. So, this is the financial management system for the Province of Nova Scotia, not only does it cover all of core government, it covers other entities as well and not only that but it's about to be rolled out to other entities as well. Not only are we consolidating what it covers now but it's covering more all without, apparently, any strategic planning. Why should Nova Scotians have confidence that this system is going to work when the Auditor General can say those kind of things about it?
MS. SPARKS: As part of the Department of Finance, the Corporate Information Systems Division does participate in the department's business planning process and in last year's business plan, outcomes and measures related specifically to the CIS and the rollout of SAP. So, do we have a complete and well-defined operational plan? No. That is part of the project that we're working on to ensure that these plans stay in place for the operational management of the system. I do want to indicate, however, that government has invested in a SAP Projects Office within the Office of Economic Development. Their responsibility is to strategically plan for the SAP rollouts and implementations within the provincial public sector. It is not for the Corporate Information Systems Division to actually plan for rollouts within the municipal, school board, health care sectors and so on and so forth. It's the Office of Economic Development Projects Office. I do know that they have plans and they are setting up evaluation criteria for all the implementations and so on. We work in partnership with them.
So from a strategics planning perspective, that happens at the SAP Projects Office. I do agree that we need to more formalize our operational plans within the division and we are attempting to do so now.
MR. STEELE: We have this chapter in the Auditor General's Report that raises concerns about security, planning, disaster recovery, business continuity, practices and procedures but at the same time we're talking about rolling this system out to other sectors of the Nova Scotia public sector. Isn't it time, do you think, to slow down, get things right with what we're doing now on all of those areas which are very important before we move forward and use this system for other purposes?
MR. CHAIRMAN: A very brief answer, please.
MS. SPARKS: Based on the information that was provided to the committee members, that's what we're doing. We have actually set up a project to look at ensuring all those recommendations are in place or are proceeding to be put in place. There are some overlaps with some of the projects that are ongoing now. We don't want to stop a project in mid and wait six months or a year at a substantial cost to government. What we want to do is do the two so that at the implementation time in October, the HR implementation that is going in, we will have our house in order for planning for the disaster recovery and for our policies and procedures.
MR. CHAIRMAN: Thank you. It is now time to turn to the Liberal members. Ms. Whalen, you have the next 20 minutes.
The honourable member for Halifax Clayton Park.
MS. DIANA WHALEN: The questions that have been raised so far on the security and so on are certainly paramount in all of our minds. Taking that just one step further, two weeks ago, I guess it was, when the Auditor General was here, they had given us this chart in colour, which is the rollout of the different systems that are being offered under your management, through SAP. What was indicated was that two years ago there was just a very small number - I think it was just at the top of the chart, is that right? We have it in our book but it's in black and white so you can't see it as well, but it was just the very top level, basically that was being offered through your CIS section. Now we're looking at a rollout of many, many more new systems coming on board.
What I would like to just go over with you a little bit are the resources you have available, and how they have grown over time, and whether you feel properly resourced to do these kinds of changes in the environment you are working in right now. Maybe just first off we could talk about the staff resources you have currently and perhaps compare them to what you had two years ago.
MS. SPARKS: Currently within the Corporate Information Systems Division, we have 36 full-time staff members, including myself. Before we started implementations in the school boards, we had 21 or 22 staff, so we have grown quite significantly in the last two years to support the new systems that are coming on board.
Each system, as it comes on board, as we implement a new system, we do an evaluation of the new staff members or new support members that are required. What we do is actually take existing members from the team and put them on the project so they can be very well-trained, they can understand the environment and so on. Then what we do is we hire the new people or we bring in people from other areas of government to work in the CIS Division so that they can gain the experience there.
What we're doing is often when systems are implemented by external companies, they hand you off the system at the end and you're left to support it and you may understand SAP and the intricacies, but you don't understand maybe the business processes and so on. By having our staff members involved on the project, for example, the HR payroll project that is going on right now with the province and the school board, I currently have 10 staff members on a full-time and part-time basis on that project, plus we have the other 25 staff within the support organization as well, that will be augmenting the support.
The eMerge Project, just to let you know that it's not just my staff working on that project, there's a staff of about 35 people on that project. It has its own project director, it has its own project implementation management steering committee and has all the proper processes; it went through the Tangible Capital Assets process to obtain funding and so on and so forth.
MS. WHALEN: If I could, just to take you back a step. We have talked about all of the security documentation and planning that needs to be done right now and I understood from the introduction that there is a timeline that has been set; we're talking about something that was going to be ready by the end of March and an outside audit by the end of June, perhaps. Are all of these other projects able to continue on the same timeline, the same track you've got them on, without first identifying what an external auditor, for example, might find in the security area?
MS. SPARKS: With respect to the HRM payroll system, they are having independent security reviews as part of their project, within their project, to ensure that the security and so on that they're putting in place, and the policies and so on and so forth, are put in place within that project structure. In reaction as well to the Auditor General's comments and concerns, they said we need to put in - they already had a quality assurance part of their project - a bit more diligence with respect to security, and they are demanding that before we go live, that my disaster recovery plan is in place; it is a service level that I have told them
will be in place. The system will not go live without the actual tested disaster recovery plan in place, so they have put those controls and responsibilities on that.
That being said, we also have staff from Corporate Internal Audit who are going to help us back at the office, I guess, to implement these recommendations and write these policies. We have a senior person within our division right now that's at - this week and next week - policy workshops put on by the Dalhousie School of Public Administration so we will have the tools in place to be able to do that. So we are investing - even though we are doing it with our own staff - by bringing other people in government, as well.
MS. WHALEN: Can you give us a date that you're expecting that eMerge Project to go live?
MS. SPARKS: For the school boards, the expectation is August of this fiscal year, or this calendar year, I guess. For the provincial departments and agencies, the go-live date is October.
MS. WHALEN: Could you address the electronic payments to vendors and what the timeline is for that one?
MS. SPARKS: The electronic payment to vendors right now is on track, an RFP has been signed with a service provider. We actually were looking at an April 1st date for the implementation, but are delaying that implementation until probably the July/August time frame.
MS. WHALEN: Is that delay related to the Auditor General's Report?
MS. SPARKS: Partially. Also, we want to make sure we have the resources, and I guess how it relates to the Auditor General is we want to make sure that everything is properly in place before we implement. We were in the process at the time of signing a request for process for a banking service provider for those services. But we've decided to delay the actual implementation until we feel that all the appropriate controls are confirmed to be in place.
MS. WHALEN: And if there's a delay in the security audit, for example, being done, or anything like that, is your intention to hold off on the introduction of these new systems?
MS. SPARKS: I don't anticipate that there would be any delay because we don't want to build on a house of cards, so from that perspective, we do want to ensure that we have a solid foundation, which we believe we do. We need to formalize a solid foundation, but before we build on that foundation we want to ensure and have audited that it is solid, and then build on that from there.
MS. WHALEN: If you didn't have all the answers in time you would consider waiting?
MS. SPARKS: We would consider but we anticipate because it is our priority. The projects that you speak of are a very top priority within government and they are managed to implement on the date. If those are critical paths that need to be in place, to ensure that they get implemented on the date specified, then those things will be done before they are implemented.
MS. WHALEN: Can I ask you, you have these two priorities, I assume they are your top two priorities, the eMerge and the vendors payment?
MS. SPARKS: Yes.
MS. WHALEN: They would be the two top priorities that you are working on now. In choosing those and in choosing to expand the system, was any cost-benefit analysis done to show that there was real benefit to the province?
MS. SPARKS: The eMerge Project, for the provincial government and for the school boards, had to go through a Tangible Capital Assets submission in order to obtain the capital funding to pay for the projects, and in that TCA is a cost-benefit realization. They have to go to the Business Technology Advisory Committee and present to them, and as well, they have to go through the rigorous process to compare the costs and benefits for those projects. So they go on individual merit, they don't just say these are SAP projects and we're going to continue to roll that out. Each project is defined on its own merit and its own benefit.
Within the eMerge Project, they do actually have benefit realization criteria that they have put in place so that a year after implementation, for example, they will be able to look back and say, did we get the benefit that we said we would get from this project, to help us further enhance our ability to implement these projects in the most cost-effective way, and also to identify which projects actually are returning the best investment.
MS. WHALEN: Can you give me an idea of the cost to introduce - let's pick one of them - the eMerge Project, let's say? What kind of cost would be associated with that endeavour?
MS. SPARKS: I don't have exact figures on that, not being the project director. I think the budget is about $6.7 million for both sectors. One of the cost savings that the project was able to look at was combining the school board and provincial HR implementations. They had submitted separate capital asset submissions, totalling above $8 million together, and by doing the projects together, we were able to offer a substantial savings to government.
[8:45 a.m.]
Those costs, they're very high, and we understand that, but they are significantly reduced from industry standards because we have internal competence within the province and are able to put those people on the projects and so on.
MS. WHALEN: What's the real benefit of introducing them through the SAP system? Can you describe that?
MS. SPARKS: There are a number of benefits. The primary one, integration with our financial system, is to have a fully-integrated system. In the case of the school boards, they have a number of service providers that are providing their payroll information. It costs a lot of money to maintain many interfaces to pension systems and so on, so when you go with one system, you have one interface, you have common information, you have common business practices, a big benefit. When we implemented the financial systems within the school boards, the cost of these implementations are not just to take a software and use a new, updated software with enhanced capabilities, it's actually to look at the business processes behind them. We had school boards that were out there doing various different business processes, and we sat down with the school boards to find best business practices, so everybody would operate their business in the same manner.
MS. WHALEN: Of the 35 people you said were working on that, in total 10 are from your section or work within your core competency group. The others, would they be school board employees?
MS. SPARKS: They would be school board, provincial, and I think there are about five or six consultants.
MS. WHALEN: The end-users will be all integrated into that team.
MS. SPARKS: Exactly, and those are the core team members. If you talk about advisory team members and extended team members, you're talking probably upward of 50 to 100 people who are being consulted through this process.
MS. WHALEN: We read the article, actually given to us last time, where you were interviewed or the system was discussed, it was called, At the Wheel of a Caddy. I think it was a SAP magazine that it appeared in. They definitely say that the system is top notch. I'm wondering again about the resources we have to run that system, because we're in a province that is not accustomed, perhaps, to Cadillacs in our service delivery in other areas - it's difficult to afford, often, right? So, can you discuss the actual funding of your area and the needs you have? I understand it's a high-pressure area, a lot of things going on, you're responsible for $5 billion in transactions and so on. Are you properly resourced in terms of the size of your group? I'm really concerned with the growth that we see coming. Can you give me some sense of how you're going to be on top of it?
MS. SPARKS: The certification that SAP just gave us last week, as a certified customer competency centre, one of the measurements they base that on is on Gartner's, which is an IT industry think tank that actually defines, depending on how many users you have, how much staff you should have in order to support those end-users. What we did is we gave them the numbers after the HR implementation. So we gave them the number of users for us to be evaluated based on what our number of users will be after, not our current number of users but our number of users after implementation, and they said, based on industry best practices, we had a sufficient number of staff to support those users. They were very impressed at the level of expertise that we had in our staff.
They did, as you brought up, bring up the point that as we continue to roll out, we can't be expected to support the continued rollout with the existing number of staff. That's why every project that comes on, not only is the capital cost of implementing the project costed in, but the ongoing support dollars for enhanced infrastructure, for enhanced support, for training, all of those numbers are crunched in because those are operational dollars that now have to be spent on the support of the operation.
So they have the same concern that you do, and they very well say that you're certified now, your certification is for two years, when you will have to be re-certified. At that point in time, if your numbers - right now, we're at about 2,500 end-users if you count the eMerge, we're certified up to 6,000. Once we go above the 6,000 user mark, then we have to be re-certified, if it happens within those two years.
MS. WHALEN: The extra cost that you're going to require for this coming year, where you have two major projects coming on-line, have they gone forward in the budget for this year? Can you be assured that you will get that money?
MS. SPARKS: Yes. The budget, specifically for the support of the HR system on the school board side, has gone to the Department of Education, and it has been forwarded by the Senior Executive Director of Finance to the deputy minister and minister as a critical issue for payment. So they have committed to those dollars. We do spend existing money on the operations of those systems, and the idea is not to get new money to move into the support organization, it's to take the existing money and transfer it to the competency centre.
With respect to the provincial support, we have already moved staff into the competency centre, which supported our legacy HRMS system. So we moved them in, again, before the system was implemented, so they could do some cross-training and learning of the environment, so they will be able to support, at no additional cost, our environment.
MS. WHALEN: Can you tell me, have you used outside consultants at all in your introduction of these new systems?
MS. SPARKS: Yes, we do.
MS. WHALEN: And how frequent is that?
MS. SPARKS: On new areas, new modules which are outside of our expertise, we would use consultants more than we would use them, for example, on implementations that we've already done. For example, we've implemented SAP in a number of municipalities. We have the expertise to do that. So if there was a municipality out there, and got prioritized through the governance framework, that wanted us to implement, we could probably do that with our own forces; we wouldn't have to hire consultants. That's where the cost saving of having this competency centre is really at, that we can reuse these resources, we're not depending on outside, high-priced consultants to do our implementations for us.
MS. WHALEN: There was quite a lot mentioned in the article about training of staff. Is that what you're referring to when you talk about bolstering your internal capability?
MS. SPARKS: Exactly. Training is something that I've held onto very tightly for our division, and it's something that I spend a lot of effort to justify. As we all know, times are tight within Nova Scotia, but it is critical, if you're going to use internal people, to keep them adequately trained. All of my staff have career plans and have training identified at the beginning of the year that they need. What we do is if a lot of this training can't be done or isn't offered locally, we bring somebody down to do the training on-site at a considerable savings, rather than sending five people to Toronto or Montreal or somewhere like that.
MS. WHALEN: What sort of training budget do you have?
MS. SPARKS: It's about $70,000. The other thing that I wanted to mention is that one of the universities within Nova Scotia, St. Francis Xavier, has what's called a SAP University Alliance Program, and we have hired a number of those graduates who already have SAP training, technical and functional training.
MS. WHALEN: I have a question related to the over-expenditure of a different program, which is an IT program, in that I just want to know whether you've experienced these kinds of over-expenditures or gone beyond budget, and that would be the Meditech system that's coming in with the Department of Health and still not up to a rollout yet, and it's gone from a $30 million budget to $50 million. We haven't seen the end of it yet. Can you tell me if you've experienced anything like that in your rollout of SAP. I think you've been there since 1997, haven't you?
MS. SPARKS: Yes, I have. No. You can't really compare Health, their systems and what they're going through with some of the implementations that we have done, primarily because we are experienced now, so we have that experience behind us. We've been at this for seven-plus years; 1996 is actually when the implementation started within the province. But it's really not fair for me to comment on other IT expenditures.
MS. WHALEN: I understand. I think my time is almost up.
MR. CHAIRMAN: You have one minute left.
MS. WHALEN: Could I ask you, earlier on it was mentioned in one of our previous meetings about mould being found in the building where the equipment is housed, can you give me some idea about whether or not that did pose a potential disaster for you?
MS. SPARKS: If the system had to be shut down, whether it was mould, whether the building blew up, in case of a physical disaster, what we would put in place is that we have other data centres within the province, some which are owned by the province; Camp Hill would be one, or the Infirmary Data Centre, and we have been in discussions with the Halifax Regional Municipality who also have a data centre. What we would do, in the case of mould, we would just move our equipment, we already have wide-area network access to that.
In the case of a physical disaster, that's when we would have to go to the Infrastructure Vendor of Record and say, you've told us that it would take you two weeks to get the new equipment up and running, and that's about the time frame it would take us. What we are planning to do with our current disaster recovery plan is to separate our infrastructure environment and co-locate it in two locations. So if we have a problem of a physical disaster-type nature, then we can run on one or the other cylinder of the equipment.
MS. WHALEN: So in that case there would be no downtime.
MR. CHAIRMAN: Thank you, the time has expired for the Liberal caucus. We will now turn to the PC caucus and the honourable member for Waverley-Fall River-Beaver Bank, Mr. Hines.
MR. GARY HINES: Thank you, ladies, for coming in today. In your opening statements, you alluded to the formation of a formal disaster recovery plan. Can you give me some background as to what that program would be?
MS. SPARKS: A formal disaster recovery program is a provision for computer systems if there was a physical disaster to the environment of where the computer systems are housed. So the formal disaster recovery plan would have in it - there's a methodology in creating a disaster recovery plan. So what you have to do is consult with all of your clients. You first have to determine how long the clients can operate in an environment without their computer systems.
There are some environments like Health where they can't, they need them running 24/7 all the time. There are other systems, and when we first implemented our financials, we determined we didn't need 24/7 if there was a physical disaster, we could have manual business continuity in place for a two- or three-week time period, write manual cheques for the critical systems that we needed to write them for and it's not as critical. As we depend on SAP more and more, that time frame is going to get smaller and smaller. So, on initial consultation with our stakeholders, we've determined that a two- to three-day downtime is plenty, even for growth of our system.
So the plan will entail having our infrastructure co-located in two locations, so we would have our development and quality assurance environment located in one environment and we would have our production environment located in another. In the case of a disaster, as we do now, as we have always done, we take the information and it's backed up on a regular basis. There is what's called a hard backup, which is a taped backup; it's done every day. Those tapes are taken to a secure facility, it is called Iron Mountain, in Dartmouth and they are vaulted, it's a secure facility where those tapes are taken off-site.
In the case that there would be a physical disaster to the production environment, what we would do is take the backup information from the last backup - seven or eight o'clock at night is when we do our backup - we would take those tapes and load the information on our development and quality assurance environment; we would have the system running from that infrastructure. Now, that infrastructure won't be as robust as our production environment. We have a very, very redundant and robust infrastructure environment, so what we would have to do is identify the mission critical application users to be using that system during that period while we endeavour to rebuild a production environment.
MR. HINES: I'm going to move to another area now and I'm going to move on the basis of a statement in the Auditor General's November report, where it is noted that, "The implementation of GAAP as the basis of government's financial reporting . . . has allowed Nova Scotia to move from the bottom of the pack . . ." to the leader with regard to Canadian provincial government financial reporting. That being said, have you done comparisons with the other provinces to see where you are in relation to them? Do you have ongoing information to compare your systems or do you agree with the Auditor General that you are top-notch and that we do have the Cadillac, as one of the members alluded to?
[9:00 a.m.]
MS. SPARKS: With respect to the policies around GAAP, that's not my area to respond to, but I can tell you I was at a conference of my peers last June where we were discussing information systems for both financial and human resources, and we are somewhat the envy of some of the other jurisdictions because we are going to have one consolidated information technology system. So our information will not be, our HR system over here and our financial system over here and another system for, say, work order management.
What we have is one integrated system which allows for many, many operational efficiencies. It allows for single entry, so you enter in once and it feeds all the other systems that are out there; it allows for consistency, so what a financial person calls a full-time equivalent is what an HR person calls a full-time equivalent, which is what our department person calls a full-time equivalent. It allows for similar business processes around the system.
So, as I've said, I can't comment specifically on GAAP, but I can comment that I do believe we are a leader. We just won a silver medal in the Fall at the GTEC awards, which are government recognition awards, based on our cross-jurisdictional sharing and partnerships. So, we are being recognized. The article in the magazine that Ms. Whalen referred to, I really do think that we are a leader in this area. I'm not trying to gloss over what the Auditor General had said. Yes, there is always room for improvement and we need to make sure that we do have a solid foundation for these systems before we move forward. But we really do have good systems and good planning and so on, to move us into the next level of having these systems integrated and we are the envy of other jurisdictions of the country.
MR. HINES: So your security efforts are obviously the envy of other jurisdictions as well, is that what you're hearing?
MS. SPARKS: To be honest, from a security perspective, we haven't gotten into that specific discussion, so I don't want to comment on that - I mean envy on something that I haven't really discussed with my peers. Governments are looking at things like single sign-on and those types of environments and huge, huge security implications that need to be addressed before you can go to those, and we're doing all the evaluation now before we move
to those environments. So I don't know if we're the envy on that, but we are doing due diligence to make sure that we have secure systems.
MR. HINES: As semi-computer-illiterate, I guess I would call myself, I'm not going to ask you the hard technical questions but one thing that does concern me is something that concerns all of us, and that is individual security and the potential for hackers and so on. Do you feel that you're less at risk to hackers than other systems?
MS. SPARKS: We actually have enhanced security right now because we have multiple organizations using SAP. So, what we've done is extra diligence in, first of all, segregating the environments, so we don't have municipalities looking at school board information and we don't have provincial departments looking at regional housing information and so on. We have security, even though it is in one physical infrastructure, we have it segregated and there is security around each environment. So we've taken that additional step.
We've also put firewalls around our physical infrastructure in separating it from the provincial wide-area network, because we don't want people in the wide-area network on other systems being able to come into our environment without appropriate access and vice versa. We do have the municipalities and we do have school board users and so on in our environment, and we don't want them to have access to other information on our provincial wide-area network. So we actually segregated before we were part of the network and actually put a firewall around our environment to ensure that we're further protected.
We also have in place security not just at the SAP level but we have security at our server level, by Sun Microsystems. So we have security at various levels within the system. As I've said, we don't just have your end-user ID when you log onto SAP, it is password protected - we make you change the password every two months - and you have an eight-letter password. All the right things, what we're supposed to do, we have involved but we also have security at an operating system level. We have security at an infrastructure level as well.
MR. HINES: You've gone to the next area of concern and that is regarding passwords. I know in my everyday life that I don't share my password for my e-mail or my bank accounts and so on, how do you determine who gets passwords so you can access the system, how do you determine it and how do you protect when somebody moves from your department to another department that they don't take the password with them or that kind of thing; what are the measures taken internally to protect?
MS. SPARKS: This is an area that the Auditor General also pointed out that we can be more proactive with. We do have policies, every user who signs onto our system has to sign that they have read that they are not to share their password, that they're not to use the system for inappropriate use and so on and so forth, but they do have to sign an agreement.
The assignment of roles for that user, what access they can give is by the directors of Finance and will be by the directors of Human Resources and by the owners of the system within the departments. So they are the people who are responsible. We can't monitor 2,500 users and say, is this person allowed to look at this department's chart of accounts, for example, so what we do is we leave that to the leadership within the department and they have to physically sign a form in order to grant access to the environment.
One of the things the Auditor General did come up with is that although there are exit policies in place when staff leave government that they're supposed to notify their IT groups to disable those user IDs, sometimes they slip through the cracks. So what the Auditor General has told us we should be more diligent of is to report to the people who know, in the departments, what users are active in the system, what users have not used their user sign-on, say, for a period of a month or two months, and after six months those users are disabled.
The benefit of bringing on the HR system is we will now have a link with our active employee database, so that any employee who terminates off the system will automatically have their password locked. So that's an enhanced function of bringing on the HR module, which we didn't have before, because the integration wasn't there. So that's a huge benefit to that environment.
MR. HINES: Do some passwords automatically expire?
MS. SPARKS: Yes. After 60 days - it's either 30 or 60, I don't know the exact number - you have to reset your password, you have to give it another password, so if you log in it will say, please change your password, and you can't switch between two, it has to be one you haven't used six times before. They are eight characters long. For myself, I'm an occasional user, as a budget manager and it's sometimes difficult to remember those.
MR. HINES: Now, the SAP program, is it connected to the Internet in any way or is it truly just an internal device?
MS. SPARKS: Right now it is internal but there is a project underway, the SAP Portals Project, which is looking at linking what we call operational systems, in which SAP would be one, to the Internet, but all of the protocols and security and so on that have to be in place will be done before they are out for broad use across the Internet. Currently, there is no Internet access to SAP.
MR. HINES: Mr. Chairman, I will pass off now to my colleague, if you wish.
MR. CHAIRMAN: The honourable member for Chester-St. Margaret's.
MR. JOHN CHATAWAY: Mr. Chairman, I very much appreciate you people coming in and certainly, at least for this member of the committee, I'm learning a lot, I think. Ms.
Harnish, firstly, you mentioned that we have enhanced security and that the department is certainly accepting and trying to implement all the recommendations made by the Auditor General and, of course, there are 20 of them. I haven't read that, I've only had it for five minutes, but I can obviously see that it is very, very important. The other thing, of course, is that you did mention, Ms. Harnish, that a formalized disaster recovery plan will be made by June of this year; basically, you said that it's now going to be formalized.
Also there is an SAP department now, under Economic Development and they are formalized, they are put in place and, of course, Ottawa has said what a system we have in Nova Scotia, yes, we bless the system, and they wouldn't say that if it wasn't true. But basically one of the things that I would be very interested to know is the disaster recovery. What would qualify as a disaster in terms of disaster recovery? What would you say, what's your term for a disaster?
MS. SPARKS: The first thing you define in a disaster recovery plan is what constitutes a disaster and who makes the decision that a disaster has occurred. For example, when Hurricane Juan was here in September, to reiterate the secure environment that we do have, the municipal users and the school board users that were outside the affected areas were up and running, business as usual during that period because of where the infrastructure was provided and the secure facility it was after. But what defines a disaster, you actually define that in your disaster recovery plan
There are various levels of disaster. You can have, obviously, a disaster to the entire city in which case we're in bigger trouble than just the SAP environment; you could have a physical disaster to the production environment of your building, in which case that's defined and we look whether it's because of what the Auditor General brought up, that there is a mould so people can't actually go in there, so we can't get access to the environment, or is it because the building no longer exists. So, if it's a case of mould or where it's questionable, there are criteria that get evaluated to determine what decisions are made, okay, yes, now we're going to our next site.
One thing about a formal disaster is that you only can back up to the latest hard backup tapes. So often there is a period of time that is lost. If, for example, we've done a formal backup tape at seven o'clock the night before, and the next morning is when the disaster occurs, the work that's been done from that period of time to that morning is going to be lost and you have to go back to that period of time. So by making that decision, yes it is a formal disaster, people are understanding that there are implications to that as well.
MR. CHATAWAY: Certainly, it seems that you've got a good definition of what a disaster is and you have various plans to deal with it, of course. How do other provinces deal with the security and disaster recovery? I understand that when you get together with other provinces you discuss things like you won a silver medal or whatever, but I mean how do we compare in this province with other provinces in disaster recovery and things like that?
MS. SPARKS: To be honest with you, I can't comment specifically on disaster recovery for the government. I know it is something that governments struggle with, because you're basically trying to mitigate risk. You can always take insurance out, which is fine but computer systems now are something we need, on a daily basis, and 10 years ago plans that might have been in place are not going to be good enough now because we rely on our e-mail, we rely on our computer systems on a daily basis. So it's something that we struggle with because it's an expenditure that we may never use.
The approach that we're taking with actually taking the infrastructure that we've already purchased and dividing it so we continue to actually use both, so we don't have a machine that we spent a lot of money on sitting out there just waiting for a disaster to happen, that gets old really quick and that's not being used. So, you're seeing more disaster recovery plans where people are sharing, so we've been in discussions with the Halifax Regional Municipality, where we can share sites and share costs and if your system goes down, you can come onto ours and if ours goes down, we will go onto yours. That way we're not spending money on equipment we will never use, but we are mitigating in case of a disaster.
MR. CHAIRMAN: You have one minute left, Mr. Chataway.
MR. CHATAWAY: Here's a naive question. Does it take a natural disaster like a fire or a hurricane to damage software, hardware, data, or can a critical failure just happen at any time, like the way a home computer all of sudden crashes, and oh my goodness, it's all gone. Can our system in the province crash?
[9:15 a.m.]
MS. SPARKS: That's one thing we're in very good shape with, because we have what's called a fully mirrored or fully redundant environment. A computer is just made up of hardware components, it's made up of pieces of equipment and although through the years these pieces are more reliable than they were, they are susceptible to failure as well. What we've done in choosing Sun is gone with a company where their susceptibility to failure is less than most. We've actually had problems with the equipment that the users would never see, because it's like a phone line that has five different lines, when the first line is busy, it goes to the next one and when the next line is busy, it goes to the next one. So, if the equipment that the system is running on actually fails it will go to the next environment. So, even though we've had minor infrastructure issues, it's been transparent to the users out there, it's been business as usual.
MR. CHAIRMAN: Thank you. We have to move now into our second round. We will leave a few moments at the end for some committee business as well as some closing comments from our presenters. We will start with the honourable member for Dartmouth South-Portland Valley and I will allow you 10 minutes.
Ms. More.
MS. MARILYN MORE: Ms. Sparks, you've talked about the benefits of a consolidated integrated system. I'm just wondering if you could give us a brief explanation about the history behind the separation of the Halifax Regional Municipality system, that although they use SAP, they have their own separate infrastructure support organization and licensing arrangements. I'm just wondering how that occurred and what are the implications?
MS. SPARKS: The actual licensing arrangement is under the provincial licensing agreement. So, the Halifax Regional Municipality paid for their own licences and are responsible for maintenance but they obtained a substantial discount because they are part of the province's licence with SAP.
Actually, what happens is the Department of Finance pays the software maintenance fees to keep up to date on our software changes and so on and we re-bill the external agencies for their portion of that maintenance. So they actually don't have their own licensing agreement, it is part of the provincial licensing agreement.
What they decided, they went out for their own evaluation through a request for proposals process and they evaluated the best software and chose SAP. They, from the onset, felt that they were a large enough organization that they wanted to provide support services, provide infrastructure and so on internally within their own organization. They already had enough people there from their legacy systems and instead of working with the province to create one support organization, they felt the economy of scale within their own organization was enough to support their own environment.
That being said, we're in constant communication from my level to our technical staff with questions. So we share information back and forth. If we have a question on our end, we can consult with them and vice versa. We've actually back-filled, we've sent staff there to help them in times when they've needed some support and so on. So although it's not a formal relationship for support, there is a relationship that exists between the two organizations.
One of the reasons the other organizations are coming onto our support environment is that it was an augmentation to a current environment. So instead of the school boards going out and creating another 20 people that would be needed to support their environment and the regional housing authority going out and creating a support environment of 10 or 15 people, we've put them all into one to gain the economies of scale and expertise in supporting all of the systems.
The Halifax Regional Municipality, because they're really an independent agent from the province, obviously, there is some reporting relationship but unlike the school boards or the district health authorities or even the regional housing authorities, there is not as formal
a relationship between the two entities. They've made their decision and, as I have said, it works well for them and we communicate with them on a regular basis.
MS. MORE: Is this going to have any impact on access to municipal information or the consistency of reporting?
MS. SPARKS: Not at all, because the Halifax Regional Water Commission, which is part of the Halifax Regional Municipality, is actually in the process right now of a municipal tax and water system implementation. They are taking part of that process and because there is the consistency of their water billing with other municipalities and, obviously, HRM does not do water billing, they're actually coming on our infrastructure for that piece of their operation. They've made a conscious decision to keep the practices consistent around the municipality for water billing. They've decided to come on the provincial infrastructure and be supported through its service level agreement from our staff.
MS. MORE: I will now pass it over to my colleague, Mr. Steele.
MR. CHAIRMAN: Mr. Steele.
MR. STEELE: Ms. Harnish, I've had a chance over the last little while to reflect on the answers that you gave earlier on this question of the long-term care budget figure. So I have something that I want to ask of you. But before I ask you, just to summarize what I understand went on, you said today that a review of the documentation in Treasury and Policy Board files indicates that the Department of Health provided a range; the range, if I understand correctly, was $3 million to $6 million. So the figure in the budget documents was $3 million. When questioned directly about this issue, Department of Health figures have never referred to a range, they've said the figure they presented was $6 million and if I understand Mr. Salmon correctly, that is the information that his staff obtained from the Department of Health, that the figure for this policy change was $6 million.
Now, in a $5 billion budget, $3 million might not seem like a lot, but to me it's fundamental because of what it says about the integrity of the financial information that members of this Legislature receive. The members of this Legislature should be debating public policy, not whether the figures are correct figures or not. I think it's fundamental to the work of this Legislature that we resolve what happened here. It seems to me that the only way to do that is for the documentation that you've referred to in the Treasury and Policy Board to be tabled with this committee. Are you in a position to do that or can you undertake to contact the people who are in a position to do that so that we can resolve this issue once and for all?
MS. HARNISH: I would suggest, and I haven't looked to see, but as you know, Cabinet documents are subject to Cabinet privilege and advice to the Executive Council is subject to Cabinet privilege. So I would have to have someone take a look at it to verify
whether or not under the FOIPOP legislation that would be releasable or not. I can't tell you offhand because I haven't looked at that documentation for some time.
MR. STEELE: This Legislature and this committee is not subject to the FOIPOP Act. The information provided to us doesn't go through the same screen that it goes through for private citizens. We need to have an answer, so this documentation that you referred to, is it your view that this is subject to Cabinet confidentiality and we can't see it?
MS. HARNISH: It would be my view that this is information that Cabinet relied upon to make decisions, because what I am referring to is Cabinet documentation.
MR. STEELE: You understand the difficulty we have here is that if one wants to look at it in a negative light, the Legislature was fed a faked figure. That's extremely serious.
MS. HARNISH: I believe what I said is I don't think you were served with a fake figure at all based on the information that I have about the decision-making information at the time.
MR. STEELE: But in order for us to satisfy ourselves about whether we got a true figure or a fake figure, we need something more than somebody in government saying to us, trust us. We need to see the documentation. So what do you think we should do to get that documentation?
MS. HARNISH: I would suggest that the Health Department would be the appropriate venue to ask. I really don't know what discussion Mr. Salmon has had with the Health Department. When I was at Treasury and Policy Board and we verified the documentation, we didn't know on what basis Mr. Salmon made his comments. I have no doubt that he was told because he would have no reason to be untruthful, but I can tell you that our review of the documentation indicates that a range was provided to the Treasury and Policy Board and the decision was made based on that range. I can't even remember if $3 million to $6 million was the number but I can tell you that $3 million was within the range.
MR. STEELE: And you're saying that the documentation has been reviewed and that is what it says but this committee can't actually see that document?
MS. HARNISH: I'm not saying that, I'm saying that I would not be in a position to make a decision as to whether or not this particular piece of Cabinet documentation would be available to the committee.
MR. STEELE: Who is? Who do we have to ask, who do we have to go to? We need to resolve this, we can't just leave it hanging. Who has the power to let this committee see that document?
MS. HARNISH: At this point in time I can go back, I will undertake to determine whether or not this would be releasable information.
MR. STEELE: So you said you will go back and . . .
MS. HARNISH: I will discuss this matter and I will seek counsel to determine whether or not this information can be released or not because it is Cabinet documentation.
MR. CHAIRMAN: Ms. Harnish, just so the committee understands, you have agreed to an undertaking to look into this matter and provide the committee with a response.
MS. HARNISH: I will.
MR. STEELE: Ms. Harnish, when you do have a response I would just ask that you do it through the clerk of committees and that way everybody on the committee gets the same information at the same time.
MR. CHAIRMAN: Thank you very much. The time has expired. We will now move to the Liberal caucus. Mr. Graham.
MR. DANIEL GRAHAM: I would like to just follow up on the line of questioning that Mr. Steele had just been pursuing, with respect to the $3 million to $6 million. It is my understanding that budget preparations begin in the late Fall of the previous fiscal year, is that fair to assume?
MS. HARNISH: Budget preparations go on year-round.
MR. GRAHAM: So it's fair to say that for the 2003-04 year, budget preparations would have been going on in the Department of Health in late 2002 for the 2003-04 budget year?
MS. HARNISH: Generally departments start their business and budget planning process sometime in September. From Treasury and Policy Board we would send them out guidelines for the coming year on their business planning efforts, as early as September. They generally begin their own strategic planning at that point in time; some departments do operational planning as well. Most departments plan right through the September to March time period.
MR. GRAHAM: The reason I'm asking that question is because I attended the news conference in November 2002, when the $6 million figure was first released by Mr. Muir in the basement of a building up at the continuing care offices for the Department of Health. I don't recall at any point during that discussion that there was any range given and that, in fact, there were figures released at that time that specifically laid out a figure in the range of
$6 million. Is there any way to potentially explain that discrepancy, given that Department of Health budgeting processes would have been ongoing, at least up to that point?
MS. HARNISH: Look, I wasn't at the Treasury and Policy Board in November 2002, and I wasn't at the press conference, so I am in no position to discuss what Mr. Muir would have or would not have said at that point in time.
MR. GRAHAM: Okay. When did you join Treasury and Policy Board, was it late winter, Spring?
MS. HARNISH: I was appointed to the Treasury and Policy Board in August 2003.
MR. GRAHAM: Prior to that you were . . .
MS. HARNISH: Public Service Commissioner.
MR. GRAHAM: You were in the Public Service Commission. I appreciate that this may not be something within the scope of your knowledge, given your involvement with Treasury and Policy Board. I knew that you were with the Public Service Commission and was your work exclusively at the Public Service Commission at that time?
MS. HARNISH: No, I also served as Secretary to the Executive Council at the same time. To tell you the truth, I'm rather fuzzy on this issue because it would have been 18 months ago and I have seen so many proposals go through Treasury and Policy Board and Cabinet, and not being under the impression that we were going to discuss this today, I haven't gone back to refresh my memory or look at any of the notes on that.
MR. GRAHAM: You may have a similar response in relation to some other questions that I just would like to ask. In your role as the Secretary to the Executive Council, I'm wondering whether or not you would have any role related to budget preparation or facilitation of budget issues in the Spring of 2003?
[9:30 a.m.]
MS. HARNISH: As Secretary to the Executive Council I would have scheduled the budget submissions, I would have been acting as a staff person at Cabinet during the presentations, I would have prepared the minute letters. I would not have been directly involved in the preparation of the budget.
MR. GRAHAM: Would you have been involved at all in the preparation for significant announcements; for example, in June 2003 there was a debt management announcement that I understand was arranged largely through senior officials. Would that sort of thing fall into your bailiwick at all?
MS. HARNISH: It did not.
MR. GRAHAM: I would like to go back to the recommendations and your responses to the recommendations that are contained in the document that you have put out today. Under Recommendation 3.1 there is the sentence that reads, "The CIS division is currently working with the SAP Projects Office within the Office of Economic Development to develop formal strategic plans, including vision and mandate, for the overall SAP Public Sector Program." I'm just wondering what exactly that means?
MS. HARNISH: Ms. Sparks will talk about her role with this.
MS. SPARKS: Currently I am on the steering committee for Economic Development SAP Projects Office, which is made up of government officials from various departments, as well as public sector entities, so it's not just provincial government departments. It's a temporary steering committee that is set up until a full governance structure is in place, which is planned for the Spring of this year.
MR. GRAHAM: A full governance structure for what?
MS. SPARKS: For the SAP program implementation.
MR. GRAHAM: Why is it based out of the Office of Economic Development? It just seems to be a strange fit.
MS. SPARKS: We're kind of a strange fit wherever we go because we have a corporate mandate and not just corporate internal to government, it's corporate external to public sectors as well. The reason that it's there is the Director of Strategic Initiatives for Information Technology's position resides within the Office of Economic Development, and the SAP Projects Office reports indirectly to her.
MR. GRAHAM: However, if this were a coherent process that came from the centre and SAP is at the centre, the CIS division is in Finance, that kind of coordination should properly be with Finance, should it not?
MS. SPARKS: It may be and that's what they're determining now. The office has been up and running officially since June of last year and so what they're doing right now is determining the fit and the relationship between the support organization and the strategic arm. You know you have, for example, in Treasury and Policy Board, a number of strategic arms that determine policy and set priorities, yet the individual departments or corporate entities are responsible to carry out those priorities. So a similar arrangement right now exists and it may change but that's the arrangement right now that exists. We are linked in, obviously, through my involvement in the steering committee, the controllers involvement with the Executive Management Committee on the projects like eMerge and so on and so forth.
MR. GRAHAM: Ms. Whalen, I think, has some questions as well.
MR. CHAIRMAN: Ms. Whalen.
MS. WHALEN: I would like to go back just to some of the upcoming changes that are planned within the SAP system and just a few comments about that. I feel that a lot has been accomplished and obviously, you have a well-trained section and so on; however, I think it's very ambitious what we are looking at rolling out, and not only the rollout of the new programs but the overlay that you have, which is all of the plans. I've just begun to go through your answer to all of the recommendations and there are quite a number of committees reporting to the Director of Internal Audit and other committees and SAP coming in to look at things, external auditors, et cetera, so we have a lot of things happening simultaneously.
As a member of the Legislature - and on behalf of the other members, as well - I feel that we need some assurance that all of the security issues will be fully addressed before anything else comes on-line. I know you have indicated you have every confidence it's working, but can you give us an assurance that everything will be adequately addressed, that all of the corrections will be made, or gaps will be filled, before anything goes on-line? I'm thinking in particular of the HR and the vending receipt payment system because those ones certainly open up a lot more risk to the system.
MS. SPARKS: What I can assure you is that the status that was given on each of the recommendations will be in place by the time we implement the other projects. Now, though, whether that addresses every last concern that the Auditor General has with respect to security, we've given our answers based on their recommendations.
MR. CHAIRMAN: One minute left.
MS. WHALEN: Can you be more clear about what you mean by the status will be in place? That doesn't sound assuring.
MS. SPARKS: The status that we gave you on the recommendation, where we have indicated dates that they will be done by June, they will be done by June. Where we have indicated dates that they will be done by May, they will be done by May. The project with respect to our policies and guidelines has a June time frame, so all of the projects that are underway or we are attempting or we are doing this, all will have implementation dates of this summer, which will be before we implement our HR and electronic vendor payments.
MR. CHAIRMAN: The time has expired for the Liberal caucus. We will now give the remaining 10 minutes to the honourable member for Waverley-Fall River-Beaver Bank.
Mr. Hines.
MR. HINES: You're getting that name right every time, Mr. Chairman, I appreciate that.
MR. CHAIRMAN: I'm getting ready for when the House opens, Mr. Hines.
MR. HINES: I'm going to go to Recommendation 3.9 in the circulation. "We recommend that all users listed as having the capability of updating key global accounting settings be examined to determine why they need these capabilities, and to assess the associated risks." I would like for you to elaborate some on the answer that you've given us there and in so doing, explain what the external 5900 audit will be for what it is.
MS. SPARKS: What this recommendation entails is with a SAP you have transactions and then you have what are called global account settings, where you need the key, it's like going into a safety deposit box where you need the bank's key and your key to open up the box, you can't open it up with one or the other. So these global account code settings are one of the keys and they also need the transactions associated with that key and we didn't find that those account transactions were in place. The Auditor General brings up a good point that having those global account keys, you may want to relook at those and limit those. So we are looking at limiting those global account keys although there are no duplicate keys in place now, we will look at taking those global account settings away completely and only giving them to the one or two users that require them.
The 5900 audit is an actual control review audit, as defined by the Canadian Institute of Chartered Accountants. It is a service provider audit. So what it audits is that it audits our group that we doing due diligence with respect to securities, policies, our infrastructure, our data centre, all the rest of that and it ensures that we're actually not putting their system at risk as far as security and usage is concerned.
The external auditors would request that we have that done. It makes their job, because it's done for the whole system and they can put that on their checklist. Then what the external auditors then will focus on is the actual transaction usage to make sure that if we've said that there should be compensating manual controls, that they've put those in and they validate transactional-based processing. So the actual 5900 doesn't go in and look at everybody's transactions and so on, it just ensures that we've set up a secure environment that is robust, has a disaster recovery plan and so on. This is an audit that will be done yearly, by the way, it's not one that we do now and then we never do one again. It's something that we're going to do on a yearly basis.
MR. HINES: Moving to Recommendation 3.16, "We recommend that the current service level agreements should be reviewed by legal counsel." Are they and if they're not, is that being looked at?
MS. SPARKS: They will be. We've committed to that. That's a formality. Again, to be honest, I was doing these service level agreements, between one government organization to another and although some clients have been reviewed by legal counsel, they weren't reviewed by our legal counsel. So they will be reviewed. We're enhancing, because one of the other recommendations that the Auditor General had is that we put in provisions for disaster recovery, we put in provisions for this external 5900 audit and there were certain other clauses that they felt should be in place. I have informed all of our clients that we will be doing that, then we will have them reviewed by counsel and we are recommending that they have them reviewed by their appropriate counsel if they haven't already done so.
MR. HINES: Now, I will move to Recommendation 3.19, "We recommend that appropriate policies and procedures for using the SAP corrections and transport system be designed, documented and implemented." Can you elaborate some on that one?
MS. SPARKS: I tried to explain on this one what the corrections and transport system was. It is a control system to move changes from our development to our quality assurance to our production environment. So what it does is we don't go into our production environment and make changes on the fly, we do them in the development environment. We test them there. We move them to a quality assurance environment, test them for integration and then they go to production. We have procedures. We have e-mails, we have things that we had not formalized with respect to that. There are all kinds of types of changes that go through the correction and transport system. There are changes that are significant, so you're making changes to how the system processes and then there are table element changes where you're adding a new company code, so there are various types of changes that need various levels of rigour around sign-offs and so on.
So what we had was unformalized procedures surrounding our most complex ones, where there were major system changes. The auditor came in and said, well, you didn't provide that rigour when you promoted this table change, and our answer was, well, we
didn't need to because it was a table change, we're adding a new field. What his recommendation was, is to ensure that you have policies and procedures that are documented, so everyone in the division has their manual, they know that if it's this type of change, they have to get a user to sign off, if it's this type of change, it's good enough to get the manager to sign off and so on and so forth.
MR. HINES: The question I have is, in my world of electronics, it is constantly changing almost at blinding speed. The SAP system, when it's established and we have all the entities included in it, are you going to have the resources and the people to move forward to do upgrades or is the requirement there for upgrades? I know with personal computers and so on, we don't really need to in many occasions, most occasions, to move to the new technology, we only think we do. Are we in a similar situation here?
MS. SPARKS: We have done two upgrades so far, since we implemented SAP within the province and they were done completely in-house with the in-house staff. It's a longer process doing it in-house but then the people who are going to support the system after the upgrade, they are knowledgeable on the new product, all the training documentation has been changed, we go out and retrain end users if the look and feel has changed and so on. So we actually have project plans and all that, provided that information to the Auditor General to show him that we do due diligence when we do these upgrades and so on.
We have a software agreement, we pay maintenance to SAP and they have certain limits, just like, right now in Microsoft, you may not be supported on Windows 95 anymore, so it's the same with SAP; it's much more complex than upgrading, but we have to maintain a certain level of upgrade in order to keep our contract with SAP valid. So we do have to do upgrades in the area probably of every two to three years.
MR. HINES: Thank you, you have been very informative and I'm going to pass off to my colleague, with the chairman's permission.
MR. CHAIRMAN: The honourable member for Chester-St. Margaret's, the two and a half minutes are yours.
MR. CHATAWAY: One question. On my colleague's last question, you were saying specifically where you're going in the future. What does the future hold for SAP? Do you expect further implementation of SAP and its modules, for example, in non-governmental agencies? Just sort of give us an idea of the critical path for this year because any department works that at this year's goal and then we do this, what is the critical path for this year that we're in and other years after that too?
MS. SPARKS: As we plan for SAP, there is a longer term plan which we are going to be looking at for three to five years out, then there is our regular planning through the cycle of business planning on a yearly basis. So we have the longer-term plan and I can tell you that we expect to see SAP in our district health authorities, to help us better manage their human resources and financial dollars that they have right now. That's really where the majority of our budget goes to and we really should have these systems in place there. So we know that we're going to be there, can I tell you exactly when? It's my understanding that TCA may recommend some initial dollars to do the planning on that next fiscal year, to actually do the implementation.
[9:45 a.m.]
I think they would rather implement tomorrow if they can but we really do have to take this, we are taking it in a staged approach, we are not trying to implement everything; there's a lot of work and we're very busy. We also do plan to make sure that we're not going to be over-burdened and have everything come crashing down on us. We want to make sure that we have the resources in place, the planning is done appropriately, all of the things that can cause a project to fail, and those are the things that cause projects to fail. It's not the software, it's not the technology, those are proven; it's the actual business transformation, it's the planning that is done up front, and so we want to ensure that that is done appropriately.
MR. CHATAWAY: Will Education come after Health?
MS. SPARKS: Education is already in place. In all school boards across the province, they now use the SAP financial system, they will be using HR, and the Department of Education has access to all school board financial information now so it actually provides further audits to what was in place before.
MR. CHAIRMAN: Thank you very much, we are right on schedule. As usual, I would like to allow up to five minutes for closing comments if you so wish. Ms. Harnish.
MS. HARNISH: I don't have a long, formal conclusion. I guess what I would like to say is that it should be obvious to the members here today that Susan and her staff are quite knowledgable in this area and have done a lot of work in this area. I think it's also obvious from our response to the Auditor General's Report that we have taken his recommendations very seriously and we're moving to implement many, even as we speak.
Ms. Whalen did have a concern about the resourcing and the adequacy of resourcing. I would like to assure her that within the Finance Department at the senior management level, we are very determined that this work will proceed as we've set out, and we have made additional resources out of other units of the department available to assist Ms. Sparks with this work, in particular our internal audit group; a couple of individuals have been assigned
to do work on this. So we are quite, I think, certain that we can continue to fulfill the projects that we've undertaken in the time that we have set out. Thank you.
MR. CHAIRMAN: Thank you. The Auditor General would like to have an opportunity to make a closing comment as well.
MR. SALMON: Mr. Chairman, we had not seen this document prior to today, but we're very pleased to see it now. We were aware that the department was taking our recommendations very seriously. We put a lot of effort into this audit, it's a complex area, so I just want to commend the Department of Finance for putting this forward, indicating the status of what they have done or are doing, and we can use this to, in the future, monitor that the actions are taken; that is our intention. Thank you.
MR. CHAIRMAN: Thank you, Mr. Salmon, for those comments. I want to thank our presenters. Susan, you have demonstrated your knowledge. I'm sorry you were on the hot seat so long, you've done a lot of talking this morning, and deserve a few moments of peace and quiet when you get back to your office. Ms. Harnish, I want to congratulate you for taking on the challenge of the job that you have. I guess you know first-hand the challenges that are associated with attaining a stable financial balance in government. You have made a most interesting presentation to this committee and I thank you all for that, and the members for their questioning and so on.
Having said that, what we will now do is adjourn very briefly to wish our guests goodbye and following that we will reconvene with our chairman so that we can deal with some committee business, as he presents some recommendations that came out of our subcommittee meeting yesterday. We will reconvene in three minutes.
[9:50 a.m. The committee recessed.]
[9:53 a.m. The committee reconvened.]
MR. GRAHAM STEELE (Chairman): The meeting is called back to order. We have an item of committee business. Yesterday the Subcommittee on Agenda and Procedures met to deal with a number of outstanding matters, and a recommendation of the subcommittee is before the committee now for approval.
Very briefly, Item No. 1(a) involves a gentleman by the name of Andrew Lewis, who has a company called Optinova Systems. He has run into difficulties with InNOVAcorp. It's the recommendation of your subcommittee that both InNOVAcorp and Mr. Lewis be invited to appear. We do recognize this is a somewhat different mode than usual. Normally we base our work, or we use as our launching pad, the work of the Auditor General. This is coming in by way of concerns from a private citizen, but it is healthy from time to time to vary our methodology, I think. This seemed, to your subcommittee, to be a worthwhile topic.
Another topic was raised by a constituent of Mr. Chataway's, involving the collection of HST. After considerable discussion, your subcommittee is recommending that we do actually go ahead and invite Canada Customs and Revenue Agency to appear before this committee to discuss all aspects of the collection of HST, which after all is a joint federal-provincial tax. We decided that it's not something that we could just say, well, that's a federal matter, leave it up to the federal government since they're collecting our money as an agent of the province. There are a number of issues that we could raise with them, including the concerns raised by Mr. Lees. Canada Customs and Revenue Agency is a federal agency and is not bound to appear before this committee without a subpoena, but we will see what their response is to the invitation that will be going out shortly from the clerk.
Item No. 2 is an item from the Halifax Regional School Board. I believe it was distributed to all members. A resolution was passed by the Halifax Regional School Board which, in essence, expresses concern about the funding formula and asks the Public Accounts Committee to inquire into it. After discussion, your subcommittee concluded that it's not really within the mandate of this committee to have an inquiry into a matter of public policy, that is, what government ought to do. The Halifax Regional School Board is essentially asking the government to change the funding formula to take into account certain features of the demographics of this region.
However, items within the jurisdiction of the Department of Education are definitely very clearly, under our Rules, within the mandate of the Human Resources Committee and so your subcommittee is recommending that particular matter be referred to the Standing Committee on Human Resources for their consideration. But I believe we agreed that this recommendation would be going with the favourable recommendation of this committee saying that it is a worthwhile topic and very much worth the while of the Human Resources Committee if they choose to look into it.
So, those are the topics and those are the recommendations. Is there any discussion?
Can I have a motion to adopt these recommendations?
MR. JAMES DEWOLFE: I so move.
MR. CHAIRMAN: And seconded by Mr. Graham. Would all those in favour of the motion please say Aye. Contrary minded, Nay.
The motion is carried.
These recommendations are approved.
Are there any other items requiring the attention of the full committee before we adjourn?
The member for Halifax Clayton Park.
MS. WHALEN: Mr. Chairman, if I could, I would like to ask that, with the agreement of the committee, that a letter go to the Minister of Finance requesting written assurances for the issue that I raised with them today about the ambitious program they are undertaking and whether or not all of the security issues have been addressed before they move forward with the introduction of new, major systems?
MR. CHAIRMAN: That letter would be going from me as chairman on behalf of the committee?
MS. WHALEN: That's what I would like to see.
MR. CHAIRMAN: Any discussion on that? Perhaps, in consultation with myself and the clerk we can refine the letter and make sure that it says what you have in mind. Yes, certainly, I have no difficulty with that. Does anybody have any difficulty with such a letter going out as a result of today's meeting? No. Thank you.
Are there any other matters requiring the attention of the full committee?
MS. WHALEN: I have one more and perhaps on your behalf, you mentioned about wanting the material relating to the $3 million discrepancy - and we know the story. I'm wondering, again, if we should perhaps from the committee's point of view, put in a FOIPOP because we have no indication on how you will get some verification on what went on?
MR. CHAIRMAN: My own personal view on that is that would not be a good precedent because what it would imply is that we, as the Public Accounts Committee of the Legislature must abide by all the procedures of the Freedom of Information and Protection of Privacy Act and, in essence, that we are no different than any other private citizen. I believe very fundamentally that we are not subject to that Act and if this committee asks for information it should receive it. For example, it is perfectly within the power of this committee to receive Cabinet confidences; however, that would have to be done in confidence, on the understanding that it could never, ever be discussed outside this room, which is a privilege not really available to private citizens. So, I, myself, wouldn't favour us submitting an FOI request on that basis.
MS. WHALEN: Could I amend that to a letter then going again from you as chairman of our committee to, perhaps, the Minister of Health asking for his backup information whether there ever was a range of information given?
MR. CHAIRMAN: Mr. DeWolfe, discussion.
MR. DEWOLFE: Mr. Chairman, we already have an agreement by the presenter here today, the deputy minister, to undertake to look into that matter and get back to this committee.
MR. CHAIRMAN: The Deputy Minister of Finance has undertaken to look into that, take advice to see if the information can be released. Is there some purpose that a letter would serve above and beyond the commitment that has already been made here in public today?
MS. WHALEN: I think it would indicate how serious we are that we really want it and that it is more than a casual request.
MR. CHAIRMAN: Would it be helpful if we sent out a letter to the Deputy Minister of Finance simply confirming in writing the commitment that she made today?
MS. WHALEN: That would be satisfactory. I just think that it can be something, one of many items that were mentioned today that perhaps wouldn't get the attention it deserves, so a letter would help to reinforce that. I would be happy with that.
MR. CHAIRMAN: A letter simply confirming the commitment made today. Is there any objection to that from anybody?
MR. DEWOLFE: Simply a reminder.
MR. CHAIRMAN: As Mr. DeWolfe said, simply a reminder. That's fine.
Any other matters requiring discussion? If not, a motion to adjourn.
MR. DEWOLFE: So moved.
MR. CHAIRMAN: Would all those in favour of the motion please say Aye. Contrary minded, Nay.
I would like to remind members, just finally, next week's session is a three-hour session, 8:00 a.m. to 11:00 a.m. with Mr. Barker from the Liquor Corporation.
Thank you, this meeting is adjourned.
[The committee adjourned at 10:00 a.m.]
