Overview

Executive Summary

Historically, financial controls within the Estates department were found to be lacking, and the potential for financial ‘exploitation’ was identified and acknowledged. Processes that address the business risk of such financial loss have been in place for some time, but they are ‘manual’ and rely on individuals to follow the agreed processes.

Acknowledgement of the financial risk, together with recommendations from an Estates Finance Audit to tighten control processes further and reduce the reliance on individuals’ adherence to processes, has led to the ‘must have’ business requirement to implement system controlled delegated authority levels in the Archibus client for services (and goods TBC) purchase ordering and invoicing. A further requirement is to develop business cases for the other ‘should have’ recommendations from the audit, with consideration of the in-flight University-wide Core Systems Programme, which will ultimately centralise all financial and HR operations across the University.

This will require engagement with, and solution delivery in collaboration with, Mass, our Archibus support partner. A supplier quote and solution document has been received.

A potential systems and data security issue has also been identified whereby a system admin-level user name and password are ‘commonly’ known and have not been changed since the Archibus platform was installed over 18 years ago. Given the lack of clear information regarding the AFM User/AFM Secure password structure in the Archibus Technical Architecture Document (TAD), this change requires careful management, with testing in the DEV and TEST environments before changes are undertaken in the LIVE environment.

A risk profile considering the whole Archibus solution will be created initially, from which a test plan will be developed and testing undertaken. The testing will be designed to ensure the password change does not impact the functionality of the Archibus solution, especially given its extensive customisation.

Background

Resources in the Estates department currently utilise the Archibus Windows client and the EBIS system environment to manage and report on all financial management aspects of the business activity related to stock control, purchase ordering, purchase/sales invoice creation/processing, recharges and project/programme financial management.

Whilst the current system has proved to be successful in the past, the ever-increasing reliance on external vendors and the associated costs of maintaining/upgrading an ageing system are imposing unacceptable delays in implementing on-going business-led change.

The Purchase to Payment (P2P) project (EST097) was initially started on 20/01/17, as there was a requirement to develop and implement a new integrated system to provide the Estates department with the ability to manage the entire Purchase to Payment process relating to all purchases across the department, whilst aligning with the new WebCentral based Helpdesk and the central procurement and finance systems, and ensuring the necessary financial controls were in place. The proposed approach was also to continue the revised strategy of returning to 'out of the box' solutions wherever possible, supplemented by internally developed and supported system interfaces as necessary.

Following the initiation of the University-wide Core Systems Programme, the initial requirements for this project were deemed inappropriate and the project was put into 'suspend' mode on 28/08/17. 

Requirements for delegated authority levels to be system controlled still existed, and the project was brought out of ‘suspend’ mode to enable this element to be progressed. The full project requirements were to be re-assessed once the project was 'resumed', with the Project Brief revised and the project re-planned and costed accordingly. The project was resumed in June 2018, but other Estates project priorities impacted the completion of the requirements re-assessment, causing a delay in confirming the revised scope, costs and delivery schedule.

With due consideration for the Core Systems Programme and for the recommendations made to Estates Finance following a departmental audit, the revised project scope was determined.

Scope

The following scope was discussed and agreed with Karen Adamson (Sponsor), Head of Estates Finance:

  • The implementation of system controlled delegated authority levels associated with the Purchase Ordering process in Archibus for contract services (Must have) and goods (Should have, subject to Mass quote);
  • Batch sorting/processing (Nice to have);
  • Secondary authorisations/authorisation work flow (Nice to have);
  • Role and responsibility restrictions for the raising of POs/authorisation, i.e. PMs to be restricted to raising/authorising POs only for projects they ‘own’ (Nice to have);
  • PO/Goods Receipting/Invoicing – 3-way matching (Nice to have);
  • Restrictions to having only authorised and contracted suppliers ‘usable’ in the system (Nice to have).

All ‘Nice to have’ elements are to be investigated, with cost and timescale estimates for implementation presented as Business Case proposals. Any of the 'nice to have' elements subsequently approved for implementation by the Project Board (Project Sponsor; Senior User and Senior Supplier) will be delivered via the change control process, either under the management of this project or transferred under the Estates Core Systems Integration Programme.

It was established that a solution to the system controlled delegated authority levels (contract services only) had previously been developed by Mass and had been deployed to the UoE TEST environment, but had not been fully tested, signed off and deployed.  This solution had been backed out from TEST.  Agreement has been made with Mass to review and if possible refine the solution accordingly, taking consideration of the Archibus system upgrade which has been delivered since the original solution was developed.  A consideration to include controls for ‘goods’ purchases is to be made on receipt of supplier quotation(s).

A requirement to change the Archibus 'AFM User' password was raised during the P2P re-assessment period. It is believed that this 'Systems Administration' level access and password is extensively known by individuals outwith the EBIS Support Team and IS Support functions, and that the password has never been changed since the original systems implementation over 18 years ago. It is also understood that the password does not conform to any password or security policies. Although the extent of use of the AFM user access and password cannot be ascertained, it has been determined that a password change and restricted publication of the new password should be implemented as soon as possible to deliver enhanced security around the data in Archibus.

Although this requirement is unrelated to P2P, it was considered appropriate to build it into the P2P project as a second work stream, to minimise the project management and governance overheads associated with starting up and managing a separate project over a similar time frame.

Out of Scope

The following items are deemed out of scope for this project:

  • The delivery/implementation of any of the above 'nice to have' elements without full authorisation following Business Case review and full project change control sign-off;
  • The development of any interfaces between the existing core applications: Archibus, eFinancials and SciQuest;
  • Any changes to the eFinancials and SciQuest core systems;
  • The development of any business solutions outwith the functionality of the core systems, required to support the Estates Purchase to Payment process;
  • Identification and review of any processes outwith system Purchase ordering and associated delegated authorisation controls.

Objectives

  1. Define business requirements with consideration for Core Systems Programme and Estates Finance Audit
  2. Implement System (Archibus) Controlled Delegated Authority Levels for Estates Purchase Ordering
  3. Present Business Case proposal(s) for project scope 'nice to have' elements
  4. Successfully implement a change to the Archibus AFM password

Deliverables

 

|    | Item | Description | MoSCoW | In Scope | Owner |
|----|------|-------------|--------|----------|-------|
| O1 | D1 | Gather and review (Define) current 'As is' business processes in relation to Purchase Ordering (goods and contract services) | M | Y | Business Analyst / Business Lead - Finance |
| O1 | D2 | Gather and review (Define) current delegated authority levels to be implemented as part of the system solution | M | Y | Archibus System Support |
| O2 | D1 | System Design - Review and refine system design/implementation document covering the system controlled delegated authority level solution | M | Y | Business Partner Technical Lead (Mass) |
| O2 | D2 | Build - Review and refine build • Development of a software solution to deliver system controlled Delegated Authority Levels in line with present business definition levels and in line with 'As is' processes • Refine existing processes (as necessary) to take the system controlled functionality into consideration, to continue to support the Estates Purchase to Payment process | M | Y | Business Partner Technical Lead (Mass) / Business Analyst |
| O2 | D3 | Test solution with consideration of business process • Define and deliver against a test plan (Functional Testing) • Define and deliver against a test plan (User Acceptance Testing) • Complete testing according to the defined and agreed plans and produce sign off documentation | M | Y | Business Partner Technical Lead (Mass) / Business Lead - Finance / Archibus System Support |
| O2 | D4 | Implement the solution • Prepare all release documents and obtain approval for deployment • Deploy fully tested solution | M | Y | Project Manager / Business Partner Technical Lead (Mass) / DevTech |
| O2 | D5 | Define and deliver an effective user communication/training and support plan | M | Y | Project Manager / Business Lead - Finance / Change Management Lead |
| O3 | D1 | Deliver quote(s) and timescale estimates for each element | M | Y | Business Partner Lead (Mass) |
| O3 | D2 | Prepare Business Case proposals and submit to Project Board for authorisation/rejection | M | Y | Project Manager |
| O3 | D3 | Create project change control documentation for any authorised elements and implement accordingly | S | Y | Project Manager |
| O4 | D1 | Investigate/Understand the password structure across the Archibus platform and update the TAD accordingly • AFM Users • Oracle AFM password • ColdFusion administrator password • Archibus client package • ODBC connections • Crons and database interfaces • Bamboo properties file | M | Y | Business Partner Technical Lead (Mass) / IS Application Support |
| O4 | D2 | Create a risk profile associated with the proposed change(s) | M | Y | IS Application Support / Archibus System Support |
| O4 | D3 | Document options to manage the password(s) on-going and agree outcome (Project Board sign-off) | M | Y | IS Application Support / DevTech |
| O4 | D4 | Test solution • Define and deliver against a test plan (Functional Testing) • Complete testing according to the defined and agreed plan and produce sign off documentation | M | Y | IS Application Support / Archibus System Support / Business Lead - Finance |
| O4 | D5 | Implement the solution • Prepare all release documents and obtain approval for deployment • Deploy fully tested solution • Support process and resources in place for Go-live | M | Y | Project Manager / IS Application Support / DevTech / Archibus System Support |

 

Benefits

The project will deliver the following benefit through the implementation of system controlled delegated authority levels:

  1. Enhanced financial control with resources unable to generate/submit a Purchase Order above their level of financial responsibility;

and the following benefit through the implementation of a new AFM password:

  1. Enhanced system and data security across the Archibus platform.

Success Criteria

  1. The production of a defined and approved set of business requirements (Signed off Project Brief)
  2. The implementation of the system controlled delegated authority levels in line with the design (Signed off system design/system testing/solution delivery)
  3. The successful change of the AFM user password with minimum business/operational impact (Signed off Risk Profile/testing/solution delivery)
  4. Confidence in the effectiveness of the implementation is maintained throughout the project through: 
    • effective project governance and stakeholder management
    • effective management of project risks, issues and changes
    • effective review of the project by means of a Lessons Learned process
  5. Business is well prepared for the implementation through:
    • effective business communication and user training/education
    • enhanced support for period(s) of Go-live

Project Milestones


| MILESTONE | DATE |
|-----------|------|
| End of Planning Milestone | 18/01/19 |
| Requirements/Design Milestone | 18/01/19 |
| ASOR Milestone | 01/03/19 |
| End of Delivery Milestone | 29/03/19 |
| DSOR Milestone | 29/03/19 |
| Project Closed Milestone | 30/04/19 |

Project Info

Project: Estates Purchase To Payment
Code: EST097
Programme: Estates Business Operations Optimisation Programme (EOO)
Management Office: ISG PMO
Project Manager: Helen Lobb
Project Sponsor: Karen Adamson
Current Stage: Close
Status: Closed
Project Classification: Grow
Start Date: 20-Jan-2017
Planning Date: 28-Feb-2019
Delivery Date: 31-Jul-2019
Close Date: 16-Aug-2019
Programme Priority: 2
Overall Priority: Normal
Category: Discretionary