FUJ00079783
FUJ00079783
ICL Pathway Schedule of Corrective Actions: Ref: IA/CAP/008
CSR+ Development Audit Version: 0.1
Date: 22/11/99
Document Title: Schedule of Corrective Actions
CSR+ Development Audit
Document Type: Schedule
Abstract: This document presents the Observations and
Recommendations resulting from the referenced Internal
Audit(s) along with the agreed corrective action, the action
owner and the date by which the action is to be complete. A
status field is included for quick reference purposes.
Status: Draft
Distribution: J. Bennett M. Coombs
T. Austin M. Bennett
P. Jeram J. Hunt
G. Chatten D. Groom
G. King G. Hooper
Library
Author: Jan Holmes
Comments to: Jan Holmes
Comments by:
COMMERCIAL IN CONFIDENCE Page 1 of 14
© 1999 ICL Pathway Ltd
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
FUJ00079783
FUJ00079783
Ref: IA/CAP/008
Version: 0.1
Date: 22/11/99
0.1
0.2
0.3
0.4
Document control
Document history
Version Date Reason
01 22/11/99 Initial draft following preliminary analysis with MJBC (17/11)
0.2 29/11/99 Following review with individual action owners
Approval authorities
Name Position
M. Bennett Director Quality & Risk
Associated documents
Reference Vers Date
fi] TA/REP/O1S — 1.0 28/10/99
7] TA/REP/009— 0.1 21/09/99
Table of content
T Emtroduction oo... ees cece cess esse eeeeeseeeees seen eesneenneeseeeesseesnsesessnesseeesneaneesneeneesneseeenese
2 PLOCESS .....-.ccsesssecsessseccsesseessecsneeseesecsssssseesscsecesssessesessneessseneessessessiseneceissesseneesneeseseseeey
3 Key to Phare. eeec cee eececeecessessessesesesneesesneseeseencesesnesecseeneesesueesesesnesuesueseeansreeeeaneessneeeenees
4 Implementation oo... eceece ec eeeceeceeseeeeeeeseesaeeeeeesueeseueenesaeaneeuesneetentensesenseeenees
Signature Date
Source
Audit of CSR+ Development
Report on EPOSS Solutions
Row ww
COMMERCIAL IN CONFIDENCE
Page 2 of 14
FUJ00079783
FUJ00079783
ICL Pathway Schedule of Corrective Actions: Ref: IA/CAP/008
CSR+ Development Audit Version: 0.1
Date: 22/11/99
1 Introduction
This document presents the Corrective Action Plan that emerged from a post audit
meeting following the audit of the operation of CSR+ Development.
2 + Process
This Plan will go through a number of iterations and reviews following production as
Corrective Actions (CA) are worked on and, subject to agreement between the CA
Owner and Internal Audit, amended.
The status will remain OPEN until such time as the CA Owner and Internal Audit
agree on a course of action to address the issue at which time the status will be
changed to ACTION. Once the actions have been carried out, subject to agreement
between the CA Owner and Internal Audit, the status will change to CLOSED.
Once actions have been agreed the Plan will be monitored by the responsible manager
and subject to periodic review by Internal Audit.
3 Key to Plan
CAP Ref. Unique number allocated to each Observation/ Recommendation
for follow-up
Report Ref. Paragraph number in the original report where the
Observation/Recommendation was raised
Observation/Recommendation Narrative detail taken directly from Audit Report
Owner The identified owner of the Corrective Action (CA)
MTM Management Team Member to whom the CA Owner reports
Status CA status.
OPEN pending agreed corrective action
ACTION pending completion of agreed corrective action
CLOSED on completion of agreed corrective action
Agreed Action/Commentary Detail of the CA agreed between the CA Owner and IA. If the CA
Status is OPEN or ACTION it will contain a commentary of the
current position.
Due Date The date of the next important event in the CA. Where the Status
id CLOSED the date will be the closure date.
COMMERCIAL IN CONFIDENCE Page 3 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
4 CSR+ Development
Report Reference IA/REP/015
a full intranet provides an ideal opportunity to re-launch
them and I recommend that an awareness programme is
launched to overcome the apparent lack of knowledge of
the coverage and content of the OLS. This must be
backed up with effective management checks ensuring
that the key controls are exercised.
015/01 3.2 The audit identified that some Team Leaders had Py TPA Open Retrospective Work Group
identified retrospective work to generate missing and 17/11 : Agreed to form a CAP group to cover a number of
update CSR documentation in preparation for future related recommendations. Precise activities to be discussed and
° agreed with PJ.
This retrospective work should be supported by the Action I 95/11 TPA — PI/TPA to establish forum with Delivery
orsanisation and sho vuld be fiken info account in any Managers to identify the shortfall. Put together plan with
tmust be vane dan di recommen 4 that Delive Unit resourcing implications to present to JHB/MJBC. Will have to
P . we ty 5 be cost justified. Email invitation to meeting (1/12) issue to
Managers are tasked with developing ‘Get Well Plans: DMs 26/11 03/12/99
for their retrospective units to deal with the missing or Ss <0/k". 03/12/99
incomplete deliverables.
01502 I 3.3 Many of the development teams are producing Py TPA I Open Retrospective Work Group
documentation to varying form and content standards. 7/11: See 013/01
The current work to convert the existing helpfile OLS to Action I 25/11: See 015/01 0312/99
COMMERCIAL IN CONFIDENCE
Page 4 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
Ref,
015/03 3.4
Hard evidence is an important element of ISO
registration. The audit found little in the way of hard
evidence to support assertions made wrt reviews.
There was an abundance of verbal assurances that
lifecycle reviews had taken place but very little hard
evidence, in the form of walkthrough notes, document
comment sheets, review meeting minutes, etc existed.
Having moved from the NR2 position where even
anecdotal evidence was hard to find Pathway must now
formalise the documenting and retention of review
outcomes. Not only does this provide evidence of review
but can also be used to measure the effectiveness of the
review process itself, an important element of
continuous process improvement.
TPA
Action
Retrospective Work Group
17/11 : See 015/01
25/11 : See 015/11
03/12/99
COMMERCIAL IN CONFIDENCE
Page 5 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
TA/CAP/008,
0.1
22/11/99
FUJ00079783
FUJ00079783
015/04 4
The audit identified that EPOSS continues to be
unstable. PinICL evidence illustrated the numbers of
PinICLs raised since the 1998 Task Force and the rate of
their being raised.
The EPOSS Solutions Report [7] made specific
recommendations to consider the re-design and re-write
of EPOSS, in part or in whole, to address the then
known shortcomings. In light of the continued evidence
of poor product quality these recommendations should
be re-considered.
TPA
JHB/
MJBC
Open
Action
17/11 : This action falls within Development but requires higher
level drive. Has links with CS and BD. MJBC to speak with
TPA direct.
25/11 : Work on AI298 identified that majority of problems
(~80%) were to do with error and printer error handling. Daily
meetings had been instigated. TPA of view that while original
code had not been good it would be difficult to justify the case
for re-writing now.
25/11 : Email issued by TPA :-
“We have not formally closed down the recommendation that
we re-engineer the EPOSS application due to its inherent
instability. Since this recommendation was made, a number of
events/actions have taken place. We embarked upon a major
maintenance exercise for LT2 which targeted several known
stability issues. In parallel, we carried out a defensive testing
activity which identified a number of faults which were
addressed. The intensive exercise designed to remove
acceptance incident 298 resulted in many substantial
improvements to the error handling, messaging and printing
aspects of the product. We finally introduced improved unit
and link testing and more disciplined configuration control.
Finally, the maintainability and enhanceability of the product
has been proven by the speed and quality of the SIP 16 and
EPOSS Reconciliation developments.
We will of course continue to monitor the PINICL stack for the
next few months and if necessary re-evaluate this decision.
Would Jan please close this issue formally using the rationale
described.”
COMMERCIAL IN CONFIDENCE
Page 6 of 14
FUJ00079783
FUJ00079783
ICL Pathway Schedule of Corrective Actions: Ref: IA/CAP/008
CSR+ Development Audit Version: 0.1
Date: 22/11/99
015/05 4.2.2 RDMC did not have any test scripts and testing for this PJ TPA Open Retrospective Work Group
fundamental part of the solution was informal. 17/11: See 015/01
Effort should be expended, as soon as practicable, into - 5 5
developing a full suite of unit and/or link test scripts, and Action 25/11: See 015/01 os/l2i9e
a formal test strategy for future releases of
RDMC/RDDS should be established.
015/06 5.1 The CSR+ Plan had recently been changed and a revised I GC/ MJBC I Open Release Management Group
delivery date arrived at. The audit expressed concern MJBC 17/11 : Agreed to form a CAP group to cover a number of
that while slipping dates additional ’ on UP fo <i " ;
. a . “ related recommendations. Precise activities to be discussed and
requirements/functionality was being added in. .
agreed with GC.
In order to protect the revised delivery date it is
imperative that no further changes are accepted to the
CSR+ requirements baseline and I recommend that the
principles enshrined in the Release Management process
be applied to the current CSR+ requirements baseline.
015/07 I 5.2 A Non Functional Catalogue is currently being GI TPA I Open 17/11 : An activity to be planned/agreed to review the emergent
developed. NFC against B&TC scripts.
The design and development work for CSR+ is largely ‘Action 25/11 : TPA — Confirmed that Janet Dore was producing NFR
complete. B&TC’s proposed testing of NFRs is and that a Gap Analysis would follow. Not aiming to deliver
currently based on old, potentially superseded gaps at CSR+ and any future delivery will have to be cost
requirements although the delivery a revised NFR. ustified. GJ looking to identify missing bits against B&TC
Catalogue is imminent. It is imperative that the existing technical test Register. JD also looking at what should be in
scripts are validated against the NFRs in the new system to identify what scripts should contain. End 12/99
Catalogue at the earliest opportunity.
0150s I 5.2 There is an implied risk that the NFR Catalogue may TPA TPA I Open 17/11 : Suggested that a TDA review of the NFC be carried out
highlight deficiencies in the CSR~ products delivered to identify any potential issues.
that will require re-work.
. 25/11: TPA - I
‘Action /11: TPA — See 015/07 End 12/99
COMMERCIAL IN CONFIDENCE
Page 7 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
015/09
The audit identified the informal nature of the
GH
MHB
Open
cussed
17/11: To be
being experienced with integrating Predict! And AMS
would impact on the introduction of a revised risk
management process.
It was noted that difficulties are being experienced in the
integration of the Predict! Tool with the AMS planning
tool. While maintaining full integration as the ultimate
goal the Risk Manager should not delay in introducing
the revised RM process across the programme.
arrangements between QRM and Secure Development. Action 25/11 : Accepted. SDU and Roy Birkenshaw contacted to
The agreements and commitments to conduct the KMS arrange meeting to discuss/agree UAT requirements. These to
User Acceptance Tests should be formalised and be formalised and planned to happen 02/00. GH also reviewing
reflected in the Security Manager’s workplan for 2000. user documentation — ongoing at moment. This will be reflected
in workplan. End 12/99
O1S/10 5.3 The audit identified that there was no formal ownership I GH MHB Open 17/11 : To be discussed
or plan that supports penetration testing Action I 25/11 : Meeting initiated with SDU, Chris Wannell (NR2
Assuming that the requirement for penetration testing experience) & Kevin Barrett to discuss Penetration testing. Last
remains the approach agreed for NR2 should be known position was that this had been offered to Admiral
reviewed for continued suitability. Ownership of the Management Services who were going to prepare a proposal.
activity should be assigned and the necessary resources GH also to meet Richard Gaze (Horizon Test Manager) 29/11.
committed and reflected in the Programme Plan. GH believes that PT will run along similar lines to NR2 but will
have to confirm against new contract. 10/12/99
O1S/11 5.4 Concern was expressed that the technical problems GK MHB Open 17/11 : To be discussed
COMMERCIAL IN CONFIDENCE
Page 8 of 14
ICL Pathway
Schedule of Corrective Actions: Ref.
CSR+ Development Audit Version:
ate:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
Ref,
O1S/12
The audit highlighted that an independent risk register GK/
was being maintained by the Director QRM. This could I MHB
lead to inconsistency in Pathways approach to risk
identification and mitigation.
It is anticipated that the Predict! register will form the
sole repository and source of risk information, providing
a common and consistent view of risk, and the use of all
other registers, lists and matrices should cease once this
has been fully implemented.
MHB
17/11 : Work undertaken to compare both lists. Update made to
GPK register and decision taken to operate single list — Predict!
O1S/13
5.4
The Programme Office has developed a separate risk GK
register which the audit considered should be applied to
all delivery streams.
The risks identified on the PO risk register apply in
whole or in part to all Delivery Units. In order to ensure
that Delivery Managers and Team Leaders address the
detail of these risks they should be incorporated into
each DU’s risk register and the risks managed alongside
those already identified.
MHB
Open
17/11 : To be discussed but suggested that lists are
consolidated.
o1s/14
Concern was expressed by a number of Team Leaders Gc
about the planning process.
For the Planning Process to be accepted and used
positively by the Team Leaders it is imperative that it
meets their needs as well as management’s. I recommend
that a full review is carried out of the Planning Process
that confirms or refutes the concerns raised by the Team
Leaders and establishes a process that is acceptable to,
and used by, all interested parties.
MJBC
Open.
17/11 : MJBC stated that Planning Manager is to be appointed —
review situation with Team Leaders? Later discussion with GC
suggests that new appointee will not be capable of conducting a
wide ranging review. GC maintains that he wants an
independent audit of the planning process.
COMMERCIAL IN CONFIDENCE
Page 9 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
O1S/1S 5.6 The audit identified that process management was. MHB JHB Open ISO Registration Group
operating on a departmental basis and made more 17/11 : Agreed to form a CAP group to cover a number of
complex the assurance that Pathway had a full suite in . : woe
time for ISO registration, related recommendations. Precise activities to be discussed and
agreed with MHB. An ISO Board has been proposed. Details,
To have any chance of success I believe that a similar TORs ete to be provided.
singular resource should be appointed to take overall
responsibility for the co-ordination of process
development and deployment across the whole of
Pathway and that this resource and the ISO Project
Manager should be organisationally co-located.
015/16 5.6 The audit identified the absence of development JH TPA Open 17/11 : To be discussed
standards for Agent and Counter development 25/11 : JH under impression that Agent Team had
The Host Application Database Design and Interface comprehensive range of development standards so no further
Standards were developed to provide definitive technical work required in that area. Confirmed that this was not the case
standards for host development teams. Arguably out of with Counters and that JD was producing :
date since it deals specifically with Oracle development, (a) Description of Standard APIs for Counters
there are no known equivalents for Counter or Agent
Development. I recommend that the HADDIS is updated (b) Development Standards or Counters
to reflect the current host development environments and
the equivalents for Counter and Agent development be
produced.
OIS/17 5.6 The audit identified that there were no universal C or JH TPA Open 17/11 : To be discussed
VB standards in place.
However, to improve coding quality and ensure a
consistent basis for code review coding standards for C
and VB must be developed and deployed via the Intranet
OLS. These standards should then be used.
COMMERCIAL IN CONFIDENCE
Page 10 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
O1S/18
The audit identified the possibi
ity that the statistics used
Gc
MIJBC
Action
17/11 : GC confirmed that the Workset review had been carried
within the proposed “Get Well Plans’ identified in 3.2. In
order to size the job the Programme Office should
undertake a review of the worksets to ensure that they
are all required and workset owners should review their
content to confirm their accuracy, as required in
Documentation Management, OLS Release 17.
to report progress on documentation generation and out and was complete. Several redundant Worksets had been
approval may be inaccurate. removed from both the CSR and CSR+ document lists..
In order to present a more accurate reflection of CSR+ 17/11 : GC to draft instruction to Directors requiring that a
documentation status, thus improving the reporting to TPA/ MJBC_ I Action Workset review is carried out. MJBC to sign.
and monitoring of this by management, two review MHB/ 25/11 : Following discussion with TPA decided to include the
cycles should be undertaken/completed : JF/ SM ° owin 0
workset review in the Retrospective Work Group.
a. The Programme Office should complete their
review the totality of the PVCS documentation worksets
for CSR+.
b. Workset owners should review their worksets
and confirm the current content or provide details of
changes to the Programme Office.
O1S/19 5.8 A similar situation pertains for the CSR documentation. I GC MJBC I Gpen 17/11: See 015/18
The size of this task is significant and should be included Action 25/11 : See 015/18
COMMERCIAL IN CONFIDENCE
Page 11 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
TA/CAP/008,
0.1
22/11/99
FUJ00079783
FUJ00079783
015/20
The QAM had not been able to progress the quality
improvement programmes that he had been recruited to
do.
The Quality Assurance Manager should be given the
authority to proceed with the role that he was recruited
to undertake. This will require the acceptance of, and
agreement to, the Quality Improvement Plans by the
Development Director and formal approval by him to
proceed.
Retrospective Work Group
17/11 : See 015/01
015/21
The QAM had produced a report detailing current
failings against IS09001. Unfortunately the report was
not being acted on in the appropriate manner.
This report provides a valuable insight into the state of
Developments processes and the weaknesses that exist.
It should be given a wider circulation, especially to the
Pathway Quality Manager, and any corrective work
identified should be authorised.
MHB
JHB
Open
ISO Registration Group
17/11 : Agreed to form a CAP group to cover a number of
related recommendations. Precise activities to be discussed and
agreed with MHB. An ISO Board has been proposed. Details,
TORs etc to be provided.
015/22
QA Checklists had been developed by the QAM but
their use was by no means universal.
Many of the Delivery Unit teams are planning
retrospective review sessions for their documents. This
should be extended across all Units and the use of the
Checklists mandated during those reviews.
JHem
TPA
Open
Retrospective Work Group
17/11 : See 015/01
COMMERCIAL IN CONFIDENCE
Page 12 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
TA/CAP/008,
0.1
22/11/99
FUJ00079783
FUJ00079783
015/23
Quality planning was virtually non existent.
It is questionable whether there is any benefit in
producing Quality Plans at this stage of CSR+
development. However, the value of the document in
bringing together details of the resources, organisation,
processes, reviews, risks, assumptions and other
contributory factors must be realised in future Release
and its production by Delivery Managers made
mandatory.
JH
TPA
Open
17/11 : Production of Quality Plans deemed to be nugatory at
this stage of development. Require confirmation that necessity
and wherewithal present on new OLS.
015/24
The audit considered that insufficient management
attention was being given to the contractual requirement
to obtain ISO registration by September 2000.
Having personally steered three separate companies
through the rigours of ISO 9000 registration, including
one to ISO9001/TickIT, I believe that the breadth of
scope of the proposed certification, and the time
remaining in which to achieve it, demands that a full
time Project Manager is assigned to the task. Either the
Quality Manager should be able to transfer any non-
essential initiatives or a resource should be assigned to
him specifically to manage the registration commitment.
MHB
JHB
Open
ISO Registration Group
17/11 : Agreed to form a CAP group to cover a number of
related recommendations. Precise activities to be discussed and
agreed with MHB. An ISO Board has been proposed. Details,
TORs etc to be provided.
015/25
Notwithstanding the appointment of dedicated resource
to drive this project, and to assist when one is appointed,
an activity should take place to produce an inventory of
all processes, developed or under development, and their
deployment status within Pathway. This activity should
build on the work undertaken for Development and the
inventory mapped onto the requirements of ISO9001 to
identify shortcomings.
MHB
JHB
Open
ISO Registration Group
17/11 : Agreed to form a CAP group to cover a number of
related recommendations. Precise activities to be discussed and
agreed with MHB. An ISO Board has been proposed. Details,
TORs etc to be provided.
COMMERCIAL IN CONFIDENCE
Page 13 of 14
ICL Pathway
Schedule of Corrective Actions:
CSR+ Development Audit
Ref:
Version:
Date:
IA/CAP/008
0.1
22/11/99
FUJ00079783
FUJ00079783
015/26 5.11
A considerable amount of time (and money) had been
Release Management Group
developing without the benefit of the imposition of
standards or content controls.
Pathway IT Infrastructure should established a policy
and strategy for the development and deployment of
intranet sites within Pathway. It should also conduct a
review of existing activity, identify standards for their
content and presentation values, and ensure that future
intranets developed for use within Pathway conform to
the strategy.
GC/ Open
spent earlier in 1999 to develop a revised Release MJBC 17/11 : Agreed to form a CAP group to cover a number of
Management process. A project manager was to have related recommendations. Precise activities to be discussed and
been appointed in August to implement and deploy the hoteed with GC
proposed process. 8 .
A Project Manager should be appointed without delay
and he/she must concentrate their initial efforts into
identifying those areas that will benefit CSR+ and.
implementing them.
015/27 5.12 The audit identified a plethora of varied intranet sites, all I PW SM Action 17/11 : Paul Westfield has been emailed with detail from report
and asked for views/proposals.
COMMERCIAL IN CONFIDENCE
Page 14 of 14