Implementation of the Criminal Justice Enhancement Program (CJEP)

1. EXECUTIVE SUMMARY

1.1 Introduction

The Criminal Justice Enhancement Program (CJEP) is a highly complex major information technology project of the Department of Justice (the department). It is an integrated Information and Communication Technology (ICT) platform designed to support the participation of the key law enforcement agencies engaged in the administration of criminal justice within Victoria. It includes Victoria Police, the Office of Public Prosecutions, Victoria Legal Aid, the County Court and Corrections Victoria.

CJEP is designed to integrate and streamline systems and processes across agencies to minimise transaction costs and to improve access, quality and timeliness of information to agencies, courts, legal practitioners and the public.

CJEP was approved to proceed in October 1998 with funding of $14.5 million and a target completion date of November 2000. Originally, the CJEP program scope comprised five principal projects. Three additional projects were subsequently added.

The CJEP projects have been incorporated into the following three key integrated IT software applications:

E*Justice—to be used by police, prosecutions, corrections and legal aid officers, with a focus on managing information about accused persons and handling briefs of evidence
ACS Courts—to be used by the County and Magistrates' Courts with a focus on improving case management and sentencing information
Justice Knowledge Exchange—to manage the exchange of selected data between E*Justice, ACS Courts, and the legacy IT systems that remain in operation in justice agencies.

The CJEP systems are referred to collectively as the Integrated Justice Systems suite of applications or the Integrated Justice Systems (IJS). The CJEP systems operate in conjunction with a large number of legacy systems and reside in a complex set of networks in Victoria Police and the department. IJS also includes secure links between the department, Victoria Police, Office of Public Prosecutions, Corrections Victoria and private prison providers to enable the sharing of information.

The Secretary of the department is the CJEP project sponsor and responsibility for day to day project management of CJEP has rested with the department. Implementation of CJEP has been overseen by a steering committee comprising representatives from the key agencies involved in CJEP.

The department appointed a primary IT contractor in November 2000 to scope, design, build, install and support CJEP applications. This contract concluded in December 2005. At that time, a unit was established within the department’s Technology Services Group to maintain, support and enhance CJEP applications into the future.

In May 2003 our Office reported to Parliament on the progress of CJEP and the adequacy of its management at that time. That report outlined the main achievements under CJEP, the widening of its scope and funding and its then target completion date of March 2004. This revised target completion date was not achieved.

1.2 Implementation of CJEP

CJEP has not been implemented on time or on budget. While four of the five CJEP projects have been delivered it is not complete because the electronic brief/disclosure project (E*Brief) is not operating and may not be fully implemented until 2009.

The department considers CJEP to be complete because in its view CJEP’s core IT systems were delivered by December 2005. The department advised audit that the finalisation and implementation of E*Brief is the responsibility of Victoria Police, in line with a decision by the CJEP Steering Committee in mid-2007.

Regardless of who is now responsible for completing E*Brief, it is clear that E*Brief was part of the approved and funded scope of CJEP. On that basis the approved and funded scope of the CJEP program had not been fully implemented at the time of the finalisation of this report.

There have been substantial cost overruns on CJEP. The department spent $39.9 million on CJEP’s development and implementation to May 2008 and Victoria Police estimates that a further $4 million will be required to complete the E*Brief project.

The initial budget for CJEP of $14.5 million was increased by $15.4 million to reflect approved scope changes to the program between 2000 and the end of 2002. In addition to funding approved by government for scope changes to CJEP since 1998, the department has supplemented CJEP’s funding from its own budget on an ongoing basis.

Some of the additional expenditure on CJEP is attributable to approved scope changes to the program. These scope changes were required either to enable CJEP systems to be implemented and operated as originally envisaged—and as such, should have been identified and costed as part of the original planning and budgeting for the project—or, to provide increased functionality for agencies using CJEP systems.

The department has not recorded or monitored expenditure by CJEP partner agencies on its development and ongoing support. Advice from these agencies indicates that they have incurred around $10.4 million for costs associated with CJEP, over and above what has been spent by the department.

The department spent $18 million on maintenance, support and enhancements to the implemented CJEP systems to April 2008.

Delays in completing CJEP and the associated cost increases are mainly due to:

underestimation of the complexity, magnitude and level of cross agency involvement required of such a project
an inadequately developed business case that contributed to poor scoping of the project and a failure to identify realistic funding requirements
inadequate specification of system requirements
development and implementation issues and related delays associated with contractor performance
fluctuating levels of commitment to and ownership of CJEP by partner agencies.

CJEP’s success was highly dependent on adequate IT infrastructure being in place in partner agencies. The initial project budget made minimal provision to address infrastructure deficiencies which were evident at the program’s outset. Considerably more effort could have been put into early planning for infrastructure development. The failure to do this contributed to implementation problems and delays that damaged the confidence of partner agency staff in CJEP.

1.3 Benefits realisation

The department and CJEP partner agencies advise that the implementation of CJEP has resulted in considerable benefits including:

establishing secure links for the transmission of data between the criminal justice agencies and a middleware layer, known as the Justice Knowledge Exchange (JKE), which allows system-to-system real time transactions to be completed. The various CJEP systems—E*Justice, Case List Management System (CLMS) and the JKE—are now an integral part of the operations of the criminal justice system
implementation of the CLMS in the County Court significantly improved the Court’s capacity to manage cases from initiation to conclusion and enabled the Court to retrieve information electronically including Court outcomes
approximately 24 per cent of all civil documents are now lodged electronically with the County Court, eliminating significant effort for court users in delivering hard copy documents to the Court
the replacement of attendance books in police stations with an electronic record of all ‘attendances at police stations’ has eliminated the need for attendance book entries to be transcribed into the Law Enforcement Assistance Program (LEAP) database as this function is now performed automatically by the JKE
the E*Justice police cell custody and property modules enable Victoria Police to share custody and property information with Corrections Victoria. The sharing of this information has eliminated the potential for confusion about risk ratings of prisoners as they move between police cells and prisons and has standardised a means of describing prisoners’ property
the immediate receipt by Victoria Police of electronic orders from both the County and Magistrates’ Courts
benefits associated with the community corrections module of E*Justice such as the electronic forwarding of an alert to the relevant case officer concerning any interaction that an offender may have had with the criminal justice system. These alerts occur in real time and are an invaluable means of community corrections officers being able to quickly gain knowledge of an offender’s activities rather than having to wait for a range of administrative processes
the automated calculation of prisoner sentences, electronic receipt of prisoner warrants, effective file tracking and property management system and automated muster counting functions in the corrections environment.

The department advised that in addition to these tangible benefits there are a range of collaborative work practice related benefits that have emerged from the program. By bringing together staff from the various criminal justice agencies to focus on business processes, CJEP has engendered a spirit of co-operation between these agencies that has not always been present in the past.

The extent of benefits delivered by CJEP has not been systematically measured, tracked and reported. While the department established a benefits capture framework early in CJEP’s development it lacks a comprehensive range of performance indicators to adequately measure the benefits flowing from CJEP’s implementation. In particular, performance indicators relating to intangible benefits such as better risk management of offenders, information sharing and community savings are not sufficiently robust.

There has not been regular reporting against the benefits capture framework. The lack of progressive identification, monitoring and reporting of benefits is compounded by the failure to conduct a detailed impact study to assess whether CJEP has delivered the benefits and savings projected at its inception.

The lack of systematic measurement and reporting of CJEP benefits represents a lack of accountability to ministers, stakeholders and the community, given the importance of CJEP and the extent of public funds invested in its development.

1.4 Program governance

The department has demonstrably given significant emphasis to the governance and management arrangements for CJEP since its inception and took appropriate action to strengthen CJEP’s governance and management structures in response to recommendations made in our May 2003 report to Parliament on the progress of CJEP. These arrangements largely met audit’s expectations.

Appropriate governance and management structures and arrangements do not, on their own, guarantee the success of a major project. There also needs to be real commitment to and ownership of the project by the stakeholders and agencies tasked with implementing it.

The CJEP Steering Committee had adequate stakeholder representation, and was provided with regular reporting by the program director regarding the program’s progress. The committee was fully aware of the extent to which CJEP had exceeded its original timeframes and budget for implementation.

While high level partner agency commitment to the CJEP program was always present in a formal sense—through membership of the CJEP Steering Committee and allocation of internal resources by agencies to support the program—this was not always matched by actions and ‘on the ground’ commitment and ownership. It is acknowledged that the maintenance of support over long periods for major projects such as CJEP is always a challenge for participating agencies. Agencies need to balance the demands of the project with their responsibility to ensure the delivery of service obligations using available resources.

This audit identified a number of deficiencies in the application and enactment of the CJEP governance and management arrangements and in CJEP’s monitoring and reporting framework, including:

The CJEP Steering Committee did not meet often enough at a critical juncture for the project in 2002–03. This was addressed from October 2003 when monthly meetings resumed.
Reporting to the steering committee, particularly in the earlier phase of the program’s implementation lacked sufficient detail to facilitate the level of oversight and management required for such a large and complex project.
There is no monitoring and reporting of the program’s whole of project and whole of life project costs incurred by the department and other agencies.

These deficiencies adversely affected the oversight and management of CJEP’s implementation and assessment of the expected program and project deliverables and outcomes.

1.5 Ongoing management and support of CJEP systems

The department needs to ensure the provision of effective ongoing support and management of CJEP systems to realise the benefits associated with its investment in the program.

The department developed and implemented an effective plan to transition the future development and support of CJEP from the primary IT contractor to the department’s in-house support group. However, the decision to provide the ongoing support service for CJEP systems internally was not based on a comprehensive and fully costed business case.

The department developed a memorandum of understanding (MOU) in June 2006 to define the governance policies and arrangements for the oversight, management and coordination of the CJEP as an ongoing program. This MOU has been operational since June 2006.

1.6 Information security over CJEP

The adequacy of security over the CJEP systems and data is ultimately in the hands of the individual justice sector agencies and their staff, contractors and partners who use the systems. These agencies need to establish, maintain and adhere to effective information security management systems. There is also a need for an overarching information security policy and system governing the CJEP systems. The policies and systems of individual agencies should be consistent with the overarching requirements.

A comprehensive overarching information security policy for CJEP systems and information was established in June 2006 but it is not fully operational. Some of the actions required under that policy have not been implemented. While this matter needs to be addressed, information security policies and controls over CJEP systems are in place at the individual agency level.

The department has recognised the need for a more comprehensive approach to information security over the past two years and has taken positive steps to address weaknesses in its previous approach.

Notwithstanding this, the department needs to maintain a strong focus on ensuring that its information security management system is fully implemented and monitored for effectiveness and compliance. The department is in the process of:

supporting the communication of the new Information Security Management System framework (ISMS) and policies to all staff, contractors and relevant partners with a coordinated training program
completing a ‘gap analysis’ to identify the extent to which current practices and controls meet the requirements of the new framework and policies
·fully implementing data classification which is critical to the effectiveness of any ISMS.

1.7 Recommendations

E*Brief Project

Victoria Police should commit to the completion of E*Brief and ensure it is delivered in line with the CJEP vision and rolled out across the police force. (Recommendation 3.1)
The CJEP Governance Board should resume governance responsibility for the completion of the E*Brief project to better assure the integrity of the complete CJEP. (Recommendation 3.2)

Monitoring of CJEP performance and benefits

The department should establish performance measures of a strategic nature that are linked to CJEP’s expected outcomes and report performance against baseline data for these measures to both CJEP stakeholders and the Parliament through its annual report. (Recommendation 4.1)

Ongoing management and support of CJEP

The department needs to:

obtain sign off to the MOU by Victoria Legal Aid to formalise the governance arrangements in place relating to CJEP
develop a comprehensive and fully costed business case including an option analysis to justify funding levels and whether the CJEP support service should be retained internally or be outsourced
develop and maintain a risk management strategy and risk plans to identify, manage and monitor any ongoing risks relating to CJEP systems. (Recommendation 6.1)

Information security over CJEP

The CJEP Information Security and Privacy Committee should commence regular annual reporting to the CJEP Governance Board on any breaches of policy or any other issues that may affect CJEP systems. (Recommendation 7.1)

The department should:

ensure that the information privacy statements of CJEP partner organisations comply with the requirements of the CJEP Information Security Policy (Recommendation 7.2)
establish a business continuity plan for the shared domain elements of CJEP systems (Recommendation 7.3)
ensure that its data classification scheme is fully implemented and supported with appropriate guidance material as soon as possible (Recommendation 7.4)
establish performance measures for the management of information security and ensure that subsequent performance is monitored and reported to senior management (Recommendation 7.5)
finalise the development of an overall IT security plan that covers the building of awareness, establishes clear standards based on its Information Security Policy and ICT security policy, and defines monitoring and enforcement processes (Recommendation 7.6)
establish a single configuration management database as soon as possible. (Recommendation 7.7)

RESPONSE provided by Acting Secretary Department of Justice

The Department would like to acknowledge the lengthy discussions that have taken place between officers of our respective organisations in an attempt to confirm the factual information in the report and to clarify matters of interpretation. The opportunity for the Secretary, DOJ to meet with you and your senior staff was also appreciated.

The Department agrees with the report’s recommendations except in the two areas outlined below.

The report recommends that the CJEP Governance Board should resume governance responsibility for completion of the E*Brief Project

The E*Brief project is part of a larger project within Victoria Police aimed at improving brief creation and management processes. The Department is satisfied that the governance and management arrangements that Victoria Police has established for this project are effective. Arrangements are also in place for the Victoria Police Deputy Commissioner with responsibility for the project to report on progress to the CJEP Governance Board.

The report recommends that a business case be developed to justify continuation of internal support for CJEP systems

The CJEP Governance Board decided early in 2005 to establish a unit within DOJ to provide ongoing support maintenance and enhancements of CJEP systems. This decision was based on a presentation to the Steering Committee from the CJEP Project Director which examined the relative costs of outsourcing this function and establishing an internal unit. The projected costs for external provision of these services were based on experience with the then incumbent service provider. Apart from relative costs, the Steering Committee also took account of the desirability of providing an internal service support group which could become familiar with the business processes of the CJEP partner organisations and thus better understand future requirements.

The Department is satisfied that the internal unit is both effective and competitive, in cost terms, with the external market. The internal unit has been operating effectively since December 2005 and has received many compliments from partner organisations as to its responsiveness and effectiveness.

The Department also notes that the annual cost of the internal unit is at the lower end of the industry standard range for provision of maintenance and support services for complex IT systems such as CJEP.

The report contains a number of conclusions with which the Department fundamentally disagrees. While the Department acknowledges that these conclusions are audit opinion, it does not believe that they are supported by the facts.

FURTHER comment by the Auditor-General

The department’s response to specific audit conclusions with which it disagrees is set out in Appendix A to this report. Rather than demonstrating that the relevant audit conclusions are not supported by the facts, this response merely presents the department’s perspective on these matters.

Audit conclusions are formed following objective analysis of the evidence using criteria and considering context. This is done in accordance with audit methodology and Australian auditing standards.

RESPONSE provided by Chief Commissioner, Victoria Police

Victoria Police does not accept that a high level commitment has not always been backed up by effective action. Victoria Police’s commitment to the CJEP project has been exemplified by its piloting of modules of the system over lengthy periods of time and by its preparedness to commit additional resources to the project, including people with the requisite skills. Victoria Police was not prepared, however, to introduce a system into the operational environment while significant deficiencies remained.

CJEP was an ambitious and complex IT change process. Many factors contributed to either partial success or failure. Some issues of process and acceptability of use of electronic formats still remain in the chain of users or potential users of a fully integrated criminal justice system, some of whom are not within Victoria Police.

Victoria Police remains committed to a fit for purpose electronic brief and is prepared to participate in an interdepartmental steering committee reformed to ensure the success of CJEP.