Implementation of the Criminal Justice Enhancement Program (CJEP)
1. EXECUTIVE SUMMARY
1.1 Introduction
The Criminal Justice Enhancement Program (CJEP) is a highly
complex major information technology project of the Department of
Justice (the department). It is an integrated Information and
Communication Technology (ICT) platform designed to support the
participation of the key law enforcement agencies engaged in the
administration of criminal justice within Victoria. It includes
Victoria Police, the Office of Public Prosecutions, Victoria Legal
Aid, the County Court and Corrections Victoria.
CJEP is designed to integrate and streamline systems and
processes across agencies to minimise transaction costs and to
improve access, quality and timeliness of information to agencies,
courts, legal practitioners and the public.
CJEP was approved to proceed in October 1998 with funding of
$14.5 million and a target completion date of November 2000.
Originally, the CJEP program scope comprised five principal
projects. Three additional projects were subsequently added.
The CJEP projects have been incorporated into the following
three key integrated IT software applications:
- E*Justice—to be used by police, prosecutions, corrections and
legal aid officers, with a focus on managing information about
accused persons and handling briefs of evidence
- ACS Courts—to be used by the County and Magistrates' Courts
with a focus on improving case management and sentencing
information
- Justice Knowledge Exchange—to manage the exchange of selected
data between E*Justice, ACS Courts, and the legacy IT systems that
remain in operation in justice agencies.
The CJEP systems are referred to collectively as the Integrated
Justice Systems suite of applications or the Integrated Justice
Systems (IJS). The CJEP systems operate in conjunction with a large
number of legacy systems and reside in a complex set of networks in
Victoria Police and the department. IJS also includes secure links
between the department, Victoria Police, Office of Public
Prosecutions, Corrections Victoria and private prison providers to
enable the sharing of information.
The Secretary of the department is the CJEP project sponsor and
responsibility for day-to-day project management of CJEP has rested
with the department. Implementation of CJEP has been overseen by a
steering committee comprising representatives from the key agencies
involved in CJEP.
The department appointed a primary IT contractor in November
2000 to scope, design, build, install and support CJEP
applications. This contract concluded in December 2005. At that
time, a unit was established within the department’s Technology
Services Group to maintain, support and enhance CJEP applications
into the future.
In May 2003 our Office reported to Parliament on the progress of
CJEP and the adequacy of its management at that time. That report
outlined the main achievements under CJEP, the widening of its
scope and funding and its then target completion date of March
2004. This revised target completion date was not achieved.
1.2 Implementation of CJEP
CJEP has not been implemented on time or on budget. While four
of the five CJEP projects have been delivered, CJEP is not complete
because the electronic brief/disclosure project (E*Brief) is not
operating and may not be fully implemented until 2009.
The department considers CJEP to be complete because in its view CJEP’s
core IT systems were delivered by December 2005. The department
advised audit that the finalisation and implementation of E*Brief
is the responsibility of Victoria Police, in line with a decision
by the CJEP Steering Committee in mid-2007.
Regardless of who is now responsible for completing E*Brief, it
is clear that E*Brief was part of the approved and funded scope of
CJEP. On that basis the approved and funded scope of the CJEP
program had not been fully implemented at the time of the
finalisation of this report.
There have been substantial cost overruns on CJEP. The
department spent $39.9 million on CJEP’s development and
implementation to May 2008 and Victoria Police estimates that a
further $4 million will be required to complete the E*Brief
project.
The initial budget for CJEP of $14.5 million was increased by $15.4
million to reflect approved scope changes to the program
between 2000 and the end of 2002. In addition to funding approved by
government for scope changes to CJEP since 1998, the department has
supplemented CJEP’s funding from its own budget on an ongoing
basis.
Some of the additional
expenditure on CJEP is attributable to approved scope changes to
the program. These scope changes were required either to
enable CJEP systems to be implemented and operated as originally
envisaged—and as such, should have been identified and costed as
part of the original planning and budgeting for the project—or, to
provide increased functionality for agencies using CJEP systems.
The department has not recorded or monitored expenditure by
CJEP partner agencies on its development
and ongoing support. Advice from these agencies indicates that they
have incurred around $10.4 million for costs associated with CJEP,
over and above what has been spent by the department.
The department spent $18 million on maintenance, support and
enhancements to the implemented CJEP systems to April 2008.
Delays in completing CJEP and the associated cost increases are
mainly due to:
- underestimation of the complexity, magnitude and
level of cross agency involvement required of such a project
- an inadequately developed business case that
contributed to poor scoping of the project and a failure to
identify realistic funding requirements
- inadequate specification of system
requirements
- development and implementation issues and
related delays associated with contractor performance
- fluctuating levels of commitment to and
ownership of CJEP by partner agencies.
CJEP’s success was highly dependent on adequate IT
infrastructure being in place in partner agencies. The initial
project budget made minimal provision to address infrastructure
deficiencies which were evident at the program’s outset.
Considerably more effort could have been put into early planning
for infrastructure development. The failure to do this contributed
to implementation problems and delays that damaged the confidence
of partner agency staff in CJEP.
1.3 Benefits realisation
The department and CJEP partner agencies advise that the
implementation of CJEP has resulted in considerable benefits
including:
- establishing secure links for the transmission
of data between the criminal justice agencies and a middleware
layer, known as the Justice Knowledge Exchange (JKE), which allows
system-to-system real time transactions to be completed. The
various CJEP systems—E*Justice, Case List Management System (CLMS)
and the JKE—are now an integral part of the operations of the
criminal justice system
- implementation of the CLMS in the County Court
significantly improved the Court’s capacity to manage cases from
initiation to conclusion and enabled the Court to retrieve
information electronically including Court outcomes
- approximately 24 per cent of all civil documents
are now lodged electronically with the County Court, eliminating
significant effort for court users in delivering hard copy
documents to the Court
- the replacement of attendance books in police
stations with an electronic record of all ‘attendances at police
stations’ has eliminated the need for attendance book entries to be
transcribed into the Law Enforcement Assistance Program (LEAP)
database as this function is now performed automatically by the
JKE
- the E*Justice police cell custody and property
modules enable Victoria Police to share custody and property
information with Corrections Victoria. The sharing of this
information has eliminated the potential for confusion about risk
ratings of prisoners as they move between police cells and prisons
and has standardised a means of describing prisoners’ property
- the immediate receipt by Victoria Police of
electronic orders from both the County and Magistrates’ Courts
- benefits associated with the community
corrections module of E*Justice such as the electronic forwarding
of an alert to the relevant case officer concerning any interaction
that an offender may have had with the criminal justice system.
These alerts occur in real time and are an invaluable means of
community corrections officers being able to quickly gain knowledge
of an offender’s activities rather than having to wait for a range
of administrative processes
- the automated calculation of prisoner sentences,
electronic receipt of prisoner warrants, effective file tracking
and property management system and automated muster counting
functions in the corrections environment.
The department advised that in addition to these tangible
benefits there is a range of collaborative work practice related
benefits that have emerged from the program. By bringing together
staff from the various criminal justice agencies to focus on
business processes, CJEP has engendered a spirit of co-operation
between these agencies that has not always been present in the
past.
The extent of benefits delivered by CJEP has not been
systematically measured, tracked and reported. While the department
established a benefits capture framework early in CJEP’s
development, it lacks a comprehensive range of performance
indicators to adequately measure the benefits flowing from CJEP’s
implementation. In particular, performance indicators relating to
intangible benefits such as better risk management of offenders,
information sharing and community savings are not sufficiently
robust.
There has not been regular reporting against the benefits
capture framework. The lack of progressive identification,
monitoring and reporting of benefits is compounded by the failure
to conduct a detailed impact study to assess whether CJEP has
delivered the benefits and savings projected at its inception.
The lack of systematic measurement and reporting of CJEP
benefits represents a lack of accountability to ministers,
stakeholders and the community, given the importance of CJEP and
the extent of public funds invested in its development.
1.4 Program governance
The department has demonstrably given significant emphasis to
the governance and management arrangements for CJEP since its
inception and took appropriate action to strengthen CJEP’s
governance and management structures in response to recommendations
made in our May 2003 report to Parliament on the progress of CJEP.
These arrangements largely met audit’s expectations.
Appropriate governance and management structures and
arrangements do not, on their own, guarantee the success of a major
project. There also needs to be real commitment to and ownership of
the project by the stakeholders and agencies tasked with
implementing it.
The CJEP Steering Committee had adequate stakeholder
representation, and was provided with regular reporting by the
program director regarding the program’s progress. The committee
was fully aware of the extent to which CJEP had exceeded its
original timeframes and budget for implementation.
While high level partner agency commitment to the CJEP program
was always present in a formal sense—through membership of the CJEP
Steering Committee and allocation of internal resources by agencies
to support the program—this was not always matched by actions and
‘on the ground’ commitment and ownership. It is acknowledged that
the maintenance of support over long periods for major projects
such as CJEP is always a challenge for participating agencies.
Agencies need to balance the demands of the project with their
responsibility to ensure the delivery of service obligations using
available resources.
This audit identified a number of deficiencies in the
application and enactment of the
CJEP governance and management arrangements and in CJEP’s
monitoring and reporting framework, including:
- The CJEP Steering Committee did not meet often
enough at a critical juncture for the project in 2002–03. This was
addressed from October 2003 when monthly meetings resumed.
- Reporting to the steering committee, particularly in the
earlier phase of the program’s implementation, lacked sufficient
detail to facilitate the level of oversight and management
required for such a large and complex project.
- There is no monitoring and reporting of
the program’s whole of project and whole of life project costs
incurred by the department and other agencies.
These deficiencies adversely affected the oversight and
management of CJEP’s implementation and assessment of the expected
program and project deliverables and outcomes.
1.5 Ongoing management and support of CJEP systems
The department needs to ensure the provision of effective
ongoing support and management of CJEP systems to realise the
benefits associated with its investment in the program.
The department developed and implemented an effective plan to
transition the future development and support of CJEP from the
primary IT contractor to the department’s in-house support group.
However, the decision to provide the ongoing support service for
CJEP systems internally was not based on a comprehensive and fully
costed business case.
The department developed a memorandum of understanding (MOU) in
June 2006 to define the governance policies and arrangements for
the oversight, management and coordination of the CJEP as an
ongoing program. This MOU has been operational since June 2006.
1.6 Information security over CJEP
The adequacy of security over the CJEP systems and data is
ultimately in the hands of the individual justice sector agencies
and their staff, contractors and partners who use the systems.
These agencies need to establish, maintain and adhere to effective
information security management systems. There is also a need for
an overarching information security policy and system governing the
CJEP systems. The policies and systems of individual agencies
should be consistent with the overarching requirements.
A comprehensive overarching information security policy for CJEP
systems and information was established in June 2006 but it is not
fully operational. Some of the actions required under that policy
have not been implemented. While this matter needs to be addressed,
information security policies and controls over CJEP systems are in
place at the individual agency level.
The department has recognised the need for a more
comprehensive approach to information security over the
past two years and has taken positive steps to address weaknesses
in its previous approach.
Notwithstanding this, the department needs to maintain a strong
focus on ensuring that its information security management system
is fully implemented and monitored for effectiveness and
compliance. The department is in the process of:
- supporting the communication of the new
Information Security Management System framework (ISMS) and
policies to all staff, contractors and relevant partners with a
coordinated training program
- completing a ‘gap analysis’ to identify the
extent to which current practices and controls meet the
requirements of the new framework and policies
- fully implementing data classification which
is critical to the effectiveness of any ISMS.
1.7 Recommendations
E*Brief Project
- Victoria Police should commit to
the completion of E*Brief and ensure it is delivered in line with
the CJEP vision and rolled out across the police force.
(Recommendation 3.1)
- The CJEP Governance Board should
resume governance responsibility for the completion of the E*Brief
project to better assure the integrity of the complete CJEP.
(Recommendation 3.2)
Monitoring of CJEP performance and benefits
- The department should establish
performance measures of a strategic nature that are linked to
CJEP’s expected outcomes and report performance against baseline
data for these measures to both CJEP stakeholders and the
Parliament through its annual report. (Recommendation
4.1)
Ongoing management and support of CJEP
The department needs to:
- obtain sign off to the MOU by
Victoria Legal Aid to formalise the governance arrangements in
place relating to CJEP
- develop a comprehensive and
fully costed business case including an option analysis to justify
funding levels and whether the CJEP support service should be
retained internally or be outsourced
- develop and maintain a risk
management strategy and risk plans to identify, manage and monitor
any ongoing risks relating to CJEP systems. (Recommendation 6.1)
Information security over CJEP
The CJEP Information Security and Privacy Committee should
commence regular annual reporting to the CJEP Governance Board on
any breaches of policy or any other issues that may affect CJEP
systems. (Recommendation 7.1)
The department should:
- ensure that the information
privacy statements of CJEP partner organisations comply with the
requirements of the CJEP Information Security Policy
(Recommendation 7.2)
- establish a business continuity
plan for the shared domain elements of CJEP systems
(Recommendation 7.3)
- ensure that its data
classification scheme is fully implemented and supported with
appropriate guidance material as soon as possible
(Recommendation 7.4)
- establish performance measures
for the management of information security and ensure that
subsequent performance is monitored and reported to senior
management (Recommendation 7.5)
- finalise the development of an
overall IT security plan that covers the building of awareness,
establishes clear standards based on its Information Security
Policy and ICT security policy, and defines monitoring and
enforcement processes (Recommendation 7.6)
- establish a single configuration
management database as soon as possible. (Recommendation 7.7)
RESPONSE provided by Acting Secretary, Department of Justice
The Department would like to
acknowledge the lengthy discussions that have taken place between
officers of our respective organisations in an attempt to confirm
the factual information in the report and to clarify matters of
interpretation. The opportunity for the Secretary, DOJ to meet with
you and your senior staff was also appreciated.
The Department agrees with the report’s
recommendations except in the two areas outlined below.
The report recommends that the CJEP Governance Board should
resume governance responsibility for completion of the E*Brief
Project
The E*Brief project is part of a larger
project within Victoria Police aimed at improving brief creation
and management processes. The Department is satisfied that the
governance and management arrangements that Victoria Police has
established for this project are effective. Arrangements are also
in place for the Victoria Police Deputy Commissioner with
responsibility for the project to report on progress to the CJEP
Governance Board.
The report recommends that a business case be developed to
justify continuation of internal support for CJEP systems
The CJEP Governance Board decided early
in 2005 to establish a unit within DOJ to provide ongoing support,
maintenance and enhancements of CJEP systems. This decision was
based on a presentation to the Steering Committee from the CJEP
Project Director which examined the relative costs of outsourcing
this function and establishing an internal unit. The projected
costs for external provision of these services were based on
experience with the then incumbent service provider. Apart from
relative costs, the Steering Committee also took account of the
desirability of providing an internal service support group which
could become familiar with the business processes of the CJEP
partner organisations and thus better understand future
requirements.
The Department is satisfied that the
internal unit is both effective and competitive, in cost terms,
with the external market. The internal unit has been operating
effectively since December 2005 and has received many compliments
from partner organisations as to its responsiveness and
effectiveness.
The Department also notes that the
annual cost of the internal unit is at the lower end of the
industry standard range for provision of maintenance and support
services for complex IT systems such as CJEP.
The report contains a number of
conclusions with which the Department fundamentally disagrees.
While the Department acknowledges that these conclusions are audit
opinion, it does not believe that they are supported by the
facts.
FURTHER comment by the Auditor-General
The department’s response to specific audit
conclusions with which it disagrees is set out in Appendix A to
this report. Rather than demonstrating that the relevant audit
conclusions are not supported by the facts, this response merely
presents the department’s perspective on these matters.
Audit conclusions are formed following
objective analysis of the evidence using criteria and considering
context. This is done in accordance with audit methodology and
Australian auditing standards.
RESPONSE provided by Chief Commissioner, Victoria Police
Victoria Police does not accept that a
high level commitment has not always been backed up by effective
action. Victoria Police’s commitment to the CJEP project has been
exemplified by its piloting of modules of the system over lengthy
periods of time and by its preparedness to commit additional
resources to the project, including people with the requisite
skills. Victoria Police was not prepared, however, to introduce a
system into the operational environment while significant
deficiencies remained.
CJEP was an ambitious and complex IT
change process. Many factors contributed to either partial success
or failure. Some issues of process and acceptability of use of
electronic formats still remain in the chain of users or potential
users of a fully integrated criminal justice system, some of whom
are not within Victoria Police.
Victoria Police remains committed to a
fit for purpose electronic brief and is prepared to participate in
an interdepartmental steering committee reformed to ensure the
success of CJEP.