Note: The following graphics and rating represent IA’s evaluation for the
risk levels of the issues and recommendations that were identified.
1.4 It was evident from the review that the change from the
previous records management software, Versatile, to new
records management software was justified. The weaknesses
of the Versatile system were noted to be three (3) times more
than the strengths of the system. However, a high level of
subjectivity was evident in the evaluation process in the
allocation of points due to the unstructured approach used
which would have hindered application of the criteria
uniformly. The Commission needs to assess potential
contracts on the principles of value for money, transparency
and accountability.
2.1 The primary audit objectives of this review were to:
i. Evaluate the accomplishment of the project objectives and
determine the efficiency and
effectiveness of the operations of the new system;
ii. Determine the existence, accuracy and completeness of
records transferred and maintained; and
iii. Ascertain whether value for money was achieved in the
changeover to the new system.
5.3 Findings
5.6 It was observed that there was also no detailed breakdown of
the criteria and an explanation of how the total points would
be allocated for each category.
5.7 The evaluation process did not cater for the utilisation of
individual score sheets to support each evaluator’s scoring of
the individual bids based on the established criteria. Thus,
an appendix of these individual score sheets was absent from
the report, namely the Guide to the Evaluation of the
Proposal Documents.
higher as compared to Onbase (Digidata) which was
allocated 10 points less than Knowledgelake for a bid price
three (3) times greater than Newgen.
5.9 Risks
5.12 Recommendations
5.14 The Commission must ensure that evaluations are carried out
in accordance with prior approved and/or predetermined
criteria and in a manner that ensures strict compliance with
Section 24 (1) of the Integrity of Public Life Act 2000 (see
A product of the Internal Audit Department
Appendix 1). These written evaluation criteria must be
established by the Executing Unit prior to the closing date
(submission deadline date) of the Bids, and must be
uniformly applied and may not be changed after opening of
bids. To ensure the criteria are uniformly applied, the
Commission should ensure a detailed breakdown of each
category of the criteria exists and an explanation of the
requirement of how points should be allocated.
the ranking and the selection for the award of contract. The
evaluation report should be clearly labelled ‘Evaluation
Report’ and identify the specific project to which it refers.
5.19 RM -
RM Implementation Action
Cross functional team to be charged with revising the Tenders Rules and Guidelines for
evaluation to include templates and formulae to generate the scoring
RM will include at the next revision of the policies and procedures manual, that all reports to
be submitted to the RM to be signed off as final by the designated divisional/departmental head
and/or designated senior officer before being lodged with us. (Note that in so doing we are
defining what we mean by final record as opposed to being responsible for acquiring a
signature).
Name & Title of Person Responsible: Sparkle N. Ferreira
Implementation Date: 31st March, 2018
IM Implementation Action
N/A
Unreliable (Frequent crashes),
Documents in the system not searchable,
Use of the ERMS remote desktop (portal) is not at all
reliable”, etc.
6.3 Findings
‘Difficult to navigate
Incomplete
Disorganized
Inflexible
Does not meet the current physical and electronic needs of
staff
Difficulty in accessing the documents.
Electronic filing of documents needs to be improved to allow
for easier accessibility’.
document. Additionally, Newgen indicated in its proposal
document to the TTSEC that it could accomplish twenty-
eight (28) requirements as they were unsure about one (1)
requirement stated. In addition, it should be noted that IA
found that one (1) item was later determined by TTSEC to
not be applicable. However, ten (10) items of the twenty-
eight (28) requirements were not fully completed by the
Newgen team. Highlighted below are the unsure item, not
applicable item and not completed items:
Unsure item
i. Microsoft Office and all future Microsoft Updates
Not Applicable
i. Ability to read and access the current record structure as has
been created with Versatile
Not Completed
i. Electronic requests for file creation;
ii. Electronic logging of all Incoming Mail;
iii. Electronic management of ALL Mail for Despatch;
iv. Electronic logging & tracking of ALL Interoffice Memos;
v. Logging & Assignment of the receipt and processing of all
External requests;
vi. Barcoding of Files/Box Files/Documents/CD’s;
vii. Full Text Search;
viii. Ability to read and access the current records structure as has
been created with Versatile (import & data entry);
ix. User-friendly Access; and
x. Flexibility of the system (to adapt to change, for example
possible changes to the Commission’s filing structure).
6.6 Risks
6.8 Recommendations
6.11 RM -
6.12 IM – Recommendation noted.
RM Implementation Action
Objective # 3: To ascertain the accuracy and completeness of the
data transferred during the migration from previous Versatile
system to the new ERMS.
7.1 Findings
7.2 It was noted that items from 2008 to mid-2016 were migrated
to a ‘Versatile Migration Folder’ on the ERMS. A sample of
thirty (30) items was selected from the mail log (task listing)
which were received by RM prior to 2016. IA was able to
trace twenty (20) of these items in the new ERMS, which
was representative of sixty six percent (66%) of the sample.
7.3 Of the twenty (20) items traced to the ERMS, IA noted the
length of time it took to trace them, and on average it took
seven (7) minutes per item. Due to this time gap, the end users
may encounter productivity problems which may involve longer
intervals in obtaining information needed for completion of
job deliverables. However, it was noted that IA was not a regular
user of the ERMS and lacked the familiarity that would have
contributed to ease of use over time.
7.5 Risks
reputational risk for the Commission, if required to provide
documents and these documents cannot be retrieved.
7.8 Recommendations
7.11 RM -
7.12 IM – In progress
RM Implementation Action
8.0 IMPROVEMENT IN THE USE OF SYSTEM FOR
INPUT AND RETRIEVAL OF DOCUMENTS
8.3 Findings
8.5 Of the thirty (30) items tested in the ERMS, IA noted the
length of time it took to find these items. On average, it took
fifty one (51) minutes to locate these items resulting in under
two (2) minutes per item.
8.6.2 Additionally, the search function did not work constantly and
was not intuitive. That is, links to batches of documents or
related matters did not always function. The search
function did not drill down in terms of the specific matters
being searched for. For example, the search feature by
registrant acronym was the most responsive feature;
however, no search material was retrieved when attempts
were made to search by registrant’s acronym and a specific
key word. Also, the system didn’t contain prompts or related
options that would expedite the search time.
8.6.4 The viewing size for documents changed from page to page.
For example, an increase of the viewing size of the record on
the first page did not automatically adjust for the other
pages within the document.
8.7 Risks
8.9 Crucial information can be permanently lost with regards to
data not successfully migrated which may lead to
reputational risk for the Commission, if required to provide
documents and these documents cannot be retrieved.
8.10 Recommendations
8.11 It is recommended that reviews be done by Newgen to
improve the retrieval of documents and the ease of use of
information in the ERMS, making it less tedious for end
users, and to resolve the associated bugs in the system,
thereby boosting the overall efficiency of the Commission.
logging, inputting and retrieving staffers could be easily
achieved.
8.16 RM -
RM Implementation Action
Objective # 5: To assess the adequacy, effectiveness and
completeness of the process to rectify errors that arose during the
project phases and encountered by users.
9.2 The process to treat with errors involved an email being sent
to Newgen helpdesk, the issue would be logged and a ticket
number assigned followed by a request for a team viewing
remote session.
IA randomly selected five (5) tickets submitted to NEWGEN
and in all instances tested, there was proper authorisation
granted by the Commission to commence a team viewer
remote session with NEWGEN.
9.3 Findings
9.4 IA observed that there are two (2) error logs: one kept by the
IM Division, which contained thirty seven (37) issues of
which thirty two (32) were closed and two (2) were in progress,
and the other kept by the RM Department, which contained forty
eight (48) issues of which thirty seven (37) were shown as open.
There was no coordination between these two lists to
efficiently deal with errors that occurred.
9.6 IA observed that the actual dates on which issues were closed
were not recorded on the log, and thus, IA was unable to
estimate an average time it took to resolve the eleven
(11) closed issues. In addition, the error log did not contain
the ticket number or a unique sequential identifier number.
9.7 The Project Closure document reflected that the only major
open issue to date as per IM’s error log was the issue of
Migration. All other open and in progress issues as per RM’s
Error log were not documented.
9.8 IA noted that the Newgen project team was different from
the maintenance team assigned by NewGen. This resulted in
a longer time for rectification of errors. Additionally, the
vendor originated in India and this created a language barrier
when dealing with issues.
9.9 Risks
9.11 Recommendations
9.12 Due to the disparity among the initial two (2) logs and the
final unapproved log, it is recommended that IM and RM
embark on a clean-up exercise over RM’s initial Error log to
decipher which issues are actual issues and ensure that
the same are logged with NewGen for which corrective
measures or solutions can be offered by NewGen, to aid in
remedying the situation. The final approved log should be
updated with any missing issues and pertinent information.
This final approved error log should be agreed upon by RM
and IM and signed off. This should then be approved by the
CEO and sent to Newgen for a timeline for resolving open
issues.
issues to Newgen under the new format of reporting issues.
That is, via the use of new web-ex reporting template to
Newgen to be actioned. Also, IM should facilitate the remote
sessions which will be monitored while Newgen is
working on the system.
9.15 RM -
RM Implementation Action
Objective # 6: To ensure proper authorization over the access
rights of the system in order to preserve the integrity of confidential
data and assess the adequacy and effectiveness of the dissemination
of information (how and to whom).
10.3 Findings
10.5 Risks
10.8 Recommendations
inconsistent with their job functions. These reviews should
be a joint effort between process owners, the administrators
of the respective application and the IM division.
Documentation of the results of these reviews should be
retained for audit purposes.
10.12 RM -
RM Implementation Action
11.0 CONSISTENCY IN INTERVALS FOR CHANGING
PASSWORDS FOR NON ROOT AND ROOT
ADMINISTRATORS
11.1 Findings
11.2 IA observed that both the end users’ and RM users’ ERMS
logins were directly linked to their Windows login
credentials. Therefore, every time users changed their
Windows password, the login information for ERMS
changed automatically. IA noted that the “Draft
Operational Risk Manual”, Section 7.3.3: User Password
Management, stated that “all user passwords must
comply with the management standards specified within this
Operational Risk Manual. General Standards are that
passwords must be changed on a regular basis, based upon
how frequently the password is used. All end user passwords
and non-root administrative passwords should be changed
every forty five (45) days or less. All root administrator
passwords should be changed every thirty (30) days or less”.
11.4 Risks
11.5 If End Users and RM Users are not changing their
passwords at the recommended expiry dates, this increases the
risk of unauthorised access to their system through possible
password leakage.
11.6 Recommendations
11.10 RM -
RM Implementation Action
Name & Title of Person Responsible:
Implementation Date:
IM Implementation Action
12.3 Findings
the “Offsite back up storage record of tape movement” form
for the old batch of tapes returned would be verified to the
software generated numbering / coding on the cartridge label.
However, there is no physical evidence on TTSEC’s copy of
the form reflecting that this check was done. Therefore, there
is an issue that there is no signage area on TTSEC’s copy of
the form to reflect that a check was done to verify that the codes
of the tapes returned matched the codes stated on the form.
12.6 Risks
12.8 Recommendations
identification details as per the numbering on the tapes is the
same as per the identification details as per the “Offsite back
up storage record of tape movement” form.
12.11 RM -
12.12 IM – .
RM Implementation Action
adequacy of training for IM staff in maintaining and supporting the
system. Additionally, to assess the adequacy of the training for the
staff of the Commission in the use of the ERMS.
13.1 Compliant Control
13.2 Following the walkthrough that was done on the ERMS with
RM users, IA observed that the staff received the training
from the relevant software provider. Additionally, IA
reviewed the ‘User Manual for Process Workflow in ERMS
Solution’ and it was noted that the document was detailed
and it included visual screen shots which made it easy to
follow and understand.
Also it had a step by step approach to scanning, uploading
and indexing documents for both Omniscan and Omnidocs.
13.5 Findings
that functional staff were trained on the 25th and 26th June
2015 and, the end user staff members were trained on the
22nd, 23rd, and 24th June 2015. However, no evidence was
provided by RM as to the individuals trained, whether or not
this included all relevant personnel and who conducted the
training.
13.9 Risks
13.12 Recommendations
13.14 A refresher training session on the use of the ERMS by end
users should be done by RM since the last one held was over
a year ago.
13.16 RM -
RM Implementation Action
14.2 IA reviewed the Evaluation Form created by the RM
Department for ascertaining feedback on the ERMS. It was
observed that the form was adequate when compared to best
practice and the guide provided by the “Software Evaluation:
Criteria Based Assessment”, taken from the Software
Sustainability Institute.
14.3 Findings
14.5 Risks
14.6 Non-cooperation of staff in participating in future
questionnaires and evaluation exercises when responses
do not bring about change and issues seem to go unresolved.
14.8 Recommendations
14.11 RM -
RM Implementation Action
15.0 UPLOAD OF DOCUMENTS IN THE ERMS THAT
WERE NOT RECORDED IN VERSATILE AS
HIGHLIGHTED IN PREVIOUS AUDITS
15.1 Findings
15.3 Risks
15.5 Recommendations
missing documents should be compiled and submitted to the
General Counsel to determine the possible impact of not
having these documents. This recommendation is currently
being worked on and is still a work in progress item.
15.8 RM -
RM Implementation Action
to which funds were expended economically and efficiently and the
extent to which the related project was effective in meeting its
objectives.
17.1 The Post Implementation ERMS Value-For-Money (VFM)
audit was intended to examine how well the Trinidad and
Tobago Securities and Exchange Commission (TTSEC)
managed the project and its activities.
17.2 The initial approved budget (fiscal 2014/2015) for the ERMS
project was TT$1,641,195. It was however noted that some
components of the project were undertaken within the
2014/2015 fiscal year, while others were undertaken within
2015/2016.
proposal was the least expensive at TT$1,407,195, which was
TT$2,629,196 less than Digi data’s proposal. It should
be noted that the Annual Support Cost/Maintenance and
Support cost was factored into the bids for each company for
the first year. Going forward the Maintenance and Support
cost would be incurred on an annual basis.
17.6 Cost was one (1) of the main factors in the decision for the
award of contract. The time taken to complete these projects
was not allocated any points by TTSEC when awarding this
contract. It should be noted that the following timeframes
were estimated for the completion of the project: Digi data
proposed timeframe was twenty (20) weeks, InfoTech
proposed six (6) weeks and Newgen proposed fourteen (14)
weeks. Infotech offered to complete the project in the least
time while the other two (2) companies proposed timeframes
that were more than twice and thrice that of Infotech.
took into account the contract cost of TT$1,407,195,
other cost for hardware of TT$234,000 and an
unplanned cost of TT$148,435.29 (a supplementary
approval was granted for this additional sum by the
Tenders Committee for the unforeseen technological
costs for JBOSS Web and Application Servers
(clustering) for the purpose of high system availability),
hotel accommodation cost of TT$123,130.89, air
passage of TT$5,388.70 and staff associated variance overrun
cost of TT$868,856.35. This brought the overall cost/
real cost of the Newgen ERMS to about
TT$2,787,077.24, which was $1,379,882.24 over the contract
price and almost twice the original bid cost, and
$1,145,882.24 over the budgeted cost.
77,850.00
AIR PASSAGE: Trafalgar Travel Limited, 5,388.70
Staff overruns:
IM's Responsibility allowance and overtime, for periods between April 2015 to Mar 2016: 10,009.88
RM's Overtime, for periods between April 2015 to Mar 2016: 8,342.04
Salary Overrun
high volume of issues occurring on the ERMS. IA
nonetheless noted that the Commission was not required to
pay any additional cost directly to Newgen team to solve
these issues.
17.10 Conclusion
not having been achieved, this Value for Money-Economy
objective was not achieved for the ERMS project.
departments: the Disclosure, Registration and Corporate
Finance (DR&CF), Market Regulation and Surveillance
(MR&S), Compliance and Inspections (C&I), Human
Resource (HR), Policy Research and Planning (PR&P),
Finance and Library.
17.16 From the sample chosen only 29% of the sample used the
ERMS on a daily basis, 13% used it at least once weekly,
29% used it on a monthly basis and another 29% sampled
never used the system. If the results of the sample were
extrapolated, they would show that a large percentage of
staffers do not use the system and/or rarely use it. This was
further tied to the question “How often do you find what is
searched for?”; the results indicated that 60% of the five (5)
sample users had a 70% success rate. A follow-up question to
this was “Is it easier to request the hard files or use the
ERMS?” 100% of the sample indicated they would request the
hard files. The reasons for this were: to save time in locating
documents; the ERMS searching feature was not reliable, thus
requesting the hard copy files was a double check; and only the
cover pages of documents were located on the ERMS.
17.18 Conclusion
17.19 Under the Efficiency objective, the ERMS system does not
appear to have achieved any of the efficiency goals. With
respect to uploading documents to the Newgen ERMS it took
three (3) times longer with little additional benefit from the
previous Versatile ERMS. With the additional time and steps
needed to upload documents, a request from the Director of
Corporate Service Department was made for additional staff
and if granted would add cost to the Commission to an
already over budgeted system. Furthermore, the impression
on staff minds was that the system was difficult to use for
retrieving information and because of this, staff preference
was to request the hard copy files. This high demand for the
hard copy documents poses a further strain on the RM
Department.
17.21 IA reviewed the eight (8) goals and objectives of the ERMS
outlined in the proposal document ‘Electronic Records
Management Proposal’ page 4 and the ‘Project Closure
Report’ page 14. After reviewing the eight (8) goals and
objectives it should be noted, that three (3) of the objectives
were achieved, three (3) were not achieved and two (2) were
partially achieved. IA reviewed and verified that the
following three (3) achieved objectives were attained.
17.22 Findings
such should not be the primary search option for the staff.
Only about 5% of data may be displayed when a search is
conducted. It is therefore not reliable.” Considering the
aforementioned, the search capabilities of the ERMS are not
reliable and should not be relied upon to ensure all
documents searched for are located. This objective was
therefore labelled as partially completed because of the
limitation of the search capabilities.
The ability to certify a document (certify a document as a
true copy of the original by getting it signed and dated),
Accept and route e-documents (An electronic document is
any electronic media content (other than computer programs
or system files) that are intended to be used in either an
electronic form or as printed output).
After reviewing the ‘Electronic Records Management
Proposal’ page 4 and the ‘Project Closure Report’ page 14,
it was noted that ‘the ability to certify a document’ and
‘accept and route e-documents’ were objectives of the
Commission that were not delivered. These features were
however linked to Omniflow, which was not a module
provided by the Newgen team. IA could not find any
explanation or evidence on why this module was not
provided to achieve this objective.
17.26 Conclusion
17.27 Under the Effectiveness objective, the ERMS system did not
fully achieve five (5) of its eight (8) objectives. Although
the Commission was aware of these issues, to date no
solution was determined to fully complete the partially
achieved objectives or fulfil the objectives that were unable
to be achieved. Therefore, with sixty-three percent (63%)
of the goals and objectives not fully achieved, the Value for
Money Effectiveness objective was not achieved in this
ERMS project.
the projected timeframe for its implementation. This negative
impact on resources is continuous due to the added labour
intensive demand on RM department and continuous cost
being incurred by the Commission related to treating with
ongoing system errors.
17.30 Recommendation
24. (1) A person to whom this Part applies shall ensure that he
performs his functions and administers the public resources for
which he is responsible in an effective and efficient manner and
shall—
APPENDIX 2 Table Displaying the Issues and
Recommendations following KPMG’s review.
This table also reflects IA’s follow-up on the implementation status
of each Recommendation along with Management’s comments for
non-implementation on due dates.
Issue/Findings: Establish formal procedures for restoration testing of backups. IM’s draft Operational Manual contains a policy for Business Continuity Management as it relates to Computer Contingency Plans. While there is a Backup and Recovery policy, there are no documented procedures to support the policy.
Recommendations: IM Management should document and implement procedures for restoration testing of backups for critical systems.
Status of Implementation: Outstanding
Due Dates: May 2017
Management’s comments for non-implementation on due dates: On conduct of the Department’s strategic planning exercise at the end of 2016, it was noted that a revision to the Audit timelines was warranted, given the number of Strategic projects in which the Division was engaged on an annual basis. As such all dates have since been revised.

Issue/Findings: Backup media are sent to off-site storage (G4S) every Friday and rotated on a weekly basis. It was indicated by the Systems Analyst that backup tapes are tested in a test environment, however the test results are not documented. It was also noted that backups are not encrypted when sent offsite.
Recommendations: Restoration testing should be performed on a regular basis, preferably every quarter, to ensure the integrity, availability and reliability of the data in case of an emergency. Where possible, backup media should be restored and tested in a test environment similar to the “live” production environment. Additionally, the results of recovery testing should be documented for audit purposes.
Status of Implementation: Outstanding
Due Dates: June 2017
Management’s comments for non-implementation on due dates: The item is linked to the current virtualization of the server network, which would impact the current defined backup strategies. The current SAN Upgrade and Virtualization project is due to complete by June 1st.

Issue/Findings: Although, IM Management indicated that the Commission had an active SLA with a vendor for the 2013-2014 period that provided for Quarterly reviews of the backup application and an annual restore exercise, no evidence was seen of restoration testing of backups
Recommendations: Data on backup tapes should also be encrypted to prevent unauthorized access to sensitive information held.
Status of Implementation: Outstanding
Due Dates: May 2017
Management’s comments for non-implementation on due dates: On conduct of the Department’s strategic planning exercise at the end of 2016, it was noted that a revision to the Audit timelines was warranted, given the number of Strategic projects in which the Division was engaged on an annual basis. As such all dates have since been revised.