Un-classified. Date Monday 22 August 2011 Clearance of internal audit recommendations


Meeting: Executive Team
Date: Monday 22 August 2011
Paper title: Clearance of internal audit recommendations
Agenda item: 5.0
Discussion time: 15 minutes
Purpose of paper: Discussion / information [If a decision you must complete the template overleaf]
Restrictions on public access including staff: Restrictions? N (If Y please give the reason for the restriction below.)
Presenter: Peter Bloomfield
ET sponsor: Robert Parker
Corporate Plan aim: 8.3 improve our corporate governance so it becomes embedded in the ICO culture.

Summary

Audit Committee review performance in clearing internal audit recommendations at every meeting. Their next meeting is in September and the most up to date register of audit recommendations is presented here for information and for comments. It will be finalised at the end of this month for Audit Committee.

Please note:
1. Recommendations late as of the end of August will be shown as red in the final version.
2. Where we are dependent on government decisions to clear recommendations (greyed out in the register) this will be flagged up to Audit Committee.
3. There is an outstanding action point from the last Audit Committee for me to consider amendments to recommendations relating to performance indicators, balanced scorecards and value for money reporting (page 3).

Who has been consulted? [eg staff, stakeholders, trade unions]
Michael Collins and have provided updates.

Audit recommendations follow up 2011/12

Introduction

This paper lists outstanding audit recommendations (internal and external [1]) and reports on current status.

Points to note

[To be completed prior to the next audit committee]

[1] External audit recommendations are covered in the annex.

Performance in clearing internal audit recommendations

Table columns: Date of Audit Committee; Actions added since last meeting; Actions cleared since last meeting; Outstanding high risk actions (On track / Late); Outstanding medium risk actions (On track / Late); Outstanding low risk actions (On track / Late)

Entries: 12/09/11; 1. To be completed prior to the next Audit Committee.

Peter Bloomfield
Senior Corporate Governance Manager
Corporate Governance

Audit (as listed): Follow up to 2007/08; Follow up 2007/08; Governance and key financial systems; Corporate Governance; Corporate Governance
Risk level (as listed): Low

2008/09, No 3: Equal opportunities recording
Owner: Michael Collins, HR Manager
Recommendation: Equal opportunities information should be recorded directly onto CIPHR.
Response: Equal opportunity information will be recorded onto CIPHR once roll-out of a self service capacity is complete. This is planned for October 2011 but there is a risk that full roll-out might take longer.

2008/09, No 4: Corporate performance framework
Owner: Christopher Graham, Commissioner
Recommendation: The ICO needs to develop a range of key performance indicators that can, at the top level, give MB satisfaction that the overarching objectives are met.
Response: MB has agreed a set of measures showing performance against vision. These will be brought to the November MB. In addition supporting indicators will be developed in seminars held during September.

2008/09, No 1: Committee self assessment
Owner: Peter Bloomfield, Senior Corporate Governance Manager
Recommendation: A self review is performed at the end of the financial year for each committee, to ensure it is working effectively and meeting its responsibilities.
Response: Questionnaires have been sent to MB, AC, ET, RemCo and IRC members; results are being collated. This will happen annually.

2009/10, No 6: Balanced scorecard
Owner: Christopher Graham, Commissioner
Recommendation: To summarise ICO performance against key objectives, a balanced scorecard report should be presented to each Management Board to provide a simple portrayal of the overall performance of the ICO.
Response: MB has agreed a set of measures indicating performance against the vision. These will be brought to the November MB.

2009/10, No 7: Value for money
Owner: Christopher Graham, Commissioner
Recommendation: The ICO should assess how it delivers value for money. ET should then report annually to MB on how the ICO obtains value for money. This may include comparisons against other similar public bodies.
Response: Partially complete. A report covering corporate areas came to MB. More work is needed on Operations, Strategic Liaison and Policy Delivery. Development of the balanced score card and performance indicators (see above) will feed into this work as will an internal audit of Strategic Liaison value for money.

Due date / Date cleared (as listed): 31/03/10; 31/03/10; 1/10/09; 17/08/11; 31/03/10; 26/04/10

Risk level (as listed): Low; Low

2010/11, No 1: Staff risk group
Audit: Risk management
Owner: Robert Parker, Director Corporate Affairs
Recommendation: Management should discuss the results of the risk management questionnaire and devise an action plan to better embed risk management.
Response: The final action is for the setting up of an across ICO risk management group. Volunteers have been sought and a first meeting will be scheduled by 31/08/11.

2010/11, No 2: Use of CIPHR
Audit: Payroll
Owner: Michael Collins, HR Manager
Recommendation: To reduce the inefficiency of inputting the information on two systems, management should investigate using reports generated from the CIPHR system to complete the payroll worksheet sent to CAPA.
Response: The decision has been made to use CIPHR reports to help populate the payroll spreadsheets; eg with details of new starters, sick leave etc. Direct electronic links will not however be used.

2010/11, No 2: Audit champions
Audit: Good Practice Function review
Owner: Louise Webb, Head of Good Practice
Recommendation: Auditors should be assigned as champions for an area of DP risk or of a particular sector, to be a repository of information identifying common issues/good practice in these areas which they can share with colleagues.
Response: Complete. As part of induction for staff a skills set matrix has been developed showing champions in specific areas and relevant staff experience in previous employment. A further document identifies information on specific issues and sectors to help knowledge sharing and audit report preparation. There is also a team meeting standing agenda item to share learning.

2011/12, No 1: Government ICT landscape
Owner: Simon Entwisle, Director of Operations
Recommendation: Talks are held with the MOJ, CO and other government stakeholders to identify potential barriers to procurement activity and to better understand the government ICT landscape and its impact on the future delivery of at the ICO.
Response: The ICO is liaising with the MoJ and the will continue to review government direction. It is anticipated that there will be a government update on procurement in August

Due date / Date cleared (as listed): /03/11; 31/07/11; 28/07/11; 30/06/11; 21/06/11; 31/08/11

Audit (as listed): review
Owner (as listed): David Wells

2011/12, No 2(a): Options and risk analysis
Recommendation: An options study should be completed to allow further consideration of mechanisms to deliver services. The current contract expires in July 2012, but is to be extended to An options study should identify pros and cons of the current relationship and delivery mechanism, identify future need and the options to provide single supplier, multi-supplier or in-house delivery. This should include partnering options, shared services, g-cloud and delivery options.
Response: Approval has been given for the recruitment of an experienced person on a short fixed term contract to undertake this study. The job description has been agreed and an advertising campaign is being finalised with HR. Timing has slipped however and it is now expected that a draft study will be completed by 31/12/11 and a final draft agreed by 31/03/12.
Due date: 31/07/11

2011/12, No 2(b): Options and risk analysis
Recommendation: A series of risk workshops should be completed with ET and senior management to understand the requirement, the perceived risks and the framework to ensure these are fully considered within the options exercise and procurement process.
Response: A risk register will be written and engagement with ET, MB and AC will take place. Risks have already been identified through work on the strategy and will feed into planning and the scoping of the options study (see above). A risk workshop will be run as part of the scoping process. Timing has slipped and it is expected that this will now be completed by 31/12/11.
Due date: 31/08/11

2011/12, No 2(c): Options and risk analysis
Recommendation: A review of services provided by the Team and Capita should be undertaken. With the options study and the analysis of need, this will allow the drafting of the '2013' requirement and assist in identifying which of the options is most likely to fit.
Response: Agreed. Timing has slipped and it is expected that this will now be completed by 31/12/11.
Due date: 30/09/11

Audit (as listed): Review; Review; Review
Owner (as listed): David Wells; Robert Parker, Director Corporate Affairs; Robert Parker, Director Corporate Affairs

2011/12, No 3(a): In house delivery
Recommendation: A review of the team's skill base should be undertaken and be mapped against services and skills offered by Capita. It should include a gap analysis. This will allow analysis of the ease of developing an in-house offering and associated costs (transitional and ongoing) to inform options and how the Team will need to adapt; eg to partial in-sourcing, multiple contract out-sourcing, etc.
Response: Agreed.
Due date: 30/09/11

2011/12, No 3(b): In house delivery
Recommendation: A review of existing policy and procedures should be done to identify gaps currently met by Capita. An assessment can then be made of the need for development of existing policies / procedures or the need to develop new policies / procedures. This development overhead may be a significant element in any move to in-house services.
Response: Agreed.
Due date: 30/11/11

2011/12, No 4(a): Web strategy
Recommendation: We recommend that in the short term the web development contract is extended by six months to allow further options on delivery to be explored as part of the options study.
Response: Government policy on websites and web development means that the ICO's site's future is uncertain and subject to the decisions of government. However, any re-procurement will look to align hosting and development if at all possible. We are keeping the situation under review.
Due date: 31/10/11

2011/12, No 4(b): Web Strategy
Recommendation: The Web Strategy should be revisited and an analysis undertaken of the service requirement and provision options completed. This will allow an informed view of who within the ICO should manage the different elements of the service (technical infrastructure, web content, security, ergonomics), and how this is to be delivered.
Response: Government policy on websites and web development means that the ICO's site's future is uncertain and subject to the decisions of government. However, any re-procurement will look to align hosting and development if at all possible. We are keeping the situation under review.
Due date: 31/10/11

Audit (as listed): Review; Review; procurement review; Review

2011/12, No 5(a): Staff issues
Recommendation: We recommend early consideration of the TUPE aspects of the contract renegotiation and suggest all parties are approached early in the process to give an initial indication of the potential costs of the TUPE transfers.
Response: To be considered in the evaluation of options and to be reviewed in April.
Due date: 30/04/12

2011/12, No 5(b): Staff issues
Recommendation: There should be a staffing strategy to consider the impact of the procurement issues such as TUPE, additional skills requirements and succession planning. Whichever option is adopted, there will be a considerable impact on existing staff which needs consideration and management.
Response: To be considered in evaluations of options with the support of Organisational Development. Will also be included in discussion of risks (see 2c). To be reviewed in April.
Due date: 30/04/12

2011/12, No 6: Project Structures
Recommendation: Project Board, structures and plans should be developed as a matter of urgency to ensure that the timescales to procurement are understood and managed.
Response: A project board has been set up but its first meeting has been delayed due to other commitments. The project brief and PID have yet to be agreed.
Due date: 30/07/11

2011/12, No 7: disaster recovery
Recommendation: A new Disaster Recovery Strategy and options need to be considered to provide elements of warm stand-by and ensure continuity of operation for users in the event of an outage. This should be removed from the existing contract and considered as an additional work stream outside of the contract renegotiation.
Response: A gap analysis will be undertaken using findings from the business continuity internal audit and the current DR/BC provision. Work has started on a technical evaluation of improvements to the plan to give greater resilience for remote access and regional offices. Government strategy is to consolidate data centres and is the most likely final destination for most of the ICO's hardware. Any such provision would be expected to provide adequate BC and DR. The contract extension must provide maximum flexibility around provision of DR, including early termination of Sunguard.
Due date: 30/11/11

2011/12, No 8(a): Contract Management
Audit: Review
Recommendation: The Capita contract needs to be reviewed and all changes incorporated prior to initial renegotiations.
Response: Work underway and largely complete. Completion now expected 30/09/11 due to other commitments for both ICO and Capita.
Due date: 31/08/11

2011/12, No 8(a): Contract Management
Audit: Review
Recommendation: Where consideration is being given to the novation of contracts as part of a move to in-house contract management, the requirements of the novation process need to be fully identified and understood and the impact on new and further tendering exercises explored.
Response: For services brought in-house or contracted for directly, work will identify processes for novation arising at contract end and in the provision of new services. Changes in Government strategy may change current legal requirements and procurement routes. The next update on this is expected in August
Due date: 31/01/12

2011/12, No 1: Skills and resources
Audit: DUIS replacement
Risk level: High
Recommendation: That a skills and resource gap analysis is done to outline and understand the level of internal knowledge and skills available, and the extent of the external requirement, to meet the specialist demands of the project. This should inform the project plan and form part of the budgeting process.
Response: Complete.
Due date: 14/07/11
Date cleared: 14/07/11

Risk level (as listed): High; High

2011/12, No 2a: Clarity and control over project costs
Audit: DUIS replacement
Recommendation: That prepares a plan which outlines the detailed requirement to procure and implement a full application development and test platform. This should identify procedures to be adopted and developed in order to manage the technology and clearly outline and a methodology for software migration and release management.
Response: Brief prepared for development and testing and live environments, and a proposal received from CAPA which has been reviewed and an order placed. Delivery expected by 30/09/11. Documentation of migration and release methodology to take place during September and to be in place before environments are used. Closure expected by 30/09/11.

2011/12, No 2b: Clarity and control over project costs
Audit: DUIS replacement
Recommendation: A detailed budget should be developed, including a contingency element. Weekly reporting and tracking of costs should form part of project status reporting.
Response: There is a standing item at each project board meeting to review expenditure and budget. A budget tracking spreadsheet has also been created. The full project plan, development estimates and budget will be available at the end of the define and plan stage.

Due date (as listed for 2a and 2b): 01/09/11; 30/09/11

2011/12, No 3: Maintaining an up to date project risk register
Audit: DUIS replacement
Recommendation: That the project risk register is brought up to date to include all known risks and those recently outlined in an ET paper. The register should be reviewed weekly and form part of the project status reporting to the project board to ensure full monitoring and management of project risks.
Response: Complete
Due date: 14/07/11
Date cleared: 14/07/11

2011/12, No 4: Benefit and requirements analysis for the new DUIS system
Audit: DUIS replacement
Recommendation: That the business benefits of the new DUIS system are fully clarified and outlined to provide measurable and achievable objectives, allowing the success of the project to be evaluated in the future. At the same time the ICO should finalise the requirements analysis and definition of the specification prior to commencing development. Both aspects should be completed as a matter of urgency.
Response: Business benefits have been identified. These were used to give direction to the business process workshops; the output from which is being used to develop a specification during August and September.
Due date: 31/10/11

Annex

External audit recommendations

1. Non-contractual Severance Payments (Priority 1)

Observation
We noted that there were two severance packages paid to employees that included non-contractual payments in lieu of notice. These payments were approved and paid without the requisite authority (in this case HM Treasury via the Ministry) as required by the ICO's Financial Memorandum and Managing Public Money.

Risk
There is a risk that non-contractual payments like those made during may give rise to an expectation that such payments will be made in future severance cases. There is a significant risk that such payments will not be approved by HM Treasury causing reputational damage for the ICO and would risk a regularity qualification on the financial statements.

Recommendation
All potential severance payments should be examined against the requirements of the ICO's Financial Memorandum and Managing Public Money. HM Treasury approval (via the Ministry of Justice) should be sought for non-contractual payments prior to them being agreed.

Management response
Agreed and complete. Staff have been reminded of ICO obligations in this respect and this will help ensure that these lapses in regularity are isolated events. The Treasury has been advised of this lapse in regularity and retrospective consents have been received from Treasury.

2. Changes to Capita Monthly Services (Priority 2)

Observation
We gave an update to the Audit Committee following our audit of the first nine months in where we identified that material changes had been agreed to monthly services without a formal agreement in place. We are pleased to note that IS projects have been closely monitored for the remainder of the Financial Year. However the risk identified remains significant.

Risk
There is a risk that changes or updates to services provided by Capita are arranged without formal agreement in place. The ICO is at risk of committing to costs it does not have the availability of budget to fund.

Recommendation
The ICO should continue to ensure that IS and Finance liaise closely to ensure that all additional costs are captured in the financial statements. Consideration should be given to introduce a formal process that enables Finance to maintain the required oversight of ongoing costs and future commitments.

Management response
Agreed. Close financial scrutiny will continue with the intention of creating a formal process. This recommendation will initially be fed into the current Back Office review for thoughts on how to progress. (Information Commissioner December 2011)

3. Preparation of Accounts on an Accruals Basis (Priority 2)

Observation
The ICO maintains its financial records using a SUN general ledger which reports on a cash receipts and payments basis. We understand that this allows the ICO to report to the Ministry in line with the cash controls contained within the Framework Document. However, a consequence of this is that in-year reporting is not conducted on a full accruals basis and as such may not give a complete view of the ICO's position at the end of each month. In addition, the use of the current system means that the preparation of the financial statements requires extensive manual intervention to transform the balances within the ledger onto an accruals basis.

Risk
In-year reporting on the current basis increases the risk that business decisions are made without a complete picture of the ICO's financial position, in particular its existing liabilities. Manually prepared balances are time-consuming to prepare and support. They are also subject to increased risk of human error and could be used to override the system of internal control in place over the cash receipts and payments procedures.

Recommendation
We are aware that the ICO is considering implementation of a new accruals based financial system. The ICO should ensure that the business case and plans for the implementation of a new system minimise the need for manual interventions and mitigate risks of error and override of controls.

Management response
Agreed. Changes to the Framework Agreement are anticipated to remove the cash control. The ICO is proceeding along these lines and will ensure that the plans for implementation achieve this. The project is currently anticipating a go-live date of 1 April 2012 but is subject to procurement and budget decisions at present. (Head of Finance March 2012)