APPENDIX A 2 1. Background AUDIT OF ICT STRATEGY IMPLEMENTATION 1.1. This report summarises the findings from the audit of ICT Strategy Implementation. This was a planned audit assignment which was undertaken in accordance with the 2016/17 Audit Plan. 1.2. The two year Copeland Borough Council ICT Strategy was formally agreed at the Executive meeting in April 2015, following presentation of a report by the Interim Director of Commercial & Corporate Resources (& Section 151 Officer). 2. Audit Approach 2.1. Audit Scope and Limitations 2.1.1. The Audit Scope was agreed with management prior to the commencement of this audit review. The Client Sponsor for this review was Fiona Rooney, Interim Director of Commercial and Corporate Resources (Section 151 Officer). The agreed scope of the audit was to provide assurance over management s arrangements for governance, risk management and internal control in the implementation of the ICT Strategy. 2.1.2. There were no instances whereby the audit work undertaken was impaired by the availability of information. 3. Assurance Opinion 3.1. From the areas examined and tested as part of this audit review, we consider the current controls operating within the implementation of the ICT Strategy provide partial assurance. Note: as audit work is restricted by the areas identified in the Audit Scope and is primarily sample based, full coverage of the system and complete assurance cannot be given to an audit area. Cumbria Shared Internal Audit Service: Internal Audit Report Page 1
4. Summary of Recommendations, Audit Findings and Report Distribution COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy 4.1. There are 6 audit recommendations arising from this audit review and these can be summarised as follows: No. of recommendations Control Objective High Medium Advisory 1. Management - achievement of the organisation s strategic objectives achieved (see section 5.1.) 1-2. Regulatory - compliance with laws, regulations, policies, procedures and contracts (see section 5.2.) 1 - - 3. Security - safeguarding of assets (see section 5.3) 1 - - 4. Value - effectiveness and efficiency of operations and programmes (see section 5.4) 1 2 - Total Number of Recommendations 4 2-4.2. Strengths: The following areas of good practice were identified during the course of the audit: Governance arrangements for the implementation of the ICT strategy have been fully developed. Senior management are included in the governance framework. 4.3. Areas for development: Improvements in the following areas are necessary in order to strengthen existing control arrangements: 4.3.1. High priority issues: Governance arrangements have not always been effectively applied resulting in insufficient challenge to the implementation of the ICT Strategy. The ICT Strategy has not been implemented in accordance with the project management framework. Public Services Network (PSN) certification has lapsed. A risk register has not been developed for the implementation of the ICT strategy. Cumbria Shared Internal Audit Service: Internal Audit Report Page 2
4.3.2. Medium priority issues: Key messages in relation to the ICT strategy are not communicated to staff affected. Individuals have not been assigned to work streams. COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy Comment from the Interim Director of Commercial & Corporate Resources (&Section 151 Officer) This audit was requested by myself to ensure we were making solid progress on the implementation of the ICT Strategy that was agreed by Executive in April 2015. This audit has highlighted a number of areas that require further work and all recommendations have been agreed by management to be implemented. Cumbria Shared Internal Audit Service: Internal Audit Report Page 3
Management Action Plan COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy 5. Matters Arising / Agreed Action Plan 5.1. Management - achievement of the organisation s strategic objectives. High priority (a) Governance and Accountability Although clear governance arrangements for the implementation of the ICT Strategy have been documented and approved, these have not always been effectively applied. For example: Governance groups have not met regularly as set out in the terms of reference. Governance groups have not fulfilled their obligations as set out in the terms of reference. Lack of challenge on progress of implementation. Incomplete progress updates provided to the Business Theme Board. Minutes of the governance groups have not always been completed with sufficient detail to provide an accurate record of decisions, actions and responsibilities. Key officers have not been held accountable for the delivery of agreed objectives through regular appraisals. Agreed. This is a priority for us. We are revisiting the governance around ICT and a report will be presented to CLT once the Service Review is in place. Recommendation 1: Management should ensure that: Governance groups meet on a regular basis as set out in their terms of reference. Governance groups fulfil their obligations as set out in their terms of reference, including sufficient monitoring and challenge on project delivery. Provision is made for accurate minutes to be taken at all governance meetings. The objectives of key officers and accountability for these objectives should be formally agreed and documented through the appraisal process. ICT Strategy is not effectively implemented on a timely basis with consequent adverse impact on the achievement of Council s objectives. Fiona Rooney/Business Support Manager/Martin Stroud Cumbria Shared Internal Audit Service: Internal Audit Report Page 4
COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy 04/2017 5.2. Regulatory - compliance with laws, regulations, policies, procedures and contracts. High priority (a) Project Management Framework The report to the Executive in April 2015 required the ICT Strategy development to be managed in accordance with the Council s Project Management Framework. Assurance cannot be given that the implementation of the ICT Strategy has been managed in accordance with the Council s Project Management Framework. Agreed. Recommendation 2: The implementation of the ICT strategy should be managed in accordance with the Council s Project Management framework. ICT strategy is not managed effectively leading to delivery failure. Martin Stroud 03/2017 Cumbria Shared Internal Audit Service: Internal Audit Report Page 5
COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy 5.3. Security safeguarding of assets. High priority (a) Public Services Network Certification The Public Services Network (PSN) compliance process exists to provide the PSN community with: Confidence the services they use over the government s high-performance network will work without problems. Assurance that their data is protected in accordance with suppliers commitments. The promise that if things do go wrong they can be quickly put right. Full compliance with PSN is included as a high level work stream in the ICT work plan, with a requirement for completion by March 2016. During audit testing in June 2016, the MIS Manager stated that the PSN compliance certification had lapsed. Agreed. Recommendation 3: Management should seek assurance from the MIS Manager regarding PSN certification, ensuring that it is brought up to date and remains current. Disconnection from the Public Services Network. Fiona Rooney 12/2016 Cumbria Shared Internal Audit Service: Internal Audit Report Page 6
COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy 5.4. Value - effectiveness and efficiency of operations and programmes. High priority (a) Risk Register A report to the Council s Executive in April 2015 stated that risks to the implementation of the ICT Strategy will be monitored and managed through the ICT Steering Group. The Project Management framework requires a documented risk register, which is owned by the Project Manager to ensure that risks are managed as efficiently and effectively as possible. Risks to the implementation of the ICT Strategy have not been monitored through the ICT Steering Group using a documented risk register. Agreed. Whilst risks are reported and discussed, the structure of the reporting needs to align to the ICT Strategy. Recommendation 4: A risk register should be developed for the implementation of the ICT Strategy, to identify, analyse, evaluate and mitigate risks that could impact on delivery. Project risks are allowed to escalate without management action leading to strategy failure. Business Support Manager/Martin Stroud 04/2017 Medium priority (b) Communication of the ICT Strategy Service representatives attend the ICT working group meetings but their roles have not been defined. There is no clear plan as to how key messages relating to the ICT strategy are communicated back to the directorates. Agreed Recommendation 5: A clear communication plan should be developed setting out what, when, how and by whom the Cumbria Shared Internal Audit Service: Internal Audit Report Page 7
COPELAND BOROUGH COUNCIL Audit of Implementation of ICT Strategy messages should be circulated so that all those affected by ICT strategy delivery are kept informed. Benefits of ICT strategy are not realised because staff are unaware. Lack of staff engagement and participation. Business Support Manager/Martin Stroud 03/2017 Medium priority (c) Responsibility and Accountability for Work Streams The ICT working group haven t formally allocated responsibility for the individual work streams as part of the group s responsibility to develop and implement the ICT strategy plan. Without formal allocation of responsibility, management cannot hold individuals accountable for delivery. Agreed Recommendation 6: The ICT working group should assess the skills sets of ICT staff/ management and formally assign appropriate individuals to work streams, establishing clear accountability for performance and delivery for each aspect of the ICT strategy implementation. Individual work streams underperform with accountability for those work streams unclear. Business Support Manager/Martin Stroud 04/2017 Cumbria Shared Internal Audit Service: Internal Audit Report Page 8