NHS Fife 2015/16 Audit Computer Service Review Follow Up Prepared for NHS Fife April 2016
Audit Scotland is a statutory body set up in April 2000 under the Public Finance and Accountability (Scotland) Act 2000. We help the Auditor General for Scotland and the Accounts Commission check that organisations spending public money use it properly, efficiently and effectively.
Contents
Introduction
Background
Audit scope and objectives
Risk identification
Overall conclusions
Management Action
Acknowledgements
Findings
Appendix A - Action Plan
Introduction

Background

1. As part of our 2014/15 audit we carried out a computer service review in which we considered whether NHS Fife has an adequate control framework to manage the computer service and the systems and infrastructure providing support to the user departments. We reported our findings from the review in June 2015. As part of our 2015/16 audit we have followed up the action taken following the 2014/15 report.

Audit scope and objectives

2. Audit Scotland's Code of Audit Practice requires us to assess the systems of internal control put in place by management, and it is good practice to follow up on our findings. In carrying out these follow-up reviews, we seek to gain assurance that NHS Fife has made progress in implementing actions aimed at reducing the board's risk exposure.

Risk identification

3. Risk exists in all organisations which are committed to continuous improvement and, inevitably, is higher in those undergoing significant change. The objective is to be risk aware with sound processes of risk management in place rather than adopting risk-averse strategies.

4. This follow-up review has focused on measuring the progress made on the risks identified at that time and not necessarily, therefore, all the risk areas that may exist. It remains the responsibility of management to determine the extent of risk control appropriate to NHS Fife. We would stress, however, that an effective internal control system is an essential part of the efficient management of any organisation.

Overall conclusions

5. Management has addressed three of the four areas identified in the action plan. Although work had been done on the fourth area, service level agreements, the actions taken have not addressed the risk relating to appropriate ehealth service provision highlighted in our previous report.

Management Action

6. Progress against each of the agreed actions is detailed in Appendix A to this report. One outstanding action remains from last year, and the planned action, responsibilities and timescales for action in response to the identified risk exposure have been provided by management.
Acknowledgements

7. The contents of this report have been discussed with the ehealth ICT Manager to confirm factual accuracy. The assistance and co-operation we received during the course of our audit is gratefully acknowledged.
Findings

8. The 2014/15 Computer Services Review highlighted four areas of risk relating to:

- service level agreements
- development and maintenance of skills
- ehealth funding
- disaster recovery testing.

9. Although the board has made progress in improving their ehealth service levels to above the target levels specified in the service level agreements, they have not formally considered if the service levels defined in the service level agreement are appropriate to support the front line services. Since the ehealth service levels were defined in 2013, the board's front line service delivery reliance on technology has increased substantially, and this reliance will continue to grow with the local implementation of the ehealth strategy. The risk remains that the ehealth service provision may be insufficient to support front line services.

Refer to updated action plan, no. 1

10. Progress has been made in relation to the remaining three areas as follows:

- development and maintenance of skills: we are pleased to note that the ICT staff had been trained in project management and ICT service management and support.
- ehealth funding: the board has raised the non-recurring nature of ICT funding with the Scottish Government Health department and, although this has not changed, continues with their local ehealth plan implementation.
- disaster recovery testing: the ehealth department has now conducted a disaster recovery test and scheduled further such exercises.
Appendix A - Action Plan

No. 1

Issue, Risk & Recommendation:
Defined service levels are not appropriate to support the level of dependence and reliance that the board places on their ehealth services.
Risk: The ehealth service provision may be insufficient to support front line services.
Recommendation: The board should refresh their service level agreements with due consideration to the level of dependence and reliance on the service at present and the further changes planned for the future.

Management Response & Proposed Action:
Refresh of SLAs ongoing.
Alan Young, ICT Manager
March 2016

Progress and status as at April 2016:
Service levels reported for both ehealth GP support and for ehealth general service support show improvement over the six months to February 2016 and have brought the incident resolution rate to above the 80% target from December 2015 for GP support and from August 2015 for general service support.
The ehealth department has combined the GP support team with the general support team to create a single support team for the board. The team leaders and support teams now focus on improving the performance. Management intends to further improve service delivery by strengthening the server support team by August 2016.
However, the board has not formally considered if the service levels defined in the service level agreement are appropriate to support the front line services as the board's reliance on technology for their front line service delivery increases.

Updated action plan:
Update on proposed action: ICT Management carried out a SLA situation report in March 2015. This report made a similar recommendation but a decision was made to focus on improving performance against the current SLAs and continue the rollout of Windows 7 to frontline services. A review will take place in March 2017 when Windows 7 is fully embedded.
Responsible officer: Allan Young
Action date: March 2017
No. 2

Issue, Risk & Recommendation:
The skills and expertise required to deliver the ehealth service have not been defined.
Risk: Key skills required to deliver the ehealth service might not be available, which could impact on the range and effectiveness of the ehealth service.
Recommendation: The board should formally define the skills required to provide their ehealth service, match these to the skills available within the department and develop a resourcing strategy to fill any identified gaps.

Management Response & Proposed Action:
Each Senior Manager will ensure skills are in place for their respective strands. This will be delivered at an individual level / department level but will contribute to Directorate training plan. Prince 2 was treated "globally" as it was a recognised gap identified collectively by senior management within ehealth.
William Edwards, Head of ehealth
December 2015

Progress and status as at April 2016:
The key skills gaps identified were in service management and project delivery, and 21 ehealth staff members attended project management training. 23 members of staff attended service management training, with 16 obtaining formal certificates recognising that they have mastered the training material at foundation level.
The focus on project delivery has contributed to the completion of projects that were in the implementation phase for a long time.

Updated action plan:
Complete.

No. 3

Issue, Risk & Recommendation:
The board relies on non-recurring funding for the provision of ehealth services. Non-recurring funding is currently available until 2017.
Risk: The ehealth service may not be sustainable without recurring funding.
Recommendation: The board should ensure that their ehealth service is fully supported by recurring funding and that non-recurring funding is used solely for the development of new services.

Management Response & Proposed Action:
NHS Fife recognises the non-recurring status of our annual ehealth funding allocation. Discussions have taken place with the Scottish Government ehealth Directorate to transfer this to recurring fund. We will continue to try and rectify this.
Chris Bowring, Director of Finance
Ongoing

Progress and status as at April 2016:
Board management has raised the non-recurring nature of funding with the Scottish Government Health Department and has gained a better understanding of the board's ehealth budget, which has enabled them to continue with the local ehealth plan implementation.

Updated action plan:
Complete.

No. 4

Issue, Risk & Recommendation:
The ehealth department has tested their disaster recovery procedures in the past, but a schedule to ensure frequent and comprehensive testing is not in place.
Risk: Staff may not be fully conversant with recovery procedures or procedures might have become outdated.
Recommendation: Disaster recovery procedures should be tested on a rotational basis that ensures that all aspects are included, the procedures are effective and that staff are fully conversant with the procedures and can implement them in a variety of disaster scenarios.

Management Response & Proposed Action:
We will develop a plan for a disaster recovery testing programme, with a view to having one scenario/test per year.
William Edwards, Head of ehealth / Alan Young, ICT Manager
November 2015

Progress and status as at April 2016:
A 'desktop based' network test was conducted in January 2016 and a further exercise is planned during the first half of 2016 to comply with the ISO 27001 certification.

Updated action plan:
Complete (subject to further ISO 27001 exercise).