Audit, Fraud and Risk Management Software Consideration to Purchase

Transcription

1 Agenda Item Executive Member for Resources and Advisory Panel 18 July 2005 Report of the Assistant Director (Audit and Risk Management) Audit, Fraud and Risk Management Software Consideration to Purchase Purpose of Report 1 This report presents details of the recent tender evaluation exercise undertaken to identify new software systems for the Audit, Risk Management and Fraud teams. The purpose of the report is to seek Members approval for the purchase of the two chosen software applications. Background 2 The Internal Audit team currently undertake and record the results of audit work using predominately manual systems audit files, working papers and reports. Computer applications such as Microsoft Word and Excel are used to support audit work wherever possible. 3 The systems used to support the business operation are a mixture of spreadsheets and manual records. The systems have all been developed in-house. Use is also made of the Cedar time-recording system. 4 The limitations of the existing arrangements have been recognised for a number of years. Internal Audit scored only 2 out of 4 in the last CPA auditor scored judgements. The Audit Commission has also raised concerns about Internal Audit in recent management letters. These concerns include; the ability and capacity of the team to deliver the audit plan; the quality of the information systems used to monitor audit input and outcomes. The Audit Commission have consequently recommended that investment should be made in new management information systems. 5 The Fraud Team currently uses an Access Database to record the results of investigations. The database was developed in-house approximately 5

2 years ago by a previous Fraud Team manager, who has since left the Council. The database is unreliable and various parts of the system can no longer be used. The system is not supported technically by the ITT department and cannot be developed further. The system also does not provide any management or performance related information and as a consequence the Team has to maintain various spreadsheets and manual records. Manual case files are also maintained which duplicate the information recorded on the Access database. 6 The recording, analysis and reporting of fraud information is time consuming and the current processes are inadequate to facilitate decision making. The Benefit Fraud Inspectorate, in their inspection report, raised a number of serious concerns about the system and in particular the lack of performance related information to enable the service to be managed effectively. 7 Risk Management is a relatively new function within the Authority and was established following the Risk Management Best Value Review in 2001/02. It is a corporate function with overarching links to Audit. The assessment of corporate risk is information intensive and to date this has been achieved through the use of Word documents and Excel spreadsheets. 8 The team is small and to be able to work effectively and accurately it is necessary to purchase specific risk management software to assist the process. Risk Management scored only 2 out of 4 in the last CPA auditor scored judgements. The Audit Commission have also pointed out in this year s Governance Report that operational risk management needs to be embedded across the Authority. It will not be possible to extend risk management and achieve a higher CPA score without acquiring software to support the process. 9 It is recognised that the current arrangements within all three areas are ineffective and do not enable the teams to work in the most efficient manner. The existing systems have evolved over a number of years and cannot easily be developed further. Improvements in efficiency and productivity will only come through investment in improved systems. 10 A business case for investing in an integrated Audit, Risk Management and Fraud system was prepared and a bid to support and fund the implementation of such a system was made against the 2005/06 Information Technology and Telecoms (ITT) Development Plan. The bid was considered and approved by the Executive on 26 October The total approved budget was as follows; Capital 45,323 Annual revenue costs (from 2005/06 onwards) 16,931 The capital budget is used as a guide only since the hardware, software licences, training and implementation costs are financed by means of a five

3 year leasing arrangement. The leasing costs, together with the annual maintenance costs are charged against revenue budget. 11 Implementation of new systems within the Audit, Fraud and Risk Management teams will help to deliver; improved effectiveness in the arrangements for monitoring the Council s corporate governance arrangements, including the systems necessary to produce the annual Statement of Internal Control; improved reporting arrangements to Members and senior management on risk management and corporate governance matters; improved perception of the service by the Audit Commission and BFI, and hence the likelihood of improvement in the current auditor scored CPA judgements for the three teams; more effective risk management arrangements within the Council, including easier monitoring of strategic and operational risk registers; a reduction in the time necessary to complete audit assignments of between 5% and 10% (based on experience of other local authority internal audit teams); improved quality of output resulting in quicker and more consistent audit reporting and fraud case file preparation; reduced printing and stationery costs; more effective resource allocation within the audit and fraud teams so that current and developing risk areas can be effectively identified and targeted; significantly improved management information and reporting; reduced file storage requirements; improved data security particularly in respect of sensitive fraud investigations. Tender Evaluation 12 Initial analysis of the market identified a number of possible software applications which could provide an integrated audit and risk management solution. However, none of these applications also provided the functionality required by the Fraud team, without potentially expensive customisation. A number of separate fraud systems were however identified. The decision was therefore taken to procure two separate applications, one for audit and risk management and the other for fraud investigation. The two applications would however be co-hosted on the same server and be implemented in tandem.

4 13 Detailed technical and user specifications for the two systems were prepared. Potential suppliers were identified and confirmation sought that their applications would operate in a Citrix environment. Those systems which did not meet the Council s IT standard were discounted. Tenders were subsequently invited from the following suppliers; Audit and Risk Management Supplier Howarth Software Services Morgan Kai Pentana Product Galileo/Magique (.net version) AuditVision PAWS Fraud Supplier Anite Civica Intec Public Sector Business Integration Technologies (BIT) Product FIMS II FDMS Incase RITE - ICM 14 Product demonstrations were also arranged for all the applications. The tender responses and demonstrations were scored by the project team and a shortlist of the most suitable products was then agreed. Two references were then obtained for each of the short-listed products. 15 The tender submissions were scored on the basis of both price and quality (using the most economically advantageous tender approach). The results of the product demonstrations and the references were also used to inform the quality assessment. The following criteria were considered as part of the quality assessment; functionality; performance, flexibility and ease of use; training; ongoing support and product development; previous experience of similar projects; customer base and knowledge of local authority requirements. Each of the products were also subject to a detailed technical evaluation. 16 The results of the tender evaluation are summarised in Confidential Annex 1. The two products which achieved the highest scores in the tender evaluation exercise were Galileo/Magique (for audit and risk management) and Incase (for fraud).

5 17 The Howarth Galileo/Magique product meets all the requirements detailed in the technical and user specification. The application has a good look and feel and offers clear links between risk management and audit activities. Galileo/Magique is used by an extensive number of organisations, including over 50 local authorities, of which 15 have implemented the latest.net version. The supplier has a good track record of working with the public sector. The supplier also offers good ongoing technical and user support as well as a commitment to future product development. Good references were received from the Councils contacted during the tender evaluation process. The Pentana PAWS product meets all the requirements detailed in the technical and user specification. However, the product has only been implemented fully by one other local authority. The underlying technical architecture is also considered not to be as advanced as the Galileo/Magique product. 18 The Civica (FDMS) and Intec (Incase) products both meet the minimum requirements detailed in the technical and user specification. The look and feel of Incase was however considered to be marginally better than FDMS and would require less change in current working practices. Intec has a larger local authority user base for their fraud system than Civica. Good references were also received from the authorities who use Incase. In addition, the Intec product offers better value for money. Although the base cost of the two products is similar, the tender from Intec also included the supply and installation of a data interrogation module for use in proactive counter fraud work. The similar module from Civica was only offered as an optional extra. 19 The BIT fraud product is still being developed and was incomplete at the time of the demonstration. Although the product is being piloted by two authorities the supplier has no proven track record in respect of fraud case management systems. The proposal from BIT is also based on the company hosting the application on their server with access via the internet. Such an arrangement would give rise to concerns about data security and future availability since the Council would be fully reliant on the supplier to provide a secure and resilient service. The preference is instead to co-host the fraud application on the same server as the audit and risk management application. Financial Implications 20 The combined cost of the two chosen software applications is above the initial approved ITT Development Plan budget of 16,931. The additional ongoing revenue costs are 1,717pa, and these have been met through a further budget allocation from the ITT Development Plan of 1, In accordance with Financial Regulations, Executive Member approval is required because the lowest priced tenders have not been chosen in either case. Other Implications (HR and Legal)

6 22 None. Recommendations 23 Members are asked to advise the Executive Member for Resources to; - approve the purchase of Howarth (Galileo/Magique) audit and risk management software and Intec (Incase) fraud software. Contact Details Author: Max Thomas Audit and Fraud Manager Telephone: Chief Officer responsible for the report: Liz Ackroyd Assistant Director Audit and Risk Management For further information please contact the author of the report Background Papers: