Aberdeen City Council
IT Governance
Internal Audit Report 2013/2014 for Aberdeen City Council
May 2014

Internal Audit KPIs

Each KPI is listed with its target date, actual date, Red/Amber/Green rating and commentary where applicable.

Terms of reference agreed 4 weeks prior to fieldwork: target 03.02.2014, actual 20.12.2013, Green
Planned fieldwork start date: target 03.03.2014, actual 03.03.2014, Green
Fieldwork completion date: target 14.03.2014, actual 11.04.2014, Red (Commentary: sickness absence of the internal auditor performing fieldwork.)
Draft report issued for Management comment: target 28.04.2014, actual 28.04.2014, Green
Management Comments received: target 12.05.2014, actual 12.05.2014, Green
Report finalised: target 19.05.2014, actual 19.05.2014, Green
Submitted to Audit and Risk Committee: target 26.06.2014, actual 26.06.2014, Green
Internal Audit report for Aberdeen City Council (PwC)

Contents

Section: Page
1. Executive Summary: 3
2. Background and scope: 5
3. Detailed findings and recommendations: 6
Appendix 1 Basis of our classifications: 8
Appendix 2 Terms of reference: 12
Appendix 3 Limitations and responsibilities: 14

This report has been prepared solely for Aberdeen City Council in accordance with the terms and conditions set out in our engagement letter dated 4 October 2010. We do not accept or assume any liability or duty of care for any other purpose or to any other party. This report should not be disclosed to any third party, quoted or referred to without our prior written consent.

Internal audit work will be performed in accordance with Public Sector Internal Audit Standards. As a result, our work and deliverables are not designed or intended to comply with the International Auditing and Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and International Standard on Assurance Engagements (ISAE) 3000.
1. Executive Summary

Report classification: Medium Risk

Total number of findings (Section 3), by rating:
Control design: Critical -, High -, Medium 2, Low 1, Advisory -
Operating effectiveness: Critical -, High -, Medium -, Low -, Advisory -
Total: Critical -, High -, Medium 2, Low 1, Advisory -

Responsible Director: Director of Corporate Governance
Project Sponsor: Head of Customer Service and Performance

Summary of findings

1.01 The Council's current ICT Business Strategy covers the period from 2009-2015. During that period, the Council has completed a series of major organisational changes, including senior management restructuring, the introduction of Priority Based Budgeting, and a change in political administration, amongst others. There have also been significant developments at a national level, including the production of a Scottish Local Government IT Strategy, changes to the PSN regime, the introduction of the Scottish Wide Area Network, and more recently the production of the Scottish Government Data Centre and Cloud strategies.

1.02 Through our review of IT Governance we have looked at the Council's current ICT Business Strategy and the proposed Enterprise Architecture governance framework that is being implemented. Based on our review we have made two medium classification findings regarding the current IT governance structures in place, and recommendations for how the Council can improve its IT governance based on these findings.

1.03 The Head of Customer Service and Performance proposed the adoption of The Open Group Architecture Framework (TOGAF) as an Enterprise Architecture governance methodology that works closely with the business to an agreed set of principles in order to align technology to business needs. The framework was developed through a series of workshops involving ICT and business representatives. This was approved by the Corporate Management Team (CMT) on 28 June 2012. However, the current ICT Business Strategy does not include the implementation of an Enterprise Architecture governance framework as a strategic objective. The implementation of an Enterprise Architecture governance framework should be a strategic objective to ensure transparency and engagement across the organisation.
1.04 The Council currently has an Enterprise Architecture governance board that meets monthly. Requests for ICT work, including both operationally and architecturally significant work, are scrutinised and prioritised by the board, which is attended by senior business managers from across each of the Council directorates and chaired by the Head of Customer Service and Performance. However, the board does not have an approved, defined role within the organisation. The role and authority of the governance board should be approved by the Corporate Management Team.

Management comments

The ICT Business Strategy referred to within the audit is still current, and through developing our Enterprise Architecture, we are carrying out preparatory work for the revised strategy by analysing the organisation's business plans and strategies, aligning the current ICT strategy and projects to business need, and sense-checking our alignment to emerging national strategies and developments including Scottish Government data centre and cloud strategies, Local Government ICT strategy and the impact of PSN developments on our virtual environments and Bring Your Own Device (BYOD). There has been a continuing strategic oversight over emerging developments during the period of the current strategy which will be reflected in the revised document. All of this links to the development of roadmaps that will allow us to understand the relationships and lifecycles across our various business, application, technology and project portfolios and therefore allow for better governance of the EA landscape formed by the individual elements of these portfolios. Finally, we welcome the recognition of the good practice being implemented and have agreed the actions recommended in the report.
2. Background and scope

Background

2.01 ICT has been engaged in a project to develop an Enterprise Architecture governance framework for Aberdeen City Council. This project has involved engagement with stakeholders across the business to tailor the framework to the specific requirements of the Council. In discussions with the key persons involved, it was explained that the Council is one of only a few public authorities in the United Kingdom engaged in such a project.

ICT Strategy

2.02 An ICT Business Strategy has been developed for the period covering 2009-2015. This strategy was approved by the Continuous Improvement Committee in February 2009, and a revised version was approved by the Corporate Policy and Performance Committee in March 2012. A high-level review of the strategy indicates that it was developed based on Central and Scottish Government initiatives and with reference to the Council's business strategy at the time. However, as identified in finding 3.01, the strategy does not refer to the ongoing project to develop an Enterprise Architecture governance framework and implement this across the Council.

Enterprise Architecture Governance Framework

2.03 ICT, in conjunction with stakeholders across each directorate, has been developing an Enterprise Architecture governance framework for implementation at Aberdeen City Council. The framework process has involved engaging with the Sopra Group, an external IT consultancy, to help develop a framework for the Council that conforms to good practice Enterprise Architecture principles based on TOGAF.

2.04 An Enterprise Architecture governance board has been assembled, with representatives from both ICT and Heads of Service from each of the Council's directorates, to lead the project and help develop a governance framework tailored to the specific needs of the Council. As identified in finding 3.02, however, the board does not currently have an approved, defined authority giving it the power to ensure that Enterprise Architecture governance is implemented and enforced across the organisation.

Scope and limitations of scope

2.05 The detailed scope of this review is set out in Appendix 2 in the Terms of Reference. We have undertaken a review of the design and operating effectiveness of the Council's controls for IT Governance in the areas contained within this Terms of Reference. Our work was undertaken using a sample-based approach, with our review focused on the ICT Strategy and Enterprise Architecture Framework.
3. Detailed findings and recommendations

3.01 Develop a comprehensive ICT strategy

Control design deficiency

Finding

Aberdeen City Council has an ICT Business Strategy for 2009-2015 that was approved in February 2009 by the Continuous Improvement Committee, and was subsequently revised and updated with the approval of the Corporate Policy and Performance Committee in March 2012. Our high-level review of the strategy identified that it had been developed with reference to Central and Scottish Government ICT initiatives and with reference to the overall business strategy for the Council. However, we noted that it does not reflect the current work that is ongoing to develop an Enterprise Architecture ("EA") governance framework for the Council and embed EA governance good practice within the organisation.

The Corporate Management Team (CMT) approved a project to adopt The Open Group Architecture Framework (TOGAF) as an Enterprise Architecture governance methodology. Work commenced with Sopra to help develop the framework, and a number of relevant IT staff have been formally trained in TOGAF and are currently working to take forward the draft work that Sopra developed and formalise it to fit the Council's business model. A formal project has been initiated to take the framework to a Level 3 Maturity within a period of 12 months from commencement.

Given the current projects ongoing to develop an EA governance framework, we consider not having this set as a strategic objective to represent a weakness in the current strategy. Research indicates that one of the key factors in successfully implementing Enterprise Architecture into an organisation is having the full support of senior executive management. Including the implementation of an EA governance framework within the ICT strategy, and indeed within the wider Council business strategy, will ensure that senior executive management is committed to the project and that there is transparency across the organisation.

The current ICT strategy is due to be renewed in 2015; this presents a significant opportunity for the Council to develop a comprehensive ICT strategy that sets out its vision for ICT and how it links into the achievement of the Council's overall strategy.

Risks

Failure to develop a comprehensive ICT strategy increases the risk that the Council fails to achieve the ICT capabilities required to deliver its overall business strategy.

Action plan

Finding rating: Medium

Agreed action: The strategy will include the commitment to implementing an Enterprise Architecture governance framework and have the support of the corporate management team. Including this commitment in the ICT strategy would reduce this risk to a low rating.

Responsible person / title: Paul Fleming, Head of Customer Service and Performance

Management Comment: The strategy is due to be reviewed in 2015 and the revised strategy will include this commitment. In the meantime, this is recognised as a priority action within the ICT Asset Management Plan, approved by Finance, Policy and Resources Committee. Work is ongoing to develop the framework, through preparing a road map of ICT for the business and its business applications, which will in turn inform the revised strategy.

Target date: 31 March 2015
3.02 Define the role of the Enterprise Architecture Governance Board

Control design deficiency

Finding

The Enterprise Architecture Governance Board meets on a monthly basis to discuss Enterprise Architecture at the Council and includes representatives from ICT and the Heads of Service from across each of the Council's directorates. At present, though, the board's role and authority have not been defined within the Council.

In developing an Enterprise Architecture governance framework, the role and authority of the Enterprise Architecture Governance Board should be defined. Importantly, the board should report directly to the Corporate Management Team and in turn be given direct responsibility from the CMT. Giving the Enterprise Architecture Governance Board clear authority over the governance of Enterprise Architecture for the organisation will give it the power to ensure compliance with the Enterprise Architecture principles defined in the framework.

Risks

The Enterprise Architecture Governance Board does not have the authority to ensure compliance across the organisation with the Enterprise Architecture framework, resulting in the Council failing to deliver on its Enterprise Architecture objectives.

Action plan

Finding rating: Medium

Agreed action: The role and authority of the Enterprise Architecture Governance Board will be defined as part of the Enterprise Architecture Governance Framework and approved by the Corporate Management Team. The Enterprise Architecture Governance Board will have rules that clearly define its structure, composition and decision making. The Enterprise Architecture Governance Board will have responsibility for monitoring compliance with the Enterprise Architecture Governance Framework and reporting on compliance directly to the Corporate Management Team.

Responsible person / title: Paul Fleming, Head of Customer Service and Performance

Management Comment: The agreed actions are recorded as activities within the project plan for Developing an Enterprise Architecture Framework, currently scheduled for September 2014, subject to limited Enterprise Architecture resource availability.

Target date: 31 October 2014
3.03 Establish KPIs and performance monitoring to measure Enterprise Architecture governance compliance across the organisation

Control design deficiency

Finding

Embedding a strong governance culture around Enterprise Architecture is important in ensuring the success of the Enterprise Architecture Governance Framework project. Once the Enterprise Architecture Governance Board has developed a tailored Enterprise Architecture governance framework for the Council, monitoring performance in complying with the framework will be the next step. Developing a clear set of key performance indicators (KPIs), and embedding Enterprise Architecture governance compliance into employee performance reviews, will help foster a culture of good governance around Enterprise Architecture across the organisation.

Risks

The Enterprise Architecture governance framework is not embedded within the culture of the Council, resulting in the benefits of the project not being obtained and a return to business as usual.

Action plan

Finding rating: Low

Agreed action: The Enterprise Architecture Governance Board will agree a suite of KPIs, relevant to the organisation, for monitoring performance compliance with the Council's Enterprise Architecture governance framework. The Enterprise Architect will have responsibility for monitoring the KPIs and reporting to the governance board on compliance. The governance board will in turn report on compliance to the Corporate Management Team. Compliance with the Enterprise Architecture governance framework will be considered in employee performance reviews for those employees for whom Enterprise Architecture governance is relevant to their job role.

Responsible person / title: Paul Fleming, Head of Customer Service and Performance

Management Comment: The agreed actions are recorded as activities, and a suggested suite of initial KPIs has been drafted for development and approval as part of the Developing an Enterprise Architecture Framework Project, currently scheduled for early 2015.

Target date: 31 March 2015
Appendix 1 Basis of our classifications

Individual finding ratings

Finding rating and assessment rationale:

Critical: A finding that could have a:
- Critical impact on operational performance; or
- Critical monetary or financial statement impact; or
- Critical breach in laws and regulations that could result in material fines or consequences; or
- Critical impact on the reputation or brand of the organisation which could threaten its future viability.

High: A finding that could have a:
- Significant impact on operational performance; or
- Significant monetary or financial statement impact; or
- Significant breach in laws and regulations resulting in significant fines and consequences; or
- Significant impact on the reputation or brand of the organisation.

Medium: A finding that could have a:
- Moderate impact on operational performance; or
- Moderate monetary or financial statement impact; or
- Moderate breach in laws and regulations resulting in fines and consequences; or
- Moderate impact on the reputation or brand of the organisation.

Low: A finding that could have a:
- Minor impact on the organisation's operational performance; or
- Minor monetary or financial statement impact; or
- Minor breach in laws and regulations with limited consequences; or
- Minor impact on the reputation of the organisation.

Advisory: A finding that does not have a risk impact but has been raised to highlight areas of inefficiencies or good practice.
Report classifications

Points per finding, by finding rating:
Critical: 40 points per finding
High: 10 points per finding
Medium: 3 points per finding
Low: 1 point per finding

Report classification, by total points:
Low risk: 6 points or less
Medium risk: 7 to 15 points
High risk: 16 to 39 points
Critical risk: 40 points and over
Appendix 2 Agreed Terms of reference

Background

IT Governance has been an area of focus over the year, with the formulation of an ICT strategy and implementation of the Advisory Board as part of the Enterprise Governance Framework, which is designed to ensure the Council's Enterprise Architecture remains aligned to the Business and ICT Strategies. The IT governance Advisory Board is made up of representatives from ICT and business areas, with a focus on ensuring that ICT is supporting the needs of the organisation, and providing oversight on ICT management activities.

Scope

The overall scope of this review will be to consider the design and operating effectiveness of the key controls in relation to IT Governance. The sub-processes and related control objectives included in this review are:

Sub-process: ICT Strategy
Objectives:
- Understand how the ICT strategy has been formulated, linked to the business strategy and agreed.
- Understand the approach to reviewing and updating the strategy to ensure it continues to address the key objectives.
- Perform a high-level review of the ICT strategy against best practice to ensure that key areas of focus have been captured.

Sub-process: Enterprise Architecture Framework
Objectives:
- Understand how the Enterprise Architecture Framework has been set up and whether it is in line with good practice.
- Understand and evaluate the controls in place to ensure the Enterprise Architecture aligns with Business and IT strategy and ICT is delivering the defined benefits to the business.
- Understand how ICT reports on Governance to ensure sufficient priority, access, clear reporting lines and escalation are embedded in the process.
- Understand governance controls and reporting in place to ensure ICT is delivering in line with business expectations.
Limitations of scope

The section above sets out the scope of the matters covered within this review. Our review will be conducted based on interviews, and controls will be tested on a sample basis in line with PwC internal audit methodology. It is Management's responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for Management's responsibilities for the design and operation of these systems.

Audit approach

Our audit approach is as follows:
- Obtain an understanding of the key controls in place through discussions with key personnel, and review of supporting governance documentation
- Identify the key risks relating to IT governance
- Evaluate the design of the controls in place to address the key risks
- Test the operating effectiveness of the key controls on a sample basis

Key Council Contacts

Name: Title
Paul Fleming: Head of Customer Service and Performance
Sandra Massey: Operations Manager ICT
David McDowell: Enterprise Architect
Appendix 3 - Limitations and responsibilities

Limitations inherent to the internal auditor's work

We have undertaken a review of IT Governance, subject to the limitations outlined below.

Internal control

Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding achievement of an organisation's objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods

Our assessment of controls relating to IT Governance is as at 14 March 2014. Historic evaluation of effectiveness is not relevant to future periods due to the risk that:
- the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or
- the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management's responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management's responsibilities for the design and operation of these systems.

We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.
In the event that, pursuant to a request which Aberdeen City Council has received under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder (collectively, the "Legislation"), Aberdeen City Council is required to disclose any information contained in this document, it will notify PwC promptly and will consult with PwC prior to disclosing such document. Aberdeen City Council agrees to pay due regard to any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which may exist under the Legislation. If, following consultation with PwC, Aberdeen City Council discloses this document or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

This document has been prepared only for Aberdeen City Council and solely for the purpose and on the terms agreed with Aberdeen City Council in our agreement dated 4 October 2010. We accept no liability (including for negligence) to anyone else in connection with this document, and it may not be provided to anyone else.

© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.