Information Commissioner's Office
IT Procurement Review
Last updated 18 June 2012

Ian Falconer, Partner, T: 0161 953 6480, E: ian.falconer@uk.gt.com
Will Simpson, Senior Manager, T: 0161 953 6486, E: will.g.simpson@uk.gt.com
Paul Eckersley, Manager Technology Risk, T: 0113 200 2525, E: paul.j.eckersley@uk.gt.com

Distribution
For action: Daniel Benjamin, Director of Corporate Services; David Wells, Head of IT
For information: Christopher Graham, Information Commissioner

Timetable
Fieldwork completed: 13 April 2012
Draft report issued: 3 May 2012
Management comments: 16/5/2012
Final report issued: 16/5/2012
Contents

Sections
1 Executive Summary ........ 1
2 Detailed Findings ........ 3
A Internal audit approach ........ 12
B Definition of internal audit ratings ........ 14
C Outline Project Timescales ........ 15

Glossary
The following terms are used in this report:
Capita: ICO's current IT service provider
GPS: Government Procurement Services
ICO: Information Commissioner's Office
IT: Information Technology
MoJ: Ministry of Justice
OJEU: Official Journal of European Union
Options Study: review to establish ICO preferred procurement strategy
Project Board: body responsible for representing ICO, monitoring progress and providing authorisation to project on decision
TUPE: Transfer of Undertakings (Protection of Employment) Law

This report is confidential and is intended for use by the Management and Directors of The Information Commissioner's Office only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused. It is the responsibility solely of The Information Commissioner's Office management to ensure that there are adequate arrangements in place in relation to risk management, governance and control.
1 Executive Summary

1.1 Background
A significant proportion of the ICO's IT Services are provided under an outsource contract with Capita. This contract was due to expire in July 2012 but was extended to July 2013 in order to allow the ICO more time to consider its overall requirements and other ways in which they could be delivered. An options study was conducted with a recommendation to the Executive Team on how to proceed. The renewal will be undertaken within the framework of the Government strategy on IT procurement and takes into account the requirement for all government departments to identify savings, including opportunities through re-tenders.

Key dates for the IT Procurement Project
June '11: IT Procurement Project established.
Nov '11: Project manager employed to establish the available options to the ICO, determine management priorities and what IT services will be required.
May '12: OJEU notice to be published
Aug '12: ITT to be issued to suppliers
Jan '13: Select successful supplier to be done

We have been asked by Senior Management and the Audit Committee to provide assistance at key stages of the process. This is our second review, on progress made and plans for the future as the ICO prepares to publish the public sector tender notice in the Official Journal of European Union (OJEU) in May 2012.

Note: Management has recognised that it needs additional support to ensure a successful tender and supplier selection. We will provide initial assistance as part of the 2012-13 Internal Audit Plan and Grant Thornton's Performance Improvement Team may be commissioned to provide further assistance to management in due course.

1.2 Scope
The agreed focus of the second phase was to:
- review the project governance, management and reporting controls;
- provide a progress report on the project;
- review the options under consideration; and
- confirm that the potential options support the IT Strategy.

Further details of our scope and approach can be found in Appendix A.
1.3 Audit Opinion
Our focus during this phase of the audit has been to provide assurance over the progress towards the testing phase of the project, and to provide assistance to those preparations. At this stage, it is not possible to assess the operating effectiveness as preparation for the tender has not started.

Design effectiveness (rating: Amber)
Overall, we have concluded that in the areas examined the risk management activities and controls are suitably designed to achieve the risk management objectives required by management. Management needs to ensure that alternative procurement arrangements are in place if government procurement frameworks are not available and establish formal terms of reference for the project board.

2012 Grant Thornton UK LLP. All rights reserved. 1
The Information Commissioner's Office Internal Audit IT Procurement Review - Phase 2
1. Executive summary

Further details of our findings and recommendations are provided in Section 2.

1.4 Progress since the last internal audit review
The contract extension to Capita is now in place and will expire in July 2013. The Options Study was being finalised at the time of our latest fieldwork, with the final version expected to be submitted to the Executive Team by the end of April 2012. We understand that the study is likely to recommend tendering for two lots of services, with existing Government frameworks being used for the remaining services. Final details of the proposals are currently being agreed with the various stakeholders.

1.5 Key findings
The following table details the key findings from our review. Further details of our findings and recommendations are provided in Section 2.

Risk / Process           High  Medium  Low  Improve't
Procurement activities   -     2       -    -
Project governance       -     1       2    -
Previous IA review       -     -       -    -
Total                    -     3       2    -

Refer to Appendix B for definitions of internal audit recommendation ratings.

No findings have been rated a high priority. Each of our recommendations aims to help the ICO to establish an appropriate approach to its tendering processes in order to obtain IT services that will best meet its current and future requirements.

The three medium rated findings relate to:
1 A key Government framework, web hosting and development, may not be in place by the time that the ICO needs it, so those services may need to be tendered separately;
2 Organising the tender into separate lots may not support an effective tender process, possibly precluding some suppliers and duplicating some services unnecessarily (i.e. hardware support for the servers and desktops required by each lot); and
3 Formal project controls need to be established, including detailing roles, responsibilities and authority of the Project Board, and confirming objectives of the tendering process.

1.6 Acknowledgement
We would like to take this opportunity to thank the staff involved for their co-operation during this internal audit.
2 Detailed Findings

2.1 Procurement activities

1. Medium: Government procurement framework not in place

Finding and Implication
The Project Board identified that there was the opportunity to utilise existing frameworks for some of the services currently being provided by Capita or other suppliers. One of those frameworks is for web hosting and web site development. At the time of this review, the framework was only at early stages of being drafted by Government Procurement Services (GPS), so there is a strong possibility that the framework may not be in place when ICO need to procure those services.

Discussion with management has identified that whilst this was a known risk, no contingency was in place should the framework not be available to the ICO when it is needed. Framework agreements make procurement a simpler process and organisations benefit from negotiations undertaken by GPS.

Therefore, if the framework is not available and ICO have to tender directly for web hosting and development services, consideration needs to be given to when that decision has to be made, in order to allow sufficient time for a separate tender to be issued for those services or for web hosting and development services to be included within the Invitation to Tender currently being planned. An outline of project timescales (see Appendix C) has been established, but management have not yet established when such a decision would need to be made.

Proposed action
Management to establish how long the tendering process for web hosting and development services would take, and work back from July 2013 to establish when a decision about the tendering process needs to be made. In addition, preparatory work should be undertaken so that the organisation is fully ready to commence such alternative tendering procedures if and when they are needed.

Agreed action (Date / Ownership)
[Action as agreed by client]. The web elements have been moved into the main contract. The contingent option of obtaining the web hosting/services through a separate procurement exercise was reviewed. This was considered not to be a viable option as, given the contract value, a full OJEU would be required.
Recommend this action is closed.
Date Effective: 10 May 2012
2. Medium: Presentation of lots for tender

Finding and Implication
ICO has mapped out all the current services being provided by Capita and other third-party suppliers to determine what lots would be offered. These have been packaged into two lots: Hardware Service plus Operating System Service, and Applications Service plus Desktops / Office Hardware Service.

However, there is duplication between the two lots and it is not clear why the lots are organised as they are. For example, server hardware support and configuration is to be provided as part of the Hardware Service plus Operating System Service lot but desktop hardware support is to be delivered as part of the Applications Service plus Desktops / Office Hardware Service. Most suppliers who provide server hardware support also offer desktop support as some of the skills required are common and there are some dependencies on server configuration to how desktops operate. The potential value of each lot is similar and this may be why the lots have been collated as they have been.

During the review, we discussed with the management the dependency on the web hosting and web development government procurement framework. We agreed with management that a contingency will be needed and one such contingency would be to include web hosting and web development. However, web hosting is largely a generic service where capacity and availability of service are the key areas to consider. Web development is much more likely to be closely aligned to the organisation's needs and requires a partnership approach. Management may get better quality bids if these two services are offered separately.

If lots are not correctly organised, ICO may not get the best value for the services provided, and different suppliers are providing similar services or not making best use of suppliers' specialist services. Lots correctly organised should ensure ICO achieves the objectives of continuity of IT services, clarity over accountability for each service, support for government procurement objectives and flexibility to accommodate future ICO needs. If the lots are not organised effectively, the ICO may receive poor quality bids, supplier bids may overlap resulting in duplication and increased cost, or suppliers may not bid at all.

Proposed action
Management to consider re-organising the lots to ensure similar services are packaged together in a way that maximises the suppliers' offering, but provides ICO with flexibility over the service provided to meet future needs.

Agreed action (Date / Ownership)
[Action as agreed by client]. As noted in recommendation 1 the web elements have been brought into the main contract. At the time of the field visit by GT the work to split and define the service was work in progress and based on the options study. Since then more detailed reviews and definitions of the services have been developed and the summary descriptions reviewed to ensure clarity.
Recommend this action is closed.
Date Effective: 10 May 2012
2.2 Project Governance

3. Medium: Project controls

Finding and Implication
Prior to the appointment of the Director of Corporate Services, the IT Procurement project had not been managed on a formal basis. The Director of Operations (acting project sponsor), Head of IT and Head of Finance met as and when required and fulfilled the Project Board function. However, meetings were not documented, and roles and responsibilities were not formally established and agreed. Updating the Executive Team on progress is achieved through the Project Sponsor being a member of the Executive Team and not by any formal reporting.

The newly appointed Director of Corporate Services established regular meetings of the project board, which consists of the Director of Corporate Services, Director of Operations, Head of Finance, Head of IT and Options Study Project Manager. However, Terms of Reference have not been established that clearly set out the role and responsibility of the Project Board, what authority it has and when additional authorisation is required.

Key decisions need to be appropriately discussed, concluded and communicated. The Project Board should formally record key decisions. For example: content of the OJEU notice; agreement over the objectives of the tendering process that support how to organise the lots; and how to select which suppliers to send the ITT to.

The Project Board needs to agree with the Executive Team what the priorities are for the procurement of IT services, such as lowest cost or minimal disruption to users. These two examples of objectives may not be complementary and the ICO may need to prioritise one over the other.

Proposed action
Project Manager to document the Terms of Reference for the Project Board, which should include:
- roles and responsibilities of members of the board and, where and when additional authority is to be sought;
- frequency of project board meetings;
- authority of the board to make decisions;
- responsibility for updates to the Executive Team prior to any MoJ liaison meetings; and
- determination of what reporting will be required.

Project Board to establish the key objectives of the tendering process, in order to prioritise activities to meet those objectives. The Project Board should also agree what key decisions are required, when the decisions will be made and whether additional authority beyond the Project Board may be necessary, such as the Executive Team.

Agreed action (Date / Ownership)
[Action as agreed by client]. A governance paper has been developed, agreed by the Project Board and by the Executive Team.
No further action proposed.
Date Effective: 10 May 2012
4. Low: Liaison with Ministry of Justice

Finding and Implication
ICO is required to keep the MoJ informed of any significant events and updated on activities, through on-going liaison meetings. These meetings were attended by the Information Commissioner or the Director of Operations.

Prior to the appointment of the Director of Corporate Services, the Director of Operations was the project sponsor and a member of the Project Board. The Director of Operations also attended some MoJ liaison meetings. Updates to the MoJ on the IT Procurement Project were provided but they were not prepared and agreed by the Project Board. The Director of Corporate Services is now the sponsor for the project and is not expected to attend liaison meetings with MoJ going forward.

Proposed action
The IT Procurement Project Manager should obtain the schedule of liaison meetings with MoJ, in order to prepare a formal update report of project progress and raise any issues that MoJ need to be made aware of. The Project Board needs to ensure that the Information Commissioner or Director of Operations is appropriately briefed, especially if the Director of Operations is not involved in the liaison meeting. Confirm that the Director of Corporate Services attends the quarterly MoJ liaison meetings.

Agreed action (Date / Ownership)
[Action as agreed by client]. Dates of next meetings with MoJ have been noted in the project calendar. Reporting to MoJ, Management Board and Executive Team is detailed in the Governance paper.
Recommend this action is closed.
Date Effective: 10 May 2012
5. Low: Complete set of Project Documents

Finding and Implication
The Project Manager has established a Project Initiation Document for IT Procurement but it relates to setting up the project for the Options Study and not for the wider project of procuring IT Services. According to the ICO Project Management Methodology a number of documents are expected to be established as part of any major project, including:
- Project checklist;
- Project brief;
- Business case;
- Issue, risk, action, and decision logs;
- Project Initiation Document; and
- Project Board meeting minutes.

At the time of the review, we had access to a project brief and project time lines which related to the Options Study phase only. The project has progressed sufficiently for plans to be drawn up for the procurement activity. ICO management had recognised this and are now in the process of setting the project on a formal basis, including documentation which will support governance over the project and ensure visibility over decisions made.

With a lack of detail over the intention for managing the procurement process, it is possible that: decisions are made without the support of the Executive Team, services are procured that do not best support ICO requirements, and the project team is unclear on roles and responsibilities. Consequently the lack of clarity may delay elements of the project or key milestones may not be achieved, which, if on the critical path, may result in ICO not having continuity of IT services.

Proposed action
Project Manager to agree with the Project Sponsor what documentation set is required for the project and draft those documents for the Project Board's consideration and approval, where necessary.

Agreed action (Date / Ownership)
[Action as agreed by client]. Agreed. Governance paper approved by ET. Weekly reporting in place, RAID logs being used. PID final approval target date end May 2012.
Recommend this action is closed.
Date Effective: 16 May 2012
2.3 Progress on findings from previous review

Columns: Agreed action | Status progress | Further agreed action (Date / Ownership)

1.
Agreed action: Director of Operations to liaise with MoJ on the issue at regular MoJ liaison meetings and via correspondence and ad-hoc meetings. The ICO (Director of Operations) will liaise directly with the MoJ as our sponsoring department and primary link to central government. In addition the Head of IT will continue to review government direction using existing sources, primarily trade press, websites and press monitoring. These sources have given good coverage since the ICT strategy was launched in March. It is anticipated that there will be a government update on procurement in August 2011. Date Effective: Review end of August 2011. Owner: Director of Operations.
Status progress: Regular liaison meetings occur with Ministry of Justice, where either the Information Commissioner or the Director of Operations provides updates. Head of IT is attending government procurement conferences to ensure current government strategy is understood, in addition to meeting the Ombudsman Association to share best practice.
Further agreed action: See finding 2 above.

2.
Action a: Agree. Approval has been given for the recruitment of an experienced person on a short fixed term contract to undertake this study. Date Effective: Job description to be agreed and recruitment to start by end of July 2011.
Status progress: Bill Ritchie appointed in November 2011.
Action b: A risk register will be created as part of project governance (see 6). Engagement with ET, MB and AC will happen throughout the IT procurement. Risks have been identified through work on the IT strategy and been developed further by Internal Audit. The risks will feed into development of plans and the scoping of the options study. A risk workshop will be run as part of the options study scoping process. Corporate Governance can assist in this. Date Effective: August 2011.
Status progress: Awaiting risk register being established as part of the Options Study; in draft but not completed.
Action c: Detailed review of services provided by Capita.
Status progress: Analysis of services provided by Capita has been completed and a chart of those services now exists. This has been used to drive definition of the lots to be tendered.
Further agreed action: None; see finding 4 above.

3.
Action a: Agreed review skills of existing team, to establish the gap for an in-house solution. Date Effective: September 2011.
Status progress: In-house solution is not the preferred solution. IT to focus on supplier and contract management skills. Intention is to recruit those skills.
Action b: Agreed review IT policy and procedures gaps between services and what might be brought in-house. Date Effective: November 2011.
Status progress: No longer necessary as in-house provision is not the preferred option.
Further agreed action: None.

4.
Action a: Current government policy on websites and web development means that the future of the ICO's site is uncertain and subject to the decisions of central government. However any re-procurement will look to align hosting and development if at all possible. We are keeping the situation under review. Date Effective: Review in October 2011. Owner: Head of Corporate Affairs.
Action b: As above. Date Effective: Review in October 2011.
Status progress: Management looked into recruiting a web developer as part of the IT department. This was unsuccessful (skills required in one person could not be found). Management plans to use an existing framework or make it part of the tender to procure such a service.
Further agreed action: See finding 1 above.

5.
a) We recommend early consideration of the TUPE aspects of the contract re-negotiation and suggest all relevant parties are approached early in the process to give an initial indication of the potential costs of the TUPE transfers.
Action a: Noted. To be considered in evaluations of options. (Consider TUPE implications if services brought in-house). Date Effective: Review April 2012.
b) The Head of IT should develop a Staffing Strategy to consider the impact of the procurement issues such as TUPE, additional skills requirements and succession planning. Whichever option is adopted, there will be a considerable impact on existing IT staff which needs consideration and management.
Action b: Agreed. To be considered in evaluations of options with the support of Organisational Development. Will also be included in discussion of risks (see 2c). Date Effective: Review April 2012.
Status progress: In-house proposition not a preferred solution.
Further agreed action: None.

6.
Agreed action: Project brief and PID to be developed; a project board will be formed. Date Effective: July 2011.
Further agreed action: See findings 4 and 5 above.

7.
Agreed action: A gap analysis will be undertaken using the findings from the Internal Audit of BC and the current DR/BC provision. Work has started on a technical evaluation of improvements to give greater resilience for remote access and regional offices. Government strategy is to consolidate data centres and is the most likely final destination for most of ICO's hardware; any such provision would be expected to provide adequate BC and DR. The contract extension must provide maximum flexibility around provision of DR, including possible early termination of Sunguard if required. Date Effective: Review November 2011 after Internal Audit report received.
Status progress: Business Continuity is to be included as part of the tender. The existing DR provision will expire at the end of the current contract in July 2013.
A Internal audit approach

Approach and Scope
The objective of the review was to provide assurance to IT Management and the Business that the IT Procurement project will provide a robust approach to defining requirements and moving to an IT Service provision which is appropriate for the business, following the end of the current contract with Capita.

We focussed on the following sub risks:
- The project may not engage sufficiently with Government stakeholders resulting in a failure to obtain the relevant approvals and expenditure commitments;
- Project governance structures, planning and reporting may be inadequate to ensure the successful replacement of the existing outsource contract;
- The options study may not be conducted effectively resulting in a failure to identify all possible solutions or align them properly to the IT Strategy and needs of the ICO in the longer term;
- Planned implementation timescales may not be achieved leading to a failure to maximise on the benefits identified in the business case.

Our internal audit approach is based upon the underlying principles of the UK Corporate Governance Code (2010) guidelines on internal control that require management to identify, assess and manage the risks that are significant to the achievement of the organisation's overall business objectives. Our role as internal auditor is to provide objective and independent assurance to the Audit Committee and management that it is doing this successfully for each of the areas being audited.

Our audit was carried out in accordance with the guidance contained within the Government's Internal Audit Standards (2011) and the Auditing Practices Board's Guidance for Internal Auditors. We also have regard to the Institute of Internal Auditors guidance on risk based internal auditing (2005).

In accordance with our agreed internal audit plan, we agreed to undertake a review of the Information Commissioner's Office's project to identify options for replacing the existing outsourced IT Contract with Capita. This review will further inform our on-going understanding of ICO's governance and risk management activities.

We achieved our audit objectives by:
- meeting with key staff to gain an understanding of the arrangements in place, building upon the information we have already gained through our audit planning process;
- assessing the effectiveness of the control mechanisms in place to mitigate identified risks;
- discussion of key findings with management and preparation of a draft report.

The findings and conclusions from this review will support our annual opinion to the Audit Committee on the adequacy and effectiveness of internal control arrangements.

Responsibilities
It is the responsibility of management to ensure that there are adequate controls and activities in place to ensure that the ICO's business objectives can be met and that the risks to the ICO are minimised. Based on the work we have carried out, we provide an objective assessment of the adequacy and effectiveness of controls and activities established by management to manage the identified risks to the ICO. During the course of our review we have conducted interviews and, where necessary, testing/verification work to support our assessment of the adequacy and effectiveness of current arrangements.

Additional information

Client staff
The following people were consulted as part of this review:
- Daniel Benjamin, Director of Corporate Services;
- David Wells, Head of IT;
- John Rackstraw, Senior IT Service Delivery Manager;
- Angela Muston, Solicitor;
- Bill Richie, Options Study Project Manager;
- Andy Cryer, Head of Finance.

Locations
The following locations were visited during the course of this review: Wilmslow Office.

It is our reporting protocol to balance our reporting of positive practice with areas for attention. This enables the ICO to build upon its strengths, whilst focusing upon key findings and associated recommendations, which if acted upon, should enhance the control environment and improve the management of key risks.

Please refer to our letter of engagement for full details of responsibilities and other terms and conditions.
B Definition of internal audit ratings

Audit issue rating
Within each report, every audit issue is given a rating. This is summarised in the table below.

Rating: High
Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management.
Features:
- Key control not designed or operating effectively
- Potential for fraud identified
- Non compliance with key procedures / standards
- Non compliance with regulation

Rating: Medium
Description: Important findings that are to be resolved by line management.
Features:
- Impact is contained within the department and compensating controls would detect errors
- Possibility for fraud exists
- Control failures identified but not in key controls
- Non compliance with procedures / standards (but not resulting in key control failure)

Rating: Low
Description: Findings that identify non-compliance with established procedures.
Features:
- Minor control weakness
- Minor non compliance with procedures / standards

Rating: Improvement
Description: Items requiring no action but which may be of interest to management or best practice advice.
Features:
- Information for department management
- Control operating but not necessarily in accordance with best practice
C Outline Project Timescales

[Gantt chart, February 2012 to July 2013, distinguishing ICO activity from supplier activity. The milestones shown are listed below; dates are as marked on the chart.]

- Authority to issue OJEU Notice: 27/04
- Publish OJEU Notice: 30/05 (minimum of 37 days from publication of the OJEU notice)
- Deadline for Expression of Interest, combined OJEU/PQQ: 09/07
- Prepare & Issue PQQ: 30/05 (expression of interest would be evidenced by the return of a completed PQQ)
- PQQ Returns Submission Date: 09/07
- Review PQQs & agree shortlist
- Prepare & Issue ITT + Contract: 06/08 (minimum of 40 days from the issue of the ITT)
- Clarification & receipt of final tenders: 15/10
- Evaluation & confirm preferred bidder: 09/01
- Due Diligence
- Contract Award: 07/03
- Contract Signed: 18/03
- Initial Transition (minimum of 10 days from contract award)
- Contract Start Date: 10/07
- Service Freeze, Project Freeze and Change Freeze periods precede the contract start date
www.grant-thornton.co.uk

2011 Grant Thornton UK LLP. All rights reserved.
"Grant Thornton" means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ('Grant Thornton International'). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.