IT Strategy and Governance - Worcestershire County Council

FINAL
Internal Audit Report
IT STRATEGY AND GOVERNANCE (NEW MODEL) REVIEW
Document Details:
Reference: 2.5.2 2014/15
Senior Manager, Internal Audit & Assurance:
Engagement Manager:
Auditors:
ext. 6567
Date: 14th November 2014
This report is not for reproduction, publication or disclosure by any means to unauthorised persons.
Internal Audit Report – IT Strategy and Governance (New Model) Review
1. EXECUTIVE SUMMARY
1.1 INTRODUCTION
As part of the 2013/14 Internal Audit Plan an audit of IT Strategy and Governance (New Model) was carried out.
Worcestershire County Council faces unprecedented levels of change driven by customers
and the requirement to reduce costs. These cost reductions will be delivered by the 'Future
Fit' Corporate Plan and the commissioning of services with technology as a key strategic
enabler. Technology is critical to the delivery of Council Services.
Consequently the Council has developed a Digital roadmap and strategy to deliver the
Council’s business requirements but also to challenge and change how the Council
operates through the implementation of new technologies and new ways of working.
The objective of this audit is to review the adequacy and effectiveness of the governance,
processes and key controls over the definition, maintenance and delivery of the digital
roadmap /strategy to help the Council meet its business objectives.
1.2 OVERALL CONCLUSION
We have identified that there is, generally, a sound system of control designed to meet the organisation's objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of some objectives at some risk.
We identified a number of areas of good practice, specifically:
• A strong level of engagement with the digital strategy across Directorates, aided by the Business Architecture Board (BAB) meetings.
• A good level of understanding across Directorates as to the scale of change required to successfully achieve the digital strategy, given the historic low level of controls maturity and the complex systems landscape.
• The definition of the digital strategy, as a result of the two points above, has followed a robust and comprehensive process to ensure it not only aligns with the County Council's objectives but also secures key stakeholder buy-in.
The issues identified reflect the current level of IT maturity within the Council. We have made a number of specific recommendations to improve governance, management and delivery of the Council's digital strategy. These include:
• Accelerating the development of an application architecture that ensures that the Council has a suite of compatible applications that are aligned to the IT and digital strategy;
• Implementation of a data architecture and common data standards to enable key systems to communicate and to give the Council the ability to extract synergies and maximum value from the data it holds;
• Improving governance and oversight of the digital strategy through development of a Responsibility Assignment Matrix (RACI) for each governing body such as BAB, which will enable the Council to identify current responsibilities and accountabilities between forums together with any gaps;
• Development of relevant, meaningful and measurable Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that will be used as a means of measuring and reporting on progress of the digital strategy and associated risks to governing bodies;
• Ensuring sufficient skilled resources are in place to deliver key elements of the digital strategy and to translate Council business requirements into IT projects aligned with the strategy;
• Implementation of a formal process to monitor future business direction, technology, infrastructure, regulatory and legal trends to feed into the digital strategy;
• Development and implementation of a strategic IT Infrastructure plan;
• Improving visibility of all Council-wide IT initiatives and projects by broadening the existing change management process to ensure they are all captured.
2. SUMMARY OF CONCLUSIONS
2.1 The conclusion for each control objective evaluated as part of this audit was as follows. The risk rating shown against each control area is the rating recorded against the corresponding finding (1 to 8) in section 5.
Control Area / Risk Rating (High, Medium or Low):
1. An application architecture is in place that ensures that the Council has a suite of compatible applications that are aligned to the IT and digital strategy. Risk rating: Medium.
2. A data architecture standard is in place that facilitates application interoperability and enables the sharing of data elements among Council applications and systems. Risk rating: Medium.
3. An appropriate governance structure is in place that ensures that IT related projects, initiatives and requests are aligned to the digital strategy. Risk rating: Low.
4. Appropriate Key Performance Indicators and Key Risk Indicators are in place to measure and report progress of the digital strategy and associated risks. Risk rating: Low.
5. Sufficient skilled resources are in place to deliver key elements of the digital strategy and to translate Council business requirements into IT projects aligned with the strategy. Risk rating: Low.
6. A formal process is in place to monitor future business, technology, infrastructure, regulatory and legal trends, which are then fed into the digital strategy. Risk rating: Low.
7. An IT technology infrastructure plan that is based on the Council's IT strategic and tactical plans and technology direction is in place. Risk rating: Low.
8. Complete visibility of all planned and ongoing IT projects and initiatives within the Council exists, to ensure alignment with the digital strategy, prevent duplication and capture opportunities for synergies. Risk rating: Low.
2.2 The recommendations arising from the review are ranked according to their level of priority as detailed at the end of the report within the detailed audit findings. Recommendations are also colour coded according to their level of priority, with the highest priorities highlighted in red, medium priorities in amber and lower priorities in green. In addition, the detailed audit findings include columns for the management response, the responsible officer and the timescale for implementation of all agreed recommendations.
2.3 Where high recommendations are made within this report it would be expected that they should be implemented within three months from the date of the report to ensure that the major areas of risk have either been resolved or that mitigating controls have been put in place, and that medium and low recommendations will be implemented within six and nine months respectively.
3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT
The following areas did not form part of this audit:
• The review did not provide assurance over the overall digital roadmap / strategy or proposed technologies.
4. ACKNOWLEDGEMENTS
Audit would like to thank all involved for their assistance during this review.
5. DETAILED AUDIT FINDINGS
Each finding is recorded under the report's standard headings: Ref., Priority, Findings, Risk Arising/Consequence, Recommendation, Management Response, Responsibility and Timescale, and Recommendation Implemented (Officer & Date).

Application and Data Architecture

Ref. 1 (Priority: Medium)
Findings: The current application architecture is immature and requires development. This is due to individual directorates having bought or developed their own applications, and this has been compounded by a lack of cross-directorate initiatives. Additionally, the diversity of services delivered by the Council has resulted in a large application portfolio. This issue has been recognised by the Council and is being addressed, but progress has been slow to date due to resource issues.
Risk Arising/Consequence:
• Duplication of application functionality resulting in increased costs.
• Implementation of bespoke applications that do not support the digital strategy.
• Inability of key applications to communicate and use data from other systems.
Recommendation: The Council should ensure that sufficient resource is focused on developing application architecture as soon as possible to avoid impact on the overall delivery of the digital strategy.
Management Response: The business services that applications deliver have never been mapped into an enterprise architecture tool. Therefore duplication will definitely exist although this has not been formally identified. Business services are now being mapped to applications and progress is being made based on high priority applications. For example, OneServe and Edulink are proving duplication of services that will be delivered by replacing both systems with the customer access platform.
Any purchase of new applications needs to be centralised and approved via BAB to ensure alignment to the digital strategy. This ensures that there is application integration and interoperability and adherence to a common data framework.
Responsibility and Timescale: Neill Crump. Timescale based on opportunities to lower costs and lead to application rationalisation opportunities; in the next 6 months this will be related to the customer access platform. Centralised approval of new applications via BAB: currently delivered.

Ref. 2 (Priority: Medium)
Findings: No data architecture or common data standards (format etc.) exist that applications are required to conform with in order to facilitate interoperability and data sharing / exchange.
Risk Arising/Consequence: Inability of key systems to communicate or use data from other systems. The Council will be unable to extract synergies and maximum value from the data it holds.
Recommendation: Implement an enterprise data architecture which defines the Council's data syntax rules, enables the sharing of data elements among applications and systems and provides a common baseline data structure. This will prevent incompatible data elements from being created or modified and will enable the sharing of data for IT and business users.
Management Response: Business modelling (process and data flow) and data model (for as-is source systems and Rocket) standards will be developed that will allow data from various systems (e.g. relational databases, file sources, and other sources such as SAP) to be extracted (i.e. cleansed, profiled), transformed (i.e. joined, aggregated, filtered) and loaded (i.e. creation and execution of workflows from the data source to Rocket) to form one or more data marts. The business will consume these data marts as intelligent reports and dashboards.
Note that this process will identify data issues that have existed in WCC due to the design of previous business process and system implementations. Some of these are currently unknown. By April next year, these will not all be solved.
Responsibility and Timescale: Neill Crump. April 2015, based on prioritised reports and dashboards delivered as part of the Rocket implementation.

Governance Structure

Ref. 3 (Priority: Low)
Findings: There are a number of groups, including the Business Architecture Board, Project Governance Group and Technical Architecture Group, involved in assessing IT related projects, initiatives and requests. It is not clear how these groups formally interact in terms of approval of products or services to ensure alignment with the digital strategy.
Risk Arising/Consequence: IT projects and services that are not aligned to the digital strategy may be approved.
Recommendation: Develop a Responsibility Assignment Matrix (RACI) which will enable the Council to identify and track accountabilities and responsibilities with respect to the digital strategy. It will also improve and formalise communication between groups. Additionally, the Council will be able to identify and address any gaps in accountabilities and responsibilities.
Management Response: All of these groups have been put in place to support the needs of the Digital Strategy and to ensure that we are supporting service areas in procuring the right applications, are able to maintain and support from an ICT infrastructure perspective and that visibility is gained on any enhancements to WCC's technical architecture. The process between TAG and PGG is intrinsically linked. A RACI matrix will be created to formalise these relationships.
Responsibility and Timescale: Sarah Daniel. Aug 2015.

Progress and Risk Monitoring

Ref. 4 (Priority: Low)
Findings: There is no formal monitoring of progress against the digital strategy to measure and track progress. Additionally, there is no reporting on the risks facing the successful delivery of the digital strategy and whether they are in line with the Council's risk appetite.
Risk Arising/Consequence: The Council will be unable to monitor the progress of the digital strategy and how successful it has been. Key risks may not be identified. Risk may not be managed in accordance with the Council's risk appetite.
Recommendation: The Council should develop relevant, meaningful and measurable Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that will be used as a means of measuring and reporting on progress of the digital strategy and associated risks. Information on creating appropriate KPIs and KRIs has been provided to the Council.
Management Response: The digital strategy is broken down into individual projects that are progressed and monitored with appropriate risk management included and agreed with Sponsors. Also progress is reported quarterly to BAB. There is an annual review of progress against the digital strategy that reviews how successful it has been.
Responsibility and Timescale: Neill Crump. Review and update the directorate and digital strategy risk register to ensure alignment and include in quarterly review.

Resource Constraints

Ref. 5 (Priority: Low)
Findings: There are resource constraints in terms of insufficient project managers to accommodate the changes driven by the digital strategy. Current resource planning is poor as there is no visibility of where individuals within IT are spending their time and what they are working on. Additionally, Business Analysts currently have insufficient IT knowledge to enable them to translate business change requirements into IT projects to be delivered by IT.
Risk Arising/Consequence: Insufficient resource to deliver key elements of the digital strategy. Inability to translate business requirements into IT projects aligned with the digital strategy.
Recommendation:
• The Council should ensure that the level of project resource available to deliver elements of the digital strategy is sufficient.
• The Council should consider the introduction of a method such as timesheets to capture how IT staff are spending their time and what they are working on. This will allow a resource and work profile to be built in order to provide the Council with the ability to determine if IT staff are deployed and focused in the correct areas.
• Improve the IT knowledge of Business Analysts through training and knowledge sharing.
Management Response: A new system has recently been set up to review PM capacity on a monthly basis. In conjunction with the Development Programme Manager, PMs allocate a % of time against each project to understand where there is spare capacity or pinch points. This has already led to some "swapping" of project areas to allow for consistency on larger, high profile projects. The review also looks 6 months ahead. There are plans to move to a more formalised charging system in the future which the programme team will comply with.
Consideration is being given to further training for Business Analysts. To improve the technical knowledge of project staff, TAG will offer sessions to improve awareness of the technical processes used by the Council, which will aid an understanding of the 'Infrastructure Standards' document already available.
Responsibility and Timescale:
• Sarah Daniel: continue to monitor PM capacity on a monthly basis from within the Development Programme Team. This will be a continuous exercise.
• Neill Crump: investigate rollout of timesheet system for all staff after commissioning of infrastructure has completed. April 2015.
• Sarah Daniel: 1st October 2014.
• Neill Crump: Dec 2014.
• Terry Hancox, ICT Service Operations Manager, to arrange training. 1 December 2014.

Monitoring of Future Trends

Ref. 6 (Priority: Low)
Findings: The current processes to monitor future business, technology, infrastructure, regulatory and legal trends which feed into the digital strategy are informal.
Risk Arising/Consequence:
• Inability of the Council to identify and take advantage of new opportunities and technologies.
• Non-compliance with legal and regulatory requirements.
• Lack of technical direction leading to over-complex, inefficient and ineffective solutions being implemented.
Recommendation: A formal process should be implemented to monitor future trends including:
• Technological developments in the context of their potential contribution to the realisation of the Council's digital strategy;
• The activities and initiatives of other Councils;
• Infrastructure issues;
• Legal requirements; and
• Regulatory environment.
The process should also include how future trends are reported on.
Management Response: The TAG is already tasked with identifying new technologies available to WCC and, in conjunction with DCoI staff (who are also part of TAG), identifying if these technologies can prove of benefit to WCC. HP, as the new Service Management provider, have already presented proposals to improve this area and, combined with a review of TAG, will mitigate this area. Additionally an Infrastructure & Security Architect is being recruited to drive this forward view. The governance will be re-shaped once the transition to the new provider is in place.
Responsibility and Timescale: Neill Crump. Implement revised terms of reference for TAG and BAB to ensure this forward view is coming forward. Reports from TAG should be used as input into BAB for review by the business. April 2015.

Infrastructure Standards

Ref. 7 (Priority: Low)
Findings: An Infrastructure Standards document is in place that describes the technologies that are currently in use within the Council to deliver existing services. This document is not a strategic IT technology Infrastructure Plan that is based on the IT strategic and tactical plans and technology direction.
Risk Arising/Consequence: Lack of technical direction leads to over-complex, inefficient and ineffective solutions being implemented.
Recommendation: The Council should produce a strategic IT Infrastructure plan that contains the following key components:
• Consideration of factors such as consistent integrated technologies, business systems architecture and contingency aspects of infrastructure components, and directions for acquisition of IT assets;
• Transitional and other costs, complexity, technical risk, future flexibility, value, and product/vendor sustainability;
• Ongoing assessments of the current vs. planned information systems, to further modify or enhance the migration strategy or road map in order to achieve the future state; and
• Identification of changes in the competitive environment, economies of scale for IT staffing and investment, and improved interoperability of platforms and applications.
Management Response: The first action for this was to put in place an ICT Managed Service Supplier (HP). The second step is to employ an Infrastructure & Security Architect. Once both of these are in place then a plan can be produced. The centralisation of IT spend and design (which has been proposed and recommended to SLT) needs to be implemented.
An Infrastructure plan will give scope and limits to opportunities available to WCC, so that opportunities best fit developments. This underlines the need for regular sessions between all the technical teams to exchange information and forward plan.
Responsibility and Timescale:
• Peter Bishop to recruit Infrastructure & Security Architect: February 2015.
• Infrastructure & Security Architect: September 2015.

Visibility of IT initiatives

Ref. 8 (Priority: Low)
Findings: There is still no complete visibility of applications and IT initiatives being bought or commissioned by directorates. Additionally, there is no complete view of projects and IT initiatives being planned across the Council. Only key IT projects are captured in the IT project register.
Risk Arising/Consequence: IT projects and initiatives may be ongoing within the Council that are not aligned to the digital strategy.
Recommendation: The Council should consider broadening its change management process to ensure all IT initiatives and projects are captured.
Management Response: Business Architecture Board (BAB) is in place. One of its objectives is to provide visibility of applications and IT initiatives. Despite this, sometimes, some initiatives do bypass BAB. This is best done as a new part of TAG (where these groups meet already).
There is a transformation map in place that gives a complete view of IT initiatives known to BAB and the project register does reflect all of these initiatives. As well as continuing to raise the profile of BAB and the responsibility of the board members to ensure their Directorates are accurately represented, it is proposed that the e-tender application is updated so that only Systems & Customer Access can upload an IT related tender.
Enhance alignment on a day to day level through direct directorate engagement through nominated Project Managers and/or Business Analysts to capture early plans that may require ICT input.
Responsibility and Timescale:
• BAB members to reconfirm responsibility with their Directorates: March 2015.
• Neill Crump to arrange updates to the e-tender portal: April 2015.
• Sarah Daniel & Neill Crump: April 2015.
Key to Priorities:
High: This is essential to provide satisfactory control of serious risk(s).
Medium: This is important to provide satisfactory control of risk.
Low: This will improve internal control.
Limitations relating to the Internal Auditor's work
The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control environment.