Saturday, 19 April 2014

One Barnet and the mess it has created - a massively critical internal audit report

For all those One Barnet evangelists who believe everything they are told, make sure you read the latest Barnet Council Internal Audit report. Of the 17 system audits carried out, 6 received a rating of limited or no assurance which is bad. Please read till the end as some of the matters are exceptionally serious.

I'll start with the limited assurance audits. The first relates to the outsourced contract for legal services with Harrow. The audit report states,
"We found an overspend on the Harrow & Barnet Public Law (HBPL) contract, with uncertainty noted in Delivery Units regarding the charging process. Further, it is unclear what income will be achieved on the HBPL contract from the provision of legal services to Re and the Barnet Group and how that will be accounted for". They recommend, "The Commercial Team HBPL contract manager should communicate the legal services charging basis to budget holders and formalise the process of recharging with Delivery Units. Uncertainty around the treatment of income from Re and the Barnet Group should be resolved by reference to the contract and without further delay".
What I want to know is why on earth this wasn't sorted out before now and how can the success or failure of this contract be measured if no one knows what it is really costing. Last year Barnet paid Harrow £3.1 million for legal professional services. So much for outsourcing making cost savings.

The second limited assurance audit relates to the HR function carried out by Capita.
"There is no requirement for the order of agency staff on the Comensura system to be approved by a more senior officer. There is therefore a risk that agency staff may be appointed without appropriate approval. This may not be in-line with the Council’s scheme of delegation and lead to inappropriate use of the Council’s resources". It also notes that "There are no checks performed by the Council to ensure that all pre-employment checks have been completed on agency staff by Comensura, in particular, the Disclosure and Barring Service (DBS) checks. There is therefore a risk that agency staff may be inappropriately employed, leading to breaches of procurement policy, potential safeguarding issues, increased fraud risk and reputational damage".

Given that the council paid Comensura £13.69 million in 2013, I find it utterly shocking that there was no approval system and no checks on who was employed. Capita have had this responsibility since September so in the last six months how much money has been wasted and how many rogues have been employed? Even worse Capita state that HR have a number of competing priorities and that implementing the new payroll system comes first so changes to the DBS checks will not be implemented until June.

The third limited assurance audit relates to business continuity - in other words keeping the council running if there is a major problem. The report states that,
"There is no corporate business continuity strategy, and this is recognised as a risk on the Council's risk register. Without a current and comprehensive strategy, there is no clear Council approach for Delivery Units. This could result in Delivery Unit approaches to business continuity which do not enable efficient recovery following an incident". They also note that "Previous business continuity incidents are not formally recorded and there is no lessons learned log. If previous incidents and lessons learned are not captured, then improvements to the business continuity process will not be made, resulting in a less effective process.

That is just poor management but Barnet seems to have been troubled  a number of times by failing to learn from its previous mistakes and it looks like that will continue to happen.

The fourth limited assurance relates to the much trumpeted outsourcing of parking services to NSL. The reports states that, "The Parking Project’s business case listed 13 financial and non- financial
benefits to be delivered to the Council throughout the five year contract period, which included income generation, service quality and savings targets. We found that controls were not in place to ensure that the future realisation of these planned benefits was monitored and managed, for example roles and responsibilities for benefit management and planned timelines for benefit reporting. The Benefits Realisation Plan produced at the end of the project had not been reviewed since the project handed over to the Clienting team in May 2012. An issue management strategy was not in place for the contract and as a result we were unable to identify how the Clienting team intended to manage and escalate issues with the contractor. In particular we were unable to identify what constituted an issue that NSL would be required to raise with the Council; defined roles and responsibilities for those involved in issue management; and documented thresholds or escalation routes for issues".

As our Parking Guru and now national media star Mr Mustard has said so many time this contract isn't delivering what it promised and no one is managing it adequately.

Now we move on to the two audits which received a no assurance rating and which are quite shocking.

The first is  IT Access Controls. The reports states that there is a lack of documented Council-wide policies relating to IT user access management. The only area which did have policies was the Integrated Children's System and that is only because it has been criticised in the past for a lack of policies. More seriously, the report also says that: 
"There is a lack of ownership for IT user management across the Council in relation to the areas audited and at a corporate level. This stems from the lack of a clear division of responsibility in this area between the Council and its IT support provider Capita". 
I have said repeatedly over the last three years that there is a massive risk that certain functions and responsibilities will fall down the gap between what the Council retains and what Capita take over. So what you may say? But here comes the killer statement from the report.
Access to Council systems is not controlled or monitored effectively. For all employees added to any Council system prior to 2010, no evidence of authorisation for access has been retained. No formal reviews of staff access levels or active users had been documented in any of the areas audited. Furthermore, there is no formal process in place for the removal of IT access for temporary staff after they have left the Council. This is appalling especially as the council has been and continues to employ hundreds of temporary staff.

The recommendations are numerous but include the following:
"a) A formal agreement should be developed between Barnet and Capita detailing the responsibility for user management across the Council.
b) An up to date listing of all Council applications should be developed and maintained and include details concerning responsibility for administration and managerial roles between Capita and Barnet".

Capita have been helping the council since last July and were formally operating the CSG contract (which includes IT) since last September yet there is no formal agreement for user management of the IT systems and according to the management comments this will not be implemented until August this year. Barnet had three years to prepare for this contract yet something as fundamental as to who is allowed to access the IT systems is overlooked.

The report also recommends that:
"A Council wide formal process to remove all users from all systems should be developed and
agreed between the Council and Capita. Barnet should seek assurance that Capita remove staff
access in a timely basis. Management should obtain ongoing assurance that polices and processes introduced are being followed in practice, including the retention of authorisation provided for IT access".

So there you have it. Barnet have to seek assurances that Capita do the job they are supposed to be doing because Barnet have handed over responsibility for one of the most sensitive and critical elements of the ways the council is run, its IT systems and have to hope and keep their fingers crossed that Capita actually do what they are supposed to do. I remain concerned that  thousands  of Capita staff dotted all around the UK all have access to Barnet's IT systems without all of the necessary policies and procedures in place to make sure those people should or need to have access.

The second audit that received no assurance relates to the Adult Social Care case management  and and documentation systems SWIFT and Wisdom. The SWIFT system has been having problems since at least 2011 as recorded in the Quarterly performance management reviews. However, in the latest audit report it states that:
"No documentation exists for the administration of either application and the responsibility for oversight of the applications is unclear. There are currently significant operational issues with the system in that it ‘freezes’ limiting its use for operational staff. This has been reported however calls to the helpdesk regarding issues with Swift have remained unresolved and senior management within the delivery unit have not escalated the matter to ensure its resolution. During the audit it was apparent that the working relationship between Adults and IT needs to be more collaborative. Management have no oversight of the backup process for Swift and there is
overarching uncertainty over whether the bespoke elements of the system are backed up at all.
Backups for Wisdom have never been tested. Northgate, the provider of Swift, have stated that
they will be unable to restore Swift in the event of a system collapse; this could result in all client
information in Swift being lost.

So what it is saying is that the system doesn't work and the helpdesk aren't resolving the problems and that if the system does go wrong there is a risk that ALL THE DATA ON ADULT SOCIAL SERVICES CLIENTS COULD SIMPLY DISAPPEAR.

I find it incredulous that such a critical system could be so vulnerable, especially as there have been concerns about this system for the last three years.  I have said repeatedly that the inertia cause by the the entire One Barnet outsourcing project was resulting in the days to day running of the council being overlooked and here is the evidence in black and white.

The report also flags up information security and access issues arising from the difficulties with the system. Because the SWIFT system keeps freezing some staff are taking information off the system to store separately so they can do their day to day work. However there is no record of where this data is stored and if it is secured. The access log system is so ineffective that there is no record of who goes into and edits client files. This is incredibly sensitive information yet the report also says that having been granted access to the system as a whole there is no classification systems as to which users can access which information.

All of these items will be discussed at the Audit committee on Tuesday 29 April. Sadly, I have no confidence that there will be any challenging questioning as we are now in election mode. It is also a major regret that the Chairman of the Audit Committee, Lord Palmer is standing down at the election as he has tried his utmost to hold the council to account supported in large part by the bloggers and active citizens of Barnet.

Anyone who tells you that Barnet's outsourcing has been a success is fooling themselves. We have had 3 or 4 years of complete inertia when the day to day running of the Council was given a low priority and investment minimised. Contractual barriers have been erected between Capita and retained Council functions which create grey areas of uncertainty over responsibility and some contractors are simply ignoring the council and doing what they want. Commissioning Council may be a buzz phrase but the reality in Barnet is a failure to deliver on the basics.

1 comment:

  1. I seem to recall watching Lord Monroe Palmer giving "Captain Chaos" / Craig Cooper a complete kicking over password access the last time this came before Audit committee. A rare example of an officer (highly / over paid senior employee) being given the treatment they deserved as Craig tried to deny responsibility for the issues outlined in an audit report that he had signed off as agreed. Lucky for us we lost his services in a reshuffle but he reappeared as a central governement procurement expert (wait 5 minutes whilst I pick myself up off the floor where I have been rolling around laughing) which was thought to be the reward for taking the rap on the customer services judicial review (the one where he signed a prose statement of what looked like a million words of waffle that wasn't structured and His Honour Judge Underhill got it off his chest at the start of the trial). A pity we can't see the employment reference, it might win the Man Booker prize.