Is internal audit a waste of money?

By Tony Collins

Today’s National Audit Office report “The effectiveness of internal audit in central government” raises questions about whether the £70m cost of internal auditors is a pointless expense.

Internal auditors are supposed to be the “eyes and ears” in the organisation to highlight what is going wrong. But their reports are kept secret – so why should civil servants take any notice of them, and what incentive do the internal auditors have to blow the whistle on failing schemes if they are going to be ignored?

The NAO suggests that internal audit has not been helpful in providing early warning of IT-related disasters such as Firecontrol. But it does not recommend that internal audit reports are published. Neither does yesterday’s Civil Service Reform Plan.

The NAO says:

“Our value-for-money studies, such as the procurement of Type 45 destroyers and the development of new fire and rescue regional control centres, have identified many instances where there has been poor value for money because core systems have not provided sufficiently realistic, robust or comprehensive information to allow effective oversight and decision-making.

“In many cases these weaknesses have not been identified by internal audit.”

The NAO concludes in today’s report that the £70m spent annually on internal audit is “poor value for money”. Internal audit in central government employs 1,000 people, says the NAO.

The effectiveness of internal audit in central government – today’s NAO report

One response to “Is internal audit a waste of money?”

  1. This article highlights the weakness of the key control mechanism supporting IT systems and particularly IT systems procurement. “Audit” is necessarily a retrospective exercise; it’s also invariably focused on money – indeed the referenced report is published by HM Treasury – with the understandable focus on pound notes.
    It’s a bit like you visiting your doctor to be told “we have no idea what’s wrong with you, but don’t worry we have an excellent pathologist and he’ll work it out”. How would you feel about that?
    Control mechanisms need to be just that – CONTROLS. They need to be applied DURING a project – and retrospective audit is always too late. People and organisations move on; lessons learned from earlier disasters are ignored – with the inevitable consequences and the current ongoing procession of failed IT systems.
    Controls need to be put in place from the start – and assertively supported by senior management. As well as being independent, controls need to be technical – not just a measurement of success (or otherwise) by how much money has been spent. And engineering discipline needs to be enforced – these are often unwieldy projects and disparate organisations are necessarily difficult to control.

    Bob Evans
    TestIT Software Assurance
