By Tony Collins
It’s good to see auditors in local government doing their job well – not accepting verbal assurances and seeking proof that all is well with an outsourced system .
But what if councillors apply a lower standard – and accept verbal assurances without checking them?
A strong report by the South West Audit Partnership [SWAP] went to councillors at Somerset County Council’s Audit Committee on 2 July 2015. The report was about problems with an outsourced system, the Adults Integrated Solution [AIS].
Although not the original supplier, IBM has provided AIS to Somerset County Council under a 10-year outsourcing contract/joint venture – Southwest One – that was signed in 2007.
The SWAP report said limited progress has been made in implementing the AIS-related recommendations from its 2012-2013 audit report. It added that:
– AIS performance and response times could be “less than adequate for users’ needs”.
– Southwest One was unwilling to develop a service level agreement specifically for the AIS application.
– “Poor response time has led to the disabling of enhanced audit trails/logs that would make it possible to trace and attribute user activity in the system.” SWAP added that this was “worrying” given that the data involved was “sensitive and personal”.
– SWAP had been refused access to the contract between IBM and Northgate, the original supplier of AIS.
Are verbal assurances worth anything?
Having studied AIS from time to time over 2 years, and spoken to its users, SWAP’s auditors have been reluctant, on some of their concerns, to accept verbal assurances that all is well.
When they have sought documentary evidence to support assurances it hasn’t always been forthcoming.
SWAP said in its latest report:
“Verbal assurances were provided that the ToR for AIS Programme Board had been reviewed and that roles and responsibilities in relation to system ownership had been clarified. However, no evidence was provided to support these assurances.”
Now Somerset’s audit committee has done what its auditors wouldn’t do and has accepted verbal assurances that all is well with AIS.
SWAP’s auditors had expressed a multitude of concerns about AIS. But Somerset’s officers verbally assured audit committee councillors that a single upgrade had solved all the problems.
One officer, in a statement, told Dave Orr, a Somerset resident who campaigns for openness over IBM’s relationship with the council:
“I can confirm that all of the fundamental issues raised through the [SWAP] Audit Report [on AIS] have now been addressed…
“The AIS application is one of the top systems used by local authorities for social care services in the UK. The performance issues referred to in the Audit Report were resolved by a system upgrade.”
It’s difficult if not impossible to see how a single upgrade could address all the points SWAP made – such as the lack of a service level agreement to cover AIS or the refusal by IBM to supply a copy of its contract with Northgate.
Whenever auditors produce a hard-hitting report there will be 2 opposing sides: defenders of what’s being criticised and the auditors.
It is up to the auditors to cut through any dissimulation, obfuscation and prevarication to identify what’s going well, what isn’t, and what the uncertainties and risks are.
Auditors would not be doing their job if they always accepted verbal assurances at face value.
But what if auditors are undermined by councillors who readily accept verbal assurances from their officers who wish to defend the suppliers?
A supplier that doesn’t have to provide documentary evidence can say anything in defence of its systems and the quality of service.
Somerset’s councillors are lucky to have auditors as independently-minded as SWAP.
It’s unlikely that SWAP would accept at face value the Somerset officer’s suggestion that because AIS is widely used it’s unlikely to be a poor system.
This would be like Ford saying a particular Mondeo is unlikely to be at fault because thousands of people happily own one.
Every IT installation is different, even if the main software package is widely used. The hardware, network configuration, load on the network, facilities and interfaces installed will render every IT installation unique.
It’s conceivable that every council client of AIS could have a trouble-free service except Somerset.
Are the council’s audit committee councillors gullible to accept verbal assurances about the problems with AIS being solved without requiring proof?
Where does this leave the 775 users of Somerset’s AIS, many of whom may be having to do difficult work in managing vulnerable adults while trying to cope with what may be one of the UK’s worst outsourced systems?
Thank you to Dave Orr for providing information that made this post possible.