Category Archives: IT security

Atos pleased after it’s cleared of “sharp practice”

By Tony Collins


A Cabinet Office review of the Whitehall contracts of IT services company Atos following a Public Accounts Committee allegation of “sharp practice” has more than exonerated the supplier.

After looking at 12 Atos government contracts, the Cabinet Office has written to the Public Accounts Committee praising Atos for going beyond its contractual obligations. Where the company has fallen short, it has taken remedial steps.

Rarely are any government statements on an IT supplier replete with praise.

It’s likely the vindication will take some MPs by surprise after failings in a project to gather data from all the various GP practice systems and collect it in one place – the so-called General Practice Extraction Service.

Now Atos may in future be in a position to use the statement as evidence, when bidding, of its success in delivering government IT services and projects.

Millions written off

In December 2015 the Public Accounts Committee was highly critical of Atos in its report on the extraction service project.

The NHS Information Centre accepted the system from Atos although it didn’t work properly. The Centre also made public announcements at the time on the system’s success. In fact the system had “fundamental design flaws” and millions of pounds was written off.

The Committee said,

“Very common mistakes from past projects were repeated, such as failing to adopt the right contracting approach, failing to ensure continuity of key staff on the project, and failing to undertake proper testing before accepting the system.

“GPES [General Practice Extraction Service] started some five years later than planned; it is over-budget; and it still does not provide the full service required.

“Atos, supplier for a key part of the system, may have met the letter of its contractual obligations but took advantage of a weak client by taking the client’s money while knowing full well that the whole system had not been properly tested.”

The Committee said that the NHS official who was chief executive of the Information Centre when it accepted the flawed system was “awarded total emoluments of £470,000 for the financial year 2012–2013 including a redundancy payment of £330,000”.

Tests

The Committee found that in its approach to the project, “Atos did not show an appropriate duty of care to the taxpayer”.

“We are not satisfied Atos provided proper professional support to an inexpert client and are very concerned that it appears to have acted solely with its own short term best interests in mind.

“Atos admitted that end-to-end testing should always be undertaken and that it was supposed to have happened in this case. However, NHS IC and Atos agreed a more limited test of the Atos component due to delays in completing other parts of the system.

“The Atos software passed this test, but after NHS IC accepted the system—and to Atos’s professed surprise—the system as a whole was found not to work. Atos claims it fixed the issues relating to its software at its own expense and that the additional £1.9 million it received while doing so was for additional work related to 15 new features.

“We found that Atos’s chief executive, Mr Adrian Gregory—the company’s witness in our enquiry—appeared rather indifferent to the plight of the client; we expect more from those contracting with government and receiving funds from the taxpayer.”

“Sharp practice”

The Committee recommended that the Cabinet Office undertake a “full review of Atos’s relationships as a supplier to the Crown”.

“We expect the Cabinet Office to note carefully this example of sharp practice when determining what obligations a duty of care on contractors should entail and what sanctions would apply when performance falls short.”

The government agreed to have a review.

Findings of Cabinet Office review of Atos contracts

The Cabinet Office found no “examples of behaviour that might be described as sharp commercial practice in the course of this review”.

The review team looked at 12 Atos contracts worth a total of more than £500m a year – 80% of Atos’s work with central government.

| No | Department | Contract Name |
|----|------------|---------------|
| 1 | Department for Work and Pensions (DWP) | Personal Independence Payments (PIP) |
| 2 | Department for Work and Pensions (DWP) | Government Gateway Agreement |
| 3 | Department for Work and Pensions (DWP) | ICT in support of medical assessments |
| 4 | HM Treasury (HMT) | National Savings and Investments (NS&I) |
| 5 | Ministry of Justice (MOJ) | Development, Innovation and Support Contracts (DISC) Infrastructure Services Agreement |
| 6 | Ministry of Justice (MOJ) | End User Computing Services (EUCS) |
| 7 | Nuclear Decommissioning Authority (NDA) | Shared Service Alliance |
| 8 | Home Office (HO) | IND Procurement of Infrastructure Development and Support (IPIDS) Agreement |
| 9 | Home Office (HO) | Contain Agreement |
| 10 | Department of Health (DH) | Information Management Services (IMS 3) |
| 11 | Ministry of Defence (MOD) | Strategic Partner Framework Defence Core Network Services (DCNS01) |
| 12 | Driver and Vehicle Standards Agency (DVSA) | ICT Managed Services Agreement (IS2003) |

Far from finding examples of sharp practice, the review team found “examples to the contrary”. In some of the contracts, Atos was “working at risk” and going “beyond their contractual obligations to act in the client’s interests”.

“Specific examples include expediting change control notices at the client’s request in advance of formal approval, taking financial risk ahead of contract extensions and proactively supporting the redeployment of resource to assist in the avoidance of client cost. On one contract, a notice period for a number of major decommissioning events lapsed and Atos continued to deliver the services flexibly to the client’s requirements until the service could be safely decommissioned.”

Where Atos did not meet monthly performance targets, service penalties were incurred and charged to Atos. “It was evident that when operational performance fell short appropriate sanctions were applied.”

Commitment

The Cabinet Office went on to say that Atos proactively and constructively engaged in the review and provided information as requested, “sometimes over and above their contractual commitments”.

The review team added,

“It is clear that Atos values its relationship as a supplier to the Crown; it has a comprehensive approach to the governance of all the contracts reviewed and the Atos leadership team shows commitment to its customers.

“In response to the PAC [Public Accounts Committee] hearing Atos has undertaken a number of initiatives to address PAC’s concerns.

“The Atos corporate programme ‘Client at the Heart’ aims to deepen the client-focussed culture within the organisation by embedding a set of values and action plans to deliver improved service for each contract they run, including all government contracts.

“In addition, whilst employees have always been recognised for achievement in quantitative and qualitative objectives, financial targets vary but typically account for only a small proportion of total reward packages.

“We see this as evidence that Atos client executives are incentivised to provide the appropriate professional support.”

An Atos spokesman told civilserviceworld that the company was “proud to be a trusted supplier” and had welcomed the review as an opportunity to demonstrate the quality of its services.

“We are pleased that the Cabinet Office has concluded that we deliver the appropriate level of professional support to our government clients,” he said.

Comment

It’s clear that Atos deserves credit for going beyond the call of duty on some contracts. It is also clear that those departmental officials the Cabinet Office spoke to as part of the review were happy with Atos.

What’s not so clear is the extent to which civil servants in general are in a position to know how well their major IT suppliers are performing.

Evidence from National Audit Office reports is that departments may not always have comprehensive, accurate and up-to-date information – and enough staff time – to give sound judgements on how well a major IT supplier is performing on a complex contract.

Indeed the National Audit Office can be scathing about the quality of contract management within departments.

In 2013 the Audit Office, in its report “Universal Credit: early progress”, identified a series of astonishing failings that, taken together, suggested that the DWP had little understanding of what its major IT suppliers were charging for, or why, let alone what their performance was like.

The DWP is the largest central government department – which leaves one to wonder whether some other departments, which have smaller budgets and fewer staff, are better or worse off in terms of understanding their IT contracts.

These were some of the contract management weaknesses at the DWP as identified by the National Audit Office in 2013:

  • Over-reliance on performance information that was provided by suppliers without Department validation.
  • Inadequate controls over what would be supplied, when and at what cost because deliverables were not always defined before contracts were signed.
  • Weak contractual relationships with suppliers.
  • The Department did not enforce all the key terms and conditions of its standard contract management framework, inhibiting its ability to hold suppliers to account.
  • Limited line of sight on cost of delivery, in particular between expenditure incurred and progress made in delivering outputs.
  • Poorly managed and documented financial governance, including for delegated financial authorities and approvals; for example 94 per cent of spending was approved by just four people but there is limited evidence that this was reviewed and challenged.
  • Limited IT capability and ‘intelligent client’ function leading to a risk of supplier self-review.
  • Insufficient review of contractor performance before making payments – on average six project leads were given three days to check 1,500 individual timesheets, with payments only stopped if a challenge was raised.
  • Ministers had insufficient information to assess the value for money of contracts before approving them.
  • Insufficient challenge of supplier-driven changes in costs and forecasts because the programme team did not fully understand the assumptions driving changes.

The Cabinet Office, in its review of Atos, found “inconsistencies” in departmental compliance with guidelines on contract management. It said,

“Where the evidence suggests that contract management is inconsistent [with National Audit Office guidelines on contract management] the Cabinet Office is discussing improvements with the contract owners in the Departments concerned.”

Praise where praise is due and Atos may well be a good – and perhaps outstanding – IT supplier to central government.

But if departments don’t have enough solid information on how well their major IT suppliers are performing, to what extent is any Cabinet Office statement praising an IT supplier likely to be a hopeful panegyric, based on what officials in departments believe they are expected to say?

Cabinet Office statement on Atos to the Public Accounts Committee – 8 September 2016

Public Accounts Committee report on Atos and the General Practice Extraction Service – December 2015


Officials black out IT security report after it’s published in full

By Tony Collins

In one of the most bizarre regressions since the FOI Act came into force in 2005, officials at Somerset County Council have redacted an audit report on SAP security weaknesses after the report was published in full.

The result is that anyone can see links to both versions. This is the report with parts of it redacted – blacked out. These are links to the full versions, which were published before the redactions – here and here.

The report was written by auditors Grant Thornton for Somerset County Council and highlights weaknesses in a database that is shared by the council, Taunton Deane Borough Council and Avon and Somerset Police. The database is part of a SAP system run by Southwest One on behalf of the three authorities.

Southwest One is an IBM-led enterprise that provides IT and other services to the three authorities under a controversial outsourcing contract. Dave Orr has written comprehensively about the deal.

Somerset published the Grant Thornton report in full. The media including Campaign4Change published some details of the IT security weaknesses mentioned in the Grant Thornton report. It appears that Avon and Somerset Police asked officials at Somerset to black out details of some of the weaknesses.

Somerset-based FOI campaigner Dave Orr says the blacking out is to save the blushes of the police.

Says Orr: “Much of the redaction in the Somerset County Council IT Controls report by Grant Thornton, especially generic and available password advice in Section 3, is not based in a genuine security threat, but looks to be rooted in a Police culture that seeks to avoid criticism and/or embarrassment.”

Somerset MP Ian Liddell-Grainger says:

“SAP was built on the cheap by IBM to serve three different customers – the County Council, Taunton Deane district council and the Police. It would have made sense to bung in a few partitions to stop council eyes taking a peek at police matters, or vice versa. But that would have cost money – perish the thought.”   

Police SAP system’s “significant” security weaknesses.

Universal Credit to be partly online

By Tony Collins

At yesterday’s Work and Pensions Committee hearing Howard Shiplee, Director General for Universal Credit, confirmed what many have been saying: that UC will not be an entirely online process.

He said claimants will have to prove who they say they are. He didn’t say how, but one suggestion is that claimants may have to produce documents at an interview, and may have to prove changes in circumstances.

This would make online security for UC – which has been a major sticking point – easier to design.

Shiplee told MPs yesterday:

“From a security point of view to have everything digital is not at this stage a sensible or appropriate solution.

“It will take some considerable time to get to a totally online system. In fact nobody is operating the types of system we are talking about which are disbursing large sums of money. Nobody is using a totally online approach. You have to prove who you are. You have to prove what you are doing when you change circumstance. If you want to open a bank account you have to go and present yourself.

“I have talked to a lot of financial institutions about this and that is exactly where they are coming from as well.”

Dame Anne Begg, chair of the committee, asked when it was decided that the original approach of “digital by default” was wrong – a “false promise that was never going to be delivered”.

Shiplee replied:

“It is very difficult to talk about promises. There is nothing wrong with having aspirations. If people don’t have aspirations to achieve things there will be no progress. Perhaps that was an aspiration a little too far at a stage in time.”

Another MP, Stephen Lloyd, Liberal Democrat, asked Shiplee about alleged interference in Universal Credit by the Cabinet Office (which is anxious to ensure that UC is not another government IT-related disaster). Lloyd asked if there is any truth in the suggestion that if the Cabinet Office doesn’t stop interfering Shiplee will quit.

Shiplee did not confirm or deny. He said:

“I cannot comment on tittle tattle that I haven’t heard. What I can comment on is that occasionally one has disagreements with people and one has to get on with things. I am charged with having a sense of urgency about these things. I make no excuse for that. There are no other issues that are holding me up…”

Asked by Lloyd, on a scale of 1-10, how confident he is that UC will be delivered, and delivered at scale with the huge volumes intended, Shiplee replied:

“I have never been keen on one to tens so I will just give it to you straight. I believe UC can be delivered in the way that has been suggested.

“What we are talking about is automating a system in terms of technology but what in many ways is much more important is the culture change, the change in the way our business operates. All of these that tend to get completely ignored in these sorts of discussions.

“The technology is an enabler but many of the challenges we have not fully faced yet we will face as the business is reconfigured, as tens of thousands of our staff are retrained …there are a whole series of challenges. But can it be delivered? The answer is that there is no doubt in my mind.”

Will it be delivered?

“I believe it will be. It has to be delivered.”

Universal Credit project to abandon digital by default – Brian Wernham’s blog