Missing CDs – an excuse for ministers to attack the NAO?


What’s disturbing is the way the Chancellor of the Exchequer Alistair Darling and the Prime Minister Gordon Brown are using the incident of the missing discs to dent the credibility of the NAO, an organisation that’s not answerable to them but to Parliament.

Analysis and comment

Staff at the National Audit Office cannot be criticised for wanting so much child benefit data. They were doing their job of checking diligently for fraud and error in child benefit payments.

When the Department of Work and Pensions ran systems that paid child benefits, the NAO’s auditors did not need to request a copy of the database of claimant information. Its auditors trusted the DWP, mainly because the department did its own checks on a large sample of records – about 20,000 child benefit files.

But when the Revenue took over the running of child benefit systems under the Tax Credits Act 2002, the department’s staff checked too small a small sample – of only about 1,500 child benefit records. This wasn’t good enough for the NAO’s auditors. They decided to ask for the whole child benefit database, but suggested it was stripped of parent names, addresses and bank account details.


The idea was that NAO staff would choose their own sample test cases from millions of child benefit records supplied by HM Revenue and Customs. NAO staff would do this by loading onto systems run by consultancy and audit company KPMG the files on two CDs that had been supplied by HMRC. With the help of KPMG and software-based audit interrogation tools, the NAO’s staff were able to analyse child benefit records.

Armed with the results of this analysis the NAO staff would then travel to HMRC’s benefit offices at Washington, Tyne and Wear, to compare child benefit details from the CDs with HMRC’s other records.

It would be understandable if NAO staff did not want to rely on officials at HM Revenue and Customs to provide test cases from the child benefits database. It’s theoretically possible for test cases to be pre-checked and cleansed of any errors before being supplied to the NAO. That would negate the whole point of using a sample of cases to check for fraud or error.

It made sense for the NAO, in its own offices, to receive an [edited] copy of the child benefit database, choose the cases it wanted to check and visit HMRC’s child benefit offices to reconcile what was on the CDs with other records. The NAO should be praised for such assiduity.

The NAO can be criticised for accepting, in March and October 2007, details on millions of child benefit payments on unencrypted CDs. Even if the NAO staff who asked for the child benefit information for their audit were not those who police IT security, they should still have raised the alarm. It was difficult for them to do so, however, because they needed the data, without delay, for their audit of HMRC’s accounts.

The NAO should also have made it clear to HMRC’s senior management that it had changed its audit approach and would now do its own comprehensive tests on information from the child benefit database.

But what is much more disturbing is the way the Chancellor of the Exchequer Alistair Darling and the Prime Minister Gordon Brown are using the incident of the missing discs to dent the credibility of the NAO, an organisation that’s not answerable to them but to Parliament.

Gordon Brown and Alistair Darling have, in their choice of words, raised the suspicion that staff at the National Audit Office cannot always be trusted to get the facts right – although the credibility of the NAO rests on the ability of its staff to get facts straight.

Brown and Darling have also given the impression there is a conflict between the Revenue and the National Audit Office although there is no evidence of this.

Edward Leigh, chairman of the Public Accounts Committee, has written to the Prime Minister to ask for evidence of his claim that HMRC and the NAO are in conflict.

Gordon Brown told the House of Commons on 21 November 2007:

“There is a dispute about what the National Audit Office and HMRC said to each other about these particular data, but the important part of the inquiry [into the missing CDs and how unencrypted child benefit was transferred to them] is that it will reveal the truth of what happened.”

The day before in the House of Commons, on 20 November 2007, Alistair Darling indicated that he did not rule out a breach of HMRC’s procedures by the National Audit Office. He said:

“On child benefit, my understanding is that normally, the NAO would seek to investigate a comparatively small number of cases—perhaps as small as a dozen or so—in order to be sure that Revenue and Customs was following the correct procedures and paying them. It is not at all clear to me why seven million records would be necessary, or whether it would be possible for anyone actually to look at seven million records and properly audit them.

“If large-scale information is sought, as I understand it, the internal procedures of the Revenue and Customs require that the auditor would go to where these things are held, in Washington and the north-east, so that he could look at that information without it being taken out of a secure building. I understand that those procedures are in place. One of the things that the inquiry will have to find out is why those established procedures were breached by the individuals concerned.”

Alistair Darling also said of the National Audit Office:

“On the NAO’s original request [for an edited copy of the child benefit database], I am aware of the position that Sir John Bourn [the head of the National Audit Office] has helpfully set out for me. I have also received advice about what HMRC thinks it was asked for. One of the reasons that I want Kieran Poynter [of PricewaterhouseCoopers, who is reviewing the missing CDs incident] to investigate is to reconcile the sometimes differing accounts of what happened. I have been at pains not to allocate blame as between the NAO or HMRC.”

And when a Labour MP suggested that the NAO may have broken the law in asking for a copy of the child benefits database, Alistair Darling said little in defence of the audit office.

The Labour MP Mike Hall had asked whether the NAO’s request was compliant with the Freedom of Information Act and the Data Protection Act, and at what level the decisions were taken.

Hall said:

“There is always a responsibility on the people requesting information to be sure that they are legally entitled to have the information that they have asked for.”

Darling replied:

“That is something that we need to establish…we need to establish who was involved at the NAO and HMRC, at what level, what they were asked for and how that request was responded to. One of the things that Sir John Bourn wants to examine is the nature of information that is asked for in future, as well as the handling of those requests and of the information if it is to be made available. It is entirely sensible that we should do that.”

The NAO’s independence from government is its most important single asset.

That freedom from political interference means it can criticise, if necessary, politically-sensitive IT projects such as ID cards, the NHS’s National Programme for IT [NPfIT] and tax credits.

It’s true that the NAO was less than robust in its report on the NPfIT in June 2006. But that’s even more reason we should defend the NAO’s right to do its work without being criticised by ministers.

Gordon Brown has, by his actions, given the strong impression he does not welcome independent scrutiny of big government IT projects. And as Brown and his ministers become more secretive about the progress or not of risky IT projects – such as ID cards – it seems they’re beginning to worry about their lack of control over what the National Audit Office may say about high-risk IT-based ventures.

It was Gordon Brown who, as Chancellor of the Exchequer, presided over a decision of the Office of Government Commerce, which is part of HM Treasury, to launch a High Court action to stop gateway reviews on IT projects being published. The Information Commissioner and the Information Tribunal have ruled that early gateway reviews on ID cards should be published. The Treasury is fighting their rulings.

Gateway reviews are independent assessments of the progress or problems on risky IT and other projects and programmes. A High Court case between the Office of Government Commerce and the Information Tribunal is due to be heard next April.

While gateway reviews remain secret, the National Audit Office is the only independent authoritative voice on how well big government projects are progressing.

Perhaps that’s one reason why the NAO seems to be such problem for the Brown government.

Links:

Office of Government Commerce heads for High Court to defend secrecy on gateway reviews

Gateway reviews shredded

Missing CDs – why the NAO wanted millions of child benefit records

Missing child benefit CDs: what went wrong, and why it would have carried on regardless

HMRC calm as search for CDs continues

HMRC: Emails confirm poor CD password protection

An accident waiting to happen

Don’t worry, every detail of your life will be safe with us

Government security failure

Alistair Darling’s speech in House of Commons on lost HMRC records

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

It would be trivial for HMRC and NAO to have agreed a bit-commitment protocol that would have allowed NAO to select a random sample without ANY personal data being transferred.

Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close