Policing IT in government - is the National Audit Office too timid?

Comment:

A report of the US Office of Inspector General on the loss of more than one million health records recommends that action be taken against individuals after a hard drive containing sensitive information went missing.

It highlights systemic weaknesses in government security policies; it singles out failures of an IT specialist and particular directors. It recommends that action be taken against them. A government-funded report as uncompromising in its findings is unlikely ever to be published in the UK.

There’s every reason to believe that staff at the National Audit Office are at least as competent and investigative as the researchers at the Veterans Affairs Office of the Inspector General in the US. But there’s a different approach in the presentation of reports.


In its style of reporting to Parliament, the National Audit Office is very British: its writing is characterised by understatement and politeness. The factual content of its reports is agreed with the departments and agencies; most gentlemanly and consensual.

Now and again the National Audit Office will publish a report that’s written in direct and incisive language. Its study of the Child Support Agency was unrestrained. But then it had the unwritten approval of the government for a provocative report: a minister John Hutton had already described the agency’s performance as “unacceptable”.

But the National Audit Office has yet to produce findings as direct and uncompromising as the VA Office of Inspector General’s report on the loss of a hard drive from a health centre at the Department of Veterans Affairs, Birmingham, Alabama.

The task of the Office of Inspector General is to protect departments against fraud, waste, and abuse through a broad array of audits, evaluations and inspections, investigations of suspected wrong-doing, and legal advisory and enforcement activities.

The second page of the Inspector General’s report on the loss of a hard drive in January 2007 sets the tone. It is blank other than these words:

To Report Suspected Wrongdoing in Veterans Affairs Programs and Operations Call the Office of the Inspector General’s Hotline – (800) 488-8244

If reports of the National Audit Office continue to be published in code – “there is scope for improvement with regard to its management information” rather than the Department has no proper grip on its affairs because it’s bereft of reliable management information” – it will be ignored.

There is some evidence of this.

On 13 July 2007 the National Audit Office issued a report on government on the net. The head of the National Audit Office Sir John Bourn used a polite form of wording to observe that departments have not listened to the audit office since it published similar findings years ago.

Sir John said: “Progress has been made by departments and agencies in getting more information on the web. When I last reported on this subject in 2002 I reported weaknesses in information across government on the cost and usage of its websites. Today’s report highlights that little improvement has been made in these areas.”

And in a report on the accounts of HM Revenue and Customs, which was published on 6 July 2007, the National Audit Office was unable to say simply and directly that the systems for PAYE [pay as you earn] were too old and compartmentalised to provide an overview of the affairs of individual taxpayers.

Instead it said: “… the Department’s PAYE computer systems are not well suited to the efficient administration of income tax where people have more than one job or change jobs on a regular basis.”

Had the National Audit Office reported on the South Sea Bubble, soon after the crash of the share price of the South Sea Company, when there were mass bankruptcies and suicides of investors, the NAO’s report on what went wrong could have begun: “Progress has been made in protecting the interests of future shareholders in terms of restructuring, though the potential for fraud remains a challenge.”

Links:

Loss of 1.3 million sensitive medical files in the US – possible implications for the NHS’s National Programme for IT

Department of Veterans Affairs, Office of Inspector General, Administrative Investigation, Loss of VA Information VA Medical Center, Birmingham, Alabama

1.8 million more people affected by latest Veterans Affairs data loss

May 2006: Millions of health files go missing at Department of Veterans Affairs

Internal report cites ‘indifference’ of security officers

Veterans Affairs patient record system wins innovation in government award

Department of Veterans Affairs

Veterans Health Information Systems and Technology Architecture

The medical records software used by the Department of Veterans Affairs

Report of the ministerial taskforce on the NHS Summary Care Records

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

You state that:

"In its style of reporting to Parliament, the National Audit Office is very British: its writing is characterised by understatement and politeness. The factual content of Its reports is agreed with the departments and agencies; most gentlemanly and consensual." ... "There's every reason to believe that staff at the National Audit Office are at least as competent and investigative as the researchers at the Veterans Affairs Office of the Inspector General in the US."

IMO the NAO is outdated and outmanouvered. It is outdated because it simply fails to hold SRO's to account. These are senior Civil Servants who appear more interested in turf battles about budgets and the size of their personal fiefdoms rather than the efficent use of public resources. The gentlemanly language may have had its place pre-WWII, but in an environment dominated by a catalogue of expensive, delayed and often ineffective IT systems, it is time to start calling a spade a spade. SRO's should be named and shamed - the CSA are doing it, why not the NAO? Regarding the outmanouvered point - Government Departments rarely seem to take real notice of NAO criticism - if they did why has the performance of IT projects not improved. If you look at modern corporate audit practice in the private sector, the auditors are increasingly focussing on auditing in-flight projects - trying to recommend improvements before they fail rather than stating the obvious after they failed. Why not give the NAO real teeth - allow them to challenge failing projects whilst they are still being executed, and if necessary stop work on the project until appropriate governance and contractual mechanisms are in place. At least they could then be seen to be protecting the taxpayer rather than providing anodyne reporting after the event.

Cancel
It seems to me that in so many departments in Whitehall, there is a basic culture of "we know best!" , when often they don't. Some years ago I wrote to the then PM suggesting that he, or some of his ministers in agriculture, should spend a week living and working on a farm in Cumbria, or on an intensive course at an agricultural college, learning what it is actually about. I know, too, that a highly respected rural body wrote to Defra, offering to give senior civil servants the opportunity of taking part in a course on farming etc. Shortly afterwards it emerged that the offer had not been passed on to the relevant government minister, who was clearly not amused!

"Do not disturb" and "Watch our backs" seem to be favourite mottoes of so many in power. No wonder so many feel helpless!

Cancel

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close