Policing IT in government - is the National Audit Office too timid?


A report of the US Office of Inspector General on the loss of more than one million health records recommends that action be taken against individuals after a hard drive containing sensitive information went missing.

It highlights systemic weaknesses in government security policies; it singles out failures of an IT specialist and particular directors. It recommends that action be taken against them. A government-funded report as uncompromising in its findings is unlikely ever to be published in the UK.

There’s every reason to believe that staff at the National Audit Office are at least as competent and investigative as the researchers at the Veterans Affairs Office of the Inspector General in the US. But there’s a different approach in the presentation of reports.

In its style of reporting to Parliament, the National Audit Office is very British: its writing is characterised by understatement and politeness. The factual content of its reports is agreed with the departments and agencies; most gentlemanly and consensual.

Now and again the National Audit Office will publish a report that’s written in direct and incisive language. Its study of the Child Support Agency was unrestrained. But then it had the unwritten approval of the government for a provocative report: a minister John Hutton had already described the agency’s performance as “unacceptable”.

But the National Audit Office has yet to produce findings as direct and uncompromising as the VA Office of Inspector General’s report on the loss of a hard drive from a health centre at the Department of Veterans Affairs, Birmingham, Alabama.

The task of the Office of Inspector General is to protect departments against fraud, waste, and abuse through a broad array of audits, evaluations and inspections, investigations of suspected wrong-doing, and legal advisory and enforcement activities.

The second page of the Inspector General’s report on the loss of a hard drive in January 2007 sets the tone. It is blank other than these words:

To Report Suspected Wrongdoing in Veterans Affairs Programs and Operations Call the Office of the Inspector General’s Hotline – (800) 488-8244

If reports of the National Audit Office continue to be published in code – “there is scope for improvement with regard to its management information” rather than the Department has no proper grip on its affairs because it’s bereft of reliable management information” – it will be ignored.

There is some evidence of this.

On 13 July 2007 the National Audit Office issued a report on government on the net. The head of the National Audit Office Sir John Bourn used a polite form of wording to observe that departments have not listened to the audit office since it published similar findings years ago.

Sir John said: “Progress has been made by departments and agencies in getting more information on the web. When I last reported on this subject in 2002 I reported weaknesses in information across government on the cost and usage of its websites. Today’s report highlights that little improvement has been made in these areas.”

And in a report on the accounts of HM Revenue and Customs, which was published on 6 July 2007, the National Audit Office was unable to say simply and directly that the systems for PAYE [pay as you earn] were too old and compartmentalised to provide an overview of the affairs of individual taxpayers.

Instead it said: “… the Department’s PAYE computer systems are not well suited to the efficient administration of income tax where people have more than one job or change jobs on a regular basis.”

Had the National Audit Office reported on the South Sea Bubble, soon after the crash of the share price of the South Sea Company, when there were mass bankruptcies and suicides of investors, the NAO’s report on what went wrong could have begun: “Progress has been made in protecting the interests of future shareholders in terms of restructuring, though the potential for fraud remains a challenge.”


Loss of 1.3 million sensitive medical files in the US – possible implications for the NHS’s National Programme for IT

Department of Veterans Affairs, Office of Inspector General, Administrative Investigation, Loss of VA Information VA Medical Center, Birmingham, Alabama

1.8 million more people affected by latest Veterans Affairs data loss

May 2006: Millions of health files go missing at Department of Veterans Affairs

Internal report cites ‘indifference’ of security officers

Veterans Affairs patient record system wins innovation in government award

Department of Veterans Affairs

Veterans Health Information Systems and Technology Architecture

The medical records software used by the Department of Veterans Affairs

Report of the ministerial taskforce on the NHS Summary Care Records