Rushed decisions by government officials, inadequate IT security specifications, poor management information, and a failure to consistently follow good practice left the flagship scheme open to fraud and abuse, government investigations have concluded.
The lessons learned from the failure of the scheme, which ran more than £93m over budget before it was abandoned by ministers at the end of last year, will have ramifications for all future public sector IT projects.
Pressure to launch the project by September 2000 led to problems in the contracting process between the Government and IT outsourcing company Capita, a special internal audit by the Department for Education and Skills (DfES), released in summary last week, shows.
The department had no business model to assess the strengths and weaknesses of alternative policy options. It failed to keep a record of the decisions it made, did not properly assess risks, and under-resourced key project roles.
A separate study by management consultancy Cap Gemini Ernst & Young, also released in summary, criticises the education department for failing to give a clear mandate to the outsourcer to assess the security requirements of the project or to provide ongoing security management.
Structured mechanisms and procedures were not put in place to identify patterns of fraud; there were no procedures to check that security provision in the system was adequate, and no procedures to archive log files to identify misuse of the ILA online system. The Government did not follow its own guidelines on security risk analysis.
Speaking in the Commons, Paul Holmes, Liberal Democrat MP for Chesterfield, accused the Government of creating "a cowboys' charter" for unscrupulous training companies to follow.
"Capita - a company that was supposedly expert in its work - failed to warn the DfES of the glaring scope for abuse in the scheme. It went on to run a scheme that was widely criticised by legitimate and experienced training providers, because of its poor complaints system, a call centre that often could not cope with the volume of work and computer software systems with inadequate security built in," he said.
Unscrupulous training providers removed money from more than 5,000 ILA accounts without the students' consent, and failed to provide training to another 1,000, government statistics reveal. More than 40 people have been arrested, and charges are being brought against 13 people.
ILA: what went wrong
Cap Gemini investigation
- Department for Education and Skills (DfES) contract with Capita gave no clear security requirements
- Government security risk analysis guidelines were not followed
- No structured procedures to identify misuse of ILA database
- No procedures for ongoing security testing of the system
- No procedures to archive access logs for later analysis
DfES internal audit
- Pressure to get the scheme running quickly led to contract problems
- Lack of a business model hindered assessment of options
- DfES did not keep adequate records. It is unclear why some decisions were made
- Unhelpful format of Capita's management information did not allow DfES to identify abuse
- Little evidence of ongoing risk management
- Staff resourcing of contract and financial management was inadequate
- Learning providers took advantage of ILA by increasing prices, mis-selling and aggressive marketing