How a London council's visionary IT plan became a project management nightmare

In the two years between the start of Haringey Council's Tech Refresh project in June 2003 and a report warning that it had run into difficulties in June 2005, information released publicly on the scheme had indicated that it was progressing well.

In the two years between the start of Haringey Council's Tech Refresh project in June 2003 and a report warning that it had run into difficulties in June 2005, information released publicly on the scheme had indicated that it was progressing well.

The project's origins date back to 2002 when papers released by the council showed that it was planning big IT investments to meet its "vision for 2005" and a need to "establish new effective working methods". A key aim of the IT investments was to meet government targets on making all public services available electronically by December 2005.

But exactly what each system would cost, what the risks were and what changes to working practices were required were not always spelt out in the published papers. Neither was it clear whether studies had been done to see if staff would change their way of doing things, or how success would be measured.

In 2002 Deloitte and Touche, whose auditing arm was also the council's internal auditor, was said in council papers to have been working on "developing a business process re-engineering framework" as part of its engagement on information systems strategies.

By April 2003, the E-government Advisory Committee, comprising a small group of councillors, was told that officers, Deloitte and Touche, and outsourcing supplier Northgate had been working on a set of strategies to meet "the council's priorities and vision".

The strategies were "significant in terms of the potential investment required to deliver," said the committee's minutes dated 17 April 2003. Deloitte and Touche had been commissioned to undertake a "further review" on the functions and roles of IT services.

The main reasons for this review included a move to managed services, new government demands for e-government, a proposed new IT architecture and "the drive to provide services in a horizontal rather than a vertical way."

On the refresh of technology it was proposed there be a "partnership between the council, Northgate and Deloitte and Touche". No mention was made in these minutes of April 2003 of any plans for an open tender to appoint members of the partnership.

The next move was to hire analyst group Gartner to comment on technical aspects of the plans. "The next steps would involve a review and validation of the proposals by Gartner and the completion of negotiations towards the formation of the partnership," said the April 2003 minutes.

The following month, May 2003, Gartner provided the council with a Powerpoint presentation on the advantages and disadvantages of a move to a thin-client infrastructure - putting software on servers rather than on local PCs.

Gartner pointed out the risks of such a move in detail but generally endorsed the change. One proposal was that there should be Citrix server farms to access legacy applications based on SAP, Siebel, Radius and other systems.

By the time the council's Executive Committee had met and reported on 10 June 2003, it was recommending a move to the "proposed thin client architecture for the technology refresh, noting the endorsement of the approach by Gartner Group."

The Executive Committee also recommended that the council agree to being "assisted in delivering the refresh by Deloitte and Touche, primarily in the design work, and the council's infrastructure supplier Northgate primarily on the implementation."

The June 2003 report to the Executive Committee said that Haringey's IT services already had a working partnership with Deloitte and Touche which had been established using an initial tendering process through the Office of Government Commerce's "S-Cat" - services catalogue.

Under S-Cat, the OGC appoints through open tendering a large number of suppliers. For a specified number of years government users can then buy a range of IT services from the named suppliers as and when they wish without going to a specific open tender. Deloitte and Touche was among the suppliers listed on the S-Cat.

But to appoint Deloitte without a specific European Commission open tender, and under S-Cat, the council needed to waive its standing order 6.4 - requirement to tender.

The Executive Committee recommended that the standing order be waived "as the current relationship with Deloitte and Touche, their expertise in this area, their independence from the infrastructure provider (Northgate) and their knowledge and understanding of the council are sufficient such that it is in the council's interest so to waive."

The Executive Committee's report dated 10 June 2003 also said that Deloitte and Touche was being put to a use "beyond that for which it was originally contracted and in delivering that which it helped to specify and cost."

In light of this, the council needed to be "confident both that the proposed approach, in principle, cost and scale, is valid and that there is a robust contractual relationship governing the arrangement."

It added: "The agreement with Deloitte and Touche is further to and larger than existing agreements and is, therefore, best treated as a new contract."

No mention was made in the report that Deloitte and Touche's auditing arm was also the council's main internal auditor, though there is no statutory requirement for the council's Executive Committee to highlight this point.

The budget for Tech Refresh was set at about £9m, including up to £1.6m for Deloitte and Touche, and up to £1m for Northgate. Public sector specialist law firm Bird and Bird was appointed to give legal advice, but finalising the arrangements for the project was left to an interim appointee - the interim director of support services or, in his absence, the director of finance.

A fortnight after that meeting, Tech Refresh began. The date was 23 June 2003.

During the following year, 2004, Tech Refresh was said by the E-government Advisory Committee to be "progressing well", but by 14 June 2005, the Executive Committee reported that Tech Refresh was facing a "number of difficulties" which were "due to the scope and complex nature of the programme" and "remedial action has taken place to mitigate against future risks going forward".

Later in the same report it was said that on the basis of re-planning action taken to date, the total gross budget requirement for the project was £19.1m over a three-year period from 2003 to 2006, and that an extra £3.1m would be needed in 2005/2006.

The report did not mention the original budget was only around £9m. Nor did it mention any specific problems with the project or give details of the extra spending.

It was not until the Audit Commission's report of January 2006 that details on the causes of the overspending and its full extent emerged. By then the costs of the project had risen to £24.6m but suppliers had absorbed £5.5m of this.

An official at the Audit Commission said it was not necessarily its duty to report publicly on the early signs of an IT project in trouble. It said it could only base its reports on the information supplied by the council.

Last week a council spokesman said the IT modernisation project was delivering real benefits and was almost complete. "Tech Refresh is a major programme upgrading IT infrastructure across the council, which is already significantly improving services and beginning to save money.

"Extra costs were reported in May 2005 and at that point programme management was brought in-house. The programme is now 95% completed, on schedule and in line with revised budgets.

"The council asked the district auditor (not our internal auditor) to examine the project in detail, and this report was accepted by the council in January. An action plan is underway to address the auditor's recommendations, and current spending on the programme is in line with budgets."

A spokesman added that "projects should not overspend like this, which is why we are taking action."

Deloitte and Touche said it was "subject to client confidentiality and cannot comment".

Audit board spells out safeguards

Should auditors such as Deloitte and Touche, Haringey's internal auditors, undertake other non-audit work for the same client?

At Haringey Council, audit work was carried out by Deloitte and Touche's LLP (limited liability partnership) audit arm. Work on the IT project was carried out by Deloitte Touche's consultancy operation, with the knowledge and approval of the council's executive.

There are no statutory, regulatory, or other, rules that stop auditors doing other non-audit work. The auditing regulator, the Audit Practices Board, publishes an ethical standard "Non Audit Services provided to Audit Clients" which gives general guidance on avoiding the perception of a potential conflict of interest.

The standard points out that there are various threats to the independence of the auditor in carrying out non-audit work such as IT services. It warns, for example, that an auditor could avoid taking actions that would be against the interests of the company's non-audit work, or the fees it receives for this.

Another threat is the possibility that the auditor may need to re-evaluate the non-audit work. Its role of auditor and supplier to the same client could lead to a perception that its independence and objectivity may be diminished by having the two roles.

A further danger is if the audit firm becomes aligned with the views and interests of management. "This may in turn impair or call into question the auditors' ability to apply a proper degree of professional scepticism in auditing the financial statements," said the Audit Practices Board.

The guidance proposes safeguards, but says if these do not eliminate or reduce to an acceptable level the threats to an auditor's objectivity, including any perceived loss of independence, the firm should either not undertake the non-audit work, or withdraw from the engagement.

Specifically on technology-related work, the Audit Practices Board warned that the design, provision and implementation of IT by audit firms for their audit clients "creates threats to the auditors' objectivity and independence". It proposes safeguards, but says an audit firm should "not undertake an engagement to design, provide or implement IT systems for an audit client" where, for example, "for the purposes of the IT services, the audit firm would undertake part of the role of management".

There is no evidence that Haringey Council was concerned about the possibility of a conflict of interest over Deloitte's appointment.

Watchdog slams council

Lessons of council's out of control project

Read more on IT project management