Cairngorms National Park Authority
Internal Audit Report 2021⁄22
ICT Strategy Review
March 2022
Contents
- Executive Summary
- Management Action Plan
- Appendix A – Definitions
Audit Sponsor
David Cameron — Director of Corporate Services
Key Contacts
Sandy Allan — Information Systems Manager
Daniel Ralph — Finance Manager
Audit team
Paul Kelly — IT Audit Director
Ashley Bickerstaff — IT Audit Manager
Dominic O’Neill — IT Auditor
Natasha Williams — IT Auditor
Executive Summary
Conclusion
Our review has identified several areas for improvement in relation to ICT strategy within the organisation. When updating the IT & Data Strategy in future, management should define objectives and/or outcomes to be achieved from its implementation. This should be used as the basis of developing annual IT operational plans.
As part of future development of the IT & Data Strategy, management should develop a financial strategy which sets out, at a high-level, the expected capital and revenue investment needed to support its implementation.
Background and scope
The Cairngorms National Park Authority (CNPA) is reliant on its technological infrastructure to support the delivery of its key business objectives. It is crucial that the infrastructure, systems and devices are maintained at a level capable of supporting the Authority’s business plans and strategy. For that reason, it is essential that an ICT strategy is in place which adequately defines technological direction.
It is essential that organisations have clarity over medium and longer term planned ICT investments that provide a robust infrastructure and systems which meet the needs of the business.
Our review has sought to confirm the effectiveness of processes and governance in place for the implementation of the Authority’s ICT strategy.
Control assessment
Control objective | Control Design | Control Operation |
---|---|---|
1. There is alignment between the ICT Strategy and Authority corporate strategy. | Amber | |
2. There has been adequate planning activity to translate the ICT Strategy into operational plans. | Amber | |
3. The ICT Strategy is supported by a financial strategy. | Yellow | |
4. There is adequate governance in place to oversee development, approval and delivery of the ICT Strategy. | Yellow | |
Improvement actions by type and priority
Four improvement actions have been identified from this review, all of which relate to the design of controls themselves. See Appendix A for definitions of colour coding.
Grade | Design | Operation |
---|---|---|
Grade 4 | 0 | 0 |
Grade 3 | 2 | 0 |
Grade 2 | 2 | 0 |
Grade 1 | 0 | 0 |
Key findings
Areas for improvement
We have identified areas for improvement which, if addressed, would strengthen CNPA’s control framework. These include:
- The IT and Data Strategy does not contain clearly defined objectives and/or outcomes. In addition, the action plan included within the document does not clearly set out the timeframe for the delivery of the actions and success measures are not documented.
- There are no IT operational plans in place which set out how the IT & Data Strategy will be delivered.
- The IT & Data Strategy does not contain a high-level financial strategy which sets out the expected capital and revenue requirements over its duration.
These are further discussed in the Management Action Plan below.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Management Action Plan
Control Objective 1: There is alignment between the ICT Strategy and Authority corporate strategy.
1.1 ICT Strategy
Amber
Cairngorms National Park Authority (CNPA) established an IT and Data Strategy in June 2021, with a focus on a two-year timeframe of deliverables. This was designed to be aligned with the “New Normal” project that was introduced in May 2021 which aims to implement a blended model of working (part-home and part-office working). The CNPA IT and Data Strategy documents the link with this project and the deliverables create the environment for the success of the project.
Our review identified that the IT and Data Strategy does not contain clearly defined objectives or outcomes, other than migration to cloud-hosted solutions. In addition, whilst an action plan is set out in an appendix to the strategy, this does not detail delivery dates or action owners.
Risk
Without clear timeframes and owners for delivery, there is a risk that the objectives will not be delivered in alignment with the needs of the business. This may impact on the delivery of corporate objectives.
Recommendation
We recommend that the action plan within the IT and Data Strategy is updated to include action owners and delivery dates, and that progress against the actions is reported regularly to the Senior Management Team (SMT).
We recommend that, once the new CNPA Corporate Plan is established, a new IT and Data Strategy is developed that is aligned with it.
The Strategy should also be reviewed so that its approval by the appropriate oversight group is fully documented and recorded in the document’s version control.
Management Action (Grade 3, Design)
Recommendation agreed. We will develop a 2022⁄23 project plan to update the strategy. We will separately put in place a new IT and Data Strategy to align with the new Corporate Plan.
Action owner | Due date |
---|---|
Project plan: Information Systems Manager | 30 June 2022 |
New IT and Data Strategy: Director of Corporate Services | 30 September 2023 |
Control Objective 2: There has been adequate planning activity to translate the ICT Strategy into operational plans.
2.1 IT Operating Plans
Amber
Our review identified that no operational plans have been documented which set out the delivery tasks in support of the IT and Data Strategy.
Risk
Without formal operational plans, management will not be able to gain assurance that all relevant tasks and activities associated with the delivery of the IT and Data Strategy are appropriately planned. This could result in the organisation not having sufficient financial and human resources available to deliver strategic imperatives.
Recommendation
We recommend that annual operational plans are developed which set out a workplan for each financial year. These should include the core operational tasks associated with maintaining a functioning IT environment as well as the improvement and change activities relating to delivering the IT and Data Strategy. Planning in this manner will help ensure that appropriate financial and human resources are available to meet agreed IT and data priorities.
We also recommend that there is regular monitoring of delivery of the IT operational plan to allow management to gain assurance that it is being delivered in line with expectations. This monitoring will also allow management to identify and implement actions where plans are not tracking as expected.
Management Action (Grade 3, Design)
Recommendation agreed. We recognise that, in moving away from what has been a “steady state” operation mode for several years, the scale of change in the organisation and in the IT operations needed to support it requires formal operational plans to establish required tasks and timelines and to allow enhanced management control around delivery.
Action owner | Due date |
---|---|
Information Systems Manager with Head of Finance | 30 June 2022 |
Control Objective 3: The ICT Strategy is supported by a financial strategy.
3.1 IT Financial Planning
Yellow
The IT and Data Strategy is not supported by a financial strategy.
We did note that the CNPA budget for 2021⁄22 (March 2021) set out budget requirements to deliver a programme of transformation work which developed into the New Normal project. We also noted that the CNPA spending review in September 2021 set out the budget changes required to deliver the New Normal project, with this including some elements of the IT and Data Strategy. These include Cyber Security software, website and records management augmentation and cloud-based ICT licensing.
Risk
There is a risk that, without an underpinning and agreed financial strategy, the IT and Data Strategy may not be financially sustainable. This could result in expected enabling technologies and improvements in IT that are necessary to support flexible working not being funded due to a lack of financial planning.
Recommendation
We recommend that the next development of the IT and Data Strategy includes a financial strategy. This should set out, at a high-level, indicative capital and revenue costs associated with achieving expected outcomes from the strategy. This should be allocated for each financial year. This will allow management to make an informed assessment of the financial viability of the strategy and to ensure that financial requirements of the strategy are fed into annual budgeting/spending reviews.
Management Action (Grade 2, Design)
Recommendation accepted. We will more clearly link the provisions of the IT and Data Strategy to the provisions of the budget / forward financial forecasts and define the financial implications of decisions inherent in the strategy.
Action owner | Due date |
---|---|
Director of Corporate Services | 30 September 2023 |
Control Objective 4: There is adequate governance in place to oversee development, approval and delivery of the ICT Strategy.
4.1 Governance arrangements
Yellow
The IT and Data Strategy was presented to Senior Management Team (SMT) in June 2021. The discussion of the strategy, including feedback, is documented in the minutes of the meeting; however, the approval is not explicitly noted.
We did note that the Corporate Services Management Group (CSMG) issues log records SMT approval of the strategy in June 2021. We also noted that the Strategy does not contain any document control to detail versions and approvals.
We also noted that there are no formal arrangements for oversight of delivery of the IT & Data Strategy. We did identify that the Organisational Development Programme Board provides some elements of this.
Risk
There is a risk that the organisation does not have appropriate arrangements in place to document the approval and oversee delivery of the IT & Data Strategy. This could result in the organisation not taking appropriate action to achieve expected outcomes.
Recommendation
We recommend that management explicitly document approvals of strategies within minutes of meetings.
We recommend that management establishes formal governance arrangements for the approval of updates to the strategy as well as oversight of delivery. Governance over the IT & Data Strategy should be the responsibility of an existing internal governance group.
Management Action (Grade 2, Design)
We will continue to recognise the Senior Management Team as the governance body with responsibility for oversight of delivery of the IT and Data Strategy and for future revisions to it.
Action owner | Due date |
---|---|
Director of Corporate Services | 31 March 2023 |
Appendix A – Definitions
Control assessments
Rating | Definition |
---|---|
Red | Fundamental absence or failure of key controls. |
Amber | Control objective not achieved — controls are inadequate or ineffective. |
Yellow | Control objective achieved — no major weaknesses but scope for improvement. |
Green | Control objective achieved — controls are adequate, effective and efficient. |
Management action grades
Grade | Definition |
---|---|
4 | Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation. |
3 | High risk exposure — absence / failure of key controls that create significant risks within the organisation. |
2 | Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation. |
1 | Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues. |
© Azets 2022. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales. Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.