Official Report

 

  • Public Audit and Post-legislative Scrutiny Committee 07 February 2019    
    • Attendance

      Convener

      *Jenny Marra (North East Scotland) (Lab)

      Deputy convener

      *Liam Kerr (North East Scotland) (Con)

      Committee members

      *Colin Beattie (Midlothian North and Musselburgh) (SNP)
      *Bill Bowman (North East Scotland) (Con)
      *Willie Coffey (Kilmarnock and Irvine Valley) (SNP)
      Alex Neil (Airdrie and Shotts) (SNP)
      *Anas Sarwar (Glasgow) (Lab)

      *attended

      The following also participated:

      Joanne Brown (Grant Thornton UK LLP)
      Caroline Gardner (Auditor General for Scotland)
      Jillian Matthew (Audit Scotland)

      Clerk to the committee

      Lucy Scharbert

      Location

      The Sir Alexander Fleming Room (CR3)

       

    • Decision on Taking Business in Private
      • The Convener (Jenny Marra):

        Good morning and welcome to the Public Audit and Post-legislative Scrutiny Committee’s fourth meeting in 2019. Agenda item 1 is a decision on taking business in private. Do members agree to take items 3 to 5 in private?

        Members indicated agreement.

    • Section 22 Report
      • “The 2017/18 audit of Scottish Social Services Council—Governance and transparency”
        • The Convener:

          Item 2 is on the section 22 report “The 2017/18 audit of Scottish Social Services Scotland—Governance and transparency”. I welcome our witnesses: Caroline Gardner, the Auditor General for Scotland; Jillian Matthew, senior manager at Audit Scotland; and Joanne Brown, director at Grant Thornton UK LLP. I invite the Auditor General to make a short opening statement.

        • Caroline Gardner (Auditor General for Scotland):

          Thank you, convener. Today’s report is about the management of an information and communications technology programme in the Scottish Social Services Council. The external auditor gave an unqualified opinion on the 2017-18 accounts, which means that she is satisfied that the accounts provide a true and fair view of the body’s financial position and that there are no significant errors in the accounts. However, the council fell short of the expected standards of governance and transparency in implementing a new digital strategy.

          The Scottish Social Services Council and the Care Inspectorate share a building in Dundee. They also share services, including finance, human resources and ICT, and they have joint posts across the two organisations.

          In June 2017, the council agreed a digital transformation strategy, which covered new infrastructure, an update to Microsoft Office and a new case management system, but the strategy did not clearly set out the intended benefits. In March 2018, the council decided that implementing the strategy meant that it needed to end the shared ICT service.

          A service level agreement covered the shared services, but there was a lack of formal governance arrangements. That meant that there was no clear process for ending the shared service, and the council did not consider the implications for value for money. The decision to end the shared services also meant that the digital transformation project had to be expanded to include setting up a new network. That incurred on-going ICT support costs, which were not factored into the strategy.

          Overall, the council’s planning, monitoring and reporting of its digital transformation project were inadequate. In the absence of a proper business case and a fully costed budget, the council cannot demonstrate that the project, which is expected to cost at least £4.1 million, has delivered value for money.

          I am joined today by Jo Brown from Grant Thornton, who is the appointed auditor, and by Jillian Matthew from Audit Scotland. Between us, we will do our best to answer the committee’s questions.

        • The Convener:

          Thank you very much. I ask Colin Beattie to open our questioning.

        • Colin Beattie (Midlothian North and Musselburgh) (SNP):

          This seems to be yet another example in a pattern of information technology projects not being handled in a particularly good way. I realise that, like Registers of Scotland, the Scottish Social Services Council is outwith the control of the Scottish ministers, but it seems to have engaged at a very late stage with the board that was set up—

        • Caroline Gardner:

          The office of the chief information officer.

        • Colin Beattie:

          Yes. The council seemed to engage at a very late stage in the process. Did it not know that the office existed?

        • Caroline Gardner:

          You are right to say that the council engaged with the office of the chief information officer at a late stage. That reflects the chief information officer’s new approach, which deliberately focuses on larger ICT projects—those that cost more money and, generally, take place in larger organisations. The office has limited resources and it has to focus them, so I understand that prioritisation, but there is a risk that smaller bodies and smaller programmes, such as the council’s, will slip under the radar. We see such problems less frequently in bigger bodies because of the rigour of the framework that is being applied.

        • Colin Beattie:

          To me, £4 million is a lot of money, although it might not be seen as that in the grand scheme of Government projects. Was any part of the process that the council followed considered to be adequate?

        • Caroline Gardner:

          What went wrong in the project was what has gone wrong in many others: people did not get the building blocks right at the beginning. Unless people are clear on what they are trying to achieve, have a clear scope and budget for the programme and have identified, assessed and managed the risks, things are likely to go wrong further downstream.

          As my report sets out, that initial work was not done in this case, so it has not been available to the auditor or my teams to look at. In such situations, problems start to escalate and we get another ad hoc response that seeks to fix things, when the problem was in the foundations at the start of the process.

        • Colin Beattie:

          If I am correct, no losses have been sustained yet, although there has been a notional cost associated with the work that has been carried out. At what point did internal audit become aware of the issue? How was it escalated to the board?

        • Caroline Gardner:

          I ask Jo Brown to pick that up from her perspective as the external auditor.

        • Joanne Brown (Grant Thornton UK LLP):

          The external audit perspective is that internal audit did not look at the ICT project because it is not part of the internal audit plan. Back in 2016, internal audit looked at the shared service arrangement and the service level agreement that was in place between the council and the Care Inspectorate. At that point, it recommended actions to strengthen the service level agreement, which were agreed by management, although they do not seem to have been followed through over the years. Internal audit did not look at the ICT project.

        • Colin Beattie:

          Was this potentially major project not on internal audit’s radar? Was internal audit unaware of it?

        • Joanne Brown:

          As the external auditor, it is quite difficult to comment on the engagement and the discussions that management had with internal audit but, to date, the ICT project has not been included in the internal audit plan.

        • Colin Beattie:

          Does internal audit have a reporting line to the board?

        • Joanne Brown:

          Internal audit has a direct reporting line to the accountable officer for the council and a direct reporting line to the audit committee, as part of which it has free access to the council convener.

        • Colin Beattie:

          Internal audit must have had some input into the project. Are you saying that, because the project is not in the internal audit agreement, it was deliberate policy not to look at it?

        • Joanne Brown:

          Obviously, I cannot comment on the conversations that internal audit would have had with the accountable officer, but the internal audit approach would have been based on risk and priority of internal audit resource. I imagine that conversations about the project took place, but it was not included in the internal audit plan.

        • Colin Beattie:

          As the external auditor, you look at what internal audit is doing. It is clear that the project was discussed at board level. Did the board discuss it with internal audit? Is there any evidence of that? If not, why not?

        • Joanne Brown:

          From the board’s perspective, the reporting on the ICT project at council level has been a bit sporadic and inconsistent. The council has not had regular updates on the project.

          We look at the work that internal audit does in the context of our financial statement audit and we consider whether we would place reliance on internal audit from that perspective, but we would not, typically, place reliance on internal audit.

        • Colin Beattie:

          As external auditors, did you look at the project?

        • Joanne Brown:

          The concerns that we, as external auditors, had about ICT governance, shared services and decision making on the project were outlined in our annual report. We looked at the issue from a governance perspective, and our concerns are reflected in our annual report.

        • Colin Beattie:

          So the negatives in the way in which the project had been put together and managed were picked up by external audit rather than by internal audit—

        • Joanne Brown:

          That is correct.

        • Colin Beattie:

          —because the project was not in the internal audit programme.

        • The Convener:

          Does the Auditor General have something to add?

        • Caroline Gardner:

          I will amplify what Jo Brown said by stressing that one concern that we have about governance is that the programme board was chaired by the accountable officer and there was, as Joanne Brown said, very limited reporting to the board of the council about the project’s scope, its costs and the progress that it was making. Getting that governance wrong in the first place makes it harder for the checks and balances that ought to be operating to be effective.

        • Colin Beattie:

          Notwithstanding that, it seems that, once again, we have a case in which internal audit has done its job and ticked all the boxes but the problem has not been identified.

        • Caroline Gardner:

          I again make the point that the system of checks and balances is meant to work as a whole. Without a clear line of sight in approving a project and reporting it to the board, that risk management will not work as well as it should.

        • Liam Kerr (North East Scotland) (Con):

          I will look at things that were going on around the digital improvement project. My understanding from the report is that there was one ICT system, which the Scottish Social Services Council and the Care Inspectorate shared. The SSSC has now come out of that system, but I presume that the Care Inspectorate is still using it. That begs the question whether there is an on-going cost to the Care Inspectorate now that it has this huge system that only it is using. If so, is the SSSC paying any form of contribution to the Care Inspectorate?

        • Caroline Gardner:

          As with many aspects of the case, the issue is quite complicated. You are right that, when the Scottish Social Services Council withdrew from the shared ICT contract, the Care Inspectorate was left with a number of costs that had previously been shared, which it had to continue to bear in the short to medium term. The council, to support its work, has taken on one of the members of staff who were involved in delivering the shared services, so that is being managed to an extent. However, when the council decided to pull out of the shared service agreement, no consideration was given to the overall value for money to the council and the public purse as a whole, which is clearly a failing.

          Since then, the Care Inspectorate’s ICT has moved on. Jo Brown can tell you a bit more about that.

        • Joanne Brown:

          Since then, the Care Inspectorate’s ICT arrangements have moved on, and it has just commenced an ICT project. There have been a number of discussions between the Care Inspectorate and the Scottish Social Services Council about the ending of the service level agreement. Under the agreement, the council will continue to pay the Care Inspectorate up to the end of March 2019. Conversations are happening between the two sponsor bodies about the potential ramifications from 2019-20 onwards, and we will look at that as part of our future audits.

        • Liam Kerr:

          So the Care Inspectorate and, by definition, the public purse are not out of pocket as a result of the decisions taken by the council.

        • Joanne Brown:

          There are on-going costs that the Care Inspectorate continues to pay, which it was paying under the shared service agreement. When that agreement ends, it will still incur those costs without necessarily providing services to the council. There is a potential risk that, because of the decision, the Care Inspectorate will be out of pocket for a short time.

        • Liam Kerr:

          I understand. The report says that

          “The Scottish Government has provided around £3.1 million funding”

          towards the project, which is costing about £4 million. The Auditor General said in her opening remarks that there was no proper business case or fully costed budget for the project. On what basis did the Scottish Government advance £3.1 million to the SSSC? Is there documentary evidence that the Scottish Government has seen that we have not?

        • Caroline Gardner:

          That is a good question that we probed as part of preparing the report to the committee. The funding that the Government provided to the Scottish Social Services Council was an allocation in its overall funding allocation, and the council thinks that it will, within its overall funding, be able to deliver the things that it is now committed to delivering. However, there is no clear line of sight between a business case and a budget and the funding that the Government has provided. I ask Jillian Matthew to talk about what she knows about that.

        • Jillian Matthew (Audit Scotland):

          We have had discussions with the chief social work adviser at the Scottish Government, which is the sponsor department. There was no clear business case for the project, but there was a digital transformation strategy, which a lot of the project was based on.

          Documentation and proposals were prepared throughout the past few years about what the project would look like and what was going to be implemented. However, things have changed quite a lot over that time. Decisions were made on the basis of the initial documents, but there was not really a clear business case setting out exactly what the project would look like and what the benefits would be.

          The costs changed throughout that time, and a clear budget was never really set out. The Scottish Government had updates on how the project was progressing, but they were at quite a high level. There were also updates on the budget, but they were not set against a clear initial budget for what the project would cost. As things were added, and because of issues such as the shared service agreement being terminated, the costs increased.

          09:15  
        • Liam Kerr:

          I am sure that you can see where I am going with this. From reading the report, it feels as though the Scottish Government’s oversight of that public money was insufficiently robust. The committee will undoubtedly explore the decisions that the council made, but the Scottish Government has not fulfilled its oversight role or ensured that a sufficient case was in place before it authorised anything or released funds. Is that a fair conclusion to draw from your report?

        • Jillian Matthew:

          From the discussions that we had with the Scottish Government at the end of last year when we were preparing the report, it was clear that it had been getting high-level updates but was not aware of some of the detail. As we started to share some of the information with the Government about the risks, the lack of governance and how the project had been managed, it became clear that the Government had not been looking at the issue in that level of detail.

        • Caroline Gardner:

          To be clear, in this case, we agree that there was not sufficient clarity about what was intended to be achieved and how much funding was needed to do it, and there was not enough reporting back to ensure that it was being delivered as planned.

        • Willie Coffey (Kilmarnock and Irvine Valley) (SNP):

          I feel as though we are dusting down some of the usual questions in relation to ICT projects. What caused your intervention? It seems lucky that the issues were caught at a reasonably early stage before we heard the story that we are familiar with from past examples. What brought about the intervention?

        • Caroline Gardner:

          You are seeing one of the benefits of there being independent audit of all public bodies in Scotland. Jo Brown, as part of her audit work on the council, identified a problem with the expenditure and particularly the governance. That was set out in her annual audit report to the body and to me, and I used my powers under the Public Finance and Accountability (Scotland) Act 2000 to draw the issue to the attention of Parliament. That is the way that it is intended to work.

        • Willie Coffey:

          Good.

          Do you have any sense that the organisation knew of the existence of Audit Scotland’s “Principles for a digital future” report and was applying those principles? It appears that it was not.

        • Joanne Brown:

          In discussions with the accountable officer, as we were exploring some of the risks that we have highlighted in our annual report, there was an acknowledgement, in the context of that report, of the digital strategy and the guidance, but a lack of clarity about how the council applied that guidance to the project.

        • Willie Coffey:

          That brings in the question of skills and expertise. I know that some of my colleagues want to go down that route, but we always seem to arrive back at that issue. Do we have the proper skills in sufficient quantities within such organisations to drive forward such projects? We are not talking about a huge project. It involves a case management system and an upgrade to Office 365, and building it on the organisation’s network. That does not sound hugely demanding, so why has it fallen foul of problems at an early stage?

        • Caroline Gardner:

          As the committee has explored on a number of occasions, skills are a problem. They are scarce in the economy generally and the public sector often struggles to pay enough to attract people in a market that has seen more pay inflation than many parts of the economy. Small bodies have a particular problem with that.

          As I said, the chief information officer has put in place a framework that contains many more checks and more oversight of what is happening with projects, as well as the ability to draw on central expertise, but that has tended to be applied to the bigger bodies and programmes rather than smaller ones such as this one. I completely take Mr Beattie’s point that £4 million is not a small sum of money, but it is small compared with the costs of some of the very big IT projects elsewhere, particularly the social security project, which is taking a lot of attention at the moment.

          The problems that we are aware of at the moment tend to be in smaller bodies that do not have the skills and that underestimate the investment that is required to succeed.

        • Willie Coffey:

          Where are we now with the project? Is there a review of how to set about such projects and deliver them properly, adopting the standards that many committee members are familiar with, as we have discussed ICT projects at length in the committee? Where exactly are we with the delivery?

        • Joanne Brown:

          The council has identified and is taking forward a number of actions. It expects that the new ICT will be implemented from March this year. The council is considering, albeit retrospectively, the benefits of the spend and the improvements that will come through the case management system. The council is quantifying those benefits and carrying out a value-for-money assessment, and it has committed to reporting on that and scrutinising it further.

        • Willie Coffey:

          Is that properly under way, in your view? I think that that is the assurance that we are looking for.

        • Joanne Brown:

          There were a number of actions, and a number of things have already happened, including the action on the sharing of the services and the service level agreement. A revised agreement has been put in place, but an independent look is being taken at the service level agreement for the wider shared service between the council and the Care Inspectorate.

          As I said, a number of actions have been taken, and the council is committed to doing that further work during 2018-19. As part of our audit, we will ensure that those actions are taken.

        • Willie Coffey:

          Thank you. I know that colleagues want to come in.

        • The Convener:

          Thank you, Mr Coffey.

          Auditor General, are you convinced that a separate system was needed in the first place? The SSSC and the Care Inspectorate shared an IT system—my colleagues have explored that a little. Was there sufficient reason for them to separate their systems at such high cost?

        • Caroline Gardner:

          It is difficult to give a definitive answer to that because of the lack of an options appraisal. I think that the key driver for having a separate system from the council’s point of view was the need to renew its case management system, which is a core part of the way that it does business. With hindsight, I think that it would have been quite possible to look at whether that could have been delivered in a way that was aligned with the Care Inspectorate’s updating and upgrading of its IT systems. The problem was that the case management system that was purchased would not operate on the network that was run as the shared service, but we know that the Care Inspectorate has now upgraded its IT systems. I think that it would, at least, have been possible to explore the option of moving forward together rather than the council going off on its own.

        • The Convener:

          Yes, but that option was not properly explored in the first place. It sounds as though the council had a case management system that it thought was not compatible with the Care Inspectorate’s system. It now turns out that it was. In the meantime, it has incurred an expense of £4.12 million. Is that right?

        • Caroline Gardner:

          The council bought a case management system without considering whether it was compatible with the network that it shared with the Care Inspectorate. It then purchased a new network on which it would run, and in the meantime the Care Inspectorate has refreshed its IT. It would have been possible at the outset for the council to say, “Here’s what we need to achieve—can we look at how it’s possible to do that as part of the shared services?”, rather than simply deciding to go and deliver its own programme in isolation from the shared service.

        • The Convener:

          Is it not real negligence for a publicly funded organisation to buy a new piece of equipment that is essential for the work that it does but not even check out whether it has the ability to use it?

        • Caroline Gardner:

          It is certainly poor governance, which is why I have reported it to the committee today.

        • The Convener:

          It is a short report, and in the grand scheme of things it is a smallish project, but at the same time, the amount of money is £4.12 million. I have been making arguments in the chamber about spending a couple of million pounds to save more than 400 jobs. Joanne Brown might be better placed to answer this, but given that we are talking about taxpayers’ money, do you think that there is sufficient recognition in these organisations that such things cannot just be signed off without proper investigation, that people work hard to pay taxes and fund such projects and that, therefore, to squander £4.12 million in this way is frankly wrong?

        • Joanne Brown:

          In discussing our annual report and agreeing an action plan, the council acknowledged that the governance could have been stronger, that there could have been greater transparency and that a better process could have been put in place. I think that, with hindsight, it would have done things very differently—obviously, that is difficult, because everybody would do things differently with hindsight.

          The council embarked on a case management system that it needed from its business perspective for registration. Alongside that, other costs were incurred. As the Auditor General explained, if the council had taken a step back, thought about the governance and had a relationship with the Care Inspectorate that allowed it to have that debate, it would not necessarily have had to move away from the shared service in the way that it ended up doing.

        • Anas Sarwar (Glasgow) (Lab):

          I will follow on with a couple of more general questions, rather than focusing on the case of the Scottish Social Services Council, because recurring themes arise from a number of your reports on IT issues and governance and leadership issues. Why are we so poor at IT projects? That is not a criticism of any particular Government; we are generally poor at IT projects. Has there been any analysis of why?

        • Caroline Gardner:

          I should start off by saying that it is not only the public sector that is poor at IT projects. For example, in the financial services sector, TSB had major problems with its IT last year and the same has been true of RBS over the past few years. However, I have no doubt that if we were to break down the reports that I have brought to this committee over the past six years, IT is probably the biggest single category.

          The issues probably come back to the question of skills that Mr Coffey explored. It has been difficult, historically, for the Government and public bodies to develop the skills that they need in a world in which those skills are in demand in organisations that can pay higher salaries and in which, because of its rapidly changing nature, there is a need to keep developing people so that they keep up to speed.

          In response to a number of critical reports from me, the Government has put in place the office of the chief information officer with a much stronger oversight framework of big IT projects. I reported last year, for example, that the starting point for the new social security systems looked much stronger than what we have seen in the past for things such as the common agricultural policy futures programme and the previous Police Scotland scheme. We are still seeing the benefits of that investment and that stronger grip coming through. However, it is also the case that a number of smaller bodies, such as the Scottish Social Services Council, are not able to access that Scottish Government core expertise because of the size of their projects or to develop and retain the staff to do them well themselves. It is a challenge.

          As well as the questions of waste that the convener raised, I am also concerned about the opportunity cost. Investing in IT and doing it well is a way to generate efficiencies and to provide better services to users and members of the public. We are losing that opportunity to get better value for money, as well as, in some instances, wasting money directly.

        • Anas Sarwar:

          I will come back to the skills of individual staff in a moment, but surely, with big IT projects such as the one that we are discussing, it is less a case of having in-house staff with the skills to develop the project and more a case of having the skill to identify the right people to develop and deliver the project. Is the lack of ability to reach out and identify the right people to carry out IT development projects a United Kingdom-wide problem in the private and public sectors? Is there information about best practice in companies or public sector bodies in other countries across the globe and how they get it right? There might not necessarily be people with the right skills to develop the IT in house, but they are probably better at identifying the right people to do such development. Is there best practice to learn from?

        • Caroline Gardner:

          I think that there is best practice. Mr Coffey referred to “Principles for a digital future”, which was our attempt to bring that to the attention of public bodies. The problem is that, unless the accountable officer and the board think about the risks involved, they do not recognise the need to buy in that expertise.

          If your starting point is to upgrade Microsoft Office, replace the hardware and buy a case management system off the shelf, that does not sound too hard, if you are not thinking hard about it. It is when you get into it and start to understand the interactions and complexities that you realise that you cannot do the things that you were expecting to without spending more money or starting in a different place. It is a case of understanding clearly at the beginning what it is that you are looking to do and what the risks are. That, in itself, requires a certain level of expertise.

        • Anas Sarwar:

          If you do not have that expertise in house, is it partly a case of recognising that you need to identify that expertise and get the work done by whoever has the expertise? Are we failing to ask who are the right people to get in from outside to consult on the project and tell us what is the right thing to do rather than making the judgment ourselves?

        • Caroline Gardner:

          It is clear that people failed to do that in this case, but we can see from the accountable officer’s letter to this committee that they are now doing it. My frustration is that, in the same way that, five years ago, my advice to any new accountable officer would have been, “Make sure that you understand how your governance and financial systems work and what your position is,” I find it hard to understand how any accountable officer cannot think, “An IT system—that’s a risky thing. I need to make sure that I have the advice that I need on it.”

        • Anas Sarwar:

          Because there is such inconsistency.

        • Caroline Gardner:

          Yes.

          09:30  
        • Anas Sarwar:

          Leadership and governance issues are raised in committee every week, or almost every week. No matter whether in relation to projects in health services, education services or anything else in the public sector, we clearly have a challenge in identifying people with the appropriate skills to do the job that we need them to do. It happens in the public sector over and over again, and there is probably scope for a much wider look by you and Audit Scotland at what we are doing wrong. Is it that we do not produce the right people, that we do not look for or headhunt them in the right way, that we do not pay them appropriately or that we simply do not have the skills in our country and we need to identify them elsewhere? There is a body of issues around identifying the right people to do the jobs. Are we looking at it in a more holistic way, rather than just looking at the individual areas where we consistently get it wrong?

        • Caroline Gardner:

          We have looked at it in two ways. One has been, as you say, to look at it case by case where things have gone wrong; the other has been to look across sectors, such as the national health service and the care sector, in which we know that it is getting harder to find the right people.

          As you say, this theme keeps coming up in our work, and we will explore whether we can do more to shine a light on it with the resources that we have and the work that we currently carry out. You are right—it is getting increasingly difficult. In this case, there is no question about the quality of leadership of the organisation as a whole, except for the blind spot about IT and the risks that come with it.

        • Anas Sarwar:

          Are we also analysing the merry-go-round between those organisations, whereby the same people pop up in different places doing different jobs? Somebody goes somewhere and lasts a couple of years, they either do an okay job or mess something up, and then they go and get an equally well-paid job somewhere else in the public sector. It looks like a circle of people consistently looking out for each other. Has the issue of people repeatedly popping up been looked at?

        • Caroline Gardner:

          We do not have evidence that that is a widespread pattern. Clearly, there have been individual cases in which people who are seen to have failed in one job have been moved somewhere else rather than held accountable for the failure. However, it is not doing justice to the quality of management and leadership across public services in general, in which there are some very difficult jobs, to characterise it as a cycle of failure and people being moved on rather than dealt with. I recognise that people feel strongly about some particular circumstances—the committee has explored cases where things have gone wrong—but that is not a factor in the report that is in front of you today.

        • Anas Sarwar:

          I have a final question, which follows on from Colin Beattie’s questions at the start of the meeting.

          What oversight role should the Scottish Government, the Scottish ministers or committees play to identify problems much earlier in organisations so that positive intervention can take place?

        • Caroline Gardner:

          As well as the work to develop the office of the chief information officer, which is progressing and prioritising bigger programmes, the other thing that we have discussed a number of times in the committee is the differing quality of the sponsorship relationship between Scottish Government departments—in this case, the office of the chief social work adviser—and the bodies that operate in their area of policy and are accountable to them. In some places, that works well but, in other cases, it is quite an arm’s-length relationship and, as in this case, the department is not aware of or not probing significant developments.

          We are looking at that as part of our audit work across the piece to get a sense of where the right balance lies between giving bodies the responsibility to deliver what they are accountable for and spotting problems as they start to emerge and dealing with them rather than letting them run on.

        • Bill Bowman (North East Scotland) (Con):

          The conclusion to your report starts by saying:

          “The SSSC has fallen short of the expected standards of governance and transparency”,

          which anonymises the issue a bit. Who on the ground got it wrong and should have got it right?

        • Caroline Gardner:

          The accountable officer is accountable for the operation of any organisation. In this case, the accountable officer was the person who chaired the programme board. Also, the council, as a board, has the responsibility to see what risks the organisation faces and ensure that it has the information that it needs to monitor how risks are being managed.

        • Bill Bowman:

          Were there people in the organisation who could have done this, or should have been able to?

        • Caroline Gardner:

          Do you mean the delivery of the programme?

        • Bill Bowman:

          Yes.

        • Caroline Gardner:

          I would say not. As I said in answer to an earlier question, the failure was in the identification of the risks and making sure that they were managed appropriately.

        • Bill Bowman:

          Reference has been made to examples in the private sector. Normally, if such a failure happened in the private sector, there would be consequences. Have there been consequences for individuals in this case?

        • Caroline Gardner:

          So far, the consequence is the report to the committee, which brings to Parliament’s attention the things that have gone wrong in this case.

        • Bill Bowman:

          So the council has not done anything to deal with people who have not done their job.

        • Caroline Gardner:

          I ask Jo Brown if she would like to add anything in relation to the council’s oversight of the programme.

        • Joanne Brown:

          The level of the council’s governance and awareness of the programme has now increased, as a result of the report and our being in front of the committee. Regular updates on the ICT programme, which were not given previously, now go to the council. Other than that, there have been no consequences.

        • Bill Bowman:

          In paragraph 14 of the report, you taunt me again by mentioning the Forth replacement crossing project, which opened but then closed the next day. Is that how you would like ICT projects to be run?

        • Caroline Gardner:

          No, Mr Bowman. I know that we disagree on that project. In my report on it, and when I have been in front of the committee, I have recognised that work continues to be done to finalise the Forth replacement crossing. I hope that my report shows clearly that the extent to which the project was delivered to time and budget was quite unusual compared with other large infrastructure projects internationally.

        • Bill Bowman:

          I am happy to disagree with you, Auditor General.

        • Caroline Gardner:

          I hope that it will soon stop inconveniencing your journeys. [Laughter.]

        • The Convener:

          You are stretching my patience a little on this matter, Mr Bowman.

        • Liam Kerr:

          To clarify, Auditor General, I think that you said in response to Bill Bowman that the accountable officer has fallen short—I appreciate that I am slightly putting words in your mouth. To be clear, is the accountable officer the chief executive?

        • Caroline Gardner:

          Yes.

        • Liam Kerr:

          Is the current chief executive the same chief executive who was there when all the decisions were made?

        • Caroline Gardner:

          There has been a change of chief executive in recent times. Given the complexity of the timeline that we set out in the report, I ask Jo Brown to clarify when the change took place.

        • Joanne Brown:

          There has been a change in chief executive. The previous chief executive left the organisation in April. At that point, the council appointed an interim chief executive, who was a director in the council. That director then became the permanent chief executive in August this year.

        • The Convener:

          It was last year.

        • Joanne Brown:

          Yes—last year. Sorry.

        • The Convener:

          I just want to be clear.

        • Liam Kerr:

          To pick up on Anas Sarwar’s point, just out of interest, where did the former chief executive go?

        • Caroline Gardner:

          She is now the chief executive of the Scottish Council for Voluntary Organisations. She was recruited to that role outside the public sector.

        • Liam Kerr:

          I see.

          I would like to lift the corporate veil, because I know exactly where Bill Bowman was going with his point about the accountable officer. Who has fallen short here? On whose shoulders does the responsibility rest?

        • Caroline Gardner:

          I have said to the committee previously that there is no doubt that, in formal terms, the accountable officer of any organisation is accountable for the performance of their organisation, for ensuring value for money and for ensuring that the standards of governance that are expected of them are met. Given that the committee has probed other cases in detail, it will know that that does not mean that the accountable officer does everything, but they are accountable. That is the nature of the role.

        • Liam Kerr:

          I understand.

          On a slightly different point from Bill Bowman’s, paragraph 14 of the report mentions the guidance that you have published. Was the SSSC aware of all that guidance and the tools that you have provided to help people with such projects? If it was not aware of that guidance and those tools, why not?

        • Joanne Brown:

          From conversations with the accountable officer, I know that the council would have been aware of all the guidance, the tools and some of the checklists, but those checklists were not used. The council will need to learn from how it has managed and governed the project, and it will need to apply the lessons that have been learned from other projects. Although the council had a general awareness, it did not apply the guidance to this specific ICT project.

        • The Convener:

          Mr Sarwar, do you have a question?

        • Anas Sarwar:

          My questions have been covered by Liam Kerr.

        • The Convener:

          As members have no further questions, I thank the Auditor General and her team for their evidence.

          Before I close the public part of the meeting, I put on record that we have received Alex Neil’s apologies for missing the meeting.

          09:39 Meeting continued in private until 10:34.