Public Audit and Post-legislative Scrutiny Committee

Meeting date: Thursday, March 14, 2019

Official Report 691KB pdf

---

Section 22 Report

---

“The 2017/18 audit of Scottish Social Services Council”

Agenda item 2 is consideration of the section 22 report, “The 2017/18 audit of Scottish Social Services Council”. I welcome to the meeting our first panel of witnesses, who are Lorraine Gray, chief executive, and Maree Allison, director of regulation, Scottish Social Services Council. I understand that Lorraine Gray wants to make a short opening statement.

The Scottish Social Services Council has successfully delivered its digital transformation programme, which went live on 11 February. The programme was an upgrade to existing systems and a move to the cloud in order to modernise our systems. We are already seeing the benefits of the upgrade from stakeholder feedback and in financial terms, as we will make an annual saving of £416,000 from next year.

As with any programme of work, we recognise that there are areas in which we could have done better. We have taken forward the recommendations in the external audit report that was completed by Grant Thornton. However, we do not accept all the criticisms that were levelled by Audit Scotland or the comments that were made by this committee on 7 February. There are errors and misunderstandings in the evidence that was presented and in the conclusions that the committee came to.

We welcome the opportunity to put forward evidence that demonstrates that, overall, this was a well-managed programme of work, which is already delivering significant benefits to internal and external stakeholders.

We continue to have substantial shared services with the Care Inspectorate and to work closely together to deliver those services. We have had shared services with the inspectorate since we were established in 2001, but, as the committee will see from our written submission, the SSSC has transformed since that time from a small organisation with few registrants to a much larger organisation. The shared infrastructure was preventing us from realising our strategic priorities so, as the committee is aware, we established our own information and communications technology service.

During this morning’s meeting, I believe that we can provide reassurance that that was the right decision to ensure that the SSSC continues to effectively regulate the social service workforce and, thereby, protect some of the most vulnerable people in Scotland. The work was critical to our fulfilling our statutory function of protecting the people who use social services. The systems in question hold the personal information of nearly 130,000 registrants, and the case management system manages the more than 2,000 cases that we are investigating. That is our primary purpose and those are our most important systems. If they fail, we fail.

The audit has given us the opportunity to reflect on the areas in which we could have improved. We realise that we were too solution and delivery focused, which, on occasion, has been at the expense of governance. In future, we will ensure a more stringent programme management and governance approach.

We have carried out a health check review with the Scottish Government’s programme and project management centre of expertise, and we received its draft report yesterday. I am pleased to say that it has given us a green/amber status, although there are a number of recommendations, which we can share with the committee.

We could have done better in relation to some of the areas that are outlined in the section 22 report. However, there has been a successful outcome to the programme of work, which is down to the hard work and dedication of the staff at the Scottish Social Services Council.

Thank you for that opening statement.

Before we move to questions, I will make a couple of remarks, just for clarity. We have a submission from the former chief executive of the Scottish Social Services Council, which is included in the public papers. She was due to attend today but, unfortunately, she is not able to do so.

I also point out that we are in a highly unusual situation, as I think that this is the first time this session that a public body that is being investigated has rejected or taken issue with Audit Scotland’s findings. I therefore intend to take a couple of questions on that issue, after which we will move on to the substantive findings of the Audit Scotland report.

Our witnesses will appreciate that the committee is not here to adjudicate between the Auditor General and the SSSC, but the situation is extraordinary. This is the second time that I have been a member of the committee, and we have never before had such a situation arise. How was the situation allowed to get to this stage? Why were there not the usual discussions and agreements before the Auditor General’s report was issued?

We received the section 22 report on 26 November 2018. It was a bit of a surprise to us—the external auditor had warned us about it the day before. We had a telephone conversation on 5 December with the auditor’s office and we then submitted some of our evidence. Substantial changes were made to the report, and then we received the final version.

Until the committee meeting on 7 February 2019, we had accepted many of the points—we accepted that we could have done better and that there were issues with governance. We submitted a letter to the committee for that meeting, outlining what we plan to do in taking forward the recommendations. However, at the meeting on 7 February, one of the statements that was made was that we brought in no outside expertise. However, as page 3 of our submission shows, we had significant external expertise. Those are not matters of opinion; they are matters of fact.

Given that, it is extraordinary that the discussions did not seem to come to the point at which such dissent was noted in the Auditor General’s report. I would have expected that to have been done, but there is nothing there.

I ask Maree Allison to respond to that.

My recollection of the section 22 report is that the issue of external expertise was not highlighted as an area of huge significance. When we responded to the draft section 22 report, we provided Audit Scotland with a detailed note of our comments on it. On the first page of that note, we highlighted the external expertise that we had brought in. We said that we had brought in Scottish Government procurement officials to assist with the procurement and that we had brought in the Scottish Government digital transformation team to assist with the procurement and selection of a new supplier; to give specialist advice on our technical architecture survey, current-state analysis and digital strategy; and to assist with specialist technical expertise during the first six months of the contract. We also brought in a digital transformation lead—an external consultant—to take forward some of the work. The note also referred to the fact that some of the project was reviewed by the office of the chief information officer. We highlighted that to Audit Scotland, which is why it was a surprise to us that, in its evidence to the committee, that became an area of criticism for us.

I have a couple of specific questions on the Auditor General’s report that relate to that issue. The Auditor General said that there was no clear business plan at the start of the project. Is that correct?

That is one of the misunderstandings. The project started because we were coming out of the contract for what we called our Sequence system, through which we held all the records of our registrants and managed our fitness-to-practise cases.

Did you have a business plan?

At that point, we were doing a lift and shift. We asked the Scottish Government digital transformation team to carry out two pieces of work for us: a current-state analysis and an infrastructure review. The findings from those provided the information that helped us put together the invitation to tender. We had two big documents, but I accept that we should have pulled the findings from them into a much more coherent business case.

There was no business plan, as such.

There was an overarching business plan at the very beginning of the process.

But not for the project.

The beginning of the project was a relet of a contract.

Was there a separate budget for the project?

The money came from our existing budget. We were given money from the Scottish Government to upgrade and relet the Sequence system, but that was part of our overall grant. You will find the figures on page 5 of our submission.

Did you have a risk register for the project?

Yes.

The Auditor General said that you did not.

We did.

We provided Audit Scotland with copies of the risk register for the project, which evolved over time. My recollection is that the Auditor General’s report criticises how we managed risk, but I am not sure whether it says that there was no risk register. There certainly was a risk register, which evolved and was reviewed during the project.

What about the benefits that would come from having a risk register? It would have been part of the business plan but, on top of that, you should have looked at the quantitative and qualitative benefits. Did you do that?

If we had not progressed with this piece of work, we would not have had a register for the 130,000 people whom we register. We had a system. The contract was coming to an end, so we needed to get a new supplier. We were lifting our system and shifting it to another supplier. That was the benefit. If we had not done that, we would have come out of contract, and the system that holds—

With respect, that is not the point. A process needs to be followed, from the business plan to looking at the benefits and so on. Did you follow the process?

Was that information set out in a business case? The information on what we were aiming to do and why we had to do it was set out in our current-state analysis and in our invitation to tender.

I want to pick up the point about the budget. Colin Beattie asked whether there was an item-by-item budget for the lift and shift project. Lorraine Gray said that there was a budget, but it was within the bigger budget. Was there a detailed budget for this discrete project?

Yes. When the project commenced, we went out to tender to procure a new supplier. The tenders came back with the figures on how much it would cost us to do the lift and shift. We had funding specifically for the project, and the digital budget and what we were spending—or were anticipating to spend—on specific items were detailed separately in our budget reports. A criticism that has been levelled is that the funding was included in different sections in overall budget papers and that the individual funding should have been separated. We accept that that would have been clearer.

Where do you want to go from here, in terms of the rift—if I can put it that way—with the Auditor General? It seems as though it continues, and that you are still not satisfied that you have been correctly represented. Today, both sides have the opportunity to air their views. My experience of Government is that officials get a draft report from the Auditor General, primarily for them to check that the facts are correct and that the balance and context are accurate. Were your comments on the draft report not incorporated sufficiently to satisfy you? What do you want to happen?

It is an overstatement to say that there is a rift. We accepted the section 22 review, overall, but we did not agree with all of it. Factual inaccuracies were corrected, but we have differences of opinion. We are more than happy—I sense that Audit Scotland will feel the same—to sit down and have that discussion.

Carrying out the health check review over the past three days has allowed some of the challenges around programme management to be crystallised for us in a much clearer way. We want to have that discussion and to learn the lessons, because we are not disputing that there are lessons to learn. However, we would like recognition that we have delivered the project successfully and that it is doing what we want it to do.

09:15  

There was one particular comment in the health check that clarified for me the reason for certain comments in the section 22 report. That comment was:

“There was a strong sense of cohesion and trust amongst SSSC EMT, Council and the operational management teams. Organisational leadership, from the CEO and Directors, was very strong and had a clear focus and engagement”

on digital transformation.

“The Review Team held a strong opinion that that these strengths engendered an over-reliance on ‘business-as-usual’ relationships and business decision processes. Programme roles and responsibilities were not clear”.

Because of all those things, we probably did not go into change mode and take a programme management approach. Maree Allison and I have discussed that, and what we are now clear about is that the two of us had too many hats on. That is what I mean when I say that we were driven to achieve the outcome. At times, we should have paused; I do not think that our decisions would have been different, but at times, we were too focused on delivering the project.

So you have learned the lessons.

Yes.

If you ever had to do something like this again, you would abide by those lessons.

Yes.

I presume that they are very well documented now, so a future generation can look back and see what mistakes they should avoid making.

Yes.

Finally, can you confirm your total grant from the Scottish Government in the current year?

Are you talking about the digital budget funding?

That, and your total grant.

The grant-in-aid that we received for ICT development in the financial year that is just coming to conclusion was £953,000, and we received a total of £15.7 million in grant-in-aid.

Did you say £15.7 million in total?

Yes.

That is a big grant. What do you do with all that money?

I will let Maree Allison tell you that.

Our primary focus—indeed, our statutory public protection requirement—is the registration and regulation of the social service workforce. We have quite a substantial staff group of, I think, 270, whose focus is on registering, as Lorraine Gray has said, nearly 130,000 people. That number is going to grow to about 160,000 in the next couple of years. Very large numbers of people are applying for registration, and staff are processing and assessing those applications and dealing with inquiries.

We also have to investigate any fitness-to-practise concerns that might arise about what is a small percentage of the workforce, and we hold in our offices evidential hearings that are akin to employment or regulatory tribunals, with an independent panel hearing evidence and cases being presented by solicitors. The majority of the staff in the organisation deal with that core statutory function.

We also have staff involved in workforce development, which is another prime focus of the council, and they are developing tools and improving the workforce’s capacity and capability.

Thank you.

Picking up on some of the evidence that has just come to light and the discussion that we have had about the difference between factual inaccuracy and opinion, I note that Lorraine Gray said that the factual inaccuracies had been corrected, but there remained a difference of opinion between the SSSC and what is in the Auditor General’s report. In her submission, the former chief executive said that she wanted to

“correct some factual inaccuracies relating to the evidence session on 7 February”.

Were there factual inaccuracies, or differences of opinion?

We corrected factual inaccuracies in the draft section 22 report, and there were additional inaccuracies at the committee meeting on 7 February. Maree has highlighted—

But were those inaccuracies in the evidence from Audit Scotland or in our conclusions on that evidence?

It was in relation to bringing in expertise. When the Auditor General was asked about that, she suggested that we had not brought in expertise. That was inaccurate.

Thank you very much. I will bring in Willie Coffey.

Good morning. If you do not mind, I will focus on the software development project that was at the core of all this. Are you familiar with Audit Scotland’s “Principles for a digital future” guidelines, which were issued in May 2017?

Yes.

Would you say that you applied those guidelines to the project?

Yes, but I will ask Maree Allison to speak in more detail about that.

The guidelines were highlighted to and discussed with us by one of the technical architects from the Scottish Government’s digital transformation service, who went through them with us in September 2017, and they were also formally discussed at one of our programme boards. At that point, the architect highlighted to us an area around governance that, to my recollection, was about supplier management and risk management, and we were due to bring in a digital transformation lead to assist with improving those areas. There was a review of and a focus on the matter, and looking at the matter now in light of the work that we have undertaken and what Audit Scotland has highlighted, I think that there are areas that we absolutely complied with and did a very good job on and other areas where, as we have already said, we accept that we could have done better.

Did you apply a project management methodology, and if so, which?

At the beginning, this was a small project about moving a contract. However, it got bigger, and we have set out the reasons for that. We aim to try to manage successful programmes—that is our methodology—but we accept that we did not follow that, and we are now looking at how we bring into the organisation additional expertise with regard to managing a programme office. We do not have that; we brought in some of it, but it is definitely something that we need to look at strengthening in the SSSC.

You said a moment ago that you applied the guidelines, but you are now saying that you did not apply any formal methodology. Is that what you are saying?

The aim was to apply them, but the reality, as set out in the health check, was that we operated too much in a business-as-usual mode.

With regard to the software upgrade, at what point was it discovered that the original source code that would have enabled the upgrade was lost, and what has the organisation done to recover it?

The source code was not about the upgrade, but about the move. When we appointed the new supplier, it carried out due diligence for us to ensure that everything was ready for the move, but it established that the source code was missing. I am not a technical person, but it was described to me as the DNA of our whole system. The challenge for us, then, was to decide whether to continue and put the system at risk or to rebuild the system, but I will ask Maree Allison to tell you what we did about that.

The issue was uncovered in summer 2017. The contract was awarded towards the end of May, and when the new supplier came in and started the due diligence of the system that was being hosted by our original supplier, it was discovered that the software in question was missing. The original supplier had subcontractors who were responsible for the software, but over the lifetime of the previous contract, those subcontractors had been taken over by another company and all the original people had moved on. Our supplier undertook a huge amount of work to identify where the software was, but it could not find it.

We considered legal options under the contract, but because we knew that we were moving to a new supplier and that the whole system was going to be looked at, we decided that it would not be appropriate to take any legal action. The supplier had carried out as much work as it could, but the software could not be identified or located.

Basically, you had to build a new system from scratch, because there was no original source code to upgrade.

Yes.

There were missing bits. It was not clear how critical those bits were, so doing a straightforward upgrade would have been really risky.

It probably would have been impossible, if you did not have the source code.

About a year into the project plan, you decided that you needed your own technical network infrastructure to deliver the project. That seems a bit late in the day to realise that you needed your own infrastructure to hang your system on. Why did it take so long to come to that conclusion?

The picture was evolving. The new infrastructure was not required in order to access Sequence, which is our registration system—it would have been possible to achieve that on the existing network. However, when we understood that we had to completely rebuild Sequence because of the missing software, we realised that we had to deal with the case management situation.

Sequence, as a customer relationship management system, was dealing with our fitness-to-practise work but not effectively, and that had been highlighted as a real risk. We knew that we wanted to address that. However, it appeared to us that if we were to pay to build into Sequence the functionality that effectively dealt with the fitness-to-practise work, we would subsequently end up having to spend more money to purchase a proper case management system. We did not want to spend money twice. At that point, we said that we needed to deal with the case management system and look at purchasing a new one.

The system that dealt with the critical issues most effectively was one that had more challenges regarding running it on the existing network. It was stated in the previous evidence-taking session that the case management system that we purchased would not run on the existing network. That is not correct—it would. The issue was discussed at one of our programme board meetings. It is minuted that when we made the decision to purchase the system, we knew that there were challenges, but that it would run if we hosted it in-house on the premises. At that point, we were trying to find a cloud solution, and challenges arose regarding how we would access it.

The issue arose as the project evolved; it was not something that we were anticipating at the beginning, when we were just looking to lift and shift Sequence.

To put in your own network infrastructure at a later stage to support Sequence must have added to the overall cost of delivering the project. How much did it cost to deliver that?

The cost of the network, including its nuts and bolts and the bits and pieces to run things, is £441,000.

It is important to state that, if we did not have our own network, we would have had to pay for lots of workaround solutions. Those could have worked, but they would not have been ideal.

External contractors—presumably software engineers—were deployed on the project. A series of three of them came and went, usually on six-month contracts. That issue is mentioned in the Audit Scotland report. Is the most recent contractor, who is still with you, due to leave at the end of a six-month contract?

No.

How do you get the continuity of service from those contractors?

That challenge is one that everybody faces, not just us. One of our challenges is being based in Dundee. The first contractor left because there were so many challenges around shared services. The second contractor, who came from the west, left when they were offered a position in an organisation. The contractor that we have now will stay with us until we bring in a permanent solution next year, for which we now have the budget.

Do you own whatever source code you are deploying at the moment? If you do, you will be able to upgrade the network at a later stage, should you wish to do so.

Yes.

Why is being based in Dundee a challenge?

As you know, Dundee is a beautiful city, but so many of the people whom we have tried to get for our project are in the central belt. The first person was from Dundee, but it seems to be more challenging to find people in Dundee, because a lot of people are based in Edinburgh and Glasgow.

09:30  

I would like to pick up on something that Lorraine Gray raised. The Auditor General was critical about the late stage at which the SSSC brought in external expertise. However, you stated earlier and in the submissions that you asked the Scottish Government for support early on. Can you recall when you sought that support from the Scottish Government, what its extent was and how you asked for it? Also, did you get all that you asked for?

We first met the Scottish Government’s digital transformation service on 2 June 2016, when we were beginning to look at the project. We knew how important the systems were to the organisation. In June 2016, we asked for a statement of work setting out how the service could support us and what some of the challenges would be—that was after a number of face-to-face meetings. We then met the service in the organisation and two people from the service were appointed. They helped us with the invitation to tender and the current-state analysis, and their advice was very good. We had a really good working relationship and got exactly what we needed.

Looking back, we probably needed more advice about programme management, which was one of things in the health check, but the technical advice was excellent. We also worked with the Scottish Government procurement service as we went out to tender. We brought in expertise from the beginning of the project, before anything started, so that we did not make technical mistakes and got it right.

To be clear, a department of the Scottish Government effectively signed off the project at an early stage and you were comfortable that it had given you all the support that you needed to go live. Is that correct?

No. We are talking about a period of two years. The Scottish Government digital transformation service came at the beginning to advise us. We did not want a system that would not take us to the future; we wanted to think about where we wanted to be and what future we imagined. The advisers outlined where we were and where we needed to get to. They then helped us with some of the technical matters and came to our programme board, and they were with us until February 2018, which is when we employed an agency for the digital technical expertise. The Scottish Government digital transformation service was not involved in the decision about whether we were ready to go live. That was a decision of the organisation. We were ready on 11 February, and it was very successful.

You referred to previous evidence that this committee has heard. In response to a question that I raised in that previous session, I heard that the SSSC was

“aware of all the guidance, the tools and some of the checklists, but those ... were not used.—[Official Report, Public Audit and Post-legislative Scrutiny Committee, 7 February 2019; c 17.]

By way of clarification, is that one of the factual inaccuracies that you refer to? Is that statement incorrect?

As Maree Allison said in reply to Mr Coffey’s question, we did refer to and use “Principles for a digital future”.

So, in your view, the statement that the committee heard is not correct. Did you use the checklists?

Yes, we used those checklists. We discussed them at a programme board meeting and that was minuted.

Moving the conversation on slightly, Maree Allison said that you have had a lot support throughout the project from the various agencies that have been listed. If so, what is your view of how the issues arose? Clearly, there were issues. You said that there was a lot of support and Lorraine Gray talked very favourably about the Scottish Government support, so what went wrong? Whose support was inadequate, or was did the problems arise at the SSSC end?

I think that we received really good support. I go back to the point that we have delivered the project in this financial year within our budget. When we look at other organisations, we see that people in roles like Maree’s and my previous role have often been taken off business-as-usual work to work only on a programme, but we continued to do our business-as-usual work while we worked on the programme. That was what went wrong, and that is what came out of the health check.

What has also come out of the findings is that there was a lack of clarity of role. In the health check, staff were asked who was the programme manager, who was the senior responsible officer and who was something else. They said, “Oh, that was Lorraine,” but I could not have been all three things. That highlighted that lack of clarity, which was the result of us being too involved in too many aspects. Part of that was to do with trying to manage the costs.

If we were to do this again, we would say that we need a programme manager who oversees the work and is not necessarily involved in all the business-as-usual work. I am sure that some members here have excellent experience of programme management, and they will agree that that is a lesson that should be learned. As I said, directors were perhaps too involved in some of the operational work that was going on.

Earlier, you talked about the money for the project that came as part of your grant from the Scottish Government. Did the Scottish Government sign off on something that said, “We will give you £3.1 million as part of your grant in relation to this project”—I think that the figure was £3.1 million, more or less—or did it just say, “There’s your grant money; crack on”?

Our sponsor team receive our budget request every year. It sets out in detail the funding that we are seeking and what it is to be used for. The digital funding was awarded to us as a result of the team reviewing our budget submissions in which we set out the funding that we were looking for in relation to digital and why we were looking for it.

So, the Scottish Government reviewed what you submitted and said that it looked worthy of a budget allocation of £3 million or so and agreed to advance that money as part of the budget.

Yes, over a two-year period.

I wish to explore a point that Liam Kerr just raised. It is about the interaction with the office of the chief information officer. I think that you said earlier that the Auditor General said on 7 February that you did not engage with external support. Is that correct?

That is what was said. We did engage with the office of the chief information officer, and I would be happy to set out that timeline.

I have the Official Report in front of me and, over the past 20 minutes, as I have been listening to you, I have been reviewing what was said. On 7 February, the Auditor General said:

“You are right to say that the council engaged with the office of the chief information officer at a late stage.”—[Official Report, Public Audit and Post-legislative Scrutiny Committee, 7 February 2019; c 3.]

She did not deny that there was an interaction with the office; she simply said that it occurred late.

I suppose that what is considered late is a matter of opinion. Our first interaction was in September 2017—

I am concerned about the veracity of information and evidence that is being presented to committee. I feel that the Auditor General’s comments were misrepresented earlier in your evidence. On 7 February, she said that you engaged with the office of the chief information officer “at a late stage.” I do not think that she said that there was no engagement at all.

I beg your pardon if I have given that impression.

We also have a letter from the Auditor General, dated 8 March, that says:

“The Scottish Government’s digital team were represented on the SSSC’s programme board, but only from September 2017 to January 2018.”

Is that correct?

The very first programme board took place on 5 September 2016, and the Scottish Government’s digital transformation service was at that meeting. We had engaged with the service in June 2016.

If the Government’s digital team was at that meeting a year earlier, there is no evidence of that in minutes, because the audit found that there was only evidence of it being involved from September 2017.

I have to disagree with that. The minutes state who attended the meetings, and those minutes were available.

I will need to double-check this, but I think that those minutes were all provided to Grant Thornton as part of its work on the accounts. With regard to the section 22 report, we were responding to the specific criticisms in the draft report. This issue was not in the draft report, so we provided Grant Thornton with a selection of minutes that were relevant to the issue that was raised in the original draft section 22 report. The point about when we engaged the digital transformation service was not in that draft report, so those specific minutes were not provided.

We said to Audit Scotland that that was not all the documentation in relation to the project and that if the auditors needed anything further, they should let us know. In our submission to Audit Scotland, we said that we brought in external expertise at key points and that we talked about the Scottish Government digital transformation service assisting with the procurement and selection of the new supplier and providing specialist advice.

Audit Scotland never came back to us to ask about when, specifically, all that happened, which is why it was a surprise to us when the Auditor General, in evidence to the committee, commented on her concern regarding the accountable officer not saying at the outset that she needed to get in expertise. I think that what Lorraine Gray was trying to say is that that is the point that we disagree with, because the accountable officer did bring in expertise, right at the very outset in 2016.

Do you accept that anyone watching this would think that there is a real lack of clarity and, therefore, governance in your organisation?

I hope that what they are hearing is us explaining why there are issues of disagreement and providing answers.

I will explore some governance issues later. Anas Sarwar will continue the questioning.

To follow up on the convener’s question, are you saying that the external support element is the only inaccuracy, or are there other inaccuracies from our meeting in February that you want to challenge?

In evidence, there was discussion about the SSSC purchasing a case management system that it knew would not run on the Care Inspectorate’s network. That is inaccurate. Meeting minutes, which were provided to Audit Scotland, recorded that there was a discussion about whether the system would work on the Care Inspectorate’s network and that there was confirmation that it would.

So you are saying that there are two inaccuracies. Is there a third?

Those are the two inaccuracies.

You said earlier that you accept that you had too many hats on and that, looking back, although you would have divvied up the roles differently, you would have made the same decisions. Do you stand by that? Would you still make the same decisions?

Yes.

What failure do you accept?

The review said that there was a lack of clarity when it came to roles and who did what in relation to the programme management, but I do not think that there was criticism of the decisions that we made. We accept that we operated too much in business-as-usual mode, because we had a clear idea of where we wanted to get to. Quite simply, we should have—

Just to clarify, it sounds as though you are saying that you wish that there had been more people to make decisions. You would have divvied up the decisions that were to be made, but you would have made the same decisions and had the same outcomes. Is that right?

I believe so.

What lessons have you learned?

We recognise now how difficult it is to evidence our work, which was highlighted through the audit. We have had a slightly different outcome through the review. If I could go back, there would be a number of areas on which we would have written down more stuff.

So you are saying that your mistake was to not write down enough stuff, but there were no flaws in the decisions that were made and you would do the same thing again.

We made the right decisions to get to where we needed to get, to have a system that met our statutory needs, to have modern systems, to ensure that our staff were able to do their jobs properly and to achieve efficiencies. The outcomes were right, but the process could have been vastly improved.

That is why Colin Beattie’s point from the start of the meeting has stuck with me. I have been on the committee for less than six months, but I have never before heard anyone challenge an Audit Scotland report in the way that you have done this morning and in your written evidence. It sounds as though you are saying, “We could’ve written some more stuff down and divvied up the responsibilities a bit better, but we did the right thing and we got it right—they are wrong.” I am not sure that that reflects well on your organisation or the individuals who lead the organisation. Do you accept that?

Perhaps I am describing the situation in too simplistic a manner. We have delivered a system that meets our needs and we are being criticised about governance and transparency—that is what the audit report is about.

Lots of organisations can say, “We have delivered the system,” but if it went £20 million, £40 million or £60 million over budget, that still means that mistakes were made. It is necessary to accept the mistakes that were made.

We accept that mistakes were made on governance issues and programme management, that there should have been a better business case at the beginning and that there should have been more detailed reporting to the council. Those were the main issues in the section 22 report.

09:45  

I want to follow on from Liam Kerr’s questions about the interaction with the Scottish Government. Would you describe the interaction with the Scottish Government as a high level of interaction that involved a high level of oversight? You mentioned that there were minutes from 2016 that recognised that the Scottish Government was in the room. Being in the room then and being in the room a year and a half later does not sound like hyperactive involvement or big oversight. How would you describe the level of oversight and the level of interaction with the Scottish Government?

The digital transformation service’s role is not an oversight role; it is a support role. It was in formal meetings in rooms, but it also supported us through the delivery of the programme. It was involved in the evaluation of the tenders and in helping us to deal with the technical side, which we did not have expertise in. When the contract was awarded, it was incredibly supportive of how we dealt with issues such as the missing software, and how we would take assurance and make decisions when there were real technical questions from the supplier on the table. It was heavily involved and very supportive, but there was not always oversight.

Was it highly involved or sporadically involved, or was there arm’s-length involvement in the project from the start? Was it heavily involved?

It was heavily involved at the start.

Was the level of detail and frequency of the involvement high or low?

High. After the contract was awarded, there was a decrease in involvement, but that was appropriate because we were moving into the delivery stage. The involvement was higher at the outset.

Okay. So the level of detail was high and the level of involvement was high.

Yes.

Was the involvement high from the start? Was it high or medium towards the end?

I would probably class it as high at the start and moving into medium when we were in the delivery phase until the project ended in 2018. Lorraine Gray can correct me if I am wrong, but I think that that was due to resources in the digital transformation service moving into other, much more high-risk and high-priority areas.

Does Lorraine Gray agree with that?

Yes.

So you think that the team was fully engaged and fully involved and knew exactly what was going on.

It was often based in our office, but it is important to say that the advice was technical. It was fully engaged in the technical advice and the technical decisions that we were making.

It knew what was going on.

Yes.

Liam Kerr has a supplementary question on that point.

So the Scottish Government was totally involved and accepted the lack of a business case, the lack of a budget and the lack of a cost benefit analysis. Is that correct?

If we go back to some of the—

Is that correct?

That is correct.

Good morning. I want to build a little on Anas Sarwar’s comments. I have seen interactions between organisations and auditors. If I understand things correctly, the documentation for some things that you say that you did exists somewhere, but it is not nicely set out and you have to hunt to find it, and there are some aspects of what you did that could have been done better. Is that correct?

Yes.

There is the mantra that, if something is not documented, it was not done. Has that been put to you?

Yes.

Is that the situation behind some of the comments?

Yes. It is about where the documentation is and how to find it. Maybe decisions were made in too many different places. We are not saying that we did it all right; we accept that we did not. We did not document things properly in some areas.

Do you think that, if you had documented in a more standard and formal way, you would have done things differently, or better?

Some of the decisions would have been the same, but the process would probably not have been so stressful for staff. I think that it would have taken us longer but, on reflection, we should have taken longer and not rushed to get to the finish date.

To follow up on Mr Sarwar’s comment about budgets, did you do the work within your budget?

Yes.

So the budget costs did not run away.

We did not have to go back and ask for any more money.

ICT projects are notorious for being expensive and complex, so why was internal audit not involved in the process?

There was an internal audit, but it was of our digital strategy, which set out the overarching principles. That was done on 13 May 2018. However, we are considering our internal audits for the next two years, and the issue will be prioritised. I accept that we should have had an internal audit to get that reassurance.

So Audit Scotland is correct in saying that the ICT project was not included in the internal audit.

That is correct.

I think that the expenditure on the project was roughly £4 million. Is that correct?

Overall, it was £4 million.

You told Mr Neil that your overall budget is £15.7 million, so £4 million is a substantial chunk of that. Why on earth would the project not be included in the internal audit plan?

I just point out that it was £4 million over two years.

That is still a substantial amount of your budget.

Yes. It was not included in the internal audit plan—

Why?

I cannot comment on that.

But you were heading up the organisation.

I was not.

You were not the accountable officer, but I think that you were next in line.

Yes, I was one of the members of the executive management team. The matter was not included in internal audit. The honest answer is that I do not know why. It will now be included in the next year. We are setting that out just now.

But the money has already been spent.

Yes.

So the question is one for the former chief executive, who we hoped to hear from today.

Yes.

The Audit Scotland report raises issues about governance of the SSSC and joint governance arrangements with the Care Inspectorate. Can you explain, briefly and in layman’s terms, the governance arrangements in your organisation?

We have a council that is made up of council members, who are appointed by the Scottish Government. We then have a resources committee and an audit committee, which are made up of council members. The chair of the Care Inspectorate also sits on our council, and our convener sits on the Care Inspectorate board. On our executive management team, we have a director of corporate services—at the moment, it is the head of shared services—who is 70 per cent Care Inspectorate and 30 per cent SSSC. That is how the shared services are dealt with at executive level. As I say, the chair and the convener sit on each other’s boards.

Are the governance arrangements fit for purpose?

The governance on shared services has not been fit for purpose, and there is now a focus on that. The arrangements have been too informal. I think that, because we share the same building, we have allowed the arrangements to become too informal, which has led to some of the challenges that we have faced. That is now a priority for us to deal with.

Is there a plan to reform the governance arrangements?

We have been discussing the issue with the Care Inspectorate and we feel that we need expert advice on that. We have asked the Chartered Institute of Public Finance and Accountancy to carry out a review of the governance of the shared services, which will be delivered at the end of June, although we hoped to have it a bit sooner. We are meeting relevant people in the Care Inspectorate to look at the shared services strategy and the shared services risk register.

I want to say to the committee that the relationship between the SSSC and the Care Inspectorate is good, and we still have substantial shared services.

I will follow up the convener’s questions by asking about the role of the chair. Who is your chair, by the way?

Professor Jim McGoldrick is our convener.

What role did the chair and the council members play in overseeing the project?

The resources committee, which is made up of council members, made the decision to agree the tender for up to £5 million for the new systems—[Interruption.] Excuse my coughing. I will ask Maree Allison to finish the answer.

Take your time.

As Lorraine Gray said, the resources committee, which is made up of council members, made the decisions on the award of the contract for Sequence, on refreshing and upgrading our hardware, our laptops and our Microsoft Office 365 operating systems, on creating our own network, and on pulling out of the ICT shared service. The resources committee and council members made those critical decisions.

I presume that they took those decisions on the basis of recommendations from full-time staff.

Yes.

As a matter of interest, did the resources committee reject any of your recommendations at any time?

No.

What role did the committee play in monitoring the project?

We accept that that is one of the areas in which there could be improvement. There were reports to every council meeting. There was a bit of information in the chief executive’s report, and there was a bit in the budget report. We have now pulled things together, so that one report contains all the information. We accept that monitoring could have been better so, since October, our system has changed.

Did council members play a proactive part in monitoring the project?

Although they accepted our recommendations, they asked many challenging questions about the risks, about whether we could afford the project and about other options that we could have looked at. There was challenging scrutiny.

Once approval was given to the project and its budget, did council members proactively monitor progress and ask questions? Clearly, there must have been issues that arose. Were they referred to council members? Did they monitor the project closely?

They did, because the key decisions were made over a period of time. The decision on the original contract was made in 2017. The next key decision that the resources committee was involved in was made in December 2017, so there was scrutiny of the project at that time. The next decision was made in March 2018, and that involved scrutiny of the whole project. The final decision that the resources committee was involved in was in August 2018. As you can see from that timeline, the resources committee had oversight and the opportunity to ask challenging questions. However, as Lorraine Gray said, we did not ensure regular standardised reporting on the project’s progress, which would have allowed for more frequent scrutiny by the resources committee.

How often does the council meet?

The council meets four times a year, and the resources and audit committees meet every two months or—

So there was no special sub-committee looking at the project, even though the project was critical to the future of the organisation.

No.

Your audit committee is a sub-committee of the council. I take it that internal audit reports to the audit committee.

Yes.

Internal audit was not involved in the project. Is that right?

That is correct.

If the audit committee was not receiving reports from internal audit, it would not have been able to scrutinise the project. Is that right?

There was reporting to the audit and resources committees about spend and about some of the risks, but there was not an internal audit.

You said that there was audit of an overall strategy, but no internal audit of the project.

There was no internal audit of the project, but the audit committee was aware of the project, because we reported to it through general reporting.

You would tell the audit committee, “It’s going all right—this is happening and that is happening”, but there was no robust audit.

There was no internal audit.

It strikes me as really strange and worrying that there was no internal audit for such a huge project. This committee’s job is to protect the public pound, and I would expect internal audit to do the same in your organisation, because we are talking about taxpayers’ money. If a £4 million project is not considered worthy of internal audit, what else does not receive internal audit? Is the rest of your budget scrutinised by internal audit, or have other projects been missed?

This was our only big project. Audit would scrutinise risk. If it would be helpful, we could send you the information on what we are being audited on in the next two years.

10:00  

The remaining £11 million of your budget all comes under—

Staffing.

Okay. It accounts for staffing. What does internal audit do?

It looks at things such as performance reporting—

What does that mean?

It is about how we report on our key performance indicators and whether we have systems in place to demonstrate proper procurement. I am trying to think of some of the other things that are coming up next year.

Internal audit is about to do an audit of our fitness-to-practise processes, which will include looking at whether we are properly forecasting the number of—

So it is more about process than about spend. We are talking about your expenditure—the chunk of spend outside your staffing budget.

There are internal audits, and work on financial reporting is coming up. However, you are right to say that internal audit tends to be about process, and whether processes are delivering what they are meant to deliver.

Did the board know that there was no internal audit oversight of the IT project.

Yes.

What did it do about it?

I am not sure that I know how to answer that.

The board knew that there was no internal audit oversight of the £4 million IT project, but they did not do anything about it.

When you say “they”, do you mean the council?

Yes.

The internal audit plans are discussed and agreed by the audit committee, and then a report is given to the council on what the audit committee has agreed internal audit will cover over the next year.

So, the council knew that there was no internal audit oversight of the £4 million project, but it did not do anything about it.

Maree Allison said that the internal audit committee signed off a plan that missed out internal audit of the huge £4 million spend on the project.

When you say “internal audit”, do you mean our internal auditors or the audit committee? Our committee is called the audit committee, but we also have internal auditors. I am not totally clear about who you mean.

Your internal audit function is carried out by your internal auditors.

Yes.

They did not carry out an audit of the IT project.

There was not an audit of the IT project.

Did the council know that or not? I am not quite sure.

The council knew that there was no audit.

The chairman, Jim McGoldrick, and the chief executive at the time, Anna Fowlie, both knew that there was no internal audit.

Yes.

As members have no further questions, I thank the witnesses very much indeed for their evidence.

10:02 Meeting suspended.  

10:06 On resuming—  

I welcome our second panel of witnesses to the committee’s meeting, all of whom are from the Scottish Government: Paul Johnston is the director general of education, communities and justice; Colin Cook is the digital director; and Michael Chalmers is the director of children and families. I invite Paul Johnson to make an opening statement.

Thank you, convener. I am grateful for the opportunity to provide evidence to the committee in response to the Auditor General’s report, “The 2017/18 audit of Scottish Social Services Council”.

I am the relevant portfolio accountable officer for the Scottish Government. Sponsorship responsibility sits in the office of the chief social work adviser, which is a division of the children and families directorate, which is led by Michael Chalmers, who is with me today.

There are lessons that the Scottish Government can learn from the report. Those lessons will inform how sponsor teams monitor public investment in digital projects of this nature in the future. I am convening a session for sponsor leads across my areas with input from Audit Scotland, to ensure that there is clarity on the role that sponsor teams adopt in their support and scrutiny of sponsored bodies.

I will make a couple of points about the facts that are in front of us today. It was clearly essential for the SSSC to invest in re-implementation of the Sequence core registration system. That important system has been renewed, and the work that was needed has been done. In addition, the software and hardware upgrades have been delivered successfully. Investment in the new case management system was based on expert advice, the system has been delivered and it is demonstrating efficiency and cost savings year on year.

However, we consider that the section 22 report has raised valid concerns about reporting on and governance of the digital project in the SSSC. There are lessons to be learned: reporting and governance need to be improved. I accept that the Scottish Government’s sponsor team could also have had stronger engagement with the digital work, as it progressed.

I am happy to take questions on the actions that have been and will be taken in response to the Audit Scotland report. In addition to Michael Chalmers, I am supported by Colin Cook, who is the director of digital, with responsibility for the Scottish Government’s digital agenda, including the central transformation team and the office of the chief information officer.

Thank you very much. I assume that all three panellists heard the evidence that the committee has just taken. Is that correct?

Yes.

In that case, you will know that, especially towards the end of the session, we heard a lot of evidence about the SSSC’s interaction with the Scottish Government. I will explore a little of that with Colin Cook, who I think has responsibility for the office that is involved.

However, my first question is to Paul Johnston. I think that you said at the end of your statement that the Scottish Government could have done better in its oversight of the project. Is that correct?

That is to do with how the sponsor team operated. I am responsible for the sponsorship arrangement. I can describe to the committee what the sponsor team did. There was engagement with the SSSC throughout the process, but having considered very carefully what the Auditor General has said in her report, I accept that lessons are to be learned about how we engage with sponsored bodies, particularly when a digital programme is under way.

Maybe Colin Cook can give us a bit more detail on that. What went wrong in your department? Paul Johnston seems to be saying that there was not enough oversight, or that there are lessons to be learned because of how that oversight was carried out. What went wrong with your engagement in the project? It was a huge spend—it cost £4 million.

Can I come in before I pass on to Colin Cook, convener?

Of course.

From my position and my careful review of the report, I have not identified any criticism of the work that was done by colleagues in Colin Cook’s area. It is important to recognise the different functions in the Scottish Government. As far as I can see, the digital transformation team has supported the SSSC, and that support has been valued and helpful, as seems to be acknowledged by all parties. However, I accept our need for greater scrutiny in sponsor teams. The sponsor team has the strategic relationship with the body, and provides on-going support and scrutiny. I accept that that could have been stronger in this case. Colin Cook can describe what happened in the digital team.

That is helpful. On 7 February, the Auditor General told the committee that engagement came “at a late stage.” You heard the SSSC refute that: it said that engagement happened at an early stage. Maybe Colin Cook can shed some light on the matter.

I will build a little on what Paul Johnston said about there being different parts of the Government that engage in the work. As he said in his introduction, there are two separate teams in the digital directorate and, having heard the earlier evidence, I think that it is critical to make the distinction clear. One team is the office of the chief information officer. The job of the chief information officer and that office is to provide assurance of digital products, particularly major ones, to ensure that we apply the lessons that Audit Scotland has developed and that we are learning over time.

Alongside that team, organisationally separate, but also under my command, is a digital transformation team. That team is designed to support and help digital transformation projects to be delivered on time, on budget and to the standards that are expected. Team members are hands-on technical project managers and user researchers, and it is that kind of support that is available for projects. The two teams are separate.

It is important to understand that, just because someone brings in the digital transformation team, that does not mean that they are provided with a magic free pass on audit and assessment. Programmes that are run only by my directorate would also be subject to audit and assessment. That is right and proper.

Those are the two functions. Do you want me to go through the level of engagement of both or one in particular? I think that both have been raised today.

Would you—briefly—give us some clarity? We have heard different stories. Clearly, the Scottish Government needs to oversee spend at such a level. We have heard evidence that there was not sufficient oversight. Why was that?

Perhaps I can focus on the office of the chief information officer.

Whatever you consider to be the best way to answer that question, we are happy to listen.

The SSSC engaged with the office of the chief information—OCIO—from August 2017. All digital and information technology projects across the Scottish Government have to be registered with the chief information officer, and we maintain a register of those projects.

If that project has an estimated whole-life cost of more than £5 million, it is treated and regarded as a major project, which is consistent with the “Scottish Public Finance Manual”. That means that it is subject to the stop-go process that is organised and administered by the CIO. That gives the CIO the power to stop a project at various stages if, in our or her opinion, it does not meet the standards that would be expected.

10:15  

This project did not meet the threshold.

In the case of the SSSC project, the whole-life cost fell beneath that threshold. When the project was registered, we looked at it and made an assessment of it. On that occasion, because we recognised that it was an important project, we asked for a risk assessment to be carried out which, again, is a standard piece of work from the public finance manual. We agreed with the assessment that it was a relatively low-risk project and was, therefore, not subject to the major project assessment process. Even so, the OCIO continued to have regular informal engagement with the SSSC throughout the project, but that was not part of the project assessment process. That covers that side. Would you like me to talk about the support that we gave?

You are saying that there are scrutiny arrangements for ICT projects costing more than £5 million, but that the Scottish Government’s scrutiny of projects that cost slightly under that are much less robust. Is that correct?

Such scrutiny is less detailed, because we prioritise the projects that have the greatest impact on people in Scotland and the efficiency of public services.

Sure—but we have heard evidence that the Scottish Government’s oversight of the SSSC project was probably not as good as it should have been. Why was that?

What we heard in evidence was a review or analysis of the sponsorship arrangements that operated. I am sorry to go back to—

I am sure that there will be lay people watching this evidence session who think that the Scottish Government has responsibility, that it is your money and that how you choose to organise internally how it is spent is your business. However, can you try to make it clear for the committee?

There is a distinction to be drawn between the sponsorship arrangements and oversight of a body, organisation or agency that is subject to the sponsorship team and arrangements, and oversight of a particular project that is being delivered by that agency. If it is an IT project, it is subject to scrutiny by the chief information officer. Is that clear?

Not particularly, but I am going to move on now.

I will try one more time, convener, if I may, because I am not quite following Colin Cook. The evidence that we had from Audit Scotland suggests that the Scottish Government was getting high-level details about the project but not the intricate detail. As you saw from the earlier evidence, the SSSC seemed to think that the Scottish Government’s fingerprints were all over the project. Can you tell me who is right, on that analysis? Very briefly, were your fingerprints all over it or were you only receiving high-level detail?

I am afraid that we cannot get away from the fact that there are three different elements of Scottish Government involvement; there are specialist skills. The digital transformation team was most closely involved. I heard in this morning’s evidence that that team was involved throughout in providing specialist support and advice to the SSSC. Colin Cook has just described the role that the office of the chief information officer played, which was a more limited role given the overall cost of the project. Then, separately, I have responsibility for the sponsorship team, and I accept that, given all that we have now learned from the report, the sponsorship team could have been more proactive and searching in its relationship with the SSSC.

The report indicates that the Scottish Government provided around £3.1 million of funding for the digital improvement. Can you take me back to the start and tell me the basis on which that funding was approved? What documentation was provided to say, “This is the right way to spend public money. The funding should be advanced in full”?

I will pass over to Michael Chalmers on that in a moment, but I first want to say that at no point were we presented with an overall cost for all the elements of the project that we are now aware of. We have heard in evidence that the project developed over time and that some issues arose. We received and scrutinised year-on-year budget requests. Michael Chalmers can say more about that.

The sponsor team has quarterly assurance meetings with the SSSC, and was first made aware of what was described earlier as the “lift and shift” approach—the replacement of the core system for registrants, which was called the Sequence system—in February 2016. When the 2017-18 budget was fixed, which was March of the next year, a draft budget would have been provided to the sponsor team, setting out the cost, including the digital cost. That would have been done through the resources committee of the SSSC. The papers that went to the resources committee, in which the executive had set out the budget, would also have been available to the sponsor team, which would have scrutinised that process.

Forgive me, but you are talking about budgets and draft budgets, whereas the Auditor General’s report was clear that there was not a separate detailed budget for the project. This morning, the SSSC said that whoever authorises the movement of funds knew that there was no budget and no clear business case and that no quantitative or qualitative cost benefit analysis had been done, and yet they signed it off anyway. I am trying to establish whether that is correct. When that use of public money was signed off by the Scottish Government, was it fully aware that none of those basic preliminaries was in place?

There was no business case setting out the costs and benefits. That goes back to the point that the chief executive made earlier that, when the initial budget for the spend on IT was approved and when the 2017-18 budget was agreed, that referred to the replacement of the Sequence system, which was to expire in September 2017. That system was core to the statutory functions of the SSSC and so had to be renewed. The assurance that was given to the sponsor team that approved the budget was that a procurement process would be gone through.

There was no budget—that is what we have learned from the Auditor General’s report. To reflect back what I am hearing and reading, an application was made for a significant amount of public money that had no basic grounding, but somebody in the Scottish Government said, “Fine—advance the money.” Is that the case? If so, are you comfortable that sufficient scrutiny is being applied to budget applications?

It is not the case that there was absolutely no preparatory work. The papers that went through the resources committee of the SSSC would have set out an indication of that work. There was engagement with the Scottish Government’s procurement service to get an indication of what the contract parameters would be. There was then to be a process whereby the SSSC would engage in detail with procurement to comply with procurement requirements, which would provide assurance on value for money for the public purse. There had to be a provision in the budget to allow that process to go forward.

As Paul Johnston said—

Sorry, but I want to put that question to Paul Johnston, as he has oversight of all of this. There was no clear business case, no separate detailed budget and no cost benefit analysis, but somebody signed off and said, “Just give them the money.” Are you comfortable with that, Mr Johnston?

Let me be clear: at no point was an entire programme signed off. We had an annual budgeting exercise. It is important to recognise that the first phase of the work was essential—it was the upgrade to Sequence, which was subject to a full competitive procurement exercise, thus ensuring value for money. That was the key component of the digital transformation programme. However, I absolutely accept that there should have been a full business case that covered the programme from start to finish, in so far as the council could have worked it through. We know that things change and that unexpected complications arise, but I share the Auditor General’s view that, in this case, there should have been, at the outset, an attempt to articulate the full programme.

I will take responsibility for work with sponsor teams across the Scottish Government. We must learn lessons from the project and ensure that, in our scrutiny and challenge of sponsored bodies, what we expect is clear from the outset. What we expect is the suite of documents that has been referred to.

I have a question for Colin Cook. How many £4 million-plus IT projects are there at any one time?

I will get the completely accurate figures. More than 200 projects have been registered this year. Currently, 25 have been assessed as major projects, and we are assessing 13 projects that we believe will become major projects. If I do the maths quickly, 38 projects will therefore potentially fall into the categorisation of major projects.

What amount of money are major projects over?

They are projects over £5 million or projects with a significant reputational risk.

Do you not think that any project that costs millions of pounds—no matter what number we put on it—poses a reputational risk or a risk to the public purse?

All projects, all expenditure on IT projects and all expenditure on anything have to be treated with seriousness.

So you do not believe that a £4 million project requires the level of oversight that a £5 million project does, and you believe that such a project is not as relevant to the public interest and the public purse.

Under the current way in which we structure and operate the OCIO, which is a function that we have built up progressively and which we have continued to build up and develop over the past couple of years, we have focused our attention on the major projects. The 25 projects that are currently on the register account for 48.8 per cent of the costs that are recorded on the database, and the other 13 projects account for 42.7 per cent. Therefore, they are at least 90 per cent of the costs. The response is proportionate to where we are. We balance the needs of the projects and the availability of human and financial resources, and focus them on the projects that make the biggest financial difference.

The 200 projects that are on the IT project list will have variations in their timelines. Some of them will be one-year projects. What is the longest project?

I am afraid that I do not know what the longest project is. There is a variety of timelines. Some projects will be very small, and there will be relatively small procurements that can be deployed within a few weeks or months.

Do the projects go from thousands of pounds to millions to pounds in value?

Yes, they do. Roughly speaking, the projects on the register account for £1 billion-worth of spend.

As currently stand, a £4 million project over two years does not have the highest level of scrutiny.

As things stand, a project that is not assessed as a major one—as I said, major projects can include projects under £5 million but, in the main, the discussion is financially driven—is not subject to the major projects assessment process that the OCIO operates.

From what we have learned with the SSSC, do you think that the process needs to be recalibrated and that a £4 million project over two years should be regarded as a high-priority one?

There is definitely something for us to reflect on and learn from. As I said, we have been building the office of the chief information officer for the past couple of years. Part of my ambition is to generate greater confidence in the ability of the Government and the Scottish public sector more widely to deliver IT projects. That process will continue. We have made great strides and great improvements. When I took up the job a couple of years ago, I made it one of my priorities to say that we would build an assurance process with teeth. That is an on-going process. I will continue to look at and learn from that process and, if what you suggest is the way to go, we will look to find a way of expanding the process.

Given the number of issues, scandals, press reports and challenges that there have been around IT projects, do you accept that the public would find it ludicrous that a £4 million project over a two-year period does not have the highest level of scrutiny from the Scottish Government?

I hope that the public would understand that we are talking about the independent assessment and scrutiny of the office of the chief information officer. That is not the only way in which a project should be scrutinised or the only thing that should give the public the confidence that a project is well run. We have managers and leaders across the public sector who are devoted and dedicated to ensuring that public sector money is spent appropriately. I am talking about how we have chosen, at the moment, to prioritise the expertise of the chief information officer.

10:30  

Mr Cook, is it not too simplistic to have a financial cut-off? We are talking about a new IT system for the SSSC, which was pulling apart from the Care Inspectorate—that is an additional risk. Does your department not take the additional risk into account? Do you just say, “It is less than £5 million, so we’ll put it on a lower level of scrutiny”?

No, we assess risk in the round and take a risk judgment if a project involves a vital public service, or something along those lines. In this case, we did not assess it as a major risk project—and neither did the SSSC—because when it started, it was about the replacement of a core system.

How could the data that the IT system collects—the very personal data of vulnerable people and the people who work with them—not be regarded as high risk?

Please answer briefly, then we will move on.

I still do not believe that there was a major risk intrinsic to this IT project, even though it was an important and high-value project. I accept that, as we develop the OCIO, we will perhaps change the thresholds.

I will continue with the theme of how the Scottish Government oversees external agencies that are within its ambit. Paul Johnston, you said that there are three groups involved. The sponsorship team in your department is one of them, but there is no one here from that team. Is that right?

Michael Chalmers has responsibility for the sponsorship team.

Okay. There are also the two teams under Colin Cook, and other people such as the procurement team, which you have mentioned. In a project such as this, how often do those Scottish Government teams get together to review the project and compare notes?

From my review of the case, I know that there was engagement between the sponsor team and the other teams that you mentioned.

What about collective engagement?

That was not in place from the outset, which is one of my other areas of learning. The joining up of different teams with different functions must happen earlier in the day to ensure that there is good sharing of information. Some people were off working with the SSSC and bringing it the technical expertise that we have heard about, and I have been assured that connections were made. Michael Chalmers might have more information, but I cannot tell you how frequent that was. From my review, I know that there is a need to ensure that those connections are made more frequently and as part of the regular way in which we do business.

So, basically, those three teams—let alone procurement and other teams—never got together to look at the project collectively.

There was communication between them.

Just answer the question, yes or no. Did they ever get together to discuss the project collectively?

I have been advised that they engaged with each other. Whether that exactly meets your request—

You are not answering my question. Forget the flannel. I have asked you a straightforward, simple question. Did they—those three branches of the Government—ever hold a meeting together to discuss the project? Yes or no?

I think that they did hold meetings.

But were they all together?

What I have tried to say is that they communicated with each other but that they did not communicate frequently enough.

Mr Johnston, will you answer the question? Did all three teams have a joint meeting—yes or no?

Yes, I think that they did.

Can we have the minutes of those meetings?

I can get back to the committee with further details. I do not have minutes in front of me. I will hand over to Michael Chalmers, if he has more details about the way in which they engaged, for example whether that was in telephone conversations or with meetings.

I cannot add to that and we might have to come back to the committee. However, as Paul Johnston said, when we reflected on it, we accepted that there should have been better communication between our sponsor team and the teams that you mentioned. They should have spoken more and had fuller discussions.

Who is responsible? From what you are saying, it seems that you are not clear about whether they met to discuss the project even when it apparently got into trouble. We need clarification of that—yes or no. If they met, we would like to see the minutes of those meetings to see what action was taken and agreed. That request should come from the committee, not just from me.

Can I establish which is the lead group in the Scottish Government in terms of the SSSC? Who is the named person, as it were, who makes sure that all branches of the Scottish Government work together? We hear a lot about joined-up government, but this does not look like joined-up government—it looks like dysfunctional government if it allows this to go on. Which group is responsible? Who is the lead? Who should organise all the groups within the Scottish Government to make sure that they work across Government as a team?

That is the sponsor team.

Right, and did it do that?

No. I have accepted that the sponsor team should have engaged more proactively with the SSSC and joined up more effectively across Government.

Why does it always take a section 22 report before we say that we must learn lessons? Why are you not ahead of the curve?

We have pointed out the steps that we took in this case, and the fact that the ICT transformation has been delivered and is delivering benefits. However, I am very clear that our organisation always needs to be ready to learn and to take on board lessons. I am sorry that those were not identified in advance of the Audit Scotland report, but I can assure the committee that they have now been very clearly learned and taken on board. We will be implementing those lessons and sharing them across other sponsor teams in the Scottish Government, and I sincerely hope that we will not be back here having the same conversation about another sponsored body.

There is a good example that might give some comfort on our ability to get ahead of the curve. I said that we have developed and now have maturity in the chief information officer’s assurance process. From 1 April this year, the responsibility for that assurance process is transferring to a single team in the Scottish Government under the director for internal audit, to bring together the different types of audit that are available from the Scottish Government. That will certainly help communication processes between people who are looking at different aspects of the audit process.

That is a welcome development, but presumably the sponsor team will still be the lead team that makes sure that that joins up with all the other bits and pieces.

Yes.

Does Michael Chalmers accept that?

Yes.

I will move on. At the core of our agenda are, in a sense, the differences between the SSSC and the Auditor General. In evidence this morning, we have heard, specifically in relation to what was said at the committee meeting on 7 February, which I was not at, that there are two outstanding issues on which there is a clear difference between the Auditor General and the SSSC—and there are probably others resulting from the report. In the opinion of the Scottish Government, who is right and who is wrong?

The SSSC has provided some clarity on a couple of factual issues. The committee heard that this morning, and I have considered the SSSC’s very detailed submission. Subject to those clarifications, I do not take issue with anything that the Auditor General said in her report.

So the Auditor General is right, then?

The Auditor General is right. If there are factual issues, such as the timeframe within which external expertise was sought, those facts have to be allowed to speak for themselves. However, I accept all the challenges and conclusions that the Auditor General put in her section 22 report.

Were you, personally, and the Scottish Government sponsorship team involved in or sighted on the emerging differences when the Auditor General’s draft section 22 report came back from the SSSC, with the council strongly disagreeing with aspects of the report and challenging its accuracy? When were you sighted on that? When did you become aware of it? Did you become involved in the situation? What role did you play?

I will ask Michael Chalmers to answer that.

The sponsor team saw a draft of the report—I think that that was shortly before publication. However, I think that some of the contentious issues came up as a consequence of the evidence session with the Auditor General, rather than as a consequence of the report.

No, my question is: you got sight of the Auditor General’s report before it was published, but when did you become aware of the challenge to the report?

I think that it was after the evidence session in February; I am not sure that that was clear from the draft report.

So you did not know until it was published.

We saw the report before it was published in draft—

Specifically on the differences—

The differences became clear to us after the evidence session in February.

So you and your sponsor team were not aware of the exchanges between the Auditor General and the SSSC over its challenge to her report.

We knew that the SSSC wanted to set out its own position on the programme, which it has done this morning.

Please answer simple questions in a simple, factual way. When did your sponsor team know that there was a fairly heated dispute between the Auditor General and the SSSC about the contents of the Auditor General’s report?

I am not clear that I am talking to the same point that you are making. I am not trying to be evasive.

I am just asking you to answer the question. When did you become aware of that? It has been said that this is the first time there has been a public, robust challenge from a public organisation to one of the Auditor General’s reports—

The first time this session.

You are in charge of the sponsor team, so when did the sponsor team become aware of that and what action did it take, if any?

I think that the sponsor team became aware of the factual points of difference that you have referred to after the evidence session in February, but it had seen the report in draft before it was published in December.

So the team knew nothing about it until the report came to this committee.

Knew nothing about what?

The SSSC’s unhappiness with the Auditor General’s report.

We were aware in December that the SSSC was not happy with the tenor of the report because it felt that the programme was successful, and therefore it did not necessarily accept all the report’s conclusions.

Once the sponsor team became aware of that, what—if anything—did it do about it?

We had meetings and discussions with the SSSC, and, along with the chief social work adviser, who heads up the sponsor team, I met the SSSC executives in January. That was part of the lessons learned process. We looked at steps that could be taken in response to the Auditor General’s report.

Did you agree a list of action items?

Yes—I think that that has been set out in the SSSC’s evidence this morning.

Can we get copies of the minutes of those meetings?

Yes.

One thing that really strikes me about our session with the previous panel and our session with you is the number of conflicting statements. For example, Lorraine Gray, who was on the previous panel, said that the project was delivered within budget. However, paragraph 10 of the Auditor General’s report states:

“The SSSC has advised the auditor that the overspend”

on the budget

“will be partly funded by ICT money from the Scottish Government carried over from the previous year and partly funded from underspending in other budgets.”

Presumably, that underspend is to do with savings that have been achieved elsewhere. Those are contradictory statements. What is the truth?

The figures that I have received accord with those set out by the Auditor General.

So there was an overspend.

Yes.

IT projects tend to overspend. At what point were you aware that there would be an overspend?

I do not have a specific date. I will hand over to Michael Chalmers in a moment in case there is a date to hand; if not, we can follow that up with the committee.

The information that I have is that we were notified that the project was going to cost more than originally expected. However, the SSSC did not come to the Scottish Government seeking additional resources; rather, it provided an assurance that it would be able to meet those additional costs from savings elsewhere in the organisation.

From the Scottish Government’s point of view, the amount of money that we allocated over the course of those two years was not exceeded.

The SSSC advised that the overspend would be

“partly funded by ICT money from the Scottish Government”

that was carried over from the previous year. Can it do that without reference to the Scottish Government or without advising the Scottish Government that there is an overspend and that it will have to dip into money that has been carried over?

10:45  

We would absolutely expect there to be engagement with the Scottish Government sponsor team on matters of that nature—

But did the SSSC engage?

My understanding is that that engagement took place, but Michael Chalmers might have more to say on that.

I have already mentioned the budget approval process, and the issue would have been part of that process in the February or March leading up to the approval of the SSSC’s budget. It was made clear that there was an overspend; however, it was suggested that that would be funded from the previous year’s underspend, and that was approved.

So from what you are saying and from what the Auditor General has said, Lorraine Gray’s statement in the previous evidence session that the project was delivered within budget was incorrect.

I am not sure how Lorraine Gray expressed that—

I think that she said that it was delivered within budget.

The way that I would express it was that extra money was not required on top of the budget that was agreed from the Scottish Government. I think that the council funded it from efficiencies elsewhere.

Paragraph 10 of the Auditor General’s report says:

“In 2019/20, the project moves into a maintenance phase”—

which is fair enough—

“and ongoing development subject to funding available.”

Where is that funding coming from? Is it coming from the Scottish Government? What is the “ongoing development”? It is not maintenance. Does that mean that further work needs to be done on the system?

I do not know what that specifically refers to—I would need to check with the SSSC—but we are in the process of looking at the 2019-20 budget now.

I just want to know the dimensions of this “ongoing development”. Is the system as it has been delivered fit for purpose, or are there still bells and whistles to be attached to it?

As I understand it, the system has been implemented effectively, so it is fit for purpose.

The system has been up and running for only four weeks, so time will tell whether it is stable enough to survive the test of time.

We have heard that there was no business case; no project management methodology was applied, despite the guidelines that exist for digital projects; the IT spec changed right from the start; there was no internal audit of the IT project, and the council knew as much; there was no network to run the project on, so the council had to install its own; and there was no software to upgrade, because it had been lost. Is that what success looks like?

No. I think that we have made it quite clear that we accept what the Auditor General has said. There were failings in governance and oversight, and the SSSC has, in the main, accepted that. It is responsible and accountable for the use of the money that is passed to it, and I welcome the fact that it has set out some detailed actions that require to be taken forward.

I deliberately asked the SSSC witnesses whether they were aware of Audit Scotland’s framework for IT development projects, “Principles for a digital future”, and whether they had applied it, and they told me that they had. However, when I picked out one aspect and asked whether they had applied that, they said no. There is therefore a bit of a doubt over what they were saying they had applied. Was your sponsor team aware of whether the SSSC was or was not applying those fine principles?

My understanding is that the sponsor team had certainly received assurance that the council was aware of and applying the principles. Based on what the council has said, it seems that they were adopting an agile methodology—I think that we have heard that—but I fully accept that the full range of principles was not fully applied.

We have been here many a time discussing IT projects, and it is kind of the same story every time. When are we going to stop having these sessions and continually questioning IT developments, and when are we going to begin to get these things right consistently?

Colin Cook has already pointed to some of the improvements that have been made, and I note the Auditor General’s evidence about some of the good practice that she has seen. However, I share the committee’s wish for good governance and accountability in all our IT projects in the public sector in Scotland.

Will this cause you to review from now on the monitoring and scrutiny that you apply, even to projects below the £5 million threshold, just so that you can establish whether basic IT development principles are being applied?

My commitment is to having a review and further support for sponsor teams in this area. I regard that as necessary.

What we have heard from Colin Cook is a commitment to looking at the thresholds or triggers that would lead to closer involvement of the office of the chief information officer. That, too, is necessary work that we will take forward.

Just for clarification, as part of the reviews that you have undertaken and the learning points that you have taken on board, have you looked across existing projects, even those under the £5 million threshold, to see whether there are any similar circumstances in which sponsor teams have not been speaking to one another or, indeed, to the organisation in question?

The work with the sponsor teams that I have described will be undertaken in the coming weeks. It is in train, but it is not completed, so I cannot answer your question. I am happy to provide further information in due course.

But you are looking at that.

Yes. I can assure you that that work is being taken forward in relation to the sponsor teams, but Colin Cook might have more to say about the assurance processes for which he is responsible.

We are constantly learning and reviewing the findings that are made and the reports that are written. There is a unique dimension to this case, because we are talking about a shared service that is not a core Scottish Government shared service. As a result, there are very few other cases with precisely the same technical situation, but there are lessons to be learned and we will learn them. We are also committed to increasing the range of advice, guidance and tools that are available.

But perhaps, as Willie Coffey has suggested, every case has something unique. The point is finding the trigger.

Of course.

I look forward to hearing more about that. Thank you.

In the course of overseeing this project, how many times did Colin Cook and Michael Chalmers go up to Dundee to meet people in the SSSC?

I am afraid that I did not at any point go to Dundee to meet the SSSC.

I went once, but not in relation to the project. However, the chief social work adviser, who is the senior civil servant responsible for the sponsor team in my directorate, met SSSC senior executives on a quarterly basis.

In Dundee or in Edinburgh?

In both.

So the two most senior Government officials in charge of the project never set foot inside the SSSC’s offices to sit down with people on the ground and see how the project was being delivered. Is that right?

I think that Colin Cook wants to clarify something.

I meant to mention that, as I said right at the beginning, an OCIO representative had meetings on a quarterly basis, even though the project was not subject to the major projects assessment process.

Were those meetings in Edinburgh?

I do not know. Typically, the OCIO goes out to the organisations, but I am not aware of what happened in this case.

I should point out that the project was discussed in my discussions with the chief executive, which included meetings with the chief executive of the Care Inspectorate. There was no meeting specifically to go through the project.

This might seem overly simplistic, but I always feel that you get a much better feel for what is happening in an organisation when you go through the front door and sit down with the people in charge of these projects. It worries me a bit that neither Colin Cook nor Michael Chalmers were in the building to see that.

I ask Paul Johnston for his reaction to some of the governance issues that we have heard about.

I am concerned about them. As I have said, I take on board what the Auditor General for Scotland has brought to our attention in the section 22 report, particularly on the need for a full business case at the outset and the scrutiny that is then exerted by our public bodies. I am very clear that improvements require to be made.

Do members have any other questions?

I just have one quick question about governance. As part of your review, Mr Johnston, will you be looking at the role, effectiveness and performance of the council’s chair and board? I have to say that, given the answers to some of our questions on that matter, I am not convinced—nor, I suspect, are other members of the committee—that the non-executive directors of the board were taking the kind of proactive approach that would be expected with such a big project that made up, when taken on an annualised basis, an eighth of the organisation’s entire budget. The poor performance of non-executive directors on public boards is a continuing theme that we see right across the board, and this, it would appear, is another example.

Council members are appointed by the Scottish ministers, and we will look at whether additional support is required there.

I thank the witnesses for their evidence.

I briefly suspend the meeting to allow a changeover of witnesses.

10:54 Meeting suspended.  

10:56 On resuming—  

I welcome our third panel of witnesses. With us from Audit Scotland are Caroline Gardner, Auditor General for Scotland; Claire Sweeney, audit director, performance and best value; and Jillian Matthew and Gemma Diamond, senior managers. I invite the Auditor General to make an opening statement.

I presented my report on the 2017-18 audit of the Scottish Social Services Council to the committee on 7 February 2019. The council did not demonstrate good governance or project management in implementing its new digital strategy. As I set out in the report, a number of basic steps were not followed.

Over the past few months, the SSSC has submitted to us, and now to the committee, a lot of technical documents about the systems to be implemented. The audit team has spent a considerable time reviewing them. None of them provides assurance that the project was well governed. There are significant gaps, with no clear business case, budget or statement of the expected benefits. There was a lack of clear governance, and no regular, detailed monitoring of costs and risks.

As the committee has heard this morning, the SSSC thought that it was setting out to buy new software to replace its registration system, Sequence. At that point, it did not understand the complexities and the interactions with other systems and infrastructure, so it could not foresee the scope of the work that would be involved.

It is important that all significant projects are managed well, not just so that auditors and the committee can understand how public money is spent but so that the people who are responsible can make good decisions based on all the information that they need. That is the basic purpose of good governance.

My team and I are happy to answer the committee’s questions.

We will concentrate on the substantive issues that your report raises, but you have come back to us today because, for the first time in this parliamentary session, a public body has taken issue with your findings. I do not know whether we have a fully clear picture of whether the disagreement is factual or is based on opinion—both those words were mentioned this morning. Will you address the SSSC’s reaction in the evidence that you have heard?

Of course. First, it is important to say that I am appointed by Parliament to provide you with independent, evidence-based reports on public bodies, and I take that responsibility seriously. We go through a number of processes at all stages to ensure that the evidence is agreed on a factual basis, and I then use my professional expertise and professional judgment to come to the conclusion that I draw and present to you.

Like you, I am not clear what the factual inaccuracies are that are being referred to. I wrote to the committee after the evidence session on 7 February to give clarification on the external expertise that had been brought in, which I think was not adequate given the programme’s scale and significance.

11:00  

Issues were raised about the use of the “Principles for a digital future” checklist. We would say that the SSSC referred to it but did not use it, and that was probably reinforced in your evidence session.

A third point that I noted was that we had stated that the case management system would not work on the shared infrastructure. To be clear, the point that we draw out in the report is not that it would not work—the system was compatible in the sense of technical operation—but that the SSSC identified very late on that the shared infrastructure did not provide sufficient security for the sensitive information about care workers and in particular fitness-to-practise investigations.

In all three of those areas, there was no factual inaccuracy; instead, there is a difference of view on the significance of the issues. To refer to a difference of opinion in that context probably betrays a misunderstanding of the role of audit. I am appointed by the Queen on the Parliament’s recommendation to give you my view on the quality of governance and the use of financial management. You have heard what my view is. The SSSC might not agree with that, but it is my professional judgment as Auditor General.

I take it from your answer that you stand by the findings and content of your report.

Absolutely.

I will ask for a bit more detail on that. The SSSC has taken issue with some findings of the report, but it looks to me as if perhaps it could have provided more detail to you. Is that the case?

I would say that it is not the case. I will defer to the team in a moment, but the problem that we had with the report was not a lack of detail; it was a lack of understanding of what question we were asking. We have been clear that we do not dispute that there were a number of reports and technical analyses of the different stages of the work that the SSSC went through, but we have never seen evidence that, at the beginning, the SSSC fully understood the scope of the work that it was starting on. Particularly given the significance to the council’s core business of registering social care workers and maintaining their fitness to practise, the council should have had that core understanding before it embarked on procuring a replacement for the Sequence system.

We received significant amounts of documentation from the SSSC. The appointed auditor and the team in Audit Scotland went through all those documents, but none of them gave us what we were seeking, which was a business case and clarity about the finances and the governance arrangements. Some of the issues that were raised in the audit report have been drawn out in evidence today. We certainly received an enormous amount of documentation, all of which we have been through, and the appointed auditor has also reviewed it in detail.

Given what you heard this morning, Auditor General, are you more concerned now about governance arrangements at the SSSC than you were when you published your report?

What we have heard this morning has confirmed for me the sense that the people who are accountable for the digital strategy simply have not understood the concerns that we and the external auditor have raised with them over the past six months and more. That is a concern. You heard reference to the successful implementation of the system and to the efficiencies and savings that have been generated. We will look at that through the 2018-19 audit next year but, at this point, we have not seen evidence of that.

The starting point has to be an understanding of why good governance is important for a system and strategy that are as significant as the ones that we are talking about. I agree with Colin Cook that, in cash terms, this is by no means the biggest project that is going on in the Scottish public sector but, as you heard from Lorraine Gray and Maree Allison, it is central to the council’s ability to carry out its work. That highlights the need to understand why good governance from the beginning is so important.

I have been struck by the sheer verbiage that we have been battered with today. It seems that a lot of things are fairly obscure. I will ask just one question. To come back to what I asked Paul Johnston about in connection with the budget, Lorraine Gray basically said that she was within budget. Did she mislead us in stating that?

We were all listening carefully to the evidence that you received this morning. You are right that there was a lot of it and that some of it was contradictory. My interpretation of what you heard is that there really was no budget for the system as a whole—that is one of our findings—but that the overall costs of the system were absorbed in the budget for the SSSC as a whole. My report sets out that, in order to do that, the SSSC had to carry forward digital funding from the previous year and make savings under other budget heads. We can give you a bit more information on that if it would be helpful. I imagine that Lorraine Gray was referring to the SSSC’s ability to deal with those costs within its overall budget by making savings elsewhere.

That is not necessarily bringing in the project within budget.

We do not think that there was a budget for the project that we could reconcile to the amount that was spent.

I have one small point on that. Paragraph 10 of your report refers to

“ongoing development subject to funding available.”

What does that mean?

I am not entirely sure what it means. There is an overall digital strategy so, potentially, other aspects of that are still to be implemented. However, we got no more detail about what those aspects are.

We heard from Lorraine Gray that she kind of accepts the section 22 report and might disagree with its analysis rather than its factual content. Auditor General, you hit the nail on the head about there perhaps just being a lack of understanding of what the report is all about.

Lorraine Gray referred to two “factual inaccuracies”—about the “late stage” at which external support was sought and the case management system—that were made at our meeting on 7 February. Do you completely stand by the comments that you made that day?

Yes. I wrote to the committee after that meeting to try to clarify them. The convener queried exactly what comments in the Official Report of 7 February the accountable officer was referring to, and I am not entirely sure what they are. However, in my letter, I clarify that the SSSC brought in external technical leads—as we say in the report—that were not operating at a strategic level to oversee the programme as a whole, and that the early engagement with the Scottish Government was with the procurement directorate around what was then thought to be a procurement exercise to replace the Sequence software that the SSSC uses for registration. That was not the expertise that would have been needed to understand the difficulties with replacing Sequence, given the lost code; the additional work that would be required if the SSSC wanted to improve the case management capabilities; the challenges that came from trying to implement the case management approach on shared infrastructure; and the other issues that the committee has heard about in evidence so far. Strategic expertise at that stage would have helped the SSSC to understand what the programme was about and to set it up in a way that had a greater chance of success in the ways that we expect to see.

You also heard Lorraine Gray say that she accepts that although she and her colleagues probably had too many hats on and that they should have divided up the hats a lot better, if they had done that, they would still have made the same decisions. What did you think as you listened to that?

I thought that that was one of the instances that reinforced for me the SSSC’s failure to understand what our “Principles for a digital future” was intended to achieve. Throughout that document, you will see the importance of leadership and expertise running all the way through a programme, from its initial scoping to its delivery. For me, that is not so much about the number of hats that people are wearing; it is about investing at the right stages to understand what you are taking on and therefore what expertise you need, what external support might be required and what governance arrangements are in place to keep things on track.

I presume that you disagree with Lorraine Gray’s comment that the only thing that the SSSC should have done differently was to have written more things down.

I disagree with that, yes.

Basically, the SSSC does not get it.

It was a difficult section 22 report for the team to finalise, because of the volume of information that kept coming through to us, as Claire Sweeney referred to. The engagement with people from the SSSC was very much designed to help them to give us the evidence that we would need to change our judgments and to make them less unfavourable. We did not receive such evidence, and what the committee has heard today reinforces that fundamental problem.

Crucially—

We need to move on, so you must be very quick.

Colin Cook talked about a £4 million project being below the threshold of what is considered high risk. Can any work be done to determine what the correct threshold for projects should be?

The committee touched on that point on 7 February. Given the scale of the digital transformation that is going on in Government and the shortage of such skills, I recognise that the Government needs some way of prioritising projects. Its prioritisation approach is reasonable and appropriate. Later this year, we will report back on the Government’s overall digital transformation. If there was a failing in Government, it was, as Paul Johnston said, that the sponsorship relationship was not robust and challenging enough to test the assurances that people in the SSSC were giving the Government.

I asked the chief executive of the SSSC a couple of times whether she was aware of the “Principles for a digital future” document and whether she had applied those principles. She said yes, but when I asked about particular aspects of the document, such as project management methodology, she said that she was not aware of them. That did not give me—or, I am sure, other members of the committee—any confidence that the SSSC applied the principles of the document in any way. The sponsor team needs to take some culpability, because everyone must have known that the principles were not being applied. What on earth can we do to overcome this continual problem?

We saw references to the document in the minutes that were provided to us, but we did not see evidence that it was being used in a way that would have improved the oversight and governance of the programme. The responsibility probably lies with the sponsor team, because it needed to ask not only the question, but for evidence of the way in which the document was being used and the difference that it was making to the governance and oversight in the organisation.

We were told that there was no internal audit oversight of the £4 million project. It is amazing that an audit team did not think it appropriate to bring the audit of such a project into the scope of its activities. What are your comments on that?

Again, that goes back to my initial comment that the SSSC thought that it was simply procuring a new piece of software to replace an old piece of software. Had that been the case, we might well not have expected such a project to be part of an internal audit plan. If the SSSC had understood the scale and complexity of what it was getting into, I imagine that it would have wanted and expected there to be an internal audit as an additional source of assurance. I certainly would have done, as accountable officer.

From what we have heard this morning, it seems that there have been failures at three levels. The executive senior management team has taken primary responsibility, and it clearly made a number of big mistakes in handling the project from day 1. However, yet again, we have an example of a board that does not seem to be doing its job in properly managing and monitoring its senior management team and organisation. Yet again, we have heard about the failure of the civil service to engage in joined-up government, despite all the lip service that we get about it. People need to get their act together, so have you any plans to deal with the role of the board and the role of the civil service?

Every annual audit looks at the role of the board. Alongside the audit of the financial statements each year, an assessment of governance is squarely part of the wider dimensions of public audit. As the committee knows very well, problems that I bring to its attention are often the result of, or are heightened by, a board not exercising its important scrutiny role effectively. That work is already covered. We have reported on the role of boards more generally, but that was some time ago, so we will keep in mind whether we can add something to that work by taking forward the thematic review.

Paul Johnston referred to work that we have agreed to do with the Government to review the differing sponsorship relationships between his directorates and the bodies for which they are responsible. I hope that the Scottish Government considers carrying out such work more widely. It is certainly true that the quality of sponsorship is very variable, and the scope of what sponsor teams do differs. The SSSC case is an example of the sponsor team not testing or challenging what it was being told enough, so it was not able to intervene at a stage when it would have made a difference.

There also seems to have been a basic lack of co-ordination within the Scottish Government. There was the sponsor team, the two teams under Mr Cook and other teams such as the procurement team. It is clear that the impression was of anything but joined-up government.

We do not yet know about that, because we have not completed the review that I have referred to. However, I suspect that it comes down to the approach that the sponsor team took as much as anything.

Will you publish a report on that at some point?

We have agreed that the review that we are doing with Paul Johnston is a way of helping the sponsor team to learn lessons from this example. However, as I have said, we are considering whether we should do a wider piece of work and report to the committee in due course.

Will that work with Paul Johnston result in a publicly available report?

That is not the intention at the moment. The intention is to help the sponsor team to learn lessons from our experience of doing the work. If we uncover something that I think needs to be brought to Parliament’s attention, I will do that. However, that is not our intention at this stage.

I think that we would be interested in hearing at the end of the process what you found and what action has been taken within the Government to try to rectify very serious shortcomings.

I will bear that in mind.

Are you happy that you will have a collaborative relationship with the SSSC going forward?

It is fair to say that it has been difficult for my team and for Joanne Brown from Grant Thornton over the past six months. I know that she is working hard to rebuild an appropriate relationship. As you will know, it is not unusual for there to be areas of disagreement between auditors and the bodies that they audit, and that is generally a healthy thing. However, there needs to be enough engagement to ensure that we and Joanne Brown can carry out our work effectively, and we will invest in ensuring that that is the case.

You will put the effort into that.

Of course.

As there are no further questions for Audit Scotland, I thank everyone for their evidence.

11:16 Meeting continued in private until 11:27.