§ Ruth Kelly
The information requested is as follows:

Inland Revenue

There is a full right of access for audit (including National Audit Office) and security interest across the whole of the Inland Revenue and the IT supplier. This enables the reviewing bodies to fully cover any area of risk as determined by their work planning processes.
All major new computer projects or enhancements have to provide an audit trail of all computer activity by users. IA monitors activity to detect potential fraud and misuse. There is a standard set of audit checks carried out over these developments in order to ensure compliance with all legal and departmental requirements and IA has a seat on the project steering committee to ensure appropriate consideration is given to audit findings.
IA has a specialised computer audit team of qualified professionals who carry out a programme of technical audits over the provision of IT services both hardware and software. They use an international computer audit standard (CoBIT) to risk assess the services and to measure provision against a set of detailed controls. All findings are reported to the responsible senior manager and followed up to ensure appropriate action.
Overall, IA and DSU have a direct reporting line to the Departmental Audit and Security Committee to raise issues that are high risk or that IA/DSU consider are not being addressed adequately by managers.
As already referred to, National Audit Office also carry out pieces of review activity across the Partnership and often work in joint teams with IA and/or DSU.
The Treasury uses a combination of line management overview and procurement scrutiny to determine whether information technology hardware and software products are being used properly in the Department. These are supported by internal audit and security reviews wherever appropriate. Staff identified as making unacceptable use of IT will be subject to disciplinary procedures.
There are two overarching controls over the use of IT in the Treasury: the Departmental IT strategy which sets the tone for the use of IT, and the annual Business Planning and Budget Planning round which subjects all proposals to high-level business scrutiny.
Further down the line, all IT purchases, whether hardware or software, are required to be supported by a business case to ensure that there is a formal requirement by the Department for the facilities. After implementation, the Treasury has guidelines (promulgated to all staff) on the acceptable use of information technology. Certain rules are enforced (e.g. construct and length of passwords and enforced screen savers) and firewalls are used to protect HMT systems from attack, to protect staff from unwanted correspondence (spam) and to disable unacceptable internet web access.
In general, line managers are responsible for enforcing the acceptable use of IT facilities provided to their staff. However, they have access to the resources of the departmental internal audit and security teams to investigate specific incidents. There are also more general internal audits of IT themes and running contract arrangements to ensure that processes are sound, efficient and effective. The Department is required to conform to Government security regulations and is subject to security audits to ensure that it remains compliant.
HM Customs and Excise

Guidance and standards are published covering the procurement, development and use of IT hardware and software. HM Customs and Excise has developed a single approach to the management of business change—the Business Change Lifecycle. This covers all stages of IT system development and is aligned with the OGC Gateway Review process. It identifies the stages and products that must be produced to comply with the HMCE standards. Once implemented the use of hardware and software is controlled through security standards and acceptable use policy.
It is the responsibility of all managers to ensure that the IT systems provided to their staff are used in accordance with the guidance and standards, although additional assurance mechanisms are in place. Managers can call upon the services of our Internal Investigation Division to investigate specific incidents. Compliance is also monitored through an internal assurance programme which contributes to the annual Statement of Internal Control. Our Internal Audit Division also provides assurance over the operation of IT systems through their annual programme of audits. Systems are selected for examination based on a risk assessment, and take account of the significance and materiality to achieving the Department's business objectives. In addition, external audit is carried out by the NAO. Their audit programme includes IT security and specific controls for key systems.
§ Mr. Boateng
A Centre of Excellence was established within HM Treasury, Inland Revenue and HM Customs and Excise in June 2003 to integrate the essential functions which underpin the successful delivery of all types of acquisition based programmes and projects. As cost benefits will not accrue until improvements start to take effect, it is too early to measure cost savings. All Centres of Excellence are currently developing future plans and as part of this process measurement of savings will be defined.