Risk & Audit Department
Olympic Delivery Authority
Report on General IT Controls
Reference Number – WP20
Overall Report Rating – NEEDS IMPROVEMENT
May 2007
OLYMPIC DELIVERY AUTHORITY – GENERAL IT CONTROLS
Contents
EXECUTIVE SUMMARY ..... 3
OVERALL REPORT RATING ..... 3
KEY FINDINGS ..... 3
KEY ACTION ITEMS ..... 6
BACKGROUND ..... 8
CONTEXT ..... 8
OBJECTIVES AND SCOPE ..... 8
APPROACH ..... 9
A. GOVERNANCE ..... 10
B. IT CONTROL ENVIRONMENT ..... 16
C. THIRD PARTY MANAGEMENT ..... 21
APPENDIX A: OVERALL REPORT RATING DEFINITION ..... 25
APPENDIX B: RISK MATRIX CRITERIA ..... 26
APPENDIX C: PRIORITISATION OF FINDINGS AND ACTION ITEMS ..... 28
Executive Summary
The objective of this audit was to examine the general IT control environment and assess whether it provides a reliable, secure and effective
control framework for the processing of key information needed by the organisation and other stakeholders.
Overall Report Rating
This report has been given an overall report rating of “Needs Improvement” in accordance with the Risk & Audit report definition criteria as
outlined in Appendix A. The “Needs Improvement” rating was assigned because of the number of major issues identified, particularly in relation
to:
• consultation and communication between the business and IT department on programme decisions which have an IT impact
• the contractual arrangements with, and management of, third party contractors
Management were aware of these control weaknesses which may have resulted from the rapidly evolving operating environment and, prior to the
audit, management had commenced some mitigation activities. However, we noted that whilst the overall assessment of the IT control
environment relating to user access and change management was satisfactory, some minor process improvements were identified in this area.
Key Findings
There is insufficient communication between senior management and the IT department in relation to programme issues and decisions which
may have an IT impact. As a result the IT department may not be fully aware of the impact on IT of decisions made at a high level, in a timely
manner. Within the procurement and contract negotiation process there has been, and continues to be, limited involvement of IT specialists.
Typically IT specialists have been consulted at a late stage or have not been fully integrated into the process. This has resulted in a lack of
effective means by which the ODA can manage and monitor the third party contractors going forwards. We noted that there are a number of
existing contracts which have inadequate clauses relating to IT governance, such that the ODA may encounter problems in the future with regard
to enforcement of policies and procedures, and rights of access to gain assurance that adequate IT controls are in place.
In addition, the ODA has not yet put in place a framework of policies and procedures relating to the management and monitoring of third parties,
from an IT perspective. Going forwards, this may result in inconsistencies and informality in the processes for managing third parties, increasing
the likelihood of non-compliance with ODA IT policies and procedures.
Governance of IT, in particular the IT strategy and budgeting process, is not robust. The IT Governance arrangements are in the process of being
negotiated with CLM, the Delivery Partner. The roles and responsibilities of the ODA and CLM IT departments are still to be agreed, with initial
indications of ODA IT retaining responsibility for internal IT and provision of advice to the programme at a project sponsor level. We noted that
the IT budget is developed without full consideration of the detailed costs and alignment with a formal IT strategy. A draft IT strategy (ODA IT
Vision) document was developed in 2006; however, this was not approved. This strategy has a number of deficiencies and has not been updated
to reflect recent and significant organisation developments within the ODA.
Key Risks
The key risks identified during the course of the project are illustrated in the matrix below. ODA’s Risk Management Framework was used to
rate the identified risks, and is outlined in Appendix B. The below matrix plots all the risks associated with findings described throughout the
body of this report. The risks with an overall severity rating of major are summarised in the table below for your reference.
Risk Matrix
The matrix plots Consequence (Fundamental, Major, Moderate, Minor, Insignificant) against Likelihood (Rare, Unlikely, Possible, Likely,
Almost Certain) to give an Overall Risk Severity of Fundamental, Major, Moderate, Minor or Insignificant. (Grid not reproduced.)
Risks plotted, by overall severity:
Major: A2, C1, C2, C3
Moderate: A1, A3, A4, A5, B1, B2
Minor: B3
Major Risks

Ref: A2
Summary Finding: Lack of timely communication with IT.
Summary Risk: There is a risk that business decisions may be made without full understanding of the associated IT related risks. Lack of timely
communication may mean that IT is not fully aware of projects with an IT impact, or of potential issues which may impact the overall programme.
This may result in the need to handle IT requests at short notice, potentially impacting IT work on other parts of the programme and potential
unplanned and more expensive IT expenditure. In extreme cases, due to the lack of notice, it may not be possible to address the issues and provide
adequate IT services and solutions to meet the organisational requirements.
Report Page Ref: P12

Ref: C1/C2
Summary Finding: Limited IT contractual requirements in existing contracts and limited IT engagement in the procurement and contract
negotiation process.
Summary Risk: ODA and its contractors may not comply with government legislation e.g., Freedom of Information Act (FOIA), Data Protection
Act (DPA), as well as National Archive (TNA) requirements resulting in reputational impact and financial penalties. In addition, the third parties
may not comply with ODA policies, procedures and standards. ODA may have limited remit to enforce IT policies and procedures on third party
contractors, potentially resulting in IT control weaknesses and reputational impact, as well as increased costs and inefficiencies.
Report Page Ref: P21, 22

Ref: C3
Summary Finding: Lack of processes and procedures for monitoring third parties.
Summary Risk: ODA may be unable to adequately manage and monitor third party contractors; potentially resulting in non-compliance with ODA
policies and procedures, potentially resulting in security breaches and reputational impact.
Report Page Ref: P24
Key Action Items
Detailed action items are included throughout the body of this report. ODA’s Risk Management Framework was used to rate identified risks, and
the criteria used to prioritise findings and action items are outlined in Appendix C. In addition, the below table provides a summary of the high
priority action items.
High Action Items

Ref: A2
Action Item: Whilst the IT department is making significant efforts to align its function to the business environment by assigning project
managers to specific areas of the business, this approach should be formalised within the IT strategy document and communicated to
stakeholders. The IT strategy document should include the IT department’s approach to communication, including its IT spend decision making
process, to make this transparent to the wider organisation and to facilitate more timely consultation with IT.
Agreed Implementation Date: June 2007
Primary Responsibility for Action Item: Dennis Hone, Director of Finance and Corporate Services
Secondary Responsibility for Action Item: Simon Pitt, Head of IT
Report Page Ref: P12

Ref: A2
Action Item: The IT department and wider ODA need to take joint responsibility to work together to communicate and consult on IT topics on a
timely basis. This responsibility can be championed by the Director of Finance and Corporate Services, to raise awareness and promote the two
way communication and engagement between the IT department and wider ODA, to facilitate the IT planning, procurement and budgeting
process.
Agreed Implementation Date: June 2007
Primary Responsibility for Action Item: Dennis Hone, Director of Finance and Corporate Services
Secondary Responsibility for Action Item: N/A
Report Page Ref: P12

Ref: C1
Action Item: ODA should finalise relevant IT policies and procedures and formally issue these to third party contractors as soon as possible.
Agreed Implementation Date: July 2007
Primary Responsibility for Action Item: Dennis Hone, Director of Finance and Corporate Services
Secondary Responsibility for Action Item: Simon Pitt, Head of IT
Report Page Ref: P21

Ref: C1
Action Item: The IT requirements within existing contracts (other than the Remediation Demolition contract) and projects should be identified
and, where considered relevant based on a formal risk assessment, arrangements should be put in place for monitoring the provision of these IT
services by the third parties.
Agreed Implementation Date: July 2007
Primary Responsibility for Action Item: Dennis Hone, Director of Finance and Corporate Services
Secondary Responsibility for Action Item: Simon Pitt, Head of IT
Report Page Ref: P21

Ref: C2
Action Item: Procurement should engage IT within the procurement and contract negotiation process.
Agreed Implementation Date: May 2007 and ongoing
Primary Responsibility for Action Item: Morag Stuart, Head of Procurement
Secondary Responsibility for Action Item: Simon Pitt, Head of IT
Report Page Ref: P22

Ref: C2
Action Item: The ODA IT department should continue liaising with the legal teams to identify and agree standard terms and contracts to enable
adequate clauses in relation to IT to be included within contracts going forwards. The use of such clauses should be determined based on a
review of the associated risks and benefits to the ODA so that a balanced and cost effective approach can be taken.
Agreed Implementation Date: May 2007
Primary Responsibility for Action Item: Simon Pitt, Head of IT
Secondary Responsibility for Action Item: Celia Carlisle, Head of Legal
Report Page Ref: P22

Ref: C3
Action Item: Whilst contractors are contractually responsible for management of the IT services and solutions required to support the provision
of procured services, IT management should assess the risks associated with the loss of data, or security breaches of contractor IT systems, and
the level of oversight they should retain over the contractors’ IT environments.
Agreed Implementation Date: July 2007
Primary Responsibility for Action Item: Dennis Hone, Director of Finance and Corporate Services
Secondary Responsibility for Action Item: Simon Pitt, Head of IT
Report Page Ref: P24

Ref: C3
Action Item: IT should develop third party management and monitoring policies and procedures as soon as possible and implement these for key
third parties. This should include the development of a third party audit plan, based on an assessment of associated risk.
Agreed Implementation Date: July 2007
Primary Responsibility for Action Item: Dennis Hone, Director of Finance and Corporate Services
Secondary Responsibility for Action Item: Simon Pitt, Head of IT
Report Page Ref: P24
Background
Context
The Olympic Delivery Authority (ODA) has been set up to deliver new venues and infrastructure in time for the 2012 Olympic and Paralympic
Games (“London 2012”). The ODA works alongside the London Organising Committee for the Olympic Games and Paralympic Games
(LOCOG) which will organise, publicise and stage the London 2012 Games. LOCOG and the ODA operate as discrete organisations, however
they work closely together and share offices and Information Technology (IT) infrastructure.
The current IT environment at the ODA is under development. During the last 12 months IT related projects have been undertaken to assess and
develop the IT infrastructure at the ODA. The IT environment is complicated as it must dovetail with CLM who are engaged to provide
programme and project management experience and to implement a suite of supporting IT functions to achieve joint ODA/CLM objectives.
In April 2006, an Initial IT Security Situation Assessment was performed by Ernst & Young to understand the ODA’s current IT security
requirements. This identified “quick wins” that the ODA should implement to improve its current IT security controls and “next steps” that the
ODA should perform in order to further enhance and maintain its IT security controls as it evolves and develops over the coming year.
During the summer of 2006 a project was undertaken to identify the requirements and procure the ODA Back Office Systems and Services
(BoSS). Following from this, Fujitsu have been selected to implement and manage the identified BoSS, with an expected delivery date of June
2007.
Objectives and Scope
This review examined the general IT control environment and assessed if it provides a reliable, secure and effective framework for the processing
of key information needed by the organisation and other stakeholders.
The review examined the existence and operation of key controls since 1 April 2006 in the areas listed below.
The scope of this review was reduced to the extent that we were able to rely on ODA relevant controls assessed as part of the LOCOG external
financial audit. The scope included the following areas:
• Overview of the IT function
• IT Governance
• Programme governance and management
• Third party management
• Access Controls
• Software / Systems Development
• System and Network Security Controls
• Problem and incident management
• Physical and Environmental Controls
• Back Ups, Contingency Planning and Disaster Recovery
Out of scope of this review were any controls or systems that have been implemented for LOCOG. Specifically, we did not perform a review of
the Information Management systems which are being implemented for LOCOG, which are to be used by the ODA.
Approach
This project was conducted in accordance with the Risk & Audit Department’s audit methodology. The approach included:
• Interviews with IT and business personnel responsible for applications within the user departments (as agreed with Simon Pitt, the
nominated key contact within the ODA IT department).
• Review of external audit documentation of the IT control environment prepared as part of the LOCOG external audit, and confirmation of
controls for the ODA through inquiry.
• Review of relevant, available documentation.
• Process or control walkthroughs were performed to help validate information gained through management discussions.
A. Governance
IT Governance helps provide stakeholders and IT management with comfort that IT is aligned to short and long term business goals and
priorities. Effective IT Governance requires the support of senior management within an organisation, particularly when making business
decisions that potentially have an IT impact. In making business decisions, IT related risks should be considered and decisions should be
communicated to IT in a timely manner to enable IT management to adequately plan and budget for support and resource requirements.
Underpinning effective IT governance is an up to date IT strategy. The IT strategy should be aligned to the organisation’s business strategy and
should include areas such as the definition of IT principles that guide IT decision making, the current and future IT state and competencies, and
the IT operating model and governance structure. In addition, the IT strategy should define the organisation’s transformation plan for achieving
the desired future state of IT.
The ODA IT governance processes and operating environment are currently in a state of significant change. The ODA is currently working with
CLM, their Delivery Partner, to negotiate and clarify the IT related roles and responsibilities of the ODA and CLM, IT Governance arrangements
and an overall IT strategy. For the ODA, the time critical nature of the programme is a significant factor to consider in the IT Governance
arrangements and decision making processes.
It is understood that the ODA IT department is to be responsible for the provision of the internal IT at the ODA and to provide advice, at a
project sponsor level, regarding IT services and solutions within other areas of the programme. CLM will project manage IT implementation for
Programme related IT. Management represented that an Integration Manager is being appointed to oversee the IT services and solutions to be
provided for contractors on the Olympic Park.
Finding A1: IT Budgeting and Lack of IT Strategy

IT budgeting and forecasting of IT spend is not currently aligned with an overall IT strategy. In 2006, the ODA developed an IT Strategy (ODA
“IT Vision, Aim, Objectives and Key Principles Guidance for Third Party Contractors”), which remains in draft and has not been approved. Since
this strategy was drafted, there have been significant developments (eg. appointment of CLM, appointment of Fujitsu to deliver back office
systems). It is understood that this draft strategy document will now form the basis of a new ODA IT strategy which is being developed in
conjunction with the Delivery Partner, CLM.

Discussions about the approval of IT spend indicated that this is typically performed on a project by project basis. While scheduled projects may
appear on the annual budget with an allocation, there are a large number of unscheduled projects for which IT spend is required to be approved
and this is made via the Executive Management Board. It is understood that there is limited provision made within the IT budget for such
unscheduled projects and that these are reviewed and approved on a case by case basis. This situation is understood to be common across the
ODA as a result of the ODA being within the start up phases in 2006-07 and in the initial stages of working with CLM.

In addition, IT spend is frequently subsumed within wider third party contracts and the ODA IT department may be unaware of the full cost of IT
to the organisation. A clearer view of the cost of IT could be determined by reviewing the budgets in these contracts.

Risks:
Without adequate controls around the IT budget process and allocation, and lack of alignment with an overall IT strategy, there is an increased
risk that IT demands on the overall budget may be higher than stakeholder expectations or else may result in reduced budget allocation to
scheduled projects due to the uncertainty around unplanned projects and the need to retain a contingency budget. This is particularly of concern
due to the number of IT projects identified within the work streams. Business cases for these IT projects may be developed and spend approved
without a strategic view of the provision of IT services. This may lead to a fragmented and inefficient IT environment. Further complexity within
the IT environment may arise due to the lack of visibility over IT spend within contracts.

Risk Severity Rating: Moderate

Action Items:
1. The IT Strategy should be modified to accommodate recent developments (eg, appointment of CLM and Fujitsu) and specifically extended to
include the following:
• Governance of IT
• Decision making processes, specifically in respect of investment
• Alignment of ODA, CLM, Fujitsu and others in delivering IT projects and services.
In addition, the revised IT Strategy document should be approved by the EMB. This strategy should then be used to drive the IT budget and
guide the IT project prioritisation and IT spend decision making process.
2. Refer to recommendations from the Business Planning Review, relating to process improvements in the budget process and re-forecasting
process. Such improvements can assist in obtaining clear oversight of the annual IT budget and monitoring performance against this.
3. Going forwards, a sufficient discretionary project budget should be allocated out of the agreed IT budget to fund unplanned IT projects and
requirements.
4. To gain a clearer view of the cost of IT, the IT department should:
• Actively engage in the Procurement process (refer to Finding B1) to gain oversight of proposed IT spend in contracts.
• Review IT spend within existing third party contracts and projects and, where considered relevant based on risk assessment and resource
prioritisation, arrangements should be put in place for the ODA to maintain oversight of the third party IT spend.

Action Item Priority: Medium

Management Response:
Primary Action Item Owner: Dennis Hone, Director of Finance and Corporate Services
Secondary Action Item Owner: Simon Pitt, Head of IT
Implementation Date: June 2007
Comments:
The ODA deferred the finalization of the IT strategy until certain strategies in many business areas were developed; and CLM had agreed and
justified the business and IT programme in place. The current IT strategy and CLM/ODA programme of IT work will be updated and approved
by the EMB.
The IT Budget is an amalgamation of CLM and ODA activity with the Head of IT acting as Project Sponsor and CLM taking on the Project
Manager role for programme support IT. For 2006/07 (start up) budget processes were by necessity based on broad estimates and affordability
criteria, however the agreed programme of work between CLM and ODA now provides a factual basis for further budgeting.
See responses to A2.
Finding A2: Lack of Timely Communication with IT

Based on our discussions with IT management, we understand that there have been occasions when there has been a lack of timely
communication with IT. This has resulted in IT being informed, at short notice, of the requirement for the provision of IT services. For example,
the provision of IT services to CLM staff who were relocated to Lee Valley sports centre and to the Galliford-Try Site Office.

Risks:
Without IT consultation at early stages in an initiative, there is a risk that business decisions may be made without full understanding of the IT
related risks. Additionally, without timely communication and consultation of IT, there is a risk that the IT department may not be fully aware of
and informed at an early stage of projects where there may be IT impact, or of potential issues which may impact the overall programme. The
lack of IT involvement at early stages may also result in the need to handle IT requests at short notice, potentially resulting in resource being
redirected from other tasks, impacting and delaying other parts of the programme and increasing the likelihood that IT services and equipment
need to be procured at short notice. This may result in unplanned and potentially more expensive IT expenditure due to the short time scales. In
extreme cases, due to the lack of notice, it may not be possible to address the issues and provide adequate IT services and solutions to meet the
organisational requirements.

Risk Severity Rating: Major

Action Items:
1. Whilst the IT department is making significant efforts to align its function to the business environment by assigning project managers to
specific areas of the business, this approach should be formalised within the IT strategy document and communicated to stakeholders (Refer to
Finding A1). The IT strategy document should include the IT department’s approach to communication, including its IT spend decision making
process, to make this transparent to the wider organisation and to facilitate more timely consultation with IT.
2. The IT department and wider ODA need to take joint responsibility to work together to communicate and consult on IT topics on a timely
basis. This responsibility can be championed by the Director of Finance and Corporate Services, to raise awareness and promote the two way
communication and engagement between the IT department and wider ODA, to facilitate the IT planning, procurement and budgeting process.

Action Item Priority: High

Management Response:
Primary Action Item Owner: Dennis Hone, Director of Finance and Corporate Services
Secondary Action Item Owner: Simon Pitt, Head of IT
Implementation Date: June 2007
Comments:
CLM and ODA IT have agreed a governance structure for IT and are in the process of finalising an “IT Strategy and Work Programme” for
presentation to the ODA EMB on 16 May 2007.
The Director of Finance and Corporate Services has already taken action to set up a working group to effectively embed IT and other corporate
functions into appropriate decision making processes.
Finding A3: Existence of Draft IT Policies and Procedures

A number of the ODA policies and procedures eg, the Information Systems Acceptable Use Policy - Code of Practice, Dormant Account Policy,
and Disaster Recovery policy, have been drafted but not finalised and approved. At the time of the audit, the ODA were in the process of
reviewing the ODA policies and procedures to make them more applicable to the ODA situation with regard to reliance on third party
contractors. The IT department has recently recruited an IT security manager who is revising these to reflect the ODA’s role and that of the third
party contractors.

We also noted that staff and contractors do not currently receive IT induction and awareness training.

Risks:
If these documents are not finalised and approved, ODA staff and contractors may not comply with the policies and procedures. This may result
in, for example, weaknesses in IT security arrangements, inappropriate use of the IT systems by staff and contractors and inadequate provision of
disaster recovery services.

Risk Severity Rating: Moderate

Action Items:
1. The policy and procedure documents should be finalised and approved at the earliest opportunity and should be issued to third party
contractors.
2. IT induction and awareness training should be performed for staff and contractors. The Information Systems Acceptable Use Policy - Code of
Practice should also be issued to ODA staff and contractors and they should be required to sign up to agree that they will comply with this.

Action Item Priority: Medium

Management Response:
Primary Action Item Owner: Simon Pitt, Head of IT
Secondary Action Item Owner: N/A
Implementation Date: May 2007
Comments:
Policies will continue to be revised in line with the changing business environment.
An updated Information Security Policy is now in place. This policy was approved by the Information Security Working Group on the 13/4/07.
As from April 2007, all induction packs contain an Information Security Awareness Booklet.
All new inductees (both permanent and contractors) will be shown an Information Security presentation as part of their roles. In addition, an
Information Security Awareness Programme is being developed to educate all staff permanent and contractors.
Finding A4: Regulatory Compliance Policies and Procedures

The ODA policies and procedures in relation to compliance to the Freedom of Information Act (FOIA) were approved by the ODA Board at the
Board Meeting on 25 January 2007. Although key staff handling FOIA requests were aware of the approved FOIA policies and procedures, there
was limited circulation of these policies and procedures to staff generally. In addition, the ODA policies and procedures for compliance with the
Data Protection Act (DPA) had not yet been finalised and approved. Whilst training and awareness had been provided to ODA employees and
contractors in 2006, some staff eg, new joiners, may be unaware of the procedures to follow in relation to the FOIA and DPA.

Risks:
There is a risk that employees and contractors of the ODA may receive requests for information but may be unaware of their significance and
hence appropriate action may not be taken within the timescales required. This may result in breaches of the FOIA and the DPA, potentially
resulting in legal action against the ODA.

Risk Severity Rating: Moderate

Action Items:
1. Regular training and education sessions should be held to increase staff awareness of the FOIA and DPA and their responsibilities in relation
to the acts.
2. Policies and procedures relating to the acts should be finalised, where applicable, and circulated to staff, as appropriate.

Action Item Priority: Medium

Management Response:
Primary Action Item Owner: Celia Carlisle, Head of Legal
Secondary Action Item Owner: Pieter De Waal, Project Manager - Legal
Implementation Date: July 2007
Comments:
The ODA are updating the intranet procedures and are also adding an easy to use step-by-step handling procedure. There is a Freedom Of
Information (FOI) help page for staff on the intranet which is to be more visible and easier to read when the Intranet is redesigned. There is an
FOI page on the external website and requests are routed to the Communications department to be assessed and managed. This is to be made
more prominent when the website is redesigned.
As a result of a change of personnel handling the FOI requests in the Communications team, processes were formalised and improved with
assistance from the Legal team. A dedicated FOI resource is to be appointed within the legal team who will take over the responsibility for FOI
administration and processing. The processes may then need some minor adjustment.
Further FOI staff training is planned. This will be performed by the Legal and Communications teams. The presentations have already been
prepared. There are also plans to raise FOIA awareness via input into the HR "arrivals manual" for new joiners.
The ODA has recently appointed a Records Manager and they will take on responsibility for Data Protection Act (DPA) compliance, including
the development of policies and procedures. It is expected that DPA awareness will be incorporated into the awareness programme for FOI.
The implementation date of July 2007 is dependent on website re-launch and how quickly the legal department is able to acquire the additional
resource.
14
A5 Scope for Improving IT Project Management Processes

Finding:
The approach to managing IT projects is an area that has been under development over the last twelve months. Scheduled projects appear in the approved budget and a spreadsheet is maintained of smaller projects. The documentation of the projects is an area that is being improved, with the Project Manager now requiring scoping documents, approved budgets and Project Closure reports, requiring sign off from key stakeholders. At the time of the audit, the process had not been formally documented and approved, and was not being consistently applied.

Risks:
Without clear tracking and documentation of project scope and closure, there is a risk that the scope, risks and interdependencies of IT projects may not be clear and may not meet the project sponsor's requirements, with potential financial and time implications.

Risk Severity Rating: Moderate

Action Items:
1. We support IT management in formalising their approach to managing IT projects consistently. There is scope for improvements in the tracking and documentation of IT projects. IT management should formalise the IT project process (including EMB approval) to clarify the documentation requirements for individual projects, and should review compliance with this process on a periodic basis.
2. For budget review and audit purposes (refer to Finding A1), IT management should consider retaining a log of those scheduled and unscheduled projects that have been completed and formally closed.
Action Item Priority: Medium

Management Response:
Primary Action Item Owner: Simon Pitt, Head of IT
Implementation Date: May 2007
Comments:
The comments are taken positively. Historic projects may not have had all formal documentation in place – a conscious decision was taken to not "back date" this documentation as many of the "projects" were small internal "packets of work" with no external costs or low impact.
All new Projects should comply with a formal PID and PCR. The definition of an IT "project" needs clarification. It is agreed that an "IT Project Process" summary document be drawn up to help clarify the processes, definitions, reporting requirements and project initiation, tracking and closure.
B. IT Control Environment
The ODA IT environment is currently undergoing significant change, with CLM, the Delivery Partner, expected to take on a significant role in
the delivery of IT services to the ODA going forwards. The IT solutions currently in use at the ODA are interim arrangements, involving
significant use of spreadsheets, which are expected to be replaced during the next twelve months.
The ODA is currently in the process of implementing a Back Office System and Service, in conjunction with the third party, Fujitsu. As such the
OpenAccounts finance application is to be replaced by Oracle Financials. This system is also to replace the existing IT solutions supporting the
HR and procurement processes. CLM is also planning to implement Active Risk Manager to replace the existing spreadsheets that support the
Risk Management process. Other planned system implementations include the Electronic Document and Records Management (EDRM) system
and Enterprise Content Management system which are expected to be implemented in 2007.
B1 Weak User Access Controls

Finding:
Within OpenAccounts, a number of weaknesses in user access controls were identified. It is understood that issues were also identified in the "Banking, Receipt and Payment review". Whilst remediation was put in place following that review, these new processes need to be embedded and incorporated into day to day joiner, leaver and mover processes:
• There are no formalised procedures for authorising new users, amending their access levels or deleting user profiles when an employee changes role or leaves the organisation.
• There are weaknesses in the password controls, such that users are not required to change their password on first login and there is no minimum length or password complexity enforced, due to a limitation in the application.
• There is no segregation of duties between the roles for user administration and the review of user access.
• A number of generic profiles and accounts (i.e. accounts not owned by a single person) are present within the application.
We also noted that there are no formal processes around the removal of users at the network level. This includes the access controls for the private directories for the individual departments. In addition, the access to the private directories is not reviewed on a periodic basis. We noted that, at the time of the audit, there were three users on the access control list for the Procurement department who had left the organisation over 25 days previously, one of whom was a user unknown to the Head of Procurement and the Procurement Manager. In mitigation, a dormant account policy is enforced, which requires accounts that have not been used for 21 days to be disabled.

Risks:
The risks arising from weak user access controls:
• It may be possible for someone to request a user account to be set up in relation to a different job role or function to their own, thus resulting in users being granted an inappropriate level of access to the system, or leading to circumvention of segregation of duties controls.
• Without user termination and regular user access review processes, there is a risk that redundant profiles may be left on the system for a period after an employee has left the organisation, or users may have excessive access rights to data held on the systems, thus creating an exposure to unauthorised access attempts and data modification. This leads to an increased risk of fraud, loss of service of IT systems, and financial loss. This is particularly of concern due to the large number of contractors within the ODA.
• Weaknesses in password controls can compound the risks associated with deficiencies in the user access removal processes.
• The lack of segregation of duties between the user administration and access review processes permits the user administrator to grant themselves or other users unauthorised privileges within the system and then remove the corresponding entries from the access/activity report. Such access, and potential associated malicious activity, may then go unnoticed by management. This may lead to the confidentiality and integrity of business information being compromised and loss of system availability. This increases the risk of sabotage, damage to reputation and potentially financial loss and fraud.
• If someone is able to log directly into a generic account, as this is not assigned to an individual, there is reduced user accountability for activities performed. This may encourage unauthorised and malicious activity, and the lack of accountability means that it is difficult to identify and stop those causing errors or irregularities.

Risk Severity Rating: Moderate

Action Items:
1. We understand that the OpenAccounts system is to be replaced by Oracle Financials and that through this implementation the issues identified in relation to OpenAccounts, in both this review and the "Banking, Receipt and Payment review", are to be addressed. However, Finance should:
• Confirm interim controls are consistently implemented until Oracle controls are operating.
• Segregate the roles of user administration and review of user access.
• On a periodic basis, review user access to validate that the access rights to the IT systems and network remain in line with users' job roles and to identify redundant accounts.
• Review the user accounts and profiles present within the system and disable/remove those which are not necessary for the operation of the application and are not used by the business. This is particularly important due to the implementation of the new Oracle system, to reduce the likelihood that additional, unnecessary user accounts are set up during the implementation process.
2. IT should formally establish and communicate procedures for terminating a former employee's access to the organisation's systems and network. The IT team and system administrators should be promptly informed when an employee leaves the organisation. This procedure should be accompanied by the appropriate supporting documentation.
3. With the implementation of Oracle, IT should take the opportunity to introduce formal access control procedures and enforce password controls in line with the ODA IT Security Policy for the Oracle system. We understand that, due to the current size of the finance function of the ODA, it has been possible to communicate user administration changes for OpenAccounts by word of mouth. However, as the organisation grows, these procedures become more unmanageable. The new Oracle system is to support business processes within multiple departments, including HR and procurement, as well as finance. Therefore, the user base for Oracle will be larger and more complex, increasing the importance of implementing strong user access controls around the new system. User access requests can take the form of emails or be made on a standard form, authorised by specified individuals within individual departments, and should be retained by the appropriate systems administrator as an audit trail.
Action Item Priority: Medium

Management Response:
1. Primary Action Item Owner: Sian Williams, Head of Finance
Secondary Action Item Owner: N/A
Implementation Date: May 2007
Comments:
The Financial Systems Accountant is to train another member of the team, the Financial Controller, to run the reports for the review of user access. Having two people skilled to run the necessary reports will facilitate consistent and ongoing control implementation. The Financial Controller will also review the reports on a monthly basis and pass to the Head of Finance for formal sign off.
Management have reviewed the identified redundant accounts, and identified the following:
• Demo (Demonstration User): This is used for the TEST environment, and Open Accounts help desk use when helping sort any problems (proxy in). Password on Demo will only be known to systems accountant.
• NAO1: set up for NAO. Management discussed this account with NAO but as the account cannot be used to edit anything they felt it is ok.
• POP1, POP2: These accounts have now been deleted.
The Financial Systems Accountant will put in place a process for new user requests; a form will be completed and then signed by Head of Finance before user is set up.

2 & 3. Primary Action Item Owner: Simon Pitt, Head of IT
Secondary Action Item Owner: N/A
Implementation Date: August 2007
Comments:
Oracle Finance will go live in June 2007; single sign on to Oracle via active directory will be implemented by August 2007. This will centralise the administration of access controls within the IT Team. The processes which are applied to all other user access to ODA systems will then apply.
The leavers process has been in place for some time and has operated centrally for all systems other than Cedar Open Accounts. However processes will be formalised across ODA.
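The periodic access review the action items call for (accounts idle beyond the 21-day dormant-account threshold, leavers still present on a departmental access control list, generic accounts with no named owner, and ACL entries that match nobody the department knows) can be run as a script over an exported user list, the HR leavers list and the share's ACL. The Python below is an added example, not code from the ODA or from this report; every account name, date and ACL entry is constructed sample data, and the 21-day threshold is the only figure taken from the report.

```python
"""Periodic user access review for an application and a departmental share.

Added example, not the ODA's code. All accounts, dates and the leavers list
are constructed sample data; the 21-day dormant-account threshold is the
value the report states for the ODA policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]        # None: generic account not assigned to a person
    last_logon: Optional[date]  # None: never used


@dataclass(frozen=True)
class Leaver:
    username: str
    left_on: date


# Constructed sample data: review date, exported user list, HR leavers list
# and the access control list of one departmental private directory.
AS_OF = date(2007, 3, 30)
ACCOUNTS = [
    Account("jsmith", "J Smith", date(2007, 3, 28)),
    Account("abrown", "A Brown", date(2007, 2, 1)),   # left, still enabled
    Account("demo", None, date(2007, 3, 20)),         # generic, in use
    Account("nao1", None, None),                      # generic, never used
    Account("pop1", None, date(2006, 11, 5)),         # generic, dormant
]
LEAVERS = [Leaver("abrown", date(2007, 2, 2)), Leaver("cgreen", date(2007, 1, 15))]
PROCUREMENT_ACL = ["jsmith", "abrown", "cgreen", "unknown7"]


def dormant_accounts(accounts, as_of=AS_OF, max_idle_days=21):
    """Usernames the dormant-account policy says should be disabled:
    never used, or not used within the last `max_idle_days` days."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.username for a in accounts
                  if a.last_logon is None or a.last_logon < cutoff)


def generic_accounts(accounts):
    """Accounts with no named owner; each needs a documented purpose and an
    individual who is accountable for its password."""
    return sorted(a.username for a in accounts if a.owner is None)


def leaver_acl_entries(acl, leavers, as_of=AS_OF):
    """ACL entries belonging to leavers, as (username, days since leaving).
    Any entry here shows the leavers process did not reach this share."""
    left = {l.username: l.left_on for l in leavers}
    return [(u, (as_of - left[u]).days) for u in acl if u in left]


def unmatched_acl_entries(acl, accounts, leavers):
    """ACL entries matching neither a current account nor a known leaver:
    the 'user unknown to the department' case, to be investigated rather
    than silently removed."""
    known = {a.username for a in accounts} | {l.username for l in leavers}
    return [u for u in acl if u not in known]


def access_review(accounts=ACCOUNTS, leavers=LEAVERS, acl=PROCUREMENT_ACL,
                  as_of=AS_OF):
    """One report for the reviewer to sign off. The reviewer should not be
    the person who administers the accounts (segregation of duties)."""
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "generic": generic_accounts(accounts),
        "leavers_on_acl": leaver_acl_entries(acl, leavers, as_of),
        "unmatched_on_acl": unmatched_acl_entries(acl, accounts, leavers),
    }


if __name__ == "__main__":
    for section, items in access_review().items():
        print(section, items)
```

On the sample data the review reports abrown, nao1 and pop1 as dormant, demo, nao1 and pop1 as generic, abrown (56 days) and cgreen (74 days) as leavers still on the Procurement ACL, and unknown7 as an entry nobody can account for. Running it from exported data each month, with the output signed off by someone other than the administrator, is the control the finding describes.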
B2 Lack of Logging and Monitoring of Log Files on OpenAccounts Server

Finding:
We noted that on the CPAP01 server hosting the OpenAccounts application the 'Audit Object Access' function is not enabled. Security logs are cleared too frequently and there is no regular review of the security logs. In addition, system audit logs are not reviewed on a regular basis.

Risks:
If comprehensive audit logs are not maintained and reviewed, there is an increased risk that unauthorised activity may not be detected and addressed in a timely manner.
Failure to retain log files for an adequate period of time increases the risk that unauthorised activity may not be traced at a later date, or may result in system failures being untraceable, preventing the identification and correction of problems or security incidents in an accurate or timely fashion. The lack of evidence may also negatively impact upon the success of disciplinary action or criminal prosecution of an individual undertaking unauthorised activity.
Failure to review audit logs in a timely manner increases the risk of unauthorised access to server resources being undetected for an extended period of time. Lack of monitoring gives a potential intruder sufficient time to find a weakness in security and potentially obtain access to sensitive data and programs.

Risk Severity Rating: Moderate

Action Items:
1. IT should enable the 'Audit Object Access' function to facilitate monitoring of critical files and directories.
2. IT should implement procedures for the regular review of security and audit logs for the critical application servers.
3. Log retention policies should be adjusted to assist with such reviewing. Logs should be backed up and archived on a regular basis depending on the business requirements and size of log files.
Action Item Priority: Medium

Management Response:
Primary Action Item Owner: Simon Pitt, Head of IT
Secondary Action Item Owner: N/A
Implementation Date: June 2007
Comments:
1. We have reviewed the auditing and log capture on the Open Account system, taking into account the recommendations below and raised an RFC to address this. The action was completed on 9 April 2007.
2. There is a current project to centralise the correlation and monitoring of all logs. In the meantime, we have created a Log Review spreadsheet for log reviews on Open Accounts and other critical and mission critical systems.
3. Audit Logs recording user activities, exceptions, and information security events have now been implemented as appropriate and kept for an agreed period to assist in future investigations and access control monitoring. Logs will be kept securely and access to logs managed and monitored. Log retention is covered in our Information Security Policy (Section 10.10).
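What the "regular review" in action item 2 looks like in practice is a pass over the exported Security log that flags the events a reviewer must never let through: the log being cleared, access to the application's critical files by anyone other than the service account, and the complete absence of object-access events (the symptom of 'Audit Object Access' being disabled). The Python below is an added example, not code from the report or the ODA. The sample events, file paths, account names and retention figures are constructed; the event IDs used (1102 for "audit log cleared", 4663 for object access) are those of the Security log on Windows Vista/Server 2008 and later, which is an assumption because the report does not state the server's operating system (the Windows Server 2003 equivalents are 517 and 560). Note that enabling the 'Audit Object Access' category alone produces no file events: the files and directories to be monitored also need audit entries (SACLs).

```python
"""Review of a Windows Security log export for an application server.

Added example, not the ODA's code. Sample events are constructed; event IDs
1102 (audit log cleared) and 4663 (object access) assume a Vista/2008+
Security log. Generating 4663 needs both the 'Audit Object Access' category
and SACLs on the monitored files.
"""

LOG_CLEARED = 1102
OBJECT_ACCESS = 4663

# Constructed sample: paths and accounts are illustrative only.
CRITICAL_PATHS = ("D:\\OpenAccounts\\Data\\", "D:\\OpenAccounts\\Config\\")
SERVICE_ACCOUNTS = {"CPAP01\\svc_oa"}   # assumed application service account

SAMPLE_EVENTS = [
    {"time": "2007-04-09 08:01:12", "id": 4663, "user": "CPAP01\\svc_oa",
     "object": "D:\\OpenAccounts\\Data\\ledger.dat", "access": "ReadData"},
    {"time": "2007-04-09 18:45:03", "id": 4663, "user": "ODA\\tempuser",
     "object": "D:\\OpenAccounts\\Config\\users.cfg", "access": "WriteData"},
    {"time": "2007-04-09 18:47:30", "id": 1102, "user": "ODA\\tempuser",
     "object": None, "access": None},
    {"time": "2007-04-10 09:10:00", "id": 4663, "user": "ODA\\jsmith",
     "object": "C:\\Temp\\notes.txt", "access": "ReadData"},
]


def object_access_auditing_active(events):
    """With 'Audit Object Access' disabled the log holds no 4663 events at
    all, so a False here is itself a finding, not an empty result."""
    return any(e["id"] == OBJECT_ACCESS for e in events)


def log_clearing_events(events):
    """Every 1102 is reportable: clearing the log destroys evidence and
    should only happen inside a documented archive job. Returns (time, user)."""
    return [(e["time"], e["user"]) for e in events if e["id"] == LOG_CLEARED]


def critical_file_access(events, critical_paths=CRITICAL_PATHS,
                         allowed=SERVICE_ACCOUNTS):
    """Object-access events on the critical paths by anyone other than the
    expected service accounts, as (time, user, object, access)."""
    hits = []
    for e in events:
        if e["id"] != OBJECT_ACCESS or e["user"] in allowed:
            continue
        if e["object"].startswith(critical_paths):
            hits.append((e["time"], e["user"], e["object"], e["access"]))
    return hits


def retention_days(log_max_bytes, bytes_per_day):
    """Size-based retention: with 'overwrite events as needed' the log holds
    roughly max_size / daily_volume days of events before the oldest are
    lost. Compare with the period the retention policy requires."""
    return log_max_bytes / bytes_per_day


def retention_adequate(log_max_bytes, bytes_per_day, required_days):
    return retention_days(log_max_bytes, bytes_per_day) >= required_days


if __name__ == "__main__":
    print("object access auditing:", object_access_auditing_active(SAMPLE_EVENTS))
    print("log cleared:", log_clearing_events(SAMPLE_EVENTS))
    print("critical access:", critical_file_access(SAMPLE_EVENTS))
    # Constructed figures: a 16 MB log filling at 2 MB/day against a 90-day need.
    print("retention ok:", retention_adequate(16 * 2**20, 2 * 2**20, 90))
```

On the sample, the review surfaces a write to the application's user configuration by a non-service account followed two minutes later by the same account clearing the log, which is exactly the sequence a reviewer needs to see together; and a 16 MB log at 2 MB/day holds about eight days, far short of a 90-day requirement, which is the case for the archiving in action item 3.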
B3 Non-compliance of Account Lockout Settings with Security Policy

Finding:
We noted that account lockout is set to 4 invalid logon attempts, which is not compliant with the ODA IT Security Policy, which details that account lockout should be set to 3 invalid logon attempts.
Industry good practice is to set network accounts to lock out, or to delay further logon attempts, after three invalid logon attempts. We understand that the ODA IT Security Policy also stipulates this value.

Risks:
Failure to implement the defined account lockout increases the risk of an unauthorised individual being able to compromise the system by executing a brute force "dictionary" attack against user accounts. Such attacks are used to attempt to guess user passwords and gain unauthorised access to the IT systems, potentially resulting in disclosure of sensitive information or violating the integrity of the data.

Risk Severity Rating: Minor

Action Items:
1. IT should change the Default Domain Policy configuration to be in line with the ODA Security Policy.
Action Item Priority: Low

Management Response:
Primary Action Item Owner: Simon Pitt, Head of IT
Secondary Action Item Owner: N/A
Implementation Date: April 2007
Comments:
Completed. A Change was raised in order to rectify this situation as soon as the issue was raised. We are grateful to internal audit for identifying this issue, which was immediately rectified.
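Drift of this kind is easy to catch before the next audit: export the effective domain policy with `secedit /export /cfg <file>` and compare the values in its [System Access] section against the written security policy. The Python below is an added example, not code from the report or the ODA. The export text is a constructed sample (a real export is UTF-16 encoded but has the same sections and key names), and every baseline value except the three-attempt lockout the report states is an assumption standing in for the ODA IT Security Policy. LockoutBadCount is checked as a range rather than as an upper bound because a value of 0 disables lockout altogether, which a plain "at most 3" test would wrongly pass.

```python
"""Check a 'secedit /export /cfg' policy export against the written policy.

Added example, not the ODA's code. The export text is a constructed sample
(a real export is UTF-16 text with the same sections and keys). The only
baseline value taken from the report is the three-attempt lockout; the other
thresholds are assumptions standing in for the ODA IT Security Policy.
"""
import configparser

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 4
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

# key -> (compliance test, description of the expected value)
BASELINE = {
    # Report: policy requires lockout after 3 invalid attempts. 0 means
    # lockout is disabled, so a bare 'at most 3' check would wrongly pass it.
    "LockoutBadCount": (lambda v: 1 <= v <= 3, "1 to 3 (0 disables lockout)"),
    # The remaining thresholds are assumptions, not values from the report.
    "LockoutDuration": (lambda v: v == 0 or v >= 15, "0 (admin unlock) or >= 15 min"),
    "MinimumPasswordLength": (lambda v: v >= 8, ">= 8 characters"),
    "PasswordComplexity": (lambda v: v == 1, "enabled"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 90, "1 to 90 days (-1 never expires)"),
}


def parse_export(text):
    """Return the [System Access] settings as {name: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the key names' case
    cp.read_string(text)
    return {k: int(v) for k, v in cp["System Access"].items()}


def check_policy(settings, baseline=BASELINE):
    """Non-compliant or absent settings as {name: (actual, expected)}.
    An absent key is reported too: a setting that silently drops out of the
    policy reverts to the default, which is how the drift starts."""
    failures = {}
    for key, (compliant, expected) in baseline.items():
        actual = settings.get(key)
        if actual is None or not compliant(actual):
            failures[key] = (actual, expected)
    return failures


def check_export(text):
    return check_policy(parse_export(text))


if __name__ == "__main__":
    for key, (actual, expected) in check_export(SAMPLE_EXPORT).items():
        print(f"{key}: found {actual}, policy requires {expected}")
```

On the sample export the check reports LockoutBadCount (4, policy 1 to 3) and MinimumPasswordLength (7 against the assumed 8); the same comparison run after each Default Domain Policy change, or on a schedule, would have shown the 4-attempt setting before the audit did.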
C. Third Party Management
Ineffective control and management of third party contracts in relation to IT may have both financial and security implications. The ODA is in the process of negotiating many contracts that may have IT implications. As such, it is expected that there would be consideration of IT, and consultation of IT specialists, during the procurement and contract negotiation process. It is understood that some of the contracts that have already been agreed and signed do not include full consideration of the IT-related contractual requirements, e.g. rights of audit over the third party, and enforcement of compliance with ODA policies and procedures and government regulatory requirements. Other contracts are currently in negotiation, or are to be negotiated in the immediate future.
C1 IT Contractual Requirements in Existing Contracts

Finding:
Following our review of the LDA Legacy Remediation-Demolition contract, we noted that there are no contractual clauses relating specifically to IT. For this contract, we are aware that there is a significant budget allocation for IT, worth £1 million, for the provision of onsite IT services for a site office. The ODA has little control either over this IT spend or over the subcontractor who has been appointed to provide the IT services. We understand that there was no due diligence performed in relation to the appointment of the IT subcontractor, and it is understood that they do not have experience within the government sector and are not aware of the specific requirements in relation to this. It was noted during our review that IT service performance issues arising from power cuts have already been experienced at the site office.
Furthermore, we understand that there is no disaster recovery provision for the IT services that are being provided to the site office under this contract.
We understand that the ODA IT department is discussing the IT service provision and the need to comply with the ODA standards, and this is currently taking place out of good will on the part of the contractor and subcontractor, as the contractual arrangements are such that the contractor has agreed to undertake responsibility for providing the IT services required to fulfil their contract.
It is understood that the ODA legal team has advised that there is a clause in the contract that requires the contractor to comply with policies and procedures that are issued to them.

Risks:
The ODA has little contractual control over the IT services being implemented at the site office as part of this contract. There is a risk that the contractor may not be willing to comply with the ODA policies, procedures and standards, and it will be difficult for the ODA to enforce such compliance.
The inability of the ODA to easily enforce the relevant policies, procedures and standards, particularly in relation to the need to demonstrate value for money from IT, may mean that the ODA aims are not met, and may also mean that government legislation, e.g. the Freedom of Information Act (FOIA), the Data Protection Act (DPA) and the requirements of the National Archives (TNA), is not met.
Without adequate rights of audit and agreement of SLAs and KPIs, the ODA may find it difficult to gain visibility of and monitor the quality of service and compliance with policies and procedures. This may result in additional cost and reputation implications.

Risk Severity Rating: Major

Action Items:
1. As noted in Finding A3, the ODA should finalise, where necessary, relevant IT policies and procedures and formally issue these to the contractor as soon as possible.
2. The IT requirements within other existing contracts and projects should be identified and, where considered relevant based on a formal risk assessment, arrangements should be put in place for monitoring the provision of these IT services by the third parties.
Action Item Priority: High

Management Response:
Primary Action Item Owner: Dennis Hone, Director of Finance and Corporate Services
Secondary Action Item Owner: Simon Pitt, Head of IT
Implementation Date: July 2007
Comments:
Following receipt of advice from ODA Legal the following policies and procedures were issued to the LDA Legacy Remediation-Demolition contractors:
• Third Party Security Policy - draft
• Third Party Security Assessment - final draft
• Network Connection Agreement and Code of Connection - final draft
• Information Security Policy - ODA final draft
• Procedures - email access
• Policy deviation - Risk acceptance form
• Security Awareness handbook
• Intranet Security model
• Policy and Operating Procedure for London 2012 IT Equipment Rooms v1_1
• Policy and Op Proc Access to Mailboxes v1_0
• Data Access Security Model v1_0
• Backup and Recovery Policy FINAL v1_0
• London2012 Dormant account policy Draft Version1.3
A review of all other contracts is underway and will be completed by July 2007.
See response to C3 for monitoring.
C2 IT Engagement in the Procurement and Contract Negotiation Process

Finding:
There is limited or no engagement of IT specialists during the procurement and contract negotiation processes. We noted that the ODA IT department has limited visibility over the procurement and contract negotiation process, and has had limited input to the contract drafting process to help bring consistency into contracts and include relevant IT contract clauses to enable effective control and visibility of third party contractors in relation to IT, e.g. agreement of SLAs and KPIs, appointment of IT subcontractors, compliance with IT policies and procedures covering areas such as security, the Freedom of Information Act (FOIA), the Data Protection Act (DPA) and the National Archives (TNA), and value for money.
We understand that multiple procurement and legal teams are working on various contracts and there is limited sharing of information and awareness of the importance of inclusion of IT considerations during the contract negotiation process.
The IT department is currently working with the ODA and CLM legal teams to identify standard IT clauses that should be included in contracts going forwards.

Risks:
As evidenced in Finding C1, without the engagement of ODA IT specialists in the procurement and contract negotiation processes, there is a risk that the ODA has limited remit to enforce policies and procedures on the third party contractors and appointed subcontractors. This may weaken the ability of the ODA to act in the role of the "intelligent client" and gain oversight of and effectively manage the contracts. As the number and complexity of contracts increases within the ODA, so does the ODA's exposure to risks associated with those contracts. There is the potential that deficiencies within the contracts may result in increased costs and inefficiencies in relation to IT, as well as risks to reputation and national security arising from breaches of security through non-compliance with ODA policies and procedures.

Risk Severity Rating: Major

Action Items:
1. Procurement should engage IT within the procurement and contract negotiation process.
2. The ODA IT department should continue liaising with the legal teams to identify and agree standard terms and contracts to enable adequate clauses in relation to IT to be included within contracts going forwards. The use of such clauses should be determined based on a review of the associated risks and benefits to the ODA so that a balanced and cost effective approach can be taken.
Action Item Priority: High

Management Response:
1. Primary Action Item Owner: Morag Stuart, Head of Procurement
Secondary Action Item Owner: Simon Pitt, Head of IT
Implementation Date: May 2007 and ongoing
Comments:
The ODA has now developed standard contract terms relating to IT and has embedded relevant work instructions relating to IT in all contracts. The Procurement department is continuing to work with IT and other functions within the organisation to ensure consistency of process and true embedding of policies throughout all contracts.

2. Primary Action Item Owner: Simon Pitt, Head of IT
Secondary Action Item Owner: Celia Carlisle, Head of Legal
Implementation Date: May 2007
Comments:
The ODA has now developed a set of documented procedures in relation to IT to be performed prior to entering into contracts with any third party services. Information security requirements are integrated into all third party contracts.
C3 Lack of Processes and Procedures for Monitoring Third Parties

Finding:
There are currently no IT related policies and procedures in place to manage and monitor third party contractor compliance with the contract and ODA policies and procedures.

Risks:
Without defined IT related policies and procedures for management and monitoring of third party contractors, there is a risk that, going forwards, an informal and inconsistent approach may be taken to monitoring and managing third party contractors. This increases the likelihood of future non-compliance with contractual arrangements and ODA policies and procedures, potentially resulting in security breaches and reputational impact.

Risk Severity Rating: Major

Action Items:
1. Whilst contractors are contractually responsible for management of the IT services and solutions required to support the provision of procured services, IT management should assess the risks associated with the loss of data, or security breaches of contractor IT systems, and determine the level of oversight the ODA should retain over the contractors' IT environments.
2. IT should develop third party management and monitoring policies and procedures as soon as possible and implement these for key third parties. This should include the development of a third party audit plan, based on an assessment of associated risk, incorporating aspects such as:
• Third party contractor risk assessments
• Regular third party self assessments of compliance with ODA policies and procedures
• ODA compliance verification audits
• Reporting on service quality and performance against SLAs and KPIs.
Action Item Priority: High

Management Response:
Primary Action Item Owner: Dennis Hone, Director of Finance and Corporate Services
Secondary Action Item Owner: Simon Pitt, Head of IT
Implementation Date: July 2007
Comments:
Outsourced areas are integrated into the internal control system and there is a method of monitoring and controlling the third party service provider on an ongoing basis with regular reporting from the service provider. In addition, the ODA will regularly review and monitor the security practices and processes of the service provider, including performing periodic audits on the security adequacy and compliance of the service provider. Third party contracts include explicit security requirements, including incident response requirements.
A third party contractor audit plan is under development and will be in place in July 2007.
Appendix A: Overall Report Rating Definition
Overall report ratings are provided for each audit deliverable to indicate a general level of internal control, risk mitigation and performance. It is used by management to provide an overall indicator of report contents and severity of findings, which have been identified and require action.

Excellent
Report Category Summary: Overall internal controls were in place, operating effectively and adequately mitigated key risks.
Report Category Definition: Only a small number of minor or insignificant risks or control weaknesses were identified. Line management will address the low priority action items as, and when, required.

Good
Report Category Summary: With limited exceptions, overall internal controls were in place, operating effectively and adequately mitigated key risks.
Report Category Definition: A number of minor or insignificant risks and control weaknesses were identified, and, if taken together, may indicate a general weakness in the control environment to be addressed as a low priority. Line management will undertake actions to strengthen the control environment.

Satisfactory
Report Category Summary: Overall internal control and risk mitigation activities were satisfactory.
Report Category Definition: A number of moderate and minor risks or control weaknesses were identified. Or, recognising the first year of operation of the ODA, some major risks with mitigation strategies were identified. These weaknesses may result in inefficient or ineffective resources, and a decrease in management control. Line Management will address identified action items within the agreed timeframes. Risk & Audit will apprise the Audit Committee of the status of agreed actions, and in particular when agreed implementation dates have not been met.

Needs Improvement
Report Category Summary: Overall internal controls and risk mitigation activities require improvement.
Report Category Definition: A number of major or moderate risks were identified. There were weaknesses in controls which could compromise or undermine management control, there were largely inefficient or ineffective use of resources, or there were risks which were not effectively mitigated. A number of high and medium priority action items were identified and will be addressed by Line Management within the agreed timeframes. Risk & Audit will apprise the Audit Committee of the status of agreed actions, and in particular when agreed implementation dates have not been met.

Unacceptable
Report Category Summary: Overall controls were not in place, operating effectively or mitigating key risks.
Report Category Definition: A number of fundamental or major risks were identified. Either the design of controls did not appropriately mitigate identified risks, there were numerous indicators that controls were not functioning as designed, or there were largely inefficient or ineffective use of resources. A number of immediate and high priority action items were identified and will be addressed by Line Management as a matter of priority. Risk & Audit will apprise the Audit Committee of the status of agreed actions and in particular when agreed implementation dates have not been met.
Appendix B: Risk Matrix Criteria
The ODA Risk Management Framework requires risk severity to be determined using a five by five risk matrix. The tables below outline the likelihood and consequence assessment definitions used to facilitate categorising the risk severity of audit findings and risks.

Likelihood Risk Assessment Criteria
• Almost Certain: Expected to occur in most circumstances
• Likely: Will probably occur in most circumstances
• Possible: Could occur at some time
• Unlikely: Not expected to occur
• Rare: May occur only in exceptional circumstances
O L Y M P I C D E L I V E R Y A U T H O R I T Y – G E N E R A L I T C O N T R O L S
Consequence Risk Assessment Criteria

Consequence definitions by risk group (Fundamental, Major, Moderate, Minor, Insignificant):

Strategic
  Fundamental:   Inability to deliver programme, project or business objective
  Major:         Severe impact on ability to deliver programme, project or business objective
  Moderate:      Significant impact on ability to deliver projects or business objectives
  Minor:         Material impact on ability to deliver project or business objectives
  Insignificant: Little impact on ability to deliver project or business objectives

Operations (management information)
  Fundamental:   Inaccurate or delayed information used in key decision making
  Major:         Inaccurate or delayed information used for internal reporting
  Moderate:      Delays in obtaining accurate management information
  Minor:         Delays in obtaining ad hoc information
  Insignificant: Delays in obtaining ad hoc information in isolated instances

Operations (control environment)
  Fundamental:   Inefficient or ineffective controls in a critical component of the control environment arising from, inter alia: resource management; information technology management; or asset and property management.
  Major:         Inefficient or ineffective controls in a significant component of the control environment arising from, inter alia: resource management; information technology management; or asset and property management.
  Moderate:      Inefficient or ineffective controls in a material component of the control environment arising from, inter alia: resource management; information technology management; or asset and property management.
  Minor:         Inefficient or ineffective controls in some components of the control environment arising from, inter alia: resource management; information technology management; or asset and property management.
  Insignificant: Inefficient or ineffective controls in a very minor component of the control environment arising from, inter alia: resource management; information technology management; or asset and property management.

Compliance
  Fundamental:   Failure to comply with critical mandatory legal or regulatory requirements
  Major:         Failure to comply with mandatory legal or regulatory requirements
  Moderate:      Failure to comply with a mandatory legal or regulatory requirement in an isolated instance
  Minor:         Failure to comply with recommended legal or regulatory requirements
  Insignificant: Failure to comply with a recommended legal or regulatory requirement in an isolated instance

Financial
  Fundamental:   Adverse impact on actual revenue or actual costs > £20 million; NAO audit qualification on the reports or accounts
  Major:         Adverse impact on actual revenue or actual costs between £10 and £20 million; NAO raises significant control weaknesses or management issues
  Moderate:      Adverse impact on actual revenue or actual costs between £5 and £10 million; NAO raises process improvement issues
  Minor:         Adverse impact on actual revenue or actual costs between £1 and £5 million; NAO raises isolated control weaknesses or management issues
  Insignificant: Adverse impact on actual revenue or actual costs less than £1 million; NAO raises some low priority process improvement suggestions
Appendix C: Prioritisation of Findings and Action Items
The following criteria have been used to prioritise findings and action items. The Risk Severity Rating has been derived from ODA’s Risk Management Framework, which uses a five by five risk matrix to define risk severity.
Risk Severity Rating    Finding & Action Item Priority    Priority Definition

Fundamental             Immediate
  - weakness which could negate management control and the ability to direct and manage ODA’s business affairs
  - weaknesses may result in largely inefficient or ineffective use of resources
  - issues categorised as immediate could have the potential to severely impact the operation of the ODA

Major                   High
  - weakness which could compromise management control and the ability to adequately direct and manage ODA’s business affairs
  - weaknesses may result in significantly inefficient or ineffective use of resources
  - issues categorised as high could have the potential to significantly impact the operation of the ODA

Moderate                Medium
  - weakness which could undermine the system of management control, and the ability to demonstrate proper accountability, probity and openness in business operations
  - weaknesses may result in inefficient or ineffective use of resources
  - issues categorised as medium could have the potential to materially impact the operations of ODA

Minor or Insignificant  Low
  - weaknesses which could have a minor impact on the system of management control
  - weaknesses may have a minor impact on the efficiency or effectiveness of processes or use of resources at present