Public Audit and Post-legislative Scrutiny Committee

Meeting date: Thursday, January 23, 2020

Official Report 515KB pdf

---

Section 22 Report

---

“The 2018/19 audit of Disclosure Scotland”

Item 2 on our agenda is a section 22 report, “The 2018/19 audit of Disclosure Scotland”. I welcome our witnesses to the meeting. They are Caroline Gardner, Auditor General for Scotland; Gemma Diamond, audit director, performance audit and best value at Audit Scotland; and Gary Devlin, partner at Scott-Moncrieff.

Auditor General, I invite you to make an opening statement.

Thank you, convener.

Disclosure Scotland performs two main functions. It carries out disclosure checks on criminal histories for employers and it manages the protection of vulnerable groups scheme, which protects children and vulnerable adults.

I put on record that Disclosure Scotland’s 2018-19 accounts were unqualified.

My report details the history of Disclosure Scotland’s new protecting and safeguarding Scotland programme. Disclosure Scotland completed the transfer of all its activities to the new system on 25 September 2019, which was five days before the system that it replaced closed down.

The most recent estimate for the cost of the PASS programme is £78.5 million. As illustrated in exhibit 1 of my report on page 5, that is significantly more than the estimates in the outline business case that was approved by the Scottish Government in October 2015 and those in the subsequent full business case. Further, the system that is currently in operation is described as a minimum viable service and it lacks some of the functionality that was originally envisaged. Manual workarounds are still required.

My report details a number of issues that the programme experienced. In summary, those relate to too low a level of optimism bias being applied to a complex and innovative programme; a lack of financial reporting and oversight; ambiguity over the role of the various governance groups that were overseeing the programme; and a limited amount of contingency planning.

Gary Devlin and Gemma Diamond will do their best to help me answer the committee’s questions.

It feels like groundhog day. Here is another information technology project coming to the attention of the committee, with what look like similar problems to those of the previous examples that we have seen. Will you give us an indication of what went wrong with this software development programme?

I share your frustration, Mr Coffey. As you know, I have reported on a number of failed IT programmes over my time as Auditor General. In 2016, we published a set of principles for digital programmes, and a number of those principles were not applied in this case. There is no guarantee that applying them would avoid problems arising, but they certainly increase the likelihood of success in programmes of this type. As always, the starting point is the overall governance and management of the programme from the beginning.

Gemma Diamond was the author of that set of principles. She might want to give you a bit more colour about that before we get into the specifics of the programme.

The themes that come through in the section 22 report on Disclosure Scotland’s programme, including governance and optimism bias, all feature in the principles for digital programmes document. With digital programmes, we have often talked about the importance of having good behaviours, processes and systems in place from the very start and all the way through.

The Disclosure Scotland programme has a slightly longer history, and it started before our principles document was published. When the document was published, the programme was in the main delivery stage and we would have expected those principles to be adhered to better than they were.

In this example, and in recent discussions, we have heard about the agile development methodology, which seems to be the development methodology that suits most software development projects that we hear about these days. As I understand it, it was deployed in this case, but the project still—I hesitate to say “failed”. However, the initial estimate was dropped and then increased back to the original forecast.

There is something going on with software development programmes that we need to get to the bottom of. In my experience, if you do not do the work at the front end of a piece of software development, there is no guarantee that you will get what you want at the end of it. In the organisations that we have some control over, do we have the people in place who can understand and are capable of specifying the technical requirements of a piece of software?

We think that an agile methodology was an appropriate methodology to use for the programme, which was complex and innovative and used cloud technology. It was the first time that police data had been used in that way, and the methodology should eventually really improve the service for the people who require disclosure. An agile methodology was therefore appropriate. However, as I said on page 9 of my report,

“There was limited experience of agile methodology in the governance groups”

involved in Disclosure Scotland. We have seen that problem before. People have thought that they were using an agile methodology and have not understood the rigour that it requires. Gemma Diamond might want to build on that.

Absolutely. A key issue that we have seen before, particularly at the strategic level, is that leaders in governance boards who have overseen programmes have needed to understand the agile methodology and the kind of information that they should expect to receive. A lot of information, monitoring and reporting are produced with an agile methodology. We see in this example that it was not clear what information was going to what board and what decision making was in place at each board.

Agile methodology is designed so that the process is iterative. People find out things and things change as they go along. We absolutely understand that the situation was very complex and that things would change, but we would have expected, throughout the programme, more regular and more transparent reporting on how much it would cost, what the key decisions were, and what changes to the whole process those decisions meant.

BJSS, which is the company involved, has a really good reputation and a long and good track record in deploying such technology, so it cannot be the issue. There must be another element. I think that it is about the skills in the department that commissioned the software. The lack of skills in it may have given rise to the issue.

What happens with sponsorship? The software should have been under the gaze of the sponsor department so that it could try to intervene at as early a stage as possible to prevent such a thing happening. What happened in the Government department’s oversight and sponsorship?

I refer to exhibit 1 in the report and the full business case extension that happened in September 2018. At that point, the sponsor department was starting to be concerned about the progress in implementing the PASS system. That was partly due to the escalating costs, and part of those escalating costs was to do with the programme management. The Scottish Government sponsor department, through the Fraser figure in the Scottish Government, therefore nominated a member of the Scottish Government team to sit on the transformation programme board. That individual reported back to the sponsor department. At that point, the Scottish Government was reflecting on a programme that was starting to become higher risk in terms of delivery and cost.

Do those people have the software development skills that people need at the front end of any development project to get it right? Are they managers? What are their skills?

If we reflect on what the section 22 report says, we see that you are absolutely right. Those skills are needed on the client side at the outset in the planning stage. It is clear that the senior leadership teams and the governance groups did not follow the best practice guidelines on implementing governance in an agile project—and there are good guidelines in place for how to do that. Examples of not following best practice include experts in managing agile projects not being on the team, and the role of each governance group not being specified adequately so that there was clarity on governance, who was accountable, and who was exercising scrutiny and assurance.

The final part of best practice is training for the senior leadership team, so that everyone who is exercised in governance understands the agile approach and is confident enough to raise some of the queries. The individual whom the Scottish Government inserted into the transformation programme board had that level of experience. However, at that point, the programme had been under way for a significant time and some of the issues were baked in.

That leads me to the question why such people are not involved at the outset. The individual became involved in 2018, but the outline business case started in 2015. Surely such individuals need to be involved at the start. They seem to come in when things go wrong, rather than at the beginning in order to get the specifications right.

Gemma Diamond mentioned Audit Scotland’s national report on the good governance of digital projects, which says that the skills, resources and capacity of any organisation that is implementing a major transformation programme, particularly an innovative IT project, need to be looked at very carefully. That needs to be done at the outset because, if good governance decisions are not made at the outset, those issues will follow you throughout the programme. Unfortunately, that is what happened in this case.

We have heard that common message so many times. Who is next? Is there any way that you, we or anyone else can ask about the IT projects that are on the horizon and ensure that the management processes that will give such projects a realistic chance of success are embedded at the outset?

I very much hope that I will not have to report on another IT project during my time as Auditor General. The committee knows that the Government’s digital directorate has set up a register of major projects that it is using to prioritise its engagement with large projects as they are being developed—from the beginning—as you are suggesting. I do not know whether Gemma Diamond can say anything more about that.

Absolutely. When we presented our “Enabling digital government” report to the committee back in June 2019, we talked about the changes that had been made to the assurance process for the oversight of digital programmes. We also talked about the need for the Government to have better processes to be able to prioritise which programmes need support, and about the skills shortage and how to prioritise where skills go within the central Government sector. Across all such programmes, there needs to be collaboration across the sector to be able to share skills.

In our report, we said that the Government had not had enough resource to be able to share the lessons learned from all the assurance reviews. Although assurance reviews were being undertaken on individual programmes, there was nothing that brought out common lessons and built those into training programmes for future leaders and people who work on such programmes. We considered that to be a significant risk and that sharing the lessons learned would prevent the same things from happening in future programmes.

Are you content that if the guidelines that you have described are followed, that should be sufficient to allow any department or agency to do the work right the next time round? Is anything missing from the digital skills guidelines that have been put in place?

The guidance, training and support are available, but there is a skills shortage. There is not enough of the skilled resource to go around. A significant number of digital transformation programmes are being undertaken across the whole of the public sector, and our 2019 report said that there needs to be better collaboration so that we can ensure that the right skills go to the right places. That applies across the whole of the public sector.

You are right about the skills gap in the public sector. Is there a hesitancy about going out and finding the relevant skills, either by headhunting someone into the public sector or by using the skills that exist in the private or voluntary sectors, or is there just a skills gap across all three sectors in Scotland?

Much more often now, the public sector is bringing in the appropriate skills from the private sector—people are being brought in on a consultant basis on short-term contacts—but there is a shortage of certain skills across the whole market.

In that report last year, we made the point that the Scottish Government still finds it difficult to compete with the private sector on salaries in order to be able to bring in the appropriate skills. That is particularly the case in markets such as Edinburgh and Glasgow, where there are strong financial services organisations that are looking for similar skills. It is a widespread issue.

10:15  

Clearly, we have an IT skills gap. To be fair, that is not just in Scotland. For Governments across the United Kingdom, IT projects are a huge challenge—they go over budget, take far too long and there is a massive skills gap. Can we learn from international examples how to take a much better approach to IT skills, or is it a global as well as a UK problem?

When we produced “Principles for a digital future: Lessons learned from public sector ICT projects” back in 2017, we looked internationally to see whether the issue was unique to Scotland or common in the public sector across the world. That both reassured us and made us slightly pessimistic, in that we found that, across the world, auditors were raising the same issues about the same situations.

However, there are international developments that the Scottish Government can look to, particularly in places such as Australia that have had similar issues and projects that had difficulties. The Scottish Government can look to see how the arrangements that those countries have put in place have helped them to solve some of the same challenges.

Do the same challenges or problems exist in the private sector?

There are absolutely some of the same challenges. We see that in some of the banks, where IT failures have had an impact on customers. However, with those private sector failures, the same level of information is not available to find out what went wrong and why.

Willie Coffey asked about the issues at the start of the project. I want to ask more about that before I bring in John Mason to drill into the costs. At the start of the project, there were two key areas where mistakes appear to have been made: first, on the costs and secondly, on the timescale. Why did that come about?

One of the key questions is about the process that led to the overall estimated cost of the programme reducing from £77 million in June 2015 to £34 million in October of that year. We know that part of the difference was due to the reduction in the optimism bias to the minimum allowed under the Treasury green book guidance. Clearly, that was a risky decision for a system of such complexity, innovation and importance to the running of the organisation. Beyond that, we do not know much about what else led to the reduction, but that has to be an important question.

We are more concerned about the reduction in the costs than we are about the timescale. It was an innovative programme. The problems became apparent relatively early on and were dealt with through rescoping the work and redesigning. As you say, the issue of whether there was a good baseline at the start is one of the important points. Gary Devlin might want to add to that.

I have only two things to add to the Auditor General’s comments. The key aspect is optimism bias. With any innovative, complex and major transformation programme that is IT led, you will inevitably face challenges throughout the programme, and over time, those will add to cost. When you start off, you do not know what they are, which is why you include an optimism bias. In this case, it is clear that an optimism bias was not set at the appropriate level for such an innovative, complex and large-scale project. We can see that in the change in estimated cost, which dropped significantly from £77 million in the initial outline business case to around £35 million in the revised business case. Broadly speaking, the cost has ended up where it started.

The other aspect is set out in paragraph 11 on page 6 of the report. The key elements of additional cost are related to the additional capital cost of addressing complex challenges throughout the project, which added £10.4 million. The BT contract had to be extended; it was very expensive—much more expensive than the PASS system will be to operate in future—and cost an additional £5.8 million. There is also a £6 million additional cost for manual workarounds. Broadly, that explains the move from the full business case number to the final number.

There will be people watching who will be asking what optimism bias is, and how on earth it can impact something to the tune of £30-odd million. Would you mind explaining very briefly in layman’s terms how that works?

When you set out on any complex project of any description—not necessarily an IT project—you know at the start that you do not know everything that is going to happen. In a major building project, for example, you do not know what you will find when you dig up the ground to do groundworks, or what complex challenges you might find in the architecture of a system or building. This building here is a good example of some of the unknowns that there are at the start of a project. Over time, developers of systems have identified that as a key issue. In programme management, when you are about to invest significant amounts of money—whether in the private or public sector—the standard practice is to assess the risks that are associated with the project. If it has been done before, and often, you can be much more confident about costs, but if it is new and innovative and has never been done before, you are less certain about costs.

When you are budgeting to cover for those unknowns, you make a spectrum of allowances, and that is called optimism bias. Often, when management get to the point of initiating a project, they are invested in it and very keen on doing it and have convinced themselves that it is a great thing to do, so they tend to be optimistic about the outturn. Optimism bias compensates for those natural instincts of management—that is, of human beings—to err on the side of the best possible outcome. It forces them, in a logical way, to factor unknown costs into their budgeting.

That was helpful—thank you.

I will continue that line of thinking. Paragraph 21 on page 8 states that

“the Treasury Green Book sets out good practice”

in relation to optimism bias. It appears that there is a range of practices. However, paragraph 22 states that the full business case

“adopted the lowest level allowed for this type of programme”.

It sounds as if Disclosure Scotland was within the parameters but had gone too low.

Yes—there were a number of elements to it. The minimum for optimism bias is 10 per cent of costs and the maximum, for a highly innovative programme, is 200 per cent of costs. The guidelines state that you should address that by starting at the upper level of the range and justifying why you should decrease the optimism bias at all, at any level. Disclosure Scotland did not go through that process and did not arrive at the minimum level in any evidential or documented way. As we have said, this is a highly innovative project, so we would have expected the optimism bias to be much closer to the maximum number than to the lower number.

Would there have been any checks on, or any third party looking at, what Disclosure Scotland was saying at the time, or are we looking at that only in retrospect?

There should have been more challenge and scrutiny at that point, which might well have picked up the optimism bias issue.

The report states that the Government rejected the initial business case of £77.2 million—presumably as too expensive, although we ended up at £78.5 million—and that Disclosure Scotland went back with a business case of £34.1 million. If I said that I would like to buy a house but that it was a bit too much at £200,000, and the seller came back and said £90,000 instead, I would be pretty suspicious that it would have no electricity or that the walls would be weak. Surely, the Government, or whoever approved such a dramatic drop in cost, should have been questioned.

We agree that scrutiny and assurance levels at that point did not work as well as they should have.

That is the case for both the Government and the governance groups in Disclosure Scotland. We set out in paragraph 14 the four groups that should have had a role, but none of them appears to have been applying the sort of challenge that Gary Devlin talked about. They felt that they were managing, rather than challenging, the project.

We started with an estimated cost of £77.2 million, which went down to an unrealistic level, and ended up at £78.5 million. Is it just coincidence that the £77 million and £78 million cost estimates are close together?

It is actually—although, in a way, it is not surprising, because the initial business case had a higher level of optimism bias factored in.

The optimism bias covers anything going wrong.

Yes, if Disclosure Scotland had gone for the highest level, that would have covered a significant proportion of the overspend.

It is also coincidental in another sense. I draw your attention to exhibit 2. Although Disclosure Scotland has a system up and running that does what is required, it is a minimum viable system—it has not got some of the things that it had hoped for at the point of the initial business case. You can see in the exhibit the gap that is required to be covered by manual workarounds to make the system work at all and, above the dotted line, the ambition that the organisation had hoped to achieve when the initial business case was put together. The numbers are similar, but the organisation has got less for the £78 million that it has spent so far.

Right. I was trying to compare exhibit 2 with exhibit 1. Exhibit 2 shows the present position—or at least what the position was when the report was written. Is there still space for the system to improve and move closer to where it was meant to be?

There is. Gary Devlin can talk you through that.

Additional investment will be required to do that. The manual workarounds are currently costing £2.7 million, which will reduce to about £2.14 million. Those are in place to enable Disclosure Scotland to get to the core solution—the exhibit 2 graphic on page 7 of the report shows that. Disclosure Scotland’s capital budget gap this year is £9.5 million. That is broadly an indication of the amount of capital investment that is required in order to remove the manual workarounds. In addition, the Disclosure (Scotland) Bill is, as you know, going through Parliament—it has just passed stage 1. If agreed to, that will change again the requirements and processes for disclosures, so there will be a further change in addition to a core solution.

On the Auditor General’s point, that position is still some way from achieving the initial ambition for the project, which was for the process to be fully digitised and for the system to be much more functional.

That is now unachievable.

I would not say that it is unachievable—it would simply cost more capital to achieve.

I quite liked John Mason’s analogy about the house. Disclosure Scotland made a business case, which was rejected. It then suddenly came back with a cheaper business case. On page 5 of your report, you say:

“The Scottish Government approved the revised projected costs of £34.1 million.”

Which department signed and sealed the revised business case?

It was the justice department, which Disclosure Scotland forms part of.

I looked around to find out information about Disclosure Scotland. That led me to a subset of the Scottish Government website, which is where the organisation’s information is. I looked for board minutes and found only minutes for September 2019, audit committee minutes for November 2018 and the 2018 annual report and accounts. There must be more than that.

One of the issues that Audit Scotland raises continually is the transparency of public bodies. Government agencies do not have to publish minutes of audit committees and board meetings in the same way that many other public bodies do. There is a variety of approaches to publishing minutes of meetings. We have raised the issue as the local auditor with Disclosure Scotland and said that it should consider being more transparent.

It is not just a question of being more transparent; there is obviously more up-to-date information that Disclosure Scotland has not put on to the website.

That is right.

I noticed that there were redacted items in the minutes that were available. Is that common?

It is common when dealing with issues that are commercial in confidence.

Interestingly, one of the chief executive’s key points was that, because of climate change,

“board lunches will no longer contain meat.”

That does not sound like an issue that a body such as Disclosure Scotland has a prime focus on.

That is something that you could put to the accountable officer and the Scottish Government.

10:30  

Coming back to what we might call more mundane issues, I think that the report is concerning in relation to the financial oversight. It states that no financial information was provided to the transformation project board, even though it was responsible for authorising the expenditure, and that

“there is no evidence that the additional budget was formally approved by any of Disclosure Scotland's governance groups.”

Was there never a discussion in the transformation project board about who should be scrutinising the budget? The Scottish Government was on that board.

Paragraph 14 and the subsequent paragraphs point out that the roles of the four separate governing bodies had never been properly defined and that, as a result, there was some confusion over people’s roles in the governance of the project. That confusion is evident. In answer to your question, when there is confusion, governance groups assume that some other governance group is managing the scrutiny and assurance aspects. In this case, the scrutiny and assurance were not sufficient for a project of this type and scale.

In cases such as this, I usually ask what the audit committee was doing. I see that it was at its request that some information was put together for the board on the matter. I think that it was in November 2018 that the contract with BT was extended until the end of September 2019. It might have been expected that having to budget for those costs might have raised the profile of the issue and got people looking at it more closely.

I agree. I attend the audit committee of Disclosure Scotland, and I know that it was asking questions—that comes through in the annual report.

When you examine the governance of a public body, you tick boxes to say that it looks as though, on paper, adequate governance is in place, and that is what happened with Disclosure Scotland. It has a transformation programme board, which reports to a board, there is a leadership team and there is an audit committee. On paper, that looks as though it should be fine. However, the issue is that not all of those governance groups are clear about what their roles are in relation to the programme, and the audit committee felt the need to step in and seek more detailed financial and other information late in the project, because it was becoming clear that that information was not going through the other governance groups.

I saw a reference, perhaps in the board minutes, to internal audit. Who conducts those internal audits?

The Scottish Government’s internal audit team.

Do you have any comments on that team’s performance in this regard?

I have none. About a year ago, the internal audit team undertook a review and reported many of the issues that also come out in the Auditor General’s report.

To whom did it report?

It reported to the audit committee.

And did the audit committee pass that on to the board?

Yes. The accountable officer sits on the audit committee, and many of the audit committee members also sit on the board.

So things were known about and were reported, but there were no consequences.

There was confusion over the roles of the individual governance groups, which hampered effective scrutiny of the project.

It is probably also worth mentioning the impact of the hard deadline around BT’s involvement. The work was being carried out on a BT platform that had been in place for a long time. It was expensive, as Gary Devlin has described, and Disclosure Scotland wanted to expand what it could do, as well as reduce costs. The BT contract was extended at some point during the programme, when it became clear that the PASS programme would not be available in time. BT then made it clear that it could not and would not extend again. Had there not been a system in place, it is not clear how these very important disclosures would have been handled. That might have also led to a focus not on what was the right thing to do but on the need to get the system up and running.

So the focus was on delivering the service, because the consequences of not doing so would have been even worse than the issues of finance that arose.

We have heard about all the issues. Have there been any consequences for anyone as a result of the project not going well? You might not know the answer.

It depends on what you mean by consequences.

Was anyone found responsible?

In late 2018-19, the challenge was significantly greater. It is unusual for a Scottish Government sponsor directorate to appoint a member of staff to oversee or to support the scrutiny of a transformation programme board and report directly back to the Scottish Government. In a sense, that would have sent signals to the senior leadership team in Disclosure Scotland about the importance of managing this project better and delivering it on time. The consequences of not doing so would have been significant.

There does not seem to be any mention of departures from boards or leadership teams.

That has not happened to date—to my knowledge.

I have two questions. First, as Gemma Diamond said, the principles that the Auditor General outlined in 2016 were not adhered to in this case. Obviously, that contributed to what ended up as a bit of a disaster in terms of the cost and how the project went. Furthermore, the Scottish Government representative on the project board was not effectively appointed until well into the process. Is it not time that the permanent secretary issued an order, if I can put it as crudely as that, that those principles must be adhered to, and that the minute a project board is set up for an IT project, a relevant and qualified Scottish Government official must be on that board?

It is fair to say that it is hard for us to understand why we keep seeing failures of this scale because of some of the basic—although not easy—requirements that should be in place. As Gemma Diamond said earlier, the outline business case predated our publication of the principles documents but, nevertheless, we were codifying what was already known rather than producing something brilliant out of the ether ourselves. There is therefore some substance to your point.

Gemma, will you say a bit more about the way the Government is promoting the principles, so that the committee can think about what else might be required?

Our report of June last year, “Enabling digital government”, set out the assurance arrangements that the digital directorate has in place for all major digital programmes. Those arrangements apply throughout the lifetime of a programme, so they are now designed to apply to the programme from its inception and at key points along its journey. We have seen that the principles are written into the guidance that bodies have to follow, and they have to show that they are adhering to them through the assurance process. If the assurance process does not get enough assurance at particular points in the process, it has the power to stop a programme for remedial action before it carries on.

The assurance process is still quite new and finding its feet. It comes back to skills and capacity and having enough people with the right skills to be able to look in detail at the assurance of programmes. A significant number of digital programmes are going on across the Scottish Government, so it needs enough capacity and skills to be able to scrutinise all those programmes. In our report, we said that the Government needs better processes to prioritise skills and capacity so that it can fulfil its scrutiny and challenge role, and undertake the assurance process across all the digital programmes that are in place.

Are you saying that you would be fairly comfortable that the principles would be adhered to in any new project, even from when the business case is approved? I take your point about capacity; the Government has to build its own capacity through getting appropriately qualified people who can sit on the project board, and so on. However, are you saying that you are comfortable that such projects are at least attempting to ensure that the principles will be followed?

The assurance process covers the heart of the principles and looks at them with a different gaze. However, the assurance process is not for all digital programmes. We talked earlier about the process being used for high-risk programmes or those that will cost over £5 million, so some of the smaller programmes will not be covered by the assurance process. It is certainly not used for the whole suite of digital programmes.

However, we have seen before that projects under £5 million can still go awry and cost the public sector a fair amount of money. Is there a need to apply to smaller projects a set of principles or an assurance process that are not as complicated? Five projects under £5 million at £3 million each is £15 million. If they are all out by 50 per cent to 100 per cent, that is potentially a £15 million overrun for the public sector. That is money that we cannot afford, and taxpayers should not have to fork out for such mistakes. Is not there a need for a parallel process for smaller projects that does not use up inappropriate levels of resource?

We have certainly said that the Scottish Government needs to think about how it prioritises its resource and that resource is best directed at the programmes that really need it, which might be smaller ones under £5 million that are high risk, in that they will deliver a direct service to the public. We know that smaller bodies really struggle to get the right skills and capacity in place. They are unlikely to have them themselves; they need to get them from somewhere, and they can really struggle with that.

There is limited resource. The Scottish Government digital directorate has on its list more than 300 digital programmes, so it needs to prioritise where best to place its skills, capacity and resource. It is building training programmes that are available for all public sector leaders and people who are undertaking digital programmes. Audit Scotland thinks that it is essential that lessons that are learned from digital programmes are built into the training programmes so that the lessons are shared more widely.

We all recognise the dire shortage—across the economy and across the world—of people with IT skills. To be fair to the Scottish Government, I note that it is operating in that context, so it is good that it is trying to expand general capacity, as well as its own capacity.

Is there a need for a core team of experts? I will pick up on one of Willie Coffey’s points. I have a background in the computer industry, in which I worked internationally a number of years ago. The problem that we are discussing was a problem internally in the computer industry. A company would get the IT department to set up a programme to manage order flow, for example, but if we did not specify fairly precisely, right at the beginning of the process, what we needed as the customer of the internal IT department, it usually ended up in disaster.

The required expertise is quite specific. Is there a need for a team at the centre that has the expertise to specify what is required of new IT programmes? It seems to be that—depending on the organisation—a different team is pulled together every time. If we had a team that was a central resource, people could call on it right at the start, as Willie Coffey said. The overrun for building the Scottish Parliament building, for example, was primarily due to the fact that we did not properly specify the design work up front.

The digital directorate is trying to build up capacity and expertise so that it can support programmes as required. Again, it comes back to having enough capacity to service need, and to having the right information about programmes so that the directorate can provide the necessary support.

The committee might remember the report from last year that Gemma Diamond referred to—“Enabling digital government”—which aimed to summarise the big programmes that are currently on the Government’s register. There are some really big peaks, particularly to do with social security, and we recognise that there is a trade-off, at the moment. The social security work seems to be being managed well; it is being delivered broadly to cost and on time. There are some questions for the future, as the work ramps up, but the Government would say that it is making decisions about where to prioritise.

The bigger question is where the skills come from and how to prioritise what it is they are supporting.

10:45  

Some small countries, such as Estonia, are miles ahead on all this stuff. Maybe we need to send a team to Estonia and just copy what Estonia is doing.

Do you mean that we should send a virtual team to Estonia? [Laughter.]

Absolutely.

I have a separate point, which builds on one of Bill Bowman’s points. Last week, we heard about the situation in Bòrd na Gàidhlig, whose minutes, agendas and all that sort of stuff are not even on its website, which I think is crazy. As you know, under our wider remit, we are looking at freedom of information legislation and its implementation. Should the permanent secretary to the Government not be making it absolutely clear to every public body that, in this day and age, unless there are issues of confidentiality or disclosure, their minutes, agendas and papers should, generally speaking, be placed on their website timeously and be easily accessible by the general public?

There is a need for some sort of push by Government. As Gary Devlin said, that is something that auditors look at routinely. Last year, we produced guidance on what auditors should be doing and we briefed the committee on that. “On Board”, which is guidance for public bodies, sets out expectations that are, I think, applied differently in different bodies.

Auditors can only recommend—we cannot require bodies to do things. What we are discussing are instances in which something else has gone wrong, with levels of openness and transparency being contributory factors. It probably links to the variation that we talked about before, the expectations that sponsor departments’ figures and Fraser figures set, and the way in which departments carry out their responsibilities. A push on that would be timely.

Do you seek the views of external software contractors on projects for their sense of what is going wrong? The company that is involved in this instance is really good: it has a great reputation and has received a Queen’s award and so on. It would be useful for us to hear external contractor’s perspectives, and any others that might follow.

I am pretty sure that there was a two-phase process. Gary Devlin can tell you more.

That is a great point: external contractors are an integral part of improving how we deliver IT projects. BJSS was involved in supporting Disclosure Scotland; in fact, it was a significant part of the partnership delivery team for the project, and helped to design the second phase of it. It was significant in terms of its laser focus on how to ensure delivery by the September 2019 drop-dead deadline. It was very helpful to Disclosure Scotland in managing that.

We must always be careful with commercial companies because they have vested interests in the outcome through the profit motive and drive, but they are an essential part of learning about how we could manage such processes better.

It is a normal part of the software development cycle that at project close-out, you hear everyone’s views about what went right and wrong. It would be an important if, through our learning, we could hear such perspectives in the future.

As members have no further questions, I thank the Auditor General and her colleagues for their evidence.

10:48 Meeting continued in private until 11:12.