Further detail

Electronic Data Retention and iVPD (Appendix A)

a. Background:
• This report is a review of controls related to electronic file storage, destruction and retention processes.
• The audit also performed a targeted review of the Interim Vulnerable Persons Database (iVPD) considering data issues relating to consent, communication, retention and destruction, as this is a known risk area.

b. Internal Audit Findings:
o BDO provide limited assurance over the design and operational effectiveness of the organisation’s high level electronic retention and iVPD processes in place.
o The iVPD system itself exhibits areas of good practice relating to system process controls, quality assurance, and audit trails. The surrounding iVPD processes relating to user access controls, training oversight and completion, staff declaration and information sharing agreements require improvements to align with good practice and mitigate the respective risks in place.
o Nine findings have been raised with key themes including:
o Electronic retention mandatory training completion targets not being achieved and a lack of staff declarations relating to policies and procedures understanding.
o iVPD user access review limitations and a lack of central oversight of general user access.
o Information sharing agreements not being in place.
o Administration of iVPD policies and procedures, including improvements needed in the evidencing of approvals.
o An opportunity to enhance the information contained within the seeking views aide memoire.

c. Summary of Findings:
Number of findings Number of actions
High 0 0
Medium 5 9
Low 4 5
Total 9 14

d. SPA Considerations:
• Of the total 14 actions made, Police Scotland has fully accepted nine, partially accepted three and not accepted two.
• In the management response information is provided on the rational for partially or not accepting internal audits recommendation.

 
Investment Prioritisation (Appendix B)

a. Background:
• This review covered the investment governance framework, governance and processes in place. The review also assessed the processes for developing, monitoring and re-forecasting the annual budget.
• The purpose of this review was to provide management and ARAC, with assurance over the design and operational effectiveness of the business case and investment prioritisation controls as well as the key budget setting processes in place. It also assess whether controls and processes regarding investment prioritisation and budget setting are well designed and operating effectively.

b. Internal Audit Findings:
• BDO provide limited assurance over the design and operational effectiveness of the organisation’s investment prioritisation processes.
• Whilst the budget setting process is well understood and controlled; the investment prioritisation process lacks transparency over decision making and clear prioritisation criteria.

c. Summary of Findings of:
Number of findings Number of actions
High 2 5
Medium 3 4
Low 1 2
Total 6 11

d. SPA Considerations:
• All recommendations made have been agreed.
• We recognise the strength of assurance provided over core budget setting whilst also acknowledge there are areas for improvement in the investment portfolio area that will inform future budget setting.

FMOR Project Review (Appendix C)

a. Background:
• The Force Middle Office reform project (FMOR) report is an advisory review on the FMOR project, rather than providing assurance.
• The purpose of the review was to provide greater visibility and understanding of what happened with the FMOR project and identify learning opportunities to apply to future projects.

b. Internal Audit Observations:
• The FMOR Project was initially scoped well and there was a clearly defined roadmap for successful delivery, with sufficient buy-in from divisions and resource approval.
• As the project progressed, the approved resource was not recruited and the FMOR project was not delivered to expectations. BDO understand that this was due to the project being deprioritised due to resource constraints, however, BDO have been unable to validate this.
• Ultimately, the execution of this review was challenging due to a lack of sufficient audit trail. When requesting evidence to demonstrate the rationale of the project “deprioritisation” and the formal sign off of project closure, BDO have had to rely on representations from key stakeholders as no formal audit trail was provided.
• We raised a number of recommendations relating to the effectiveness of the approach to project management. It will be important that the observations raised in this review are applied across all applicable project management scenarios at Police Scotland.

c. Summary of Observations:
• BDO have highlighted several observations that present risk to Police Scotland’s project management and governance practices, as exemplified by the FMOR project.
• The scope of the review was limited to only looking at the FMOR project, which was terminated prior to Police Scotland making changes to the project management process.
• BDO has scheduled an audit in 2024/25 to review the Change Process and any findings noted in this report will be reassessed within the new audit to confirm they have been addressed within the new process.
• The key findings were as follows:
o Governance Process for Project Closure:
Despite sufficient audit trail retained throughout Project Initiation to Phase one and two to demonstrate approvals have been obtained, BDO have been unable to obtain evidence to review whether appropriate project escalation and closure procedures have been followed.
BDO understand that there was no demonstratable formal sign-off within Police Scotland regarding this. Given its importance, Project Close procedures should have been followed as per Stage Gate Framework, which includes producing an End Project Report and obtaining ultimate approval from Change Board.
o Formalisation of resourcing requirement decision making process below Change Board level.
Through reviewing the documentation produced for the project, BDO understand that resourcing assessments at initial stage of the project, and escalation of resourcing issues during the project, were approved by, and communicated to the Change Board. However, we have not been able to follow through the audit evidence to demonstrate how the project has been “deprioritised” due to resourcing constraints, and it is not clear why the resources were not recruited to deliver this project as approved.
o Tracking of Objectives and Benefits of the Project throughout its Lifecycle:
While the objectives and benefits of the FMOR project were defined within the FMOR Project ToR and Potential Project Assessment, there was no formal tracking of progress against objectives or benefits throughout the lifecycle of the project.
o Tracking Financial Impact of the Project throughout its Lifecyle:
Up to project closure (i.e. throughout the 30 months of the project life cycle), ongoing financial assessments were not carried out for delivery of the project to track costs or quantify savings. Cost and Resourcing assessments were approved at Board level at the initial stage of the project.

d. SPA Considerations:
• Police Scotland has recognised the findings in this report and state that it is not reflective of the robust project management in place for other projects.
• It has been agreed that no changes will be made at this time, however, ARAC has already approved in the internal audit plan for 2024/25 a wider review of project management that will consider if the issues highlighted with this project extend wider.