Report Summary
This report provides members of the Scottish Police Authority's Audit, Risk & Assurance Committee with an overview of the final three internal audit reports from the 2022/23 internal audit plan.
To access the full document please open the PDF document above.
To view as accessible content please use the sections below. (Note that tables and some appendixes are not available as accessible content).
Meeting
The publication discussed was referenced in the meeting below
Audit, Risk and Assurance Committee - 22 June 2023
Date : 22 June 2023
Location : online
Further detail
FURTHER DETAIL ON THE REPORT TOPIC
Change Management – Digital Evidence Sharing Capability (DESC) (full report at Appendix A)
Background:
In 2019, the Scottish Government launched a procurement exercise for a new Digital Evidence Sharing Capability (DESC) to support efficient access of digital evidence across criminal justice partners.
The Digital Evidence Programme Team was set up across Community Justice Partners, including Police Scotland, to support the DESC project. The Scottish Government provided initial programme leadership, research and delivery, funding and procurement of the strategic technology platform.
The project was temporarily halted due to the impacts of the Covid-19 pandemic, but was restarted in July 2020 with the contract to provide the digital solution awarded in October 2021.
Since then Police Scotland has worked in collaboration with the appointed supplier and partners to support DESC.
Police Scotland took on the role of “lead delivery partner” in December 2021 after submission and approval of a Memorandum of Understanding with the SPA.
The Scottish Government has intimated its intention to novate the contract to the SPA, in line with Memorandum of Understanding, at a date yet to be confirmed. SPA and Police Scotland have previously highlighted areas of ongoing concern that will require to be addressed before novation takes place.
Internal Audit reviewed the overarching project governance arrangements in readiness for novation of the contract. They also considered the extent to which the previously identified issues have been resolved.
Internal audit findings:
The overarching project governance arrangements for the DESC project were generally well designed with good arrangements for partnership working.
A number of identified recommendations are highlighted where processes could be improved upon.
Recommendations are indicative of underlying resourcing and capacity issues available to support project delivery, which whilst not unique to the DESC programme, if not addressed may lead to further delays or a high technical deficit.
The audit highlighted findings in addressing recommendations raised from external reviews and a lack of clarity around the benefits realisation process. Further work is required in these areas before contract novation occurs.
Summary of recommendations:
TABLE
Five of the eight recommendations have already been addressed. Two are scheduled to be completed by the end of June with the final recommendation scheduled for October.
SPA conclusions:
DESC is a key project for the Scottish criminal justice system to enhance efficiency and effectiveness. The project is also a pathfinder on the future use of key technologies for Scottish policing such as cloud based storage.
SPA welcomes the findings of the internal audit contributing to the overall assurance being sought and gained.
Change Management – Resource Deployment Unit
(full report at Appendix B)
Background:
The Resource Deployment Unit (RDU) is tasked with ensuring the required number of people with the appropriate skillset are available in the right place, at the right time, in the most cost-effective manner, with care for wellbeing.
Police Scotland are looking to restructure the way the RDU operates and an Initial Business Case (IBC) has been drafted.
Internal audit findings:
Overall, the IBC for a national RDU was found to be compliant with appropriate guidance. Without reform, the RDU function will not be able to effectively respond to modern day policing demands.
The audit identified some discrepancies including the application of outdated data and core issues within the daily operations of some resourcing teams.
Quality standards setting out performance expectations and operational outcomes have not been set.
The IBC is does not contain options for introducing new or alternative approaches to delivering functions.
The IBC has limited information on estimated costs.
The outcome would incurs a large expense at a time where real-life challenges of the RDUs need to be addressed amid budgetary pressure.
Summary of recommendations:
TABLE
Police Scotland have indicated a target date of October 2023 for eight actions.
However, a target date has not been set for one of the very high risk actions (3.1) and the timescale for implementation of a moderate risk action (4.1) is reliant on the approval of the IBC.
SPA conclusions:
The audit highlights the importance of the RDU to ensure efficient and effective policing deployment.
The current financial climate enhances the importance of having an effective RDU.
The number and risk grading of findings has resulted in Azets highlighting this report in their annual internal audit opinion.
Forensic Services Physical Data Management
(full report at Appendix C)
Background:
A data security incident in late 2021 highlighted the risks associated with tracking casefiles.
A review of the incident from 2021 was completed by internal audit (reported to ARAC March 2022) with the intention to review wider process and practice at a later stage.
Forensic Services creates many thousands of casefiles annually and manages an archive of many years of material across several sites. Each case created will have an electronic casefile and, in many cases, supplemented with a physical casefile.
Internal audit findings:
The review identified weaknesses in Forensic Services processes, systems and data which does not allow the organisation to clearly identify all physical casefiles held and where these are held at a point in time.
There is no single system or data source that could be regarded as an inventory of physical case files, or which supports accurate electronic records of casefile movements..
The inability to track and trace the movement of casefiles is a common factor in casefiles being identified as missing and also in not being able to close the investigations promptly.
Weeding and disposal of physical casefiles beyond their retention period has not been regularly undertaken.
Summary of recommendations:
TABLE
All recommendations are scheduled to be addressed by Dec 2023
Management did not accept one recommendation (1.1b) and partially accepted another (1.1a) (details in the report).
SPA conclusions:
Since the incident in 2021 the awareness and importance of Physical Data Management in FS has been enhanced.
SPA Forensics services handles approximately 42,000 case files per year. While robust processes and procedures will reduce the probability of loss, due to their manual nature the probability of loss cannot be completely mitigated.
Forensics is currently exploring proposals to introduce Radio Frequency Identification (RFID) to enhance the control of physical files.