Poor security and performance continue to dog adult care software used by a troubled outsourced shared services joint venture, according to a stinging report by auditors.
The Southwest One (SWO) vehicle was formed by the council, supplier IBM, former Avon and Somerset Police Authority (ASPA), Somerset County Council (SCC) and Taunton Deane Borough Council (TDBC) to provide nine services including ICT, finance, human resources and payroll services to the public partners.
Auditors appointed by SCC said that the Adults Integrated Solution (AIS) application provided by supplier Northgate to manage adult care cases was not well managed with a lack of internal controls.
The report said: “In spite of continued discussions between SWO and Northgate and related infrastructure modifications, performance issues persist.”
Issues reported by the auditor include:
- Responsibilities related to AIS have not been formally documented including the naming of a system owner;
- No reports or processes, other than database monitoring that ensure the ongoing integrity of AIS data and the appropriateness of payments;
- If the SCC data centre was unavailable for any reason, applications could be unavailable for a month or even more;
- Slow performance and response times
A detailed assessment also found that client records can be created with a minimum of information.
“Key personal identifiers such as data of birth, National Insurance number and NHS number do not need to be entered and this both increases the risk of duplicate records and provides less data with which to identify those that have been created.”
In addition, many of the 775 users of the system have more access than they need to perform their jobs, the auditors found.
Several generic user IDs, “established by Northgate and whose purpose is unclear”, are made available to five “super users”, with the password distributed via email, the report said.
In addition, the time-out for the application is one hour.
“Although users typically leave the application on and lock the screen when they go out to lunch, this process is inefficient, leaving sessions unavailable for others and insecure, since the user could forget to lock their screen and allow bypass of all security.
During the investigations, SWO refused to share AIS vendor support contract with the auditors, the report said. “We are therefore unable to determine whether the contract adequately addresses performance, guarantees and penalties.
However, the auditors “noted that issues identified in new release testing are not always addressed by Northgate resulting in workarounds having to be implemented by AIS users.
“In addition Northgate do not track and share with ASC the remaining unresolved issues. As a result new releases are not implemented with all identified problems resolved and the full benefits of automation are not being derived as workarounds are added.”
SouthwestOne also refused to release details of licensing of AIS with the auditors, they said.
Their report warned: “Although noncompliance with licensing laws is now the responsibility of Southwest One, if a problem were to arise SCC could be negatively impacted.”
The report said that the majority of the concerns raised above apply to all one hundred and twenty applications supported by SWO for Somerset County Council, of which sixteen, including AIS, are classified as critical.
In April, TDBC found that the 10-year contract with SWO has delivered less than a third of the £10m savings anticipated.