§ Mr. Allan: To ask the Secretary of State for Environment, Food and Rural Affairs what audit mechanisms are in place to determine whether information technology (a) hardware and (b) software products are being used properly in her Department. [150930]
§ Alun Michael: A considerable amount of work is going on in Defra to improve our IT facilities and systems. We are also seeking to improve usage and exploitation of the capacity of the Department's systems in the interests of efficiency and service delivery. It is against that background that the variety of audit mechanisms needs to be understood. They are:
1. Departmental audit:
The IT Audit Branch of the Department's own Internal Audit Division conducts a continuous programme of audit assignments (approximately 15–20 per year) in order to provide an assurance concerning the management of our IT systems' (hardware and software) lifecycle—specification, procurement, development, implementation, operations and decommissioning. The scope of audit assignments included in the programme is determined using a risk-based approach and ranges from in-depth examination of single projects or operational systems, to "horizontal" reviews of management processes which can be expected to apply reasonably consistently across projects or systems—for example, software licensing, infrastructure change management, IT governance.
Internal audits contribute to an assurance that hardware and software products are being used properly within the Department, in the sense that projects/systems contribute effectively and efficiently to the achievement of Departmental objectives, are compliant with legal and regulatory requirements, apply mandated or claimed standards and acknowledged best practice, and are appropriately economical in the use of funds and other resources.
The Department's Security Branch conducts a rolling programme of IT security audits focusing on compliance with Departmental IT Security policies throughout the Defra estate. It also co-ordinates the implementation of BS7799—the British Standard for the Management of Information Security. Internal Audit Division is responsible for independent review of achievement of compliance with this standard.
2. Other internal tools and mechanisms:
There are IT-supported administrative systems in place to assist with the identification and management of IT assets (hardware and software).
A fixed asset inventory is maintained on the Department's Resource Accounting and Management Information System (RAMIS) and holds details of fixed assets valued at £2,000 or more, including IT assets.
The e-Business Directorate holds information about the software installed on our Office Systems network as well as about major server and application development software, and ensures that the correct number of software licences is held. An IT inventory management application is used to identify hardware on Defra's Local Area Networks.
"Audit Logs" recording information concerning users' access to and activity on the Department's IT systems are automatically specified and implemented for all significant IT systems. These are generally for the benefit of system owners in day-to-day management of the system, but may sometimes be used by Internal Audit to examine for signs of improper use of the systems.
3. External audit bodies and mechanisms:
External audit bodies which may examine IT management functions include reviews by NAO, and by EU Audit (where the system/function in question is involved in administration of EU-funded schemes). As with internal audit, external audits of administrative functions may also touch upon IT management issues and may prompt internal audit follow-up.
All new major IT-enabled business change programmes within Defra are subject to OGC Gateway Reviews and Health Checks, which examine and report on the management of Programmes, and can also be regarded as a form of external audit.