NSW Police, Health fail IT-contract audit

The NSW auditor-general has come down on the NSW Police Department and the NSW Department of Health in a recent IT-contract audit, after the two were found to be engaging in lax contract-management operations. The two agencies, however, are challenging the findings and offering reasons for their actions.

The report (PDF), released today by NSW Auditor-General Peter Achterstraat, criticises the NSW Police Department and the Department of Health for poor contract management, after Achterstraat analysed two long-term contracts from the agencies to determine value for money. The auditor-general examined two contracts from the Department of Health that cover application-support services at an approximate value of $7 million, while the NSW Police Department's infrastructure-maintenance contract was reviewed.

"Neither agency demonstrated that they continued to get value for money over the life of these long-term contracts, or that they had effectively managed all critical elements of the three contracts we reviewed post-award," the auditor-general found. "This is because both agencies treated contract extensions or renewals simply as continuing previous contractual arrangements, rather than as establishing a new contract and financial commitment.

"Consequently, there was not a robust analysis of the continuing need for the mix and quantity of services being provided, or an assessment of value for money in terms of the prices being paid," the auditor-general said in his conclusion.

The auditor-general found, in the case of the Department of Health contracts, that the Health Support Services division failed to adequately review or test the price that it was paying for services rendered against the market, failed to engage in direct negotiation for both contracts without proper approval and failed to record some key decisions, including service-level clauses.

Other findings from the auditor-general's report on the Department of Health were that:

• Monthly payments were made in advance, and without corresponding safeguards
• No contract-specific roles and responsibilities for key agency personnel were documented, and there was no assessment of whether agency personnel had the skills and experience to manage the risk in the contracts
• No contract-specific risk assessment was undertaken
• Limited contract-management plans were in place
• No supplier-performance or contract-performance reports were prepared for management.

The review recommends that by June, the Department of Health prepares "a new risk-based contract-management plan for all new services", and, by December, "completes a risk assessment of existing services contracts, and prepare contract-management plans for those identified as high risk".

The auditor-general also found similar contract-management issues within the NSW Police Department.

"Various contract documents, including approvals and agreed contractual obligations, were missing. The supplier's performance was not formally reviewed against the service-level requirement, and some contract extensions were not properly approved. We found that while Police claims that it is receiving satisfactory services from its supplier, it could not demonstrate that it continued to receive value for money. This is because the contract had been renewed six times without police reviewing whether the price being paid for the services was reasonable."

The auditor-general recommends that the Police Department should require "all contracts to be supported into a business-needs analysis", while reviewing value for money regularly.

In its responses to the report, however, both the Department of Health and the NSW Police Department challenged the report and its findings.

"Additional context relating to the maintenance of custom-built legacy applications may have added value to the report," the Department of Health proffered in its response, adding that "the impact of legacy systems is of particular importance to NSW Health, and relates to the contracts reviewed in this audit. A number of NSW Health's IT-legacy systems have been developed in response to identified and very specific needs in managing information, and this purpose-built development has been undertaken by individual vendors, restricting support options.

"Unfortunately, the report did not adequately consider this context."

The Department of Health added that its compliance with procurement frameworks is "far greater than the report presents".

The NSW Police Department offered a similar response, adding that many of the recommendations requiring it to develop contract-management plans and structures for all contracts are impractical.

"The NSW Police Force supports the principle behind this recommendation; however, implementing the recommendation for 'all' services contracts is not practical, and impractical to resource.

"The NSW Police Force has approximately 180 service contracts. These contracts vary in value from $10K per annum to $2 million plus per annum, some are over extended periods and others are short-term engagements only. The implementation of this recommendation would require significant investment in staff resourcing," wrote Nick Kaldas, acting commissioner of the NSW Police Department.

The auditor-general's office told ZDNet Australia that it cannot make its recommendations mandatory; it can only act in an advisory role.

"We report to parliament, and make recommendations; we can't direct nor control anybody. We would hope that our recommendations are adopted as written, and the people that make those decisions are the government of the day," the auditor-general's office said in a statement.