As budget pressures continue, the need to boost efficiency means that the government now outsources an ever wider range of activity – from IT projects to the running of prisons and administration of benefits. As a result, it is crucial that internal audit teams play a full role in ensuring that the specific risks related to outsourcing are properly managed, and learn from the experience of past problems.
The advantages of outsourcing can be substantial. It can give the government access to technical expertise that it does not have in-house, cut down administrative work and get better value for money for the taxpayer. But these benefits can only be realised if outsourcing arrangements are designed and managed effectively, with proper assessment and control over the risks.
Unfortunately, there is an assumption that outsourcing the service also outsources the risk. This is not the case; failing to plan for outsourcing risks can result in service failures, delays in the implementation of new projects and significant additional costs. These problems leave the public feeling let down, undermining any value outsourcing was set to deliver. If a supplier fails to deliver on time, or delivers inadequate services, both the commissioning body and the outsourcer can end up under attack and public confidence in them is damaged.
Examples of systemic failures in outsourcing are plentiful across the public sector. Perhaps most notorious was the NHS database system, Connecting for Health, abandoned in 2011 at a cost of £10bn following failed outsourcing to a technology consultancy. As a result of such negative experiences, there is now a growing knowledge and understanding of how to manage outsourcing risks.
One department which has made considerable progress in recent years is the Ministry of Justice. The department contracts for a wide range of services, including the operation of large facilities such as prisons, the maintenance of court buildings, and the provision of electronic tags for offenders. In 2013-14, it spent £2.6bn in total with commercial suppliers.
A Contract Management Programme Board was set up in 2014 on the back of failed contracts for the electronic monitoring of offenders, involving providers over-charging for work that had not taken place. This possibility had already been spotted by the department’s internal audit team in 2010, when it undertook an audit of the electronic monitoring contracts and identified a control weakness and the vulnerability to fraud. Its recommendations on how to mitigate these risks were accepted by management but not implemented until it came to contract renewal.
Following on from failures in the tagging project and several others highlighted by the 2013 cross-government review of contracts, the Ministry of Justice has stepped up internal audit activity around outsourcing and procurement. The head of internal audit now sits on and reports to both the Contract Management Programme Board and the new Commercial and Contract Governance Committee, which the department established in 2014. The department has developed a tiered approach to review all contracts with annual spend greater than £10m, ensuring a more detailed examination of those which are higher risk. It is also no longer relying on a purely systems-based approach, but complementing this with an element of substantive testing and a focus on the consequences of the failure of controls.
In order to increase internal audit’s coverage of outsourcing, the department recruited three new members of staff with a background in contract management and put them through the International Association for Contract & Commercial Management (IACCM) certification. The team also bought in some external resource from its Big Four partner to help develop the methodology. In subsequent years, more of this work is being undertaken using the in-house team, as they were able to benefit from the skills transfer in the first year.
It is our view that civil servants across all departments can learn from the Ministry of Justice's example, and not propose important outsourcing projects without first getting full assurance from their internal audit teams that the potential risks have been properly considered and effective controls are in place. Internal auditors can review the supplier selection process and assess whether the organisation has adequate and effective policies and procedures for tendering. They also have a key part to play in contract management, ensuring the right performance management systems are in place.
It is important to get internal audit involved as early on in the process as possible; they can assist by reviewing the process by which a decision was taken to seek a service externally. This could have a bearing on whether an outsourcing should proceed. It is also vital to keep tabs on outsourcing risks once contracts are up and running. Too often, ‘right to audit’ clauses that allow their oversight are not actually used.
We hope that the IIA's new report on outsourcing, which shares experience from across the public and private sector, will help civil service internal audit teams to make sure that outsourcing helps, not hinders, the delivery of high quality public services.