FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
Document Title: Internal Audit Plan : 1998
Document Type: Plan
Abstract: This document provides details of the ICL Pathway
Internal Audit Plan for 1998. It also provides a brief report
on audit activities and draws conclusions based on the
reports output and experiences gained during the year.
Status: Approved
Distribution: Martyn Bennett John Bennett
Tony Oppenheim Steve Muchow
Liam Foley John Dicks
Mike Coombs Terry Austin
John Hobson Kieran McGuirk
David Groom Warren Spencer
Library
Author: Jan Holmes
Comments to:
Comments by:
COMMERCIAL IN CONFIDENCE Page 1 of 9
© 1999 ICL Pathway Ltd
ICL Pathway
FUJ00079780
FUJ00079780
Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
0.1
0.2
0.3
bl
[2]
0.4
0.5
Document control
Document history
Version Date
ou 28/04/98
0.2 28/04/98
03 12/05/98
0.4 20/05/98
1.0 19/01/99
Reason
Initial draft
Following feedback from MHB.
Following feedback from DG. Removal of process element to
Internal Audit Manual.
Removal of audit activity in June, July and August to make
room for Acceptance work.
Raised to approved and including 1998 Resume.
Approval authorities
Name
M. Bennett
J. Bennett
Position Signature Date
Director Quality & Risk
Managing Director
Associated documents
Reference Vers Date Title Source
CR.FSP/o06 2.2
IA/MAN/o02.
Abbreviations
08/09/98 Audit Trail Functional Specification Pathway
Internal Audit Manual Pathway
Changes in this version
COMMERCIAL IN CONFIDENCE Page 2 of 9
FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
0.6 Table of content
VIMtrOdUctiOn .....eecscessecssesseessessecseesseeseesseeseessessecseesseeseessessecssssecsessseeseessssscseeseeses
ZSCOPC veeeecesecesesesesseesesescssesesessseeseseseessacsescseenssesssssesessesssesssessesessessacseseseeesseseeeeeeeieee
3 Audit Plan Content....
4 Internal Audit Plan : 1998
5 1998 Resume of Activity
5.1 Background ..
5.2 1998 Audit Achievement:
5.2.1 NR2 Mid Stage Audits .........c.scecssssesseeseesseessessessssseeseessessessssssessesseeesnes
5.2.2 Reconciliation Exception Database ............:ssesseesseessieessiessseessensies
5.2.3 The Validation Centre ....c.ccccsssessseesesssssesseseereseesssnesneseenssnesesseeneeneaes
5.2.4 Customer Services .....ceccccecsesseseeessessesessesesessessessesesseersseesssnesesseeneseeses
SONNY N ADAAUVA BDA
5.2.5 Honourable Cancellations .....ccccccccseseesessesseessesnesesesseseesesesneees
o
5.2.6 Early Lessons in Joint Working ..........cccssssesessesseeseesesseesessessenseesees
5.2.7 And Later SUCCESS .....ceeseessesseseesesseseesessesesessecseseesesnecesseenssueaeeseeneeseaees
ao
5.3 CONCIUSION Lecce esseseseseeneseseeeseenesssesneseceesesnsueseeeeeensasseeeeseeateneneeeeeneneee
Re}
COMMERCIAL IN CONFIDENCE Page 3 of 9
FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
Introduction
Schedule Ao3 and Requirement 697 establish a right of audit access to ICL
Pathway by the sponsor organisations, their external auditors or other agents
operating on their behalf. This could entail ICL Pathway being subject to a
continual programme of audits by external organisations and the potential for
disruption in normal operations. Audits carried out by external organisations
will have their own objectives and any benefit to ICL Pathway would be
secondary.
The Internal Audit function in ICL Pathway has been established to meet two
key objectives :
a. To provide the interface between ICL Pathway and the sponsor
organisations in the implementation of the requirements of the Audit
Trail Functional Specification [1].
b. To provide an independent audit capability within ICL Pathway, as a
service to management, and on which the Internal Audit units of the
external organisations can potentially place their reliance.
The ICL Pathway Internal Audit function is described in the Internal Audit
Manual [2].
2 Scope
This document describes a series of planned audits to be executed during 1998
in support of both objectives identified above.
The document does not include any sponsor organised audit activity.
3 Audit Plan Content
The Plan contains the following information :
a. Identification of audit subject Area/System/Department.
b. Shared Reporting Indicator (SRI). [Y = shared; N = internal]
c Planned start date.
d. Actual start date.
e. Completion date. (Defined as date Report issued).
f. Audit Report Reference
COMMERCIAL IN CONFIDENCE Page 4 of 9
FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Versio 10
Date: 19/01/99
4 Internal Audit Plan : 1998
MSQA#h : Design (NR2) N_ I Novig97 2/u/97 04/12/97 IA/REP/oo2
MSQA#z2 : Development (NR2) N_ I February 10/02/98 03/03/98 IA/REP/003
MSQA#s : Product Integration Testing (NR2) N_ I March 18/03/98 17/04/98 TA/REP/005
MSQA#4 : T &I (NR2) N_ I April 01/04/98 20/05/98 IA/REP/006
POCL/BA Release 1c Post Implementation Review Y I April Cancelled
Consolidated MSQA Report N_ I May 15/05/98 18/06/98 IA/REP/o04
Reconciliation Exception Handling Y I May 01/06/98 01/07/98 IA/REP/007
Customer Requirements N_ I May Cancelled _
Customer Services fi] I September 16/11/98 January 1999 TA/REP/on
Sub Contractor Control N_ I October Cancelled
Acceptance Technical Testing & Witnessing (facilitation role) Y I October 26/10/98 06/11/98 Unreferenced
Payment Card Helpdesk Operation Y I November Cancelled
The Validation Centre (late addition) N_ I November November 19/11/98 TA/REP/o10
[1] Ultimately dependent on scope of audit.
COMMERCIAL IN CONFIDENCE Page 5 of 9
FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
5.1
5.2
5.2.1
1998 Resume of Activity
Background
During 1997 it became increasingly clear that a dedicated audit function was
required in QRM to address the contractual audit requirement, the scope of
which was increasing with each passing day. The work to be undertaken then
and in the future included :
a. Interpreting the contractual audit requirement and, working with
Systems Division, document and provide assistance in their
implementation.
b. Liaising with the Internal Audit units of BA and POCL ensuring that
their service requirements were being addressed.
c Operating as the prime interface with these groups in the event of their
wanting to audit aspects of our business.
d. Conducting audits within the ICL Pathway domain to provide assurance
to management about the controls in place and, as a by product,
assurance to BA and POCL Internal Audit that such a programme of
work was taking place.
In October 1997 the Internal Audit function was ‘born’ from a standing start
with no personnel, processes, plans or relationships in place. An Audit Manager
was appointed and work started to establish the unit. In August 1998 an
additional Auditor was appointed bringing the unit’s strength to 2.
Girobank and other QRM resource has been used in conducting audits during
the year.
1998 Audit Achievements
This resume concentrates on the last element of work, conducting a
programme of audits during 1998. The following paragraphs provide a brief
synopsis of the execution or the audits, the outcome and any conclusions that
might be drawn.
NR2 Mid Stage Audits
Four Mid Stage Audits were conducted and the results consolidated into a
single Improvement Programme. There were 1 main areas of concern which
were being addressed through some 32 specific corrective actions. The areas for
concern were :
a. The control of documentation sets and baselines.
b. Documentation content and the potential for implementing
OPENframework principles on the project.
COMMERCIAL IN CONFIDENCE Page 6 of 9
FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
5.2.2
5.2.3
5.2.4
5.2.5
c Protection of assets, particularly intellectual property rights.
d. Inadequate programme metrics.
e. Rework costs, particularly PinICLs.
f. The adequacy of unit and link testing.
g. The interface between Development and PIT.
h. The review arrangements between Design and Test & Integration.
i. The software delivery mechanism in PIT.
je The relationship with The Solution Centre.
k. The impact of the new ICL Trading Rules.
As at 20'" January 1999 there were 12 corrective actions at status ‘closed’, 14 at
status ‘Action’ and 6 at status ‘Open’ and there was no evidence that the
Corrective Action Plan had been reviewed since the beginning of July. A review
of the CAP with the responsible bodies identified that all corrective actions bar
eight had been addressed and could be closed. The remaining ‘Open’ actions
were all part of an OPENframework initiative taking place in Design. This is
ongoing and the status will be reviewed during the Design MSA for R2+.
There will be a repeat series of Mid Stage Audits for R2+ during 1999.
Reconciliation Exception Database
The operation of RED by the Business Support Unit is a core activity and one
subject to close scrutiny by the customer. It was felt appropriate to take an early
look at this activity with a view to assisting BSU management establish effective
controls over its operation. The audit results suggested that not much
assistance was required, the unit was well controlled and only relatively minor
recommendations emerged.
The Validation Centre
The role of TVC becomes more important the closer the project gets to National
Roll Out. The audit of this unit identified some fundamental process issues,
particularly around the relationship between TVC, PIT and Celestica. A
worthwhile exercise.
Customer Services
Again, this audit was undertaken with a ‘looking ahead to NR2 and NRO’ focus.
Overall the opinion was very favourable with a number of relatively minor
recommendations emerging around the operation of the Service Support
Centre. BSU/RED was again audited but here it was to see how the earlier
recommendations had been applied to the move from FELo1 to BRAo1.
COMMERCIAL IN CONFIDENCE Page 7 of 9
FU.
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
5.2.6
5.2.7
5.3
Honourable Cancellations
Audits can be cancelled for a number of reasons, some valid, some not.
Excluding the Ric PIR which will be discussed later the following audits were
cancelled :
a. Customer Requirements. Due for May but was delayed until it became a
victim of competing assignments during Q3.
b. Sub-Contractor Control. Due for October but cancelled due to EPOSS
Task Force and PinICL QFP commitments.
c Payment Card HelpLine. Due for November but subsumed into the
Customer Services audit.
Early Lessons in Joint Working
During Qz the Audit Panel felt it would be useful and instructive to attempt to
conduct some Joint Working Activity. The subject would be a Post
Implementation Review of Release 1c and the key objectives would be to see
how well all parties had performed and identify any issues that needed to be
addressed before NR2 and NRO. Early meetings agreed Terms of Reference,
proposed dates and personnel. The agreed approach was that each Audit Group
would review activities inside it’s own domain and come back to a ‘show and
tell’ session afterwards. An overall report would be produced and this would be
shared.
It was at this point that BA announced that they had been advised by their
Contracts people that while they anticipated being able to see the outcome of
the POCL and Pathway work they, BA, would not be sharing anything with
anybody!
Needless to say the whole concept fell apart and the audit was abandoned.
And Later Success
The informal approach in Q2 was overtaken by a more formal requirement for
the Authorities to audit Technical Testing as part of the Acceptance process and
carry out witnessing of selected tests during Q4. Again TORs were agreed and a
team of auditors from POCL and BA spent a couple of weeks poring over
process, Test Strategies, HLTPs and Scripts. Our role was to facilitate this and
the subsequent witnessing of acceptance tests.
The audit was a success and the Authorities Auditor’s report, while trying hard
not to be too enthusiastic, clearly indicates that they were impressed with the
degree of organisation and control exercised in the area by Pathway.
FUJ00079780
IJ00079780
COMMERCIAL IN CONFIDENCE Page 8 of 9
FUJ00079780
FUJ00079780
ICL Pathway Internal Audit Plan : 1998 Ref: IA/PLA/oo1
Version: 1.0
Date: 19/01/99
Conclusion
It has not been easy juggling the demands of the customer, the delivery of the
audit solution and the introduction of an audit programme. That said I believe
the audits conducted during 1998 have been worthwhile and have resulted in
recommendations of value to Pathway.
The process is not yet right, for example the follow-up of Corrective Action
Plans needs to be more rigorous but this has to be matched by an acceptance by
the individuals responsible for those actions, and their Directors, that they have
to include these actions in their plans and execute them.
Pathway also has to be wary of viewing internal audits as the ‘silver bullet’ that
of itself will improve the quality of the Pathway product and services. A key
objective in conducting audits is to provide assurance that Managers are
managing and delivering their plans to requirements, be they time, function,
quality or cost. They do not aim to provide a backstop quality control function
to Managers nor to act as an organisation’s conscience where that organisation
relinquishes that responsibility.
COMMERCIAL IN CONFIDENCE Page 9 of 9