ICL
Pathway
FUJ00079784
FUJ00079784
Internal Audit Plaw : 1994 Ref: IA/PLA/oo2
Version: 2.0
Date: 04/05/00
Document Title:
Document Type:
Internal Audit Plan : 1999
Plan
Abstract: This document provides details of the ICL Pathway
Internal Audit Plan for 1999. It also provides a brief report
on audit activities and draws conclusions based on the
reports output and experiences gained during the year.
Status: APPROVED
Distribution: Martyn Bennett John Bennett
Mike Coombs
David Groom
Library
Author: Jan Holmes
Comments to: Jan Holmes
Comments by:
COMMERCIAL IN CONFIDENCE Page 1 of 13,
© 2000 ICL Pathway Ltd
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1994 Refi IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
O Document controt
0.1 Document history
Version Date Reason
Ou 07/12/98 Initial draft
0.2 19/01/99 Second draft for Management Team circulation
1.0 26/01/99 Raised to issue following agreement from Management Team
1 20/08/99 Half year revision to reflect progress to date
1.2 04/01/99 Full year revision including 1999 Resume
2.0 04/05/00 Raised to issue status for formal sign-off
0.2 Approvel authoritiey
Name Position Signature Date
M. Bennett Director Quality & Risk
0.3 Associated documenty
Reference Vers Date Title Source
hi] CR/FSP/006 Audit Trail Functional Specification Pathway
[2] IA/MAN/004 Horizon System Audit Manual (NR2) Pathway
[3] IA/MAN/oo2 Internal Audit Manual Pathway
0.4 Abbreviationy
COMMERCIAL IN CONFIDENCE Page 2 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1999 Ref: 1A/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
O.S Changes mw thiy veriow
COMMERCIAL IN CONFIDENCE Page 3 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 19949 Ref: IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
0.6 Toble of content
UMTOMUCHION oo... eeeeccceescsessesesteseseseeeeneseceseeuenesesecesnenesssesesueseeesteseseseeesteneacseeteneneeesees
ZAudit Plan Content ......cecccssessssecsessesessescseesssseseeseesesesessesesseeansneeesseeatsneeeearenseeeeee
4Maintaining the Plan... ccceccecssseesesesesseesessesesseesssesesseessseesesscsesssesssseseearensaneses
5Internal Audit Plan : 1999.
61999 Resume of Activity
6.1Background
6.21999 Audit Achievements
6.2.1Customer Services
6.2.2Change Management.
6.2.3Implementation/NRO Preparation .........csseesseeseesseeeseesseesseesseesses
oo oo io io Mo CLE
6.2.4Security Policy Deployment ........ ccc sees eens
3
6.2.5Systems Division CSR + Development ........cccceesseseeeeesteseeseeneseees
3
6.2.6Dublin Development Cent?re ..........cccceeeeeceseeseeeseeesseensseneeseeneeenee
3
6.2.7ISO.Q001 Coverage .....seessesecsesecseesssesesseessseesesseessseesssnssesseessaeseeseensantese
6.2.BCancellations .......sccccsceccsecssecsseeesseesseessseesssecsseesseeesseessseessvessseesserssseesse LO
6.2.gJoint WOrKINg 0... esseesecseeseesseestesnesseesseestessessessssseeseesseesesneeseeeseenseste LO
6.3Conclusions and Projections ......c.ccce eee essesesseseseesesseeesseensseseseeneaseeee pT
6.3.11999 CONCIUSIONS......c.cecceseesesseseseesessestesessesuestesessesteseeseessstesesseseseesesee DD
6.3.22000 PrOjectiOns ........ccsccsessesseseesesseseesessesesesseeesesesssssseesssnsseeseeneanesees u
COMMERCIAL IN CONFIDENCE Page 4 of 13
ICL
FUJ00079784
FUJ00079784
Internal Audit Plaw : 1994 Ref: IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
Introductiow
Schedule Ao3 and Requirement 697 establish a right of audit access to ICL
Pathway by the sponsor organisations, their external auditors or other agents
operating on their behalf. This could entail ICL Pathway being subject to a
continual programme of audits by external organisations and the potential for
disruption in normal operations. Audits carried out by external organisations
will have their own objectives and any benefit to ICL Pathway would be
secondary.
The Internal Audit function in ICL Pathway has been established to meet two
key objectives :
a. To provide the interface between ICL Pathway and the sponsor
organisations in the implementation of the requirements of the Audit
Trail Functional Specification [1].
b. To work with the sponsor organisations in Joint Audits as described in
the Horizon System Audit Manual (NR2) [2].
b. To provide an independent audit capability within ICL Pathway, as a
service to management, and on which the Internal Audit units of the
external organisations can potentially place their reliance.
The ICL Pathway Internal Audit function is described in the Internal Audit
Manual [3].
Scope
This document describes a series of planned audits to be executed during 1999
in support of both objectives identified above.
The document does not include any sponsor organised audit activity.
Audit Plaw Content
The Plan contains the following information :
a. Identification of audit subject Area/System/Department.
b. Shared Reporting Indicator (SRI). [Y = shared; N = internal]
c Planned start date.
d. Actual start date.
e. Completion date. (Defined as date Report issued).
f. Audit Report Reference
COMMERCIAL IN CONFIDENCE Page 5 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1999 Ref: IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
4 Maintaining the Plaw
The Plan will be updated on a quarterly basis to reflect any changes brought
about by sponsor request and to firm up on dates left deliberately vague at the
beginning of the year.
The details of Actual Start, Completion Date and Report Reference will also be
added.
COMMERCIAL IN CONFIDENCE Page 6 of 13
ICL Internal Audit Plaw : 1999
Pathway
Versio
Ref: IA/PLA/oo2
2.0
Date: 04/05/00
FUJ00079784
FUJ00079784
S Internal Audit Plaw: 1999
Subject Ares Complete Report
Customer Services (completion of 1998 audit) N_ I September 98 16/11/98 09/03/99 IA/REP/ou
Systems Division : Design (R2+) N_ I February [1] 08/09/99 28/10/99 IA/REP/o15,
Change Management - Interface between Change Control & Delivery N_ I February 18/03/99 02/06/99 TA/REP/o12
Programmes Division : Implementation/Roll Out (NR2) N_ I March 31/03/99 08/09/99 TA/REP/o13,
Systems Division : Development (R2+) N= I April fb) 08/09/99 28/10/99 TA/REP/o15
Security Policy Deployment [P&S Acceptance R698/C2 Schedule Ao2] N_ I April [2] 11/03/99 12/07/99 1A/REP/o1g
Systems Division : Test & Integration (R2+) N_ I} May [i] 08/09/99 28/10/99 TA/REP/o15
Acceptance Review Audits [Audit Acceptance] Y I May-June [3] I 10/03/99 30/06/99 TA/ACR/oo2
Programme Office N I Q2 Cancelled
Business Development [Potential joint audit with POCL] y 1Q@ Cancelled
Invoicing/CCS [Potential joint audit with POCL & BA] Y I Q3 [4]
Quality & Risk Management N I Q3/Q4 Cancelled
Security Audit of Celestica Manufacturing Process N_ I May 06/10/99 18/10/99 TA/REP/o16
Dublin Development Centre (Data Warehouse) N_ I October 13/10/99 29/11/99 TA/REP/o17
ISOg001 Compliance Audit Report N_ I December [5] _ I 30/11/09 15/12/99 TA/REP/o18
COMMERCIAL IN CONFIDENCE
Page 7 of 13
ICL
Pothway
FUJ00079784
FUJ00079784
Ref: IA/PLA/oo2
Version: 2.0
Date: 04/05/00
Internal Audit Plaw : 19949
Notes :
il
[2]
3]
[a]
[5]
Postponed pending re-organisation to Q3.
Received 12" July and raised to Issue 9 December without amendment.
Complete date deemed to be date Acceptance Closure Report issued.
Became joint with POCL following BA withdrawal. In the event became
an activity to agree commercial audit trail with POCL.
A report of reports showing internal audit coverage against ISOgoo1
Requirements
COMMERCIAL IN CONFIDENCE Page 8 of 13
ICL
FU.
Internal Audit Plaw : 19949 Ref: 1A/PLA/ooz
Version: 2.0
Pothway Date: 04/05/00
6.1
6.2
1999 Resume of Activity
Background
The first half of the audit year was overshadowed by the involvement of
Internal Audit staff in the Acceptance process. Although not the largest or most
complex element of the system the fact that both customers (POCL & BA) were
actively involved in the audit solution ensured that acceptance planning
meetings were long and interesting affairs and that attention to detail and the
interpretation of the printed word was paramount. The removal of the Benefit
Payment Card from the solution during May simplified the final parts of
acceptance but meant that considerable effort that had already been expended
in steering Acceptance was redundant. During June and July Internal Audit was
also actively involved in the decommissioning work and acted as the prime
interface with BA in the handing over of BA data to BA Internal Audit.
The early part of 1999 was also spent in inducting and acclimatising the new
Auditor into both ICL and Pathway. This resource transferred to Group Internal
Audit in November.
1999 Audit Achiewementy
This resume concentrates on the programme of audits conducted during 1999.
The following paragraphs provide a brief synopsis of the execution or the
audits, the outcome and any conclusions that might be drawn.
62.1 Verification Centre
This audit was conducted in November 1998 and reported in January 1999.
However, it was not possible to close the Corrective Action Plan until October
1999 after a security review of the Celestica manufacturing process had been
carried out. The reasons for the delay have been explored and are trivial. The
effect however, was to render the security review worthless since it should have
been completed before roll out commenced mid year.
6.2.2 Customer Servicey
This audit was started in September 1998 and reported in March 1999. It is the
intention to re-visit areas of Customer Services during 2000. 34 Corrective
Actions were raised and the closure statistics are :
Open after 40 weeks 3
35 - 40 weeks to Close 3
30 - 35 weeks to Close 5
FUJ00079784
IJ00079784
COMMERCIAL IN CONFIDENCE Page 9 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1999 Ref: IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
25 - 30 weeks to Close 4
20 - 25 weeks to Close
15 - 20 weeks to Close 2
10 - 15 weeks to Close 1
5 - 10 weeks to Closeo
0-5 weeks to Close 1
Closed immediately 6
62.3 Change Management
Concern had been expressed during 1999 that there appeared to be a
breakdown of process between the Change Control process and the actioning of
approved CPs into the development lifecycle. An audit was commissioned into
this aspect of Change Management and identified a number of areas for
improvement. It also ventured into other areas, including time recording, and
made recommendations accordingly. 12 Corrective Actions were raised and the
closure statistics are :
Open after 22 weeks 6
15 - 20 weeks to Close 5
0-5 weeks to Close 1
6.2.4 Implementotion/NRO Preparation
This audit was undertaken with a ‘looking ahead to NR2 and NRO’ focus. The
audit got off to a slow start, due in part to the Auditor’s lack of familiarity with
Pathway’s organisations and processes. Despite this, and some early resistance
to the report content, the recommendations have been well received by this
part of the organisation as evidenced by the acceptance and closure of
corrective actions. 27 Corrective Actions were raised and the closure statistics
are:
Open after 14 weeks 2
10 - 14 weeks to Close 3
5 - 10 weeks to Close10
o-5 weeks to Close 3
6.2.5 Security Policy Deployment
This audit was included in the programme primarily to support the Policies and
Standards Acceptance activities. The work was conducted by personnel from
the Alliance & Leicester BS under the terms of the prevailing contract, one of
whom has subsequently joined Pathway. Although the audit was conducted in
the middle of the year the corrective actions were not fully identified or agreed
COMMERCIAL IN CONFIDENCE Page 10 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1999 Ref: IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
until mid November. 14 Corrective Actions were raised and the closure
statistics are :
Open after 6 weeks 7
0 - 4 weeks to Close 3
Closed immediately 4
6.2.6 Syytemy Division CSR + Development
During 1998 a series of Mid Stage Quality Audits was conducted in the then
Development Directorate. The 1999 Plan included a repeat series to be
conducted during the year. During Qi a major re-organisation of Development
was being planned and it was decided to postpone the CSR+ audits until Q3 and
carry out a single pass across the lifecycle. This became a significantly larger
piece of work than originally intended, took more resources than planned and
spawned a secondary MSQA into the Dublin Development Centre. The report
was issued during the last week on October and the CAP during the first week
in December.
Many of the corrective actions are likely to take some time to complete but it is
pleasing to report that 5 of the 27 raised have already been closed.
6.2.7 Dublin Development Centre
This audit was a supplementary to the CSR+ Development audit and covered
the Data Warehouse development. The timescales for report and CAP
production are similar and so far 4 of the 9 actions raised have been cleared.
6.2.8 ISOIOO1L Coverage
The CSR+ Development audit identified that the achievement of ISOgoo1, a
contractual requirement, was not being given sufficient management attention.
The ISO Programme Board was established to address the shortcoming and to
support this various audits completed during 1999 were re-visited and the
observations mapped against the requirements of ISOgoo1. It is proposed to
continue this during 2000 to provide evidence of the continuing audit
programme required by the Standard.
6.2.9 Cancellotiony
Inevitably there were some cancellations from the original programme
published in January. They were :
a. Programme Office. As the scope of the Change Management audit had
expanded and elements of PO activity were to be looked at by the CSR+
audit it was decided to cancel this audit.
b. Business Development. The uncertainty surrounding future business
made this audit redundant.
COMMERCIAL IN CONFIDENCE Page 1 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1999 Ref: 1A/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
c Quality & Risk Management. This became a victim of time at the end of
the year and will be an early candidate for 2000.
6.2.10 Joint Working
Apart from Acceptance work there were no opportunities to carry out any joint
audits with POCL or their agents. The Acceptance activities included two
‘audits’, carried out to prove the principles of audit access (R697) and the audit
trail (R699) :
a. Commercial Audit Trail. A visit to FELo1 by POCL/BA to review the
Common Charging System, Data Warehouse and __ invoicing
arrangements followed by a trip to BRAo1 to look at the Reconciliation
Exception Database. Five minor recommendations were made, one of
which was rejected and the other four have been cleared.
b. Operational Audit Trail. A visit to FELo1 to test the content, retention
and accessibility of the audit trail. A number of audit data extractions
were made for each party which led to some investigative work when
POCL were unable to reconcile the data to their sources. (NB. We were
ultimately shown to be right!)
6.3 Conclusions and Projectiony
6.3.1 1999 Conclusion,
Acceptance was a major distraction in 1999 and, to an extent, resulted in audit
activity being pushed to the second half of the year. That said the programme
was largely completed and the cancellations were low risk. Those audits that
were completed were, I believe, well received and worthwhile.
Pathway management’s attitude to Corrective Actions is improving, but only
very slowly, and the expectation still seems to be to wait until pushed for a
response by Internal Audit. A prime example of this was the audit of the
Verification Centre which reported in January 1999 but did not close down the
final Corrective Action until October, fully 10 months. There was no pressing
reason for the delay other than lack of management attention and action.
There are signs that a more proactive approach is being taken and I commend
Implementation’s recent efforts to close down their actions.
6.3.2 2000 Projectiony
Resourcing will be a problem in 2000. Stanley Loam, a qualified auditor who
joined us in Q3/98, has transferred to Group Internal Audit and I anticipate
using A&TC resource. This was tried in 1999 with only moderate success - it’s to
be hoped that better resource is available this year.
COMMERCIAL IN CONFIDENCE Page 12 of 13
FUJ00079784
FUJ00079784
ICL Internal Audit Plaw : 1999 Ref: IA/PLA/oo2
Version: 2.0
Pathway Date: 04/05/00
Recent changes in POCL personnel will inevitably lead to an element of re-
education and my intention is to reactivate the Audit Panel which proved
successful in bridging the gap between the Contract and working level
activities, hopefully to include Security matters.
It is also my intention to introduce the concept of the Audit Committee into
Pathway such that audits are conducted on its behalf, reports are made to it and
functional directors and managers are accountable to it for their corrective
actions. I anticipate that this Committee will consist of Managing, Programme
and Quality and Risk Directors from Pathway and, potentially, a representative
from Group Internal Audit.
COMMERCIAL IN CONFIDENCE Page 13 of 13