You are reading 1 of 2 free-access articles allowed for 30 days
The unpublished internal HSE report also outlines how a large number of recommendations from ICT audits made over the last number of years have not been implemented.
The report, which was prepared for a meeting of the HSE Audit Committee in April, states that the HSE needs to obtain service assurance reports from organisations that have control over key ICT processes.
“Management should develop and implement appropriate policy and guidance on assurance activities surrounding outsourced information and communication technology arrangements and formalise contracts and service level agreements where none exist for suppliers of ICT services,” according to the report.
Actions should also be implemented to address control weaknesses in outsourced ICT arrangements, the report adds.
Another serious issue outlined in the report is that a number of weaknesses in ICT general controls raised in prior years have not been resolved, despite agreement that they would be addressed.
The document states that the recommendations from 14 ICT audits, comprising 78 findings between 2012 and 2015, have yet to be fully addressed. These are due to be completed this year.
Also, in 2016 there were 110 ICT audit findings unimplemented and 31 so far in 2017.
In April 2017 there were 29 open and tracked ICT audits with a total of 219 open findings/recommendations.
“Management appear to be having more success at addressing low-risk ICT audit findings when compared with medium- and high-risk findings,” according to the report.
“This may be correlated with the degree of effort that is required in driving appropriate actions, but also raises questions about how audit recommendations are prioritised, tracked and monitored by management.”
HSE management should implement sustainable process improvements to prevent re-occurring audit findings and monitoring mechanisms to ensure audit findings are addressed in a timely manner, the report stated. “Management should also consider issuing regular learning notes to key staff when findings are addressed for an area where weaknesses are systemic or widespread in nature,” it added.
The HSE’s total ICT capital budget for 2017 was €55 million, which was criticised as being completely inadequate by recently departed HSE Chief Information Officer Mr Richard Corbridge.
The HSE is also still awaiting Government approval for its business case to roll-out a national electronic health record, which was costed at €875 million to roll-out over 10 years.