Internal Audit Briefing Document - Altair Data Transfer
Introduction:
Until recently, the administration of the Pension Fund has been managed through a collaboration with Surrey County Council as part of Orbis Business Operations. However, there is currently a project in place to disaggregate the administration team and bring East Sussex Pension Administration back in-house.
The current contract for the pension administration system, Altair, was due to expire in early 2021, and a new contract between the East Sussex Pension Fund and Aquila Heywood was negotiated for the provision of Altair at a total cost of approximately £1.7m over five years, beginning April 2021.
Given the timescales involved in the project to transfer to the new system, with the original planned go-live on 1 April 2021, there was only limited time to provide audit advice and support into this. We therefore agreed, via a terms of reference agreed on 3 March 2021, to focus specifically on reviewing the arrangements for data migration and testing, where there are clear information governance risks and risks to the quality, completeness and accuracy of data. Given the short timescales involved in the transition, it would not have been possible for us to complete any additional work in this area.
We would like to take the opportunity of thanking project management and the project team for their assistance in completing this short review, at a time of considerable pressure to them.
Conclusion:
In completing our work, we identified various issues/risks for consideration by project management as part of their go-live decision. In discussing these, we are comfortable that adequate arrangements are in place to mitigate the issues raised and this was reported to the Oversight Group on 25 March 2021 and the Change Advisory Board (CAB) on 26 March 2021. The decision to proceed with go-live was made by CAB at the same meeting.
Findings:
Proposal to Maintain a Duplicate Database
We had some concerns around the proposal to maintain a duplicate database within the Surrey County Council (SCC) version of Altair, (for a period of 6 months) for business continuity reasons, as we understood this was to be done on a ‘good faith’ basis, outside of the Inter-Authority Agreement, and could result in data relating to members of the East Sussex Pension Fund (ESPF) being lost should SCC experience a data breach.
We also raised concerns around the information governance arrangements within the project, to ensure there was appropriate liaison with, and approval, from the Data Protection Officer in relation to data being held outside of the organisation, and to ensure there was a Data Protection Impact Assessment (DPIA) in place for the transfer of data and the disaggregation of the administration function.
We understand that these issues are being addressed as part of the collaborative effort between the Fund and the Information Governance Team, as agreed at the exceptional meeting of the Change Advisory Board on 26th March.
Potential Unauthorised Changes to the ESPF Module within the SCC Database
We raised a potential issue that, although there were plans in place to ‘lock down’ the ESPF module within the SCC database to reduce the risk of changes being made in the SCC database that are not reflected within the new ESPF system, we were unaware of plans to confirm that no such changes had been made. Since our work, however, we understand that there is a plan for Aquila Heywood to undertake a final reconciliation of the database before and after the data transition which will highlight any differences for investigation.
Technical Risk Assessment
No technical risk assessment has been completed by IT&D on this instance of Altair, as IT&D consider that the one completed on the previous version is sufficient.
We did, however, make a general observation around information security and it has since been confirmed that only a small number of officers will be given administration rights over the Altair system to create and remove users and reset passwords. In addition, a quarterly review of access levels and permissions is proposed to maintain information security.
Project Risk Register
Although there is a risk register in place for the disaggregation and Altair implementation, at the time of our work, some risks had not been assigned an individual owner, potentially resulting in appropriate mitigations not being implemented as required. The project team have since amended these risks to remove the whole team ownership and assign two individuals as owners; one member of the project team and an employee from Aquila Heywood, in order to exercise full oversight.
User Acceptance Testing
We noted that there were two versions of the user acceptance testing (UAT) programme in place, with some overlap between the two. We highlighted the need for the project team to ensure that the programmes exercised sufficient coverage over the whole system in order to ensure that no defects existed post-go live.
We also noted two defects recorded within the defect tab of the UAT spreadsheet, one rated ‘critical’ and one ‘low’ which hadn’t been resolved when completing our work. The ‘critical’ defect was escalated to the Head of Pensions Administration for resolution, whilst the ‘low’ defect has been noted to only impact three members, meaning that it does not require resolution for go-live. We understand from the CAB meeting of 26 March 2021 that all the UAT of the MSS Portal, Altair data migration and dual payroll is being signed off by the Head of Pensions Administration.
Altair Database
The new Altair database is being held on an Oracle server, which required external involvement to set up due to a lack of specialist knowledge in-house. We suggested that the risks relating to the logistics and associated costs of maintaining the system and responding to issues where in-house knowledge and provision is unavailable, should be considered. The Head of Strategy and Engagement agreed, at the meeting of the Oversight Group on 25th March, that she would take this issue forward from an IT&D perspective.
Jodie Lulham, Senior Auditor
31 March 2021