NES Scotland digital chief says development of Turas platform shows the need for new approaches to providing assurance on projects
Organisations working on agile projects need to build a good dialogue with auditors to ensure they understand the key elements of the approach, a leading official of NHS Education for Scotland (NES) has said.
Christopher Wroath (pictured), the organisation’s director of digital transformation, outlined his thinking at Whitehall Media’s Public Sector Enterprise ICT conference this week.
He said it has been one of the main learnings to emerge from the development of Turas, the unified digital platform for data and applications used by NHS and social care staff in Scotland.
Wroath recounted a problem with the initial audit of the platform project when the internal auditors used a checklist based on the waterfall methodology that was not relevant to the agile approach taken by the project team. Examples of the supposed shortcomings were that they wanted to see a business case when the project was instead built on a digital vision, and specification requirements when it used a backlog of the desired functionalities in the project.
This led him to realise that, while it is important for an audit to provide reassurance to an organisation that a project is on track, it should not be “something that is done to you”.
“In fact, it’s about making sure the organisation can have reassurance that you’re doing what it needs you to do,” he said.
“Being an agile person I think that’s really important, because for agile to work you have to plan around the business benefit and that has to be checked off correctly. So I realised that I didn’t want to have something done to me, but to work with the auditor to find out what I could do to show quite how excellent it all was.”
In response, he began to talk to the auditors about what the project was intended to achieve, how the agile approach was meant to make it possible, and what was needed to provide the assurance to senior officials in NES.
It was not necessary to change the governance of the organisation, but: “We needed come up with a different way of giving assurances, start developing the artifacts we were using on a daily basis in our agile development in such a way we could present what we were doing in a way auditors could check off.”
Records and decisions
One of the needs to emerge was to make a record of business decisions and of elements of the software development being delivered as required, and it was necessary to ask the auditors what type of decisions they wanted reported.
“And you need to do that at the beginning,” Wroath said. “Don’t just wait for the auditors to turn up.”
He also said it is critical to have an “authorised environment” in which people in different roles can make day-to-day decisions without feeling they will be challenged retrospectively. This applies particularly to the product owner in an agile project.
“This comes back to the audit,” he said. “It’s important for the decisions to be reported in such a way that product owners will not feel they are going be hauled over the coals if at some point down the line it was found not to be good.”
Wroath said this has contributed to the success of the Turas project. The platform is now live with five niche applications and a sixth scheduled for addition next April.
He added that he is finishing work on a handbook on agile in the public sector that will go for approval by Audit Scotland and should be available within a few weeks.