Electronic procurement card: review management report

Electronic Purchasing Card (ePC) transactional data released to the Scottish Labour Party via a Freedom of Information (FOI) request was subsequently given to various media outlets in August 2023. This report provides a summary of the reviews undertaken and the key findings from these reviews


2. Reviews Undertaken

Following the excess data release, the First Minister commissioned from the Permanent Secretary a review of ePC covering three specific areas:

1. Undertake a cyber investigation into the data handling;

2. Review the current policy and procedures; and

3. Review the current compliance with the policy and procedures.

2.1 Cyber Investigation Review

Regarding the first of the three areas above, a full cyber investigation was undertaken and completed which identified that the excess data had been released accidentally via FOI request. On establishing that both card holders and wider SG staff names had been shared publicly, guidance was sought from the SGs Information Assurance and Data Protection team who fully assessed the situation and confirmed that the release was assessed as of low risk. The Information Commissioners Office (ICO) were also made aware of the incident.

After carrying out an extensive review a final report was produced which includes a range of recommendations to improve both data security and protection, summarised below:-

  • Improved controls and governance on access to systems and the information available from these.
  • Enhanced cyber terms and conditions to be added to next ePC – Payment Solutions Contract (due August 2024).
  • More awareness on best practice in how data is shared. If there is a requirement to share sensitive data with external parties, Objective Connect should be considered.
  • More training for individuals involved in the FOI process.

To support and address any cardholders’ concerns emails were issued directly to those individuals offering them support and wellbeing guidance and to address any questions.

2.2 Internal Audit Review

The Permanent Secretary commissioned the SG Internal Audit Division to undertake an independent review on elements two and three above. The scope of the review was to provide assurance to the Permanent Secretary as Principal Accountable Officer on the propriety and approval of a targeted group of transactions. This included reviewing 194 transactions that had been the focus of reporting or commentary in the news and social media, totalling £37,075.24, full list of transaction are included at Annex A. The scope of the review also included providing recommendations for improvement regarding the ePC policy and guidance to further reduce the risk of potential non-compliance with the policy and/or instances of potential card misuse.

To avoid any perceived conflict of interest, one transaction which was made by a cardholder in the Directorate for Internal Audit and Assurance was excluded from the Internal Audit review but was reviewed separately by the Scottish Procurement and Property Directorate (SPPD). Details of the transaction are included at Annex A. On review of the information provided by Internal Audit SPPD found that the appropriate policy was followed.

The key findings from the Internal Audit review include:

  • Of the 194 transactions reviewed by Internal Audit, 193 were assessed as appropriate under the current policy.
  • The transaction that was not appropriate under current policy was identified as a fraudulent transaction on the system. The cardholder confirmed they did not use the card for this purchase but were notified by the Royal Bank of Scotland that the transaction was fraudulent, with the card subsequently being de-activated. The expenditure was refunded.
  • All purchases reviewed were made by approved cardholders, with the exception of the fraudulent transaction.
  • There are a number of opportunities for strengthening compliance with the policy and guidance, including:
    • ensuring the criteria for being assigned ePC roles and responsibilities are met;
    • maintaining an appropriate audit trail and updating the ePC Policy to make clear the roles and responsibilities for this and the nature of evidence which should be retained;
    • ensuring policy requirements regarding obtaining quotes for purchases over £1000 are adhered to and can be evidenced;
    • improving the level of detail recorded on the nature of transactions;
    • There were a number of categories of expenditure (e.g. away days/staff development/team building and associated purchase of supplies and hospitality, alcohol, role-specific expenditure and traffic fine) which were considered appropriate under the current policy, these categories of spend will be reviewed and policy will be updated to include the necessary exclusions.

Internal Audit has made five recommendations for improvement to the ePC policy guidance and associated processes, which are summarised below:-

  • Review of ePC Policy and guidance – including reviewing categories of exclusions and out of scope spend, the number and distribution of card holders, card usage and limits, making clearer the requirements of those with ePC responsibilities regarding retaining an audit trail to support the transaction, and including guidance on the process to be followed in the instance of a fraudulent transaction and the policy regarding re-payment of monies (see information on UK Government position below).
  • Recommended mandatory training and periodic refresher training for those with ePC responsibilities.
  • Compliance and Controls, Monitoring and Reporting – where the existing controls and compliance monitoring processes should be reviewed and enhanced.
  • Compliance and Controls Cardholders and Usage - The ePC Team should review the number of cardholders – taking into consideration business need, and business continuity requirements. Historical expenditure and usage should be considered, and the number of cardholders should be rationalised if current numbers are found to exceed business need.
  • Information Governance - Smart Data On-Line (SDoL – Royal Bank of Scotland’s secure online management information system) retains financial records for three years, after which, they are automatically deleted. The ePC Team, in liaison with Information Governance colleagues should investigate whether this is in line with relevant SG retention policies.

Review of ePC controls and compliance will feature in Internal Audit’s forward programme of work.

2.3 Benchmark with UK Government ePC policy

In addition to the Internal Audit review, we have also engaged with the UKG to benchmark wider ePC policies and to identify any lessons learnt and where improvements could be made. We have identified three areas that strengthen current protocols and policy which we will implement:

1. UKG policy states that receipts and invoices must be retained for all transactions on ePC cards for 3 years; currently this is not required within SG policy.

2. UKG monthly limit is £10,000 and a single transaction limit of £5,000 per transaction. A business case is required to increase or decrease the limit with a specific form used for audit purposes. The SG policy uses monthly and single transaction limits of £25,000 and £5,000 respectively.

3. UKG policy states if card is used inappropriately card holder would need to pay monies back. This recommendation is not currently included in SG policy.

Contact

Email: epc_mailbox@gov.scot

Back to top