Part 1: Introduction
1.1
In this Part, we discuss:
- why we did the audit;
- what we audited;
- what we did not audit;
- how we carried out our audit; and
- the structure of our report.
Why we did the audit
1.2
Traditionally, public sector organisations (organisations) build and manage their own information and communications technology (ICT) infrastructure,1 and store and back up their information.
1.3
In 2010, the Government Chief Information Office (the GCIO2) started work on Infrastructure as a Service, which allows a potential pool of about 380 organisations to buy virtual servers, storage services, and backup services from selected private providers of ICT infrastructure services (ICT providers). This means that organisations can use what they need as their business needs change without having to buy new physical infrastructure or change staffing levels.
1.4
Organisations started using Infrastructure as a Service in 2012/13. It was expected to produce significant benefits for organisations.
1.5
Some organisations have used Infrastructure as a Service for about five years. Because it was one of the first shared ICT services,3 Infrastructure as a Service was expected to play an important role in encouraging organisations to outsource ICT services to ICT providers in an easy, effective, and efficient way.
1.6
We carried out an audit because we wanted to assess whether the GCIO was adequately monitoring and reporting Infrastructure as a Service's progress towards achieving its expected benefits.
1.7
We also wanted to find out:
- whether the expected benefits from Infrastructure as a Service were being achieved for organisations and for the wider public sector; and
- whether the GCIO was applying lessons to improve its broader implementation and management of changes to public sector ICT infrastructure.
What we audited
1.8
We focused our audit on the GCIO's role because it is the lead agency for Infrastructure as a Service. Part 2 and Appendix 2 have more information about the GCIO's role and the strategic context for shared ICT services.
1.9
Our main audit question was: Are the benefits expected from Infrastructure as a Service being achieved for organisations and the wider public sector?
1.10
We looked at:
- the suitability of the governance arrangements;
- aspects of Infrastructure of a Service's design;
- whether the GCIO clearly communicated Infrastructure as a Service's expected benefits;
- whether the GCIO regularly assesses and reviews progress towards the expected benefits; and
- whether the GCIO is using lessons from implementing Infrastructure as a Service to improve its implementation. This is especially important because the GCIO expected that using Infrastructure as a Service would increase organisations' confidence to use other shared ICT services, such as Telecommunications as a Service, and, eventually, public "cloud" services.4
1.11
When the GCIO did not have information specific to Infrastructure as a Service, we looked at evidence about all shared ICT services, such as governance arrangements.
What we did not audit
1.12
We did not look at:
- the procurement process that the GCIO used to select ICT providers to deliver Infrastructure as a Service;
- the contractual arrangements between the GCIO, organisations using Infrastructure as a Service, and ICT providers;
- the suitability of any technical services supplied by the ICT providers; and
- other shared ICT services.
How we carried out our audit
1.13
We analysed documents from the GCIO and other organisations involved in Infrastructure as a Service. We also analysed documents that are available online, such as Cabinet papers and general information about shared ICT services.
1.14
We talked to two or more senior individuals from each of six organisations using Infrastructure as a Service for different periods to understand their experience of using it, the effect it has had on their organisation, and their experience of working with the GCIO. We met with chief information officers, chief technical officers, and chief financial officers.
1.15
We interviewed staff from four organisations that were required to use Infrastructure as a Service5 and two organisations that chose to.6 We did this to see whether there were any differences in their comments.
1.16
We interviewed seven people from the GCIO who had important roles in managing Infrastructure as a Service.
1.17
We invited the three ICT providers to meet with us. We wanted to get their perspective on the changes that Infrastructure as a Service has made to their work and to their relationships with organisations, and whether the service is performing as planned. Two of the ICT providers accepted our invitation.
1.18
We wrote to selected organisations that are required to use Infrastructure as a Service (excluding district health boards7) but that had not yet started using it. We wanted to find out why they are not using it and whether there are any barriers to using it.
The structure of our report
1.19
In Part 2, we discuss why Infrastructure as a Service was established, how it operates, and how it is governed.
1.20
In Part 3, we discuss Infrastructure as a Service's benefits and whether organisations, ICT providers, and the GCIO consistently understand those benefits.
1.21
In Part 4, we discuss how the GCIO assesses and reviews Infrastructure as a Service's benefits, the extra information we looked at to get a deeper understanding of its benefits, and what the GCIO could do to better measure the benefits of all shared ICT services.
1.22
In Part 5, we discuss what the GCIO has done to identify and apply lessons from implementing Infrastructure as a Service to improve its broader implementation and management of changes to public sector ICT infrastructure.
1: ICT infrastructure includes an organisation's hardware (mainly physical servers), software, networks, data centres, facilities, and related equipment, which is used to develop, test, operate, monitor, manage, and support ICT services.
2: The Government Chief Information Officer is also the chief executive of the Department of Internal Affairs. They are supported in their specialist role by the Government Chief Information Office, a business unit in the Department of Internal Affairs. We use the term "the GCIO" to refer to both the Government Chief Information Officer and the business unit. Towards the end of our audit, the Government Chief Information Officer was renamed the Government Chief Digital Officer and the business unit was renamed the Government Chief Digital Office.
3: Shared ICT services are technology services available through the GCIO, which multiple organisations can use to support the delivery of their business aims. Infrastructure as a Service is one of more than 20 shared ICT services. Appendix 1 provides a list of these shared ICT services.
4: Public cloud services are applications, services, or resources that ICT providers make available to users through the Internet on demand.
5: Appendix 3 lists the organisations that are required to use Infrastructure as a Service.
6: So that we could include a variety of organisations in our sample, we considered organisation size, the type of work organisations do, and the sectors the organisations work in. We also considered the GCIO's advice on whether organisations were high, medium, or low users (based on consumption levels, which means the quantity of services an organisation buys) of Infrastructure as a Service.
7: We did not contact the district health boards because we knew that they were part of an unsuccessful joint project co-ordinated by NZ Health Partnerships Limited (NZHP) to adopt Infrastructure as a Service, which had delayed uptake. In 2016/17, NZHP worked with 12 district health boards to help them connect to their preferred ICT provider and with their planning to transition to Infrastructure as a Service.