UK's Cheshire Police tenders for whole new ERP system after Oracle Fusion went live with 'significant deficiency'
Did we say £11m? Contract value now ranges from £19m to, er, £190m!
Updated The police force for England's northern county of Cheshire is seeking a new ERP system in a deal worth up to £190m after a troubled launch of Oracle Fusion.
The contract notice from Cheshire Constabulary, on behalf of the Police and Crime Commissioner for Cheshire, is the latest instalment in a saga that could see the force replace its core system just 18 months after its Oracle Fusion solution went live following a three-year migration.
The notice said the police force was looking for a system to support HR, finance, procurement, payroll services, purchase to pay, and reporting and management information, among other features. It requires "a solution that has a self-service offering that is intuitive and user friendly"; one that is able to "meet the business needs and support integrated end-to-end processes"; and one that (it goes without saying) offers "exceptional value for money whilst reducing any risk".
Cheshire Police celebrates three-year migration to Oracle Fusion by lobbing out tender for system to replace it... one year laterREAD MORE
Since the initial prior information notice was published in April, the contract's value has ballooned from an estimated £11m to anything between £19m and £190m.
As The Register has already reported, the market engagement follows the creation of an Oracle-based Multi-Force Shared Service (MFSS) group system, set up in April 2012 between Northamptonshire Police and Cheshire Constabulary. Nottinghamshire Police joined in April 2015 and Civil Nuclear Constabulary in April 2016, with Capgemini as the services partner.
It was based on Oracle E-business suite, but prep work began for an upgrade around September 2016. Although an Internal Audit Plan [PDF] said the move to put finance on Oracle Fusion would take place in October 2018, it was delayed as potential partners began to drop out. Oracle Cloud Applications eventually went live on 1 April 2019, according to an audit. The report detailed the cost of the delay to the Multi-Force Shared Services as £1.02m.
But it turns out the initial experience with Oracle Fusion was not a happy one.
According to an Audit Advisory Committee report [PDF] of a 27 May 2020 meeting, there was a failure in the "segregation of duties conflicts in Oracle Fusion between IT security and finance duties".
Flagged as a "significant deficiency" by auditors at Grant Thornton, the problem meant 18 MFSS or Capgemini system administrator's accounts – service accounts that have the IT security manager role assigned to them – also had privileged access to the finance system.
"This breaches good practice to split these abilities," the committee report said, and could allow account control by the vendor to "change system configurations" meaning "there is a risk that system-enforced internal control mechanisms are bypassed through inappropriate use of administrative functionality."
"Further, where IT staff are given access to finance roles and privileges there is a risk that internal access to information assets and administrative functionality may not be restricted based on legitimate business need," the report added.
Meanwhile, IT general controls were also weak, including a "lack of periodic Oracle third party service assurance report review".
A further Audit Advisory Committee report [PDF] from a 29 July 2020 meeting noted the external auditor had explained that this "significant deficiency" is a "standard feature on all Oracle systems which is not ideal but very common".
It went on to conclude that the issues had been addressed "in conjunction with partners and suppliers".
The report also pointed towards the future procurement: "Work to consider the underpinning commercial arrangements at the expiry of current contractual agreements in late 2022 are now necessary and are commencing due to the complexity of these arrangements," it said.
The deadline for bidding in the new procurement is 20 November 2020.
Despite The Register's questions, the force has not made it clear whether it plans to replace Oracle's system with that of another vendor or will accept bids from others planning to support the system. But in a statement that perhaps betrays the force's true feelings about Oracle Fusion, the contract notice said it is now looking for "a solution that is fit for purpose for at least 20 years after implementation". ®
Updated at 10:50 on 14/10/20 to add
Cheshire Constabulary has been in touch to say: "Cheshire Constabulary currently uses Oracle Fusion ERP systems to fulfil the majority of its back office transactions."
It also maintained that: "The overwhelming majority of audit reports on these various elements of the system receive substantial assurance, and there are no major problems in this arena. Any problems raised have been quickly rectified.
"This contract was initially awarded to Capgemini (partnered with Oracle) for the Oracle E Business Suite platform in 2010 with a final Go Live date in 2013. The upgrade to Oracle Fusion took place on 2019, following an extension of the original contract."
The force said that since the contract is due to expire in November 2022, it had "now gone to tender for a replacement system, which will cover the majority of back office transactions. This is open to any system – whether ERP-based or not."
Responding to The Register's questions about the wide £19m to £190m contract value range, the constabulary said:
"The reason that the value of the contract is higher than the original estimate is due to the fact that the Constabulary is now looking at a potentially longer-term contract of up to 20 years – and not 10 as originally stated.
"In addition, as part of the process, a number of other organisations have also been named on the framework, meaning that the total value of the contracts drawn down from the framework could range from £19m to £190m depending on how many organisations decide to use the framework."