Unit4 handed police ERP deal after 'significant deficiency' found in Oracle Fusion system
Big Red product only went live in 2019, but commissioner is ready to ditch it
Cheshire Police has awarded mid-scale ERP vendor Unit4 a £3m two-year contract to replace a troubled Oracle implementation, which only went live on the latest Fusion software in 2019.
A simple procurement notice shows the police and crime commissioner for the English county issued a call-off contract via the Crown Commercial Services G-Cloud 12 Framework Agreement to award the vendor - which runs cloud-based applications on Azure - a deal including finance, purchase-to-pay, HR, and payroll services.
The brevity of the statement belies the circuitous route by which the police authority arrived at the decision.
The commissioner's Audit Advisory Committee report [PDF] of a 27 May 2020 meeting said the Oracle Fusion system, which went live in 2019 in the Oracle-based Multi-Force Shared Service (MFSS) group system, included "segregation of duties conflicts in Oracle Fusion between IT security and finance duties."
'Risk that internal access to information assets and administrative functionality may not be restricted based on legitimate business need'
Flagged as a "significant deficiency" by auditors at Grant Thornton, the problem meant 18 MFSS or Capgemini system administrator's accounts – service accounts that have the IT security manager role assigned to them – also had privileged access to the finance system. "This breaches good practice to split these abilities," the committee report said, and could allow account control by the vendor to "change system configurations," meaning "there is a risk that system-enforced internal control mechanisms are bypassed through inappropriate use of administrative functionality."
"Further, where IT staff are given access to finance roles and privileges there is a risk that internal access to information assets and administrative functionality may not be restricted based on legitimate business need," the report added.
Meanwhile, IT general controls were also weak, including a "lack of periodic Oracle third party service assurance report review," the auditors found.
A tender for a new system in October last year signalled the police authority's decision to part ways with the MFSS group system, set up in April 2012 between Northamptonshire Police and Cheshire Constabulary. Nottinghamshire Police joined in April 2015 and Civil Nuclear Constabulary in April 2016, with Capgemini as the services partner.
The tender followed a prior information notice launched in April last year.
Unit4 may be disappointed by the contract price – a piddling £3m compared with a potential £190m on the table.
The initial price is just for two years, which, unless the authority decides to jump to a third system in five years, is likely to be extended.
The contract notice put the value of the job at anything between £19m and £190m due to the maximum term being 20 years and other organisations taking part in the framework, the council explained last year. Its current contractual agreements for the Oracle system run out in late 2022.
Oracle has so far declined to comment. ®