Part 9: Information technology and procurement
Public entities are increasingly using information technology to carry out or support aspects of their business. This means that public entities need to procure information technology. Public entities are also increasingly using information technology to procure other goods and services.
Given the breadth, specialist nature, and fast pace of change in this area, we have not attempted to provide a comprehensive outline of it. Instead, in this Part, we provide:
- some policies and standards public entities may need to consider when implementing e-procurement (using information technology to procure other goods and services) that are additional to the policies and procedures in these guidelines; and
- reference to other guidance that public entities may wish to consider when procuring information technology.
E-procurement policy and standards
A public entity that implements e-procurement systems should ensure that any new procedures that are established meet the same legal and policy obligations that govern all government procurement. In addition, a public entity will need to ensure that it adopts additional policies and standards covering the different procedures and risks associated with e-procurement.
The additional areas that will need to be covered include:
- electronic invoicing;
- electronic records management;
- commodity classification;
- online security;
- authentication controls;
- access controls;
- audit trails; and
- business continuity.
Electronic invoicing (e-invoicing)
E-invoicing is the transmission and storage of invoices by electronic means, without the delivery of paper documents. A public entity's relevant policies and procedures will need to cover:
- the content of the invoice;
- the means of demonstrating that the invoice is for a genuine supply;
- the means for maintaining an audit trail, including arrangements for an auditor to access information;
- the content of credit notes, including how they will enable the original invoice to be identified;
- the means for ensuring the authenticity of the origin and integrity of the invoice;
- the decision on whether self-billing will be carried out (this is an arrangement where the public entity determines the value of goods or services supplied, raises the supplier's invoice, and forwards it to the supplier, with or separate from payment) and, if so, how self-billing will be controlled;
- the means for storing electronic invoices; and
- the decision on whether digital signatures are an accepted method of authentication for e-invoices, and the controls and audit trail that will be needed.
Electronic records management
Electronic records unlock content that was previously difficult to access in paper form, enable more effective sharing of information, and contribute to knowledge exchange. However, they need to be retained and maintained over the medium to long term, because the records are also an important tool for accountability.
Commodity classification
Commodity classification is the assignment of a structured coding mechanism to goods or services that a public entity may wish to purchase.
The purpose of commodity coding is to make it easy to identify products or services that are similar in function, or related in some way, such as a mobile phone and a mobile phone cover. Coding is a tool that enables more accurate catalogue searching.
Systems interoperability
Systems interoperability is the smooth transition of data between systems in a public entity (for example, between an e-procurement system and a finance system), and externally (for example, between a buyer's e-procurement system and a supplier's electronic system).
Public entities need to ensure a method of data flow that will enable interoperability.
Online security
Before implementing any electronic procurement solution, public entities should assess all risks to information and services. This will determine the security levels required. With an e-procurement system, the higher the value or confidentiality of the transactions through the system, the higher the required security level.
The level of security a public entity chooses as being appropriate to e-procurement will affect a number of other security decisions, including:
- user identification, or verification of a user by a unique user identifier;
- authentication, or validation (through password or digital certificate) that the user's identification belongs to the user who presented it;
- access control, or verification of the privileges of authenticated users;
- integrity, or verification that data does not change at any point in the process;
- non-repudiation, or verification of authorship and integrity of transactions – this authenticates the audit trail associated with the transaction; and
- confidentiality, or the prevention of access by unauthorised persons.
Authentication controls
Any purchasing system must support authentication of users so that individual transactions can be traced back to the relevant person. Generally, this is by user name and password.
Alternatively, the authentication mechanism could use network logins or other directory services, while higher security requirements may demand token-based methods such as digital certificates, smartcards, or biometric devices. The latter options are based on the common security principle of requiring “something you have” (for example, a smartcard) as well as “something you know” (such as a password or personal identification number) to achieve a much higher degree of security.
Further guidance can be found in Authentication for e-government: Best Practice Framework for Authentication.1
Access controls
To ensure that users have access to the functions they need to do their jobs, an e-procurement system should incorporate a “role-based” access control mechanism. This should allow a particular role to be assigned to each user of each application, and determine which functional areas that role incorporates.
Audit trails
A robust e-procurement system should incorporate a comprehensive audit trail, with a record of who did what and when at various important stages of the purchasing process. The system should also allow internal control rules to be incorporated. For example, the person who approves a requisition must be different from the requisition originator. Setting out such principles in the purchasing application can be a useful countermeasure against possible fraud.
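The role-based access mechanism and the internal control rule described above (an approver who must differ from the requisition originator, with every attempt recorded in an audit trail) can be modelled in a few lines. This is an added illustration, not code from the guidance or from any e-procurement product; the role names, permissions and sample users are assumed.

```python
# Added example: role-based access, the approver-differs-from-originator rule and an
# audit trail for a requisition workflow. Role names, permissions and users are assumed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed role-to-permission map: each role lists the functional areas it may use.
ROLE_PERMISSIONS = {
    "requisitioner": {"raise_requisition"},
    "approver": {"raise_requisition", "approve_requisition"},
}

@dataclass
class Requisition:
    ref: str
    originator: str
    amount: float
    approved_by: Optional[str] = None

class ProcurementSystem:
    def __init__(self, user_roles: Dict[str, str]):
        self.user_roles = user_roles  # user -> single role (assumed)
        self.requisitions: Dict[str, Requisition] = {}
        # Audit trail entries: (timestamp, user, action, requisition ref) = who did what, and when
        self.audit_trail: List[Tuple[str, str, str, str]] = []

    def _log(self, user: str, action: str, ref: str) -> None:
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), user, action, ref))

    def _permitted(self, user: str, permission: str, ref: str) -> bool:
        # Role check; refused attempts are logged too, so the trail shows them.
        allowed = permission in ROLE_PERMISSIONS.get(self.user_roles.get(user, ""), set())
        self._log(user, permission if allowed else "DENIED " + permission, ref)
        return allowed

    def raise_requisition(self, user: str, ref: str, amount: float) -> bool:
        if not self._permitted(user, "raise_requisition", ref):
            return False
        self.requisitions[ref] = Requisition(ref, user, amount)
        return True

    def approve_requisition(self, user: str, ref: str) -> bool:
        req = self.requisitions.get(ref)
        if req is None or not self._permitted(user, "approve_requisition", ref):
            return False
        if user == req.originator:  # internal control: approver must differ from originator
            self._log(user, "DENIED approve_requisition (self-approval)", ref)
            return False
        req.approved_by = user
        return True
```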
Business continuity
To protect historic data in the event of a system failure, or to allow a purchasing department to continue operating off-site in the event of a disaster, security arrangements should also include a business continuity plan. This should detail:
- precautions to prevent disasters from occurring, such as virus checking;
- physical security in the premises where the application is held;
- duplication of data onto multiple storage devices; and
- procedures to follow in the event of an unrecoverable disaster – for example, procedures for retrieving off-site backups or relocating to a “warm recovery” server that contains all the public entity's historical data.
It is important to test continuity plans regularly.
Information technology procurement
The State Services Commission and the Treasury have issued Guidelines for Managing and Monitoring Major IT Projects. The guidelines cover strategic alignment, developing a business case, procurement, and project management. The guidelines are available on the State Services Commission website (www.ssc.govt.nz).
We published a report Governance and Oversight of Large Information Technology Projects in 2000.
In addition, the Information Technology Association of New Zealand has prepared the Information Technology Procurement Guidelines for organisations that are carrying out technology purchases.
The Industry Capability Network New Zealand has also issued a booklet series Understanding Public Sector Procurement Processes: A Suppliers Guide to the Procurement of ICT Goods and Services to assist suppliers of information and communications technology services in the public sector. Although the guidance is written from the supplier's perspective, public entities may still find it helpful.
1: State Services Commission (2004), www.e.govt.nz.