Feature story from the Netherlands: IT lifecycle management is not a one-off job but a continuous and cyclical process that affects the entire organisation

17.12.2023

The Netherlands Court of Audit (NCA) has been auditing digitalisation and the use of IT by the Dutch government since 1991. The government, like society in general, has become highly digitised in recent decades. Virtually all government processes and activities are now digital or digitally supported. Properly functioning information systems are essential to implement government policy, introduce new laws and deliver reliable services to citizens and businesses. Managed and systematic maintenance of the IT landscape, also known as IT lifecycle management, plays a very important role. It is important not only to avoid running unsupported IT and to upgrade it on a timely basis but also to respond to technological advances such as artificial intelligence (AI), quantum computing and the cloud.

Audit of IT lifecycle management

In 2014, the NCA audited the approach of the Tax Administration of the Netherlands (TA) to managing its outdated and complex IT systems. The TA is one of the Dutch government’s biggest executive agencies. We chose to audit the TA specifically for its size and heavy reliance on IT in its primary processes: collecting taxes, in combination with its direct contact with citizens and businesses. One of our main conclusions was that there was insufficient insight into the IT landscape, the related risks and thus into the complexity and associated lifecycle stage of the IT systems. Poor insight is one of the possible reasons for the huge backlog in replacing outdated systems.

Five years later, in 2019, the NCA carried out a yearly government-wide audit of IT lifecycle management. We investigated whether there was a centralised insight into the management and maintenance of the IT systems at Dutch ministries. We again found that insight into the IT landscape was not always adequate. The CIOs of 5 of the 11 ministries we audited had a poor understanding of the condition of their IT. The assessment framework used for this audit was based on the framework used for the 2014 audit of the TA. The 2014 framework was brought into line with relevant standards and best practices of the internationally accepted COBIT, ITIL and ASL frameworks and modelled to the situation in the Dutch government. This resulted in the IT Lifecycle Management Assessment Framework (IT LCM Assessment Framework).

The IT LCM Assessment Framework builds on the 5 steps of the IT lifecycle management process, insight into the IT landscape and Deming’s PDCA cycle (Plan, Do, Check, Act). IT lifecycle management is approached as a continuous, cyclical process of gaining insight, translating insight into plans (for maintenance, management and renewal), implementing the plans, monitoring their effect and adapting them where necessary. See the 5 steps in Figure 1.

Figure 1. The 5 steps of the IT lifecycle management process

An understanding of the lifecycle stage of the IT system is an important aspect of the insight. A commonly used method to gain this understanding is the Gartner TIME model, in which an organisation plots all its IT systems in one of the 4 quadrants (Tolerate, Invest, Eliminate or Migrate) to generate an insight into the technical condition and business value of the IT system. This insight can, among other things, help the organisation to set priorities and make plans for adequate maintenance. See Figure 2 for an example. We have adjusted the original TIME model to include the size of the IT systems. The size of the circles refers to the number of function points in the application. In general, the more function points, the more time is needed to maintain the application and the higher its complexity.

Figure 2. Example of the Gartner TIME model (adapted from Handreiking Verantwoord Vernieuwen)

Current challenges of the Tax Administration of the Netherlands

Since 2014, the TA has been working hard on implementing reliable lifecycle management of its IT landscape. Its insight into the current IT landscape has improved significantly. The TA can now decide which systems have to be and can be renewed and when. By taking a programmatic approach, it has also successfully reduced the number of legacy IT systems in recent years. Yet there are still formidable challenges, particularly regarding the updating and modernisation of its value added tax, salaries tax and income tax systems. Together, these taxes account for a large proportion of the Netherlands’ tax revenues (€146 billion in 2022). The steady expansion and interconnection of the TA’s systems over the years have made updating far from straightforward. These key systems are needed year-round to process tax returns and cannot simply be turned off and on.

The TA is therefore facing a daunting challenge to replace and upgrade its legacy systems before serious continuity risks become manifest in the years ahead. And this is just the beginning. After replacing the legacy systems, modernisation, like management and maintenance, has to become a regular feature of the lifecycle management process. The TA will never finish cleaning up, replacing and renewing its IT systems because technology is continuously advancing. Well-organised and effective IT lifecycle management must prevent the TA from having to clear extensive IT backlogs again in the future.

IT Lifecycle management is subject to conditions

Like the TA, the Dutch ministries we audited in 2019 have significantly improved centralised insight into their IT landscapes in recent years. In 2022, only one CIO still had inadequate insight into the condition of their ministry’s IT. This is due in part to the Civil Service CIO System Decree 2021, which lays down in law the ministerial CIOs’ responsibilities for the effective and centralised organisation of IT lifecycle management. The NCA’s IT LCM Assessment Framework was designated a government-wide framework by the Dutch Central Government CIO in 2021.

That ministries and associated executive agencies such as the TA are improving their insight into IT landscapes is a positive development. As noted above, however, insight by itself is not enough, especially not in today’s world where organisations are having to adapt more quickly to new laws and regulations and changing political ambitions. Only modern IT systems can provide the necessary flexibility and agility. The organisations are setting themselves demanding technological goals, such as data-driven working methods, working with AI or with more complex algorithms and working in the cloud. All these ambitions call for an up-to-date and flexible IT landscape that can anticipate new IT advances. In other words, the IT lifecycle management process must become a fixed feature of the government’s operational management.

The challenge facing some central government organisations in the Netherlands is also one of prioritisation. Legacy systems have to be replaced, the IT landscape has to be sustainably renewed and its continuity has to be ensured. This calls for constant, multiyear planning with definite goals that take account of a possibly undesired side effect: the low-hanging fruit will be picked first and bigger, harder issues will be left on the shelf. IT lifecycle management also calls for other organisational arrangements, such as standardised agreements for the uniform registration of the ministry’s IT assets. In practice, it has proved difficult to centralise insight and not to compare apples and oranges. A second significant challenge identified by our audits concerns the financial aspects of IT lifecycle management. For instance, there must be appropriate multiyear management, maintenance, replacement and upgrading budgets and enough people dedicated to IT lifecycle management and related topics such as portfolio management and IT procurement. All these aspects, like IT lifecycle management itself, require continuous attention and mutual agreement on standards. After all, IT lifecycle management is not a one-off job but a continuous and cyclical process that affects the entire organisation.

Appeal to other supreme audit institutions

The NCA greatly values knowledge sharing, also in the field of IT lifecycle management. We would like to know whether other SAIs recognise the importance of this subject. We would also like to know whether they have included it in their audit programmes, past, present or future, and are keen to share their experiences with us. Feel free to contact us if you have any questions about our article.

About the authors:

Hanna Heinen, Samuel Cárdenas Meijers and Xander Bordeaux are auditors at the NCA and have been auditing IT lifecycle management in the Netherlands’ central government for several years. They wrote this article in a personal capacity.