14 GDS has established strong controls over spending and service design. GDS reported that controls have reduced spending on IT by £1.3 billion over five years to April 2016. Digital expenditure of over £100,000 is subject to these controls. Our analysis shows that requests for approval for amounts of up to £1 million accounted for 47% of the time GDS staff spent on spending controls but only 1% of savings in 2015-16 (paragraphs 4.2 to 4.5, Figures 10 and 11).
15 GDS has not sustained its framework of standards and guidance. We found instances of overlapping guidance, for example blogs as well as service manuals being used to communicate guidance on contract management or the use of application programming interfaces. In some cases, guidance had been removed and web links broken. Standards were set as broad principles, leaving scope for interpretation and disagreement. GDS has not provided detailed guidance on how to implement standards in practice (paragraphs 4.7 to 4.9, 4.12 and Figure 12).
16 The combination of strict controls and uncertainty about guidance has made it difficult for departments to understand assurance requirements. Spending controls can play an important role in enforcing consistency and ensuring that departments adopt standards. However, it is difficult to understand the status of different forms of guidance, and departments told us it can be hard to anticipate how GDS will interpret their performance against standards. GDS is now introducing approvals and assurance mechanisms that consider departments' overall portfolios and reduce burdens from controls (paragraphs 4.2, 4.6 and 4.9).
17 Cabinet Office controls have helped to increase flexibility in departments' IT contracts. GDS has worked with the Crown Commercial Service to diversify the supplier base. GDS has also introduced frameworks such as G-Cloud and the Digital Services Framework, now replaced by the Digital Outcomes and Specialists framework, to improve contracting with small and medium-sized enterprises (SMEs). Government data show that up to November 2016, 64% of sales were to SMEs via the G-Cloud framework. However, most spending continues to be with large enterprises; in 2015-16, we found that they accounted for 94% of spending, one percentage point lower than in 2012-13 (paragraphs 4.11 to 4.14).
18 Take-up of Verify has been undermined by its performance and GDS has lost focus on the longer term strategic case for the programme. The current business case is based on reducing duplication or simplifying the way new services are developed. But Verify has been difficult for some people to use, departments have taken longer and found it more difficult to adopt than expected, and GDS has had to soften its approach to mandatory use. Nine of the 12 services using GOV.UK Verify can now be accessed using both Verify and a department's chosen way of allowing users to log-in to services. This parallel access undermines the current business case and risks creating confusion for service users. Verify presents a strategic opportunity to improve the way that personal data is used across government enabling better use of data, based on a single secure view of identity. But this strategic case has not been sufficiently developed, tested and communicated (paragraphs 4.19 to 4.28, Figures 13 and 14).