Agenda item

Internal Audit Progress Report

(To receive a report by Lucy Pledge (Head of Internal Audit and Risk Management) which details the audit work completed up to 15 February 2021; advises on progress of the 2020/21 plan (including planned work to June 2021); and raises any other matters that may be relevant to the role of the Audit Committee.  James Drury (Executive Director – Commercial) and John Wickens (Assistant Director IMT and Enterprise Architecture) will also be in attendance.)


The Principal Auditor presented the internal audit progress report, which detailed the audit work completed up to 15 February 2021; and advised on the progress of the 2020/21 plan, which would be completed by April 2021.  Progress on the actions arising from all audit reports in the plan was also detailed. 


The report referred to two items of limited assurance:  the ICT Network Infrastructure Security; and the ICT Business Continuity and Disaster Recovery.  The Executive Director – Commercial and the Assistant Director for IMT and Enterprise Architecture were in attendance to respond to questions on these two items. 


In response to a question on recruitment and staffing arrangements within the Audit Team, as detailed in the report, it was advised that Covid-19 had impacted on recent recruitment exercises with a reduced number of applicants.  There would be further recruitment in April 2021 to appoint to remaining vacancies and the use of agency staff would be a temporary measure.  It was advised that apprenticeships would be used within the Team as a 'grow your own' initiative.  It was confirmed that the Audit and Counter Fraud Teams worked in collaboration with pooled resources for specific pieces of work. 


In relation to the limited assurance reports, the following points were raised:


·         Reference was made to the statement on page 144 of the agenda that IMT had no plans to put into effect more stringent data leakage prevention technologies, as the business had not supported these technologies and would not commission them; that the Council expected all staff to be able to share information beyond the Council with limited formality and technical constraints; and that the Council was therefore in effect accepting that risk, relying instead on the knowledge and judgement of staff.  The Assistant Director for IMT and Enterprise Architecture explained that data leakage prevention technologies were highly constraining on staff and for this reason some organisations, which had purchased these technologies, had ceased to use them.  Staff had received mandatory annual training on information assurance and had high levels of awareness.  It was further explained that the limited assurance did not relate to this particular finding.

·         It was advised that within Office 365 there were some low-level elements of data leakage prevention, and a decision would be made on their use at a later date.  Higher-level data leakage prevention technologies would represent an additional cost.

·         Reference was made to the statement on page 143 of the agenda on starters, movers and leavers, and to the timings for these issues to be resolved.  It was advised that there was a need to confirm the processes, using the appropriate technology, for starters, movers and leavers to ensure all relevant personnel in the organisation were informed.  It was confirmed that the transformation programme, of which the Corporate Leadership Team was aware, would address this issue.

(Note: Ian Haldenby left the meeting at this point.)

·         The Committee recorded its thanks to IMT staff for their efforts over the last year in enabling, at short notice, working-from-home arrangements for over 4,000 members of staff.  The Committee recognised that this had impacted on other routine work.

·         In response to a question on business continuity and disaster recovery, it was explained that the testing of some systems had not been implemented, as they would not now be appropriate as the Council would be continuing to migrate to more standardised IMT systems; and there would always be an impact on service from any testing.  This issue would be followed up by the Audit Team. 




That the outcomes of Internal Audit's work be noted. 

