Agenda item

The Client Audit Manager of the Shared Internal Audit Service (SIAS) provided a summary of the SIAS Progress Report, specifically the delivery of the Audit Plan and key findings; Audit Plan amendments; critical and high priority recommendations and performance management. He said that 68% of the 2019/20 Audit Plan days had been delivered and 19 of the 30 projects had been completed to a draft stage.

The proposed amendment to the Audit Plan related to the audit of Homeless Reduction Act/Temporary Accommodation, which was due to start in January 2020. The proposal was that this audit be cancelled and deferred to the next plan, the reason being that an audit had been done in March 2019.

With reference to the critical and high priority recommendations detailed in the report, the Client Audit Manager said the recommendations on the CCTV and the IT Shared Services audits had all been implemented.

The Chairman said that cyber security was a very topical issue and asked whether the committee should be concerned about the delays in implementing the recommendations from the cyber security audit. The Client Audit Manager replied that whilst the recommendations on cyber security had been partially implemented, there had been delays; these would be monitored regularly and reported to the committee.  An industry survey had recently shown that Cyber security was one of the top three audit priorities; the IT industry was continually evolving and the committee should take the appropriate response by monitoring outstanding recommendations, as with other risks.

In response to the Chairman on whether Internal Audit was satisfied with the current state of cyber security at EHC, the Client Audit Manager said this was a high priority for officers and there was a pathway to fully implementing the audit recommendations, and this should continue to be monitored by Members.

Councillor A Curtis enquired if and how SIAS was keeping pace with developments in the IT industry and if there was enough confidence that cyber security was being adequately addressed, given that EHC did not fully control this environment. The Client Audit Manager advised that SIAS worked in partnership with BDO and SIAS used BDO to focus exclusively on relevant issues. There was also a history of local authorities working together on such matters and this was increasing. SIAS was acutely aware that the risk profile for local authorities was changing and where authorities worked in partnership, the focus was somewhat different, which was reflected in the audits which had been incorporated into the Audit Plan and reported to the Committee.

Councillor T Stowe asked why the assurance levels of the “Follow-up - S106 Spend Arrangements” and the “Follow-up – CCTV joint audit” were both noted as “Not Assessed”. The Client Audit Manager replied that these were both routine follow-up audits and assurance opinions were not given on follow up audits, where the emphasis was placed on the status of recommendations made at the original audit.

Councillor L Corpe referred to the updating of the Disaster Recovery Plan and enquired when this would be completed. The Client Audit Manager said the comments contained in the report were provided directly by service managers and indicated the current status of the plan. This was a high priority issue which would continue to be monitored and reported to the Committee.

Councillor A Curtis commented that there were a number of issues in the report which referred to updates on outstanding issues from officers and said these issues needed completion dates. The Scrutiny Officer said it must be very clear on what was needed and asked from officers. The Chairman said some issues had been outstanding for some time, e.g. cyber security, and these must be addressed.

Councillor A Curtis moved and Councillor A Alder seconded a motion that the recommendations in the report be approved.

After being put to the meeting and a vote taken, the motion was declared CARRIED.

RESOLVED – that (A) the Internal Audit Progress Report be noted;

(B)   the amendments to the Internal Audit Plan as at 27 December 2019 be approved;

(C)   the status of Critical and High Priority recommendations be noted; and

(D)   Members be provided with a cyber security update by officers as required.