Agenda item

Internal Audit Update

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk which provided an update on Internal Audit’s latest progress with regard to service delivery, assurance provision and reviews completed was presented for the Committee’s consideration.

The Head of Audit and Risk highlighted the main points as follows –

•  That one audit review report was finalised during the period relating to IT Cyber Security which resulted in a Reasonable Assurance opinion (the Committee was provided with a copy of the full report). Although the review concluded that overall the Council has a number of effective operational controls in place to manage the risk to cybersecurity and to prevent and reduce the impact to Council Services, systems and information of malicious, external attacks, it also identified that a lack of proactive monitoring of the extent and nature of current and emerging cyber threats faced by the Council could compromise success in this area. A total of five issues/risks were raised and an Action Plan to address those issues has been agreed with Management.

•  That one follow-up review was finalised during the period, which was a third follow-up review of Logical Access and Segregation of Duties. A review of logical access and segregation of duties controls was undertaken initially as part of the Annual Internal Audit Plan in 2014/15; this resulted in a Red rating with 14 recommendations and one suggestion being made. A first follow-up review in January 2015 again resulted in a Red rating and found that 12 recommendations remained outstanding. A second follow-up review took place in December 2017 which confirmed that 5 recommendations remained unaddressed. Consequently, this review resulted in a Limited Assurance opinion in accordance with the new audit approach. In December 2018, a third follow-up review was undertaken. This confirmed that of the five issues/risks outstanding, two have been addressed and three, which relate to segregation of duties in Payroll, are in the process of being addressed.

The payroll section is currently undergoing a restructure. Once the Northgate project is finished, the new structure will be implemented. The first round of consultations on the new structure has just taken place and will progress during January 2019. Once implemented in full, the Accountancy Service Manager is confident that this will address the remaining issues/risks originally raised. Although progress has been made, taking into consideration the results of the follow-up review, the assurance level of the report remains as Limited Assurance with a further follow-up planned for July 2019.

•  That two reports with a Limited Assurance rating are scheduled for a follow-up review before the end of the financial year: Child Care Court Orders under the Public Law Outline, and Payment Card Industry Data Security Standard Compliance. Both follow-up reviews were in progress at the time of drafting the report, and it can be confirmed that since writing the update the follow-up review of the Child Care Court Orders under the Public Law Outline audit has been finalised and has been raised to Reasonable Assurance.

•  That since the appointment of the two new Senior Auditors, work on the Internal Audit Operational Plan for 2018/19 (Appendix A to the report) has progressed well. However, given the length of these vacancies together with protracted investigations, significant follow-up work and the maternity leave of the third Senior Auditor, the Service’s target for undertaking 80% of the red and amber residual risks in the Corporate Risk Register will be difficult to achieve. To date, 35% of the red and amber residual risks have been covered and work in five other areas denoted as red and amber residual risks in the Corporate Risk Register is ongoing. Those areas are noted in the report. Work is also ongoing in three specific areas at the request of Heads of Service. The Service is also involved in two ongoing investigations which are both nearing their conclusion. Areas that are not addressed this year will be rolled forward into and prioritised in 2019.

•  That an independent Risk Management Health Check was undertaken by the Council’s insurers, Zurich Municipal (ZM), which focused on the six areas of risk management activity set out in paragraph 26 of the report. ZM concluded that risk management was at a Managed level within the five levels of maturity in the Performance Model used. This was largely as expected, and an Action Plan is being developed to address all the observations/recommendations raised by ZM, a summary of which is provided in the report.

The Committee considered the report and made points as follows –

•  The Committee noted with regard to the Intrusion Prevention System Rate of Attack diagram within the IT Cyber Security Report that a sharp increase in the rate of attack had occurred over the course of three days at the end of November 2018. The Committee sought clarification of what this increase might indicate and whether the source of the attack was known.

The Committee was informed that foreign state actors can be the source of cyber-attacks on public bodies and that they will seek to cover their tracks by conducting their activity under the guise of another country. Most UK public sector bodies experienced raised attack levels in the second half of 2018, which have been reported as resulting from a specific source country stepping up its cyber activities as part of the tensions in the period following the Salisbury incident. Cyber awareness training for all staff and Elected Members is being provided.

•  The Committee noted that at the time of the review 92% of staff with computer access had read and accepted the Information Security Policy, meaning that 8% of staff had not done so, thereby posing a risk to the Council. The Head of Audit and Risk said that the 8% could have included staff on sickness absence, holiday leave and maternity leave at the time of the review and that the percentage figure is likely to have reduced in the period since the review was conducted. The Internal Audit Service was of the opinion that 92% represented a reasonable level of compliance.

•  The Committee noted that the review highlighted that a lack of proactive monitoring of the extent and nature of current and emerging cyber threats could compromise success in this area, which it found worrying. The Committee sought clarification of whether steps were being taken to rectify this shortcoming.

The Head of Audit and Risk said that the necessary data is available and is being monitored, but not at Head of Service level; scrutiny and reporting arrangements need to be strengthened at that level. Nor is there a specific post within the IT Service structure that carries this responsibility; a number of posts share aspects of Cyber Security responsibilities, meaning that proactive monitoring is unintentionally overlooked.

•  The Committee noted with regard to the third follow-up review of Logical Access and Segregation of Duties that after three years and three updates the assurance rating remains Limited. The Committee suggested that after this length of time the review may have lost relevance and that the potential to draw lessons from it is limited.

The Head of Audit and Risk said that although the audit was inherited from a previous period and a previous audit system, segregation of duties is an important control to mitigate the risk of fraud.

The Head of Function (Resources)/Section 151 Officer said that, notwithstanding that the specific controls have not been implemented to the satisfaction of the Internal Audit Service, there are other safeguards in place to ensure the accuracy and reliability of Payroll and to make certain that the Authority only pays employees who are actually at the Council and working for it. Whilst it is a reasonable control to put in place, the structure of the Payroll Team currently means that it cannot be implemented. Once the restructure is complete, which will introduce a formal System Administrator to the team, segregation of duties within the system can be implemented in a properly controlled way. Additionally, the Authority’s financial systems, including Payroll, are subject to audit by External Audit as part of the audit of accounts process. The Auditors therefore need to be assured that the information which the Payroll system generates is accurate and will undertake systems controls checks to that end; no issues have been identified with the Payroll system by External Audit. However, achieving segregation of duties within what is a small team is inherently difficult. The Officer confirmed that the audit covered segregation of duties across a range of systems, with Payroll being the only system where issues remain outstanding, due also to the fact that Payroll has been part of a lengthy improvement project seeking to integrate Payroll with part of the Human Resources system.

•  The Committee noted that the audit approach is now fully risk based; in light of this, it queried whether it is possible that some existing audits may drop off the plan as their risk status changes.

The Head of Audit and Risk said that the areas that are being carried forward into 2019 are all in the Corporate Risk Register.

It was resolved that, having considered the information presented and the clarifications provided by Officers, the Audit and Governance Committee accepts and notes Internal Audit’s latest progress in terms of its service delivery, assurance provision, reviews completed, performance and effectiveness in driving improvement.

NO ADDITIONAL ACTION WAS PROPOSED
