Agenda item

Internal Audit Follow Up Reports

To present the report of the Internal Audit Manager.

Minutes:

The report of the Internal Audit Manager, providing a further update on progress in addressing the issues identified and completing the actions recommended as part of the Business Continuity and ICT Disaster Recovery audits, was presented for the Committee’s consideration. Details of the Business Continuity and ICT Disaster Recovery second follow up audits were summarised in Appendices A and B to the report respectively.

The Internal Audit Manager reported as follows –

Business Continuity Arrangements Second Follow-up – as detailed in paragraph 2 of Appendix A, the second follow up review identified that the two high rated recommendations outstanding at the time of the last review have been implemented in full. The remaining high rated recommendation relating to the need for building recovery management arrangements to be included in the Corporate Business Continuity Plan is assessed as partly implemented. As it is not yet fully implemented, the recommendation has been reiterated. The medium rated recommendation relating to training requirements to support the implementation of the Business Continuity Plan is assessed as fully implemented. In relation to the remaining medium rated recommendation that Services should ensure that business continuity and emergency planning arrangements are up to date and operational and that they are included within Service Delivery Plans, not all services have included Business Continuity within service plans, and this part of the recommendation is therefore reiterated. Based on the findings of the second follow up review, it is assessed that the Council has demonstrated good progress in implementing the actions agreed to address the audit recommendations and that the level of assurance now provided in this area is Substantial.

ICT Disaster Recovery Follow-up – as detailed in paragraph 2 of Appendix B, the second follow up review identified that one high rated recommendation relating to the need to produce, adopt and implement a comprehensive ICT Disaster Recovery Plan has been assessed as implemented for the purpose of the review. A second high rated recommendation has been assessed as having been implemented in the main part, while with regard to the third high rated recommendation there remains a need to incorporate testing of the system and data backups by services in the ICT Disaster Recovery Plan. In relation to the remaining high rated recommendation in respect of formally documenting the responsibility for maintenance and monitoring of the environmental control and fire suppression systems within the data centres, a new recommendation has been made to the effect that responsibility for management and maintenance of the UPS and air conditioning system within the ICT Data Centre is transferred to Property Services to be incorporated into the Buildings Management Plan. Based on the findings of the second follow up review, it is assessed that the Council has demonstrated reasonable progress in implementing the actions agreed to address the audit recommendations and that the level of assurance now provided in this area is Reasonable.

The Committee noted that the two areas referred to have been the subject of the Committee’s attention for some time; it now welcomed the progress made on actioning the audit recommendations to improve the control environment in both areas as evidenced in the update report, thereby reducing the risks identified in those areas.

It was resolved that the Committee is satisfied with the level of assurance provided as documented in the report regarding the actions taken in relation to Business Continuity and ICT Disaster Recovery.

ACTION ENSUING: The Committee to receive a final update on ICT Disaster Recovery in June 2017 to enable it to be satisfied that the residual actions have been completed.
