
Internal Audit Progress Report

Report by the Director of Finance and Support Services, and the Head of Southern Internal Audit Partnership.

 

That the Committee note the Internal Audit Progress Report (December 2020).

 

Minutes:

32.1     In response to the request made by the Committee at its meeting of 20 November 2020, the Committee received a verbal update from Stewart Laird, Interim Head of IT on Disaster Recovery Planning and IT Asset Management. 

 

32.2     Mr Laird provided an update on the two high priority outstanding actions in relation to Disaster Recovery.  The first was undertaking the delayed Disaster Recovery testing after the planned March/April 2020 test was put back because of the need to ensure the Council’s workforce could work from home during the first Covid lockdown.  Following the tests, lessons learned and revised documents had been implemented.  The second priority, an audit of the Disaster Recovery Battle Box, had led to revision of all information including priority systems in line with recovery priority and a move to store the Battle Box and some systems in the Cloud with more systems to follow.  Following this, Disaster Recovery had become less of a risk.

 

32.3     The Committee made comments including those that follow:

 

  Questioned what would happen should a Cloud system fail – Mr Laird gave examples of the Cloud systems used where the prime data centre has multiple power sources and data back-up, plus a structure where information would move to (and is replicated at) a secondary site if there is failure at the primary site.  Regarding one-off services, the procurement process would include primary and secondary delivery solutions to include return to operations SLAs and KPIs, evaluation of set up and replication of data between the sites to ensure business continuity.

 

32.4     Mr Laird provided an update on IT Asset Management.  Regarding the management of Council’s laptops, desktop equipment, tablets and mobile phones, the Committee was advised that tagging of items and a review of Asset Management records, such as domain names and email accounts, had been undertaken which had clarified assets in use and their status.  The Committee was also advised that a change of technology in use for mobile phones had allowed the Council to ensure the tracking, security and, if necessary, the lockdown of mobile phones.  Mr Laird concluded that a robust framework for IT Asset Management had now been put in place.

 

32.5     The Committee made comments including those that follow:

 

    Noted concerns raised by officers about the Mosaic system used by Children’s Services and queried plans to replace it – Mr Laird stated that this was separate to IT Asset Management, but advised the Committee that Mosaic would be hosted on behalf of the Council by the provider.  The database would be converted from Oracle to a SQL back-end system as predominantly used by other local authorities.  A realignment of the database scheme would also be taking place to include reconfiguration of the information in the system including an end to end review of all performance reports on the system.

    In relation to Corporate Risk 39, it was queried how much priority is given to IT security during procurement – Mr Laird advised that significant focus is given to IT security during procurement, and provided a number of examples.  The County Council’s other security measures include, but are not limited to, firewalls, proxy servers, scanning of incoming and outgoing data to ensure risk of malware and ransomware is detected before emails are delivered and filtering of website access.  Furthermore, the Committee was informed that significant focus is placed on education of staff which would be more rigid in future.

    Queried why Corporate Risk 39 is now scored at 5/5 when it was at 4/5 only 4 years ago, and whether this implied that the Council needed to do more or whether the risk should be reviewed – Mr Laird advised that the volume of cyber-crime and the level of sophistication had increased exponentially in the last 4 years, as highlighted by central government.  The Council had recognised and reflected on necessary changes of direction, implemented changes and recognised the need to leverage new technologies, and continually evolve the Council’s approach in order to mitigate risk, including business processes and the education of the workforce.

 

32.6     Mr Jeremy Hunt, Cabinet Member for Finance, thanked officers for this work on IT security and noted the challenges from external sources, but advised that the higher risk status didn’t mean that the Council had gone backwards but rather that it had often moved forward to combat risk.

 

32.7     Mr Laird provided an update on data storage and back-up.  Key back-up documentation and the approach to back-up, including replacement of magnetic tapes and risks regarding malware, had been reviewed and are in the process of being revised.  An identified risk regarding single point of failure has been addressed and had led to training of additional staff to carry out this work.  There would also be a move to a predominantly Cloud based system for back-up, although investment in a replacement unit is appropriate which would also be used in line with the new Cloud based system.

 

32.8     The Committee raised additional matters in relation to IT as follows:

 

    Queried access to Zoom for members for use in their local work with communities – Mr Laird explained that the Council’s purchase of Microsoft Teams as its preferred platform for virtual conferencing was due in part to its document sharing facility.  Zoom had done much to improve its security.  The Council provides some Zoom licences to certain staff who need it to work in partnership with other organisations using that system, e.g. social workers.  Access for members could be reviewed subject to demand, but it was highlighted that to provide a large number of licences would be cost prohibitive.

    Further to the discussion regarding Corporate Risk 39, it was queried whether the Council’s current matrix for scoring risk is appropriate or if it should be recalibrated.  The Committee noted that it had discussed this previously.  The Committee discussed the need to allow for an increase if the risk is already scored at the top end of the matrix, however it concluded a recalibration exercise would be sufficient and that inherent risk would need to be taken into account, so consideration might be to define between risks.

 

32.9     The Committee considered a report by the Director of Finance and Support Services, and the Head of Southern Internal Audit Partnership (copy appended to the signed minutes).

 

32.10  Mr Pitman, Head of Southern Internal Audit Partnership, introduced the report and invited Ms Eberhart to address matters relating to the Council’s latest position.

 

32.11     Ms Eberhart advised the Committee that pressures on staff as a result of Covid-19 and the latest lockdown mean that it would be likely to be difficult to complete the entire Rolling Work Programme during 2020/21, particularly for Adults Services and Children and Young People’s Services, despite the ability of the internal audit team to participate.  The updated work programme would be revised by the end of the week, presented to the Executive Leadership Team, circulated as a written update to the Chairman and on to the Committee once agreed, and brought to the Committee for consideration and discussion at the 8 March 2021 meeting.

 

32.12  Mr Pitman addressed other matters pertaining to the report.  There had been a notable reduction in the number of overdue audit actions.  Nine high priority items had been removed including all that were relevant to IT.  The Quality Assurance Framework for Adults Service would be expected to be signed off the following week.  Governance Compliance has also been cleared.  There were no limited assurances to note.  Regarding the Rolling Work Programme, this would be re-baselined, as noted in minute 32.11 above.

 

32.13  The Committee made comments including those that follow:

 

    Noted that four of the high priority overdue actions are within the civil enforcement parking arrangements, which includes actions for the district and borough councils to resolve, and also queried the current situation of the overdue low and medium priorities revised, some of which have due dates that have already passed – Mr Pitman noted that Governance Compliance had been cleared.  Regarding legacy overdues, as previously raised by the Committee the Audit team had undertaken to prioritise, which had included the IT matters that had now been resolved. A refocus on this list would now be planned.

    Queried the impact on the External Audit and whether further work would be required – Ms Eberhart advised that Mr Pitman’s opinion would be given in July and considered by external audit.  Mrs Thomson, EY, advised that internal audit largely feeds into the Annual Governance Statement which is then used by EY to complete work on the financial statements. EY and Internal Audit are in regular contact and would discuss any issues arising, although none were anticipated at the moment.

 

32.14  Resolved – That the Committee note the Internal Audit Progress Report.

 
