Agenda item

To give consideration to a report which advised the Committee of the key outcomes from Internal Audit reports issued between November 2018 and April 2019.

Consideration was given to a report which set out the key outcomes of internal audit reports issued between November 2018 and March 2019. It was noted that, based on the outcomes of the audits undertaken, the Authority’s framework of governance, risk management and control was considered to be satisfactory overall.

For each of the reports issued the main points of concern were outlined together with the progress made or action taken to address those concerns. In addition the report also outlined examples of good practice.

Clarification was sought in relation to the following:

·         How often checks were made to confirm that the proposed management actions identified following the completion of an audit were actually completed?  It was explained that previously all actions were checked to ensure compliance but now the approach had been changed to concentrate only on medium and high risk items.  It was also acknowledged that further work was required;

·         A number of systems, such as the Ash Debtors System and Liquidlogic, were not supported by the Authority’s disaster recovery site.  It was explained that the Senior Leadership Team were currently looking at the Authority’s systems for disaster recovery.  It was suggested that a report be presented to a future meeting of the Committee which set out the plan for the removal of the risk;

·         The risk associated with some members of the Engie Finance Team having end to end privileges in relation to several payment systems.  It was explained that although it had been classed as a medium risk there was no evidence that anything untoward had occurred.  It was also explained that the system was in the process of being amended to remove the potential risk;

·         The systems in place to update access to ICT systems when people start working for or leave the Authority.  Reference was made to the templates in place which set out what happened when someone leaves the Authority including for example in relation to IT security.  It was explained that there were policies in place and if these were not followed the matter was referred to the appropriate Head of Service.  It was also explained that there had been a lot of work undertaken in relation to starters and leavers. It was suggested that a review of previous reports might be helpful in identifying any patterns or trends. 

It was suggested that managers be reminded that the Audit Committee regularly reviewed audit reports in relation to their service area.  It was also suggested that a report be presented to the Authority’s Senior Leadership Team which provided a picture of the frequency at which the same issues occurred following audit investigations.       

The Chief Internal Auditor advised members that future reports would be amended to highlight where action had been taken.

Resolved that (1) the opinion of the Chief Internal Auditor, that the framework of governance, risk management and control was satisfactory overall, be noted; and

(2) The key findings, good practice identified and the management action taken in response to Internal Audit Reports be noted.