Agenda item

This matter is the responsibility of the Portfolio Holder for Communications and Corporate Resources, Cllr Benet Allen.

Report Author: Alastair Woodland, Assistant Director, SWAP

This report summarises the work of the Council’s Internal Audit Service including progress against the audit plan and significant findings that have arisen since the last update in September 2022.

Alastair Woodland, Assistant Director from SWAP presented the report:

·       Quarterly update on the Internal Audit plan

·       Page 84 gives an update of the reviews completed since the last update in September. One limited assurance audit and one follow up audit but also worth noting there are some good levels of assurance in some key areas, e.g. substantial assurance in accounts receivable and also generation programme governance.

·       Page 87 The reviews to be delivered in quarters 3 and 4 have been agreed with senior management.  This will influence the annual opinion coming to the Committee in March 2023.

·       Page 89 Appendix B gives an overview of the audit plan to date, reviews that have been completed and the assurance ratings and recommendations.  

·       Page 92 table 2 – Local Government Reorganisation (LGR) forms part of the internal audit work this year. Price Waterhouse Coopers (PWC) are the main assurance provider but there are a number of support pieces of work being carried out by SWAP, mainly relating to IT and other key areas. One area is LGR risk management to ensure it is working effectively in LGR, and the other critical one is Business Continuity Planning (BCP) to make sure services are well prepared for vesting day.

·       Page 94 covers the limited assurance opinion for information security policy and awareness following cyber security framework review. Further work was needed on this area, and significant work has been undertaken in this area to improve the issues. 3 main areas - the information security framework has been updated and new policies and procedures have been approved relating to access control, acceptable use, information transfer and patch management. Training and awareness has improved with four dedicated information security training modules being devised.  In respect of information governance there is greater clarity on roles and responsibilities of individuals. Management have provided the update and because of these actions, controls in those areas should be improved.

·       Page 95 gives details of the Health and Safety follow up report.  The committee has had regular updates from officers and progress has been made in that area. The review highlights good progress in this area, reducing the risks to the authority.

During the debate, discussion took place around:

·       Whether the wording on page 94 was due to being so close to the new Council coming into place ‘since this activity is currently ongoing and hence information security (IS) arrangements are subject to change, it was agreed that it provided little value to the Council to start a new review’. It was confirmed that this was correct and that it is subject to change from 1 April 2023 due to new policies and procedures being created for the new authority.

·       How involved SWAP are likely to be with the new Unitary Council?  The Officer confirmed that SWAP will be very involved. The Audit Plan for the new Council is being drafted and will go before the Audit Committee at Somerset County Council (SCC) for approval in March 2023.  That will identity all the risk themed areas carried forward from this Council.  It was confirmed that there will still be great change over the next two or three years and that SWAP will have a role to play including keeping the Audit Committee involved.

·       Whether there is an update on the risk management and business continuity work being carried out as part of LGR work.  Currently the update report lists no opinion as they are in progress. The officer confirmed that the report on Risk Management had been issued today and that it had been as a result of a request from the programme director at the end of October to carry out the review. The audit work was carried out in November and there is nothing adverse coming out of the review, other than some minor areas for improvement.  Business Continuity Plans are being picked up in quarter 4 to ensure that services have plans in place for day 1 – 1 April 2023.  Services have been set a deadline of 15th January 2023 to complete those plans. 

·       Whether the Auditor was confident that the audits listed as in progress or not yet started would be completed during 2022/23, or if there is likely to be slippage.  The Officer confirmed that the work programme had been designed to ensure that all audits are completed by the end of February to feed into the annual opinion report which will come to the committee in March 2023. If work is still in train, an assessment will be made on the stage it is at and the value of it continuing post 1 April 2023, and whether to draw a line under it or limit it’s scope.  The officer confirmed that a number of the audits have moved forward since the report was written.

·       Whether any incomplete audits would hand over to the new Council so that the work can carry on post 1 April 2023.  The officer confirmed that it will depend on what it is. Work is ongoing to produce a completely new risk assessment which will feed into the Internal Audit Annual Plan and inform priority areas for review. Outcomes from the work in 2022/23 will feed into that risk assessment. The Plan will be discussed with the Senior Management Team before it goes to the SCC Audit Committee for approval in March 2023. 

The Committee resolved to note the progress made in delivery of the 2022-23 internal audit plan and significant findings since the previous update in September 2022.

(proposed by Cllr Janet Lloyd; seconded by Cllr Simon Coles)