Please Contact: Linda Yarham
Please email: linda.yarham@north-norfolk.gov.uk
Please Direct Dial on: 01263 516019
2 December 2013
A meeting of the Audit Committee of North Norfolk District Council will be held in the
Committee Room at the Council Offices, Holt Road, Cromer on Tuesday 10 December
2013 at 2.00 pm
Members of the public who wish to ask a question or speak on an agenda item are
requested to arrive at least 15 minutes before the start of the meeting. It will not always be
possible to accommodate requests after that time. This is to allow time for the Committee
Chair to rearrange the order of items on the agenda for the convenience of members of the
public. Further information on the procedure for public speaking can be obtained from
Democratic Services, Tel: 01263 516047, Email: democraticservices@north-norfolk.gov.uk
Sheila Oxtoby
Chief Executive
To: Mr N D Dixon, Mr B Jarvis, Mrs A Moore, Miss B Palmer, Mr R Reynolds and Mr D
Young
All other Members of the Council for information.
Members of the Management Team, appropriate Officers, Press and Public
If you have any special requirements in order to attend this meeting, please let us
know in advance
If you would like any document in large print, audio, Braille, alternative format or in a
different language please contact us
Chief Executive: Sheila Oxtoby
Strategic Directors: Nick Baker and Steve Blatch
Tel 01263 513811 Fax 01263 515042 Minicom 01263 516005
Email districtcouncil@north-norfolk.gov.uk Web site northnorfolk.org
AGENDA
1.
TO RECEIVE APOLOGIES FOR ABSENCE
2.
PUBLIC QUESTIONS
To receive public questions, if any
3.
ITEMS OF URGENT BUSINESS
To determine any items of business which the Chairman decides should be
considered as a matter of urgency pursuant to Section 100B(4)(b) of the Local
Government Act 1972.
4.
DECLARATIONS OF INTEREST
Members are asked at this stage to declare any interests that they may have in any
of the following items on the agenda. The Code of Conduct for Members requires
that declarations include the nature of the interest and whether it is a disclosable
pecuniary interest.
5.
(Page 1)
MINUTES
To approve as a correct record, the minutes of the meeting of the Audit Committee
held on 17 September 2013.
6.
AUDIT UPDATE AND ACTION LIST
(Page 18)
To monitor progress on items requiring action from the meeting of 17 September
2013, including progress on implementation of audit recommendations.
7.
AUDIT COMMITTEE WORK PROGRAMME
(Page 21)
To review the Audit Committee Work Programme.
(Page 22)
8.
ANNUAL AUDIT LETTER 2012-13
9.
PROGRESS REPORT ON INTERNAL AUDIT ACTIVITY, 1 SEPTEMBER TO 25
NOVEMBER 2013
(Page 29)
(Appendix A – page 34; Appendix B – page 36)
Summary:
This report examines progress made between 1 September
and 25 November 2013 in relation to delivery of the Annual
Audit Plan for 2013/14, and includes abbreviated
management summaries in respect of the audit reviews
which have been finalised in the course of this period.
Conclusions:
A total of 6 audit assignments have been processed culminating
in a mix of good and adequate assurances being awarded.
Those areas in receipt of good assurances included Freedom of
Information and Data Protection arrangements, Treasury
Management, Control Accounts, Banking, the Asset Register,
Budgetary Control and Journal Entries, whilst adequate audit
opinions were given to Bank Reconciliations, Waste
Management, Document Imaging and Workflow Application, the
Revenues and Benefits Application – Civica and IT Security,
Procurement and End User Controls.
In the course of the twelve week period examined, a Computer
Audit Needs Assessment was also performed confirming IT
audit reviews which should be delivered as a matter of priority in
future years.
There have additionally been some changes to overall planned
days for the year, in so far as the figure of 213 days approved
by the Audit Committee on 19 March 2013 has now reduced to
186 days. This is due to the fact that the envisaged Phase 2
element of ad-hoc work requested by management in relation to
the Revenues and Benefits service has not progressed as
originally envisaged, and currently management are re-examining partnership arrangements with a view to securing
savings and efficiencies from service delivery in the future. In
addition, it has been agreed to defer the audit of Development
Management to 2014/15 as there is still considerable work to be
done to complete the Planning Peer Challenge Action Plan
before a meaningful audit can be performed in this service area.
Recommendations:
It is recommended that the Committee notes the outcomes of
the 6 audits completed between 1 September and 25 November
where assurance levels have been given, together with in-year
revisions made to the approved Annual Audit Plan for 2013/14
concerning the rescheduling of some reviews and the
requirement, endorsed by management, to defer two pieces of
work to 2014/15.
Members also need to note that the outcomes of the Computer
Audit Needs Assessment are being reported separately via a
further report attached to this agenda, which elaborates on the
blend of IT audits recommended in future years, and contains a
copy of the amended Strategic Audit Plan which now reflects
much of the detailed additional requirements that have been
identified.
Cabinet member(s):
All
Wards:
All
Contact Officer, telephone number, and e-mail:
Sandra King, Internal Audit Consortium Manager
01508 533863
scking@s-norfolk.gov.uk
10.
THE STATUS OF AGREED AUDIT RECOMMENDATIONS DUE FOR
IMPLEMENTATION BETWEEN 1 APRIL AND 31 OCTOBER 2013
(Page 51)
(Appendix C – page 55; Appendix D – page 56)
Summary:
This report provides an overview of progress made in
implementing agreed audit recommendations due for
completion in the first half of the financial year.
Conclusions:
Good progress has been achieved in relation to the completion
of agreed Internal Audit recommendations.
Recommendations:
It is recommended that the Committee notes management
action taken to date regarding the delivery of audit
recommendations.
Cabinet member(s):
All
Ward(s) affected:
All
Contact Officer, telephone number, and e-mail:
Sandra King, Internal Audit Consortium Manager
01508 533863, scking@s-norfolk.gov.uk
11.
REVIEW OF THE OUTCOMES OF A RECENTLY PERFORMED COMPUTER
AUDIT NEEDS ASSESSMENT AND ITS IMPACT ON THE STRATEGIC AUDIT
PLAN FOR 2013/14
(Page 57)
(Appendix E – page 60; Appendix F – page 78)
Summary:
This report details the outcomes of the Computer Audit
Needs Assessment exercise carried out during
September 2013. The views of 2 key personnel within
the authority, namely the Head of Customer Services and
the IT Manager were canvassed to obtain an insight into
what they believed were the overarching risks facing the
IT environment at the Council, after which 2 separate
analyses were performed by Deloittes’ Senior IT Audit
Manager, with assistance from an IT Audit Manager.
The first analysis reviewed auditable areas, representing
the pivotal aspects of the IT environment at the Council,
whilst the second analysis focused on the authority’s key
applications and upcoming projects. Risk priority ratings
were then used to compile a proposed Strategic
Computer Audit Plan, which identified where computer
audit expertise should be directed in future years (i.e.
2014/15 to 2016/17), along with the job budgets required
to facilitate delivery of the range of assignments being
put forward.
Conclusions:
A programme of computer audits has been formulated to
address areas of risk identified in the course of
discussion and review of the current position of the
authority’s IT infrastructure, management of IT provisions
generally and software applications currently in use.
Proposed future review work will generate independent
assessments as to the efficiency and effectiveness of the
Council’s IT systems, procedures and operations.
Recommendations:
The Audit Committee is requested to note the findings of
the Computer Audit Needs Assessment and approve the
amended planned audit coverage for the period 2014/15
to 2016/17 as recorded in the amended Strategic Audit
Plan.
Cabinet member(s):
All
Wards:
All
Contact Officer, telephone number, and e-mail:
Sandra King, Internal Audit Consortium Manager
01508 533863
scking@s-norfolk.gov.uk
12.
CORPORATE RISK REGISTER
(Page 82)
13.
EXCLUSION OF THE PRESS AND PUBLIC
To pass the following resolution, if necessary:
“That under Section 100A(4) of the Local Government Act 1972 the press and public
be excluded from the meeting for the following items of business on the grounds that
they involve the likely disclosure of exempt information as defined in
of Part I
of Schedule 12A (as amended) to the Act.”
Agenda item 5
AUDIT COMMITTEE
Minutes of a meeting of the Audit Committee held on Tuesday 17 September 2013 in
the Committee Room, Council Offices, Holt Road, Cromer at 2.00 pm.
Members Present:
Committee:
Mr N D Dixon (Chairman)
Mrs A Moore
Mr R Reynolds
Miss B Palmer
Officers in Attendance:
Chief Accountant, Internal Audit Consortium Manager, Civil Contingencies
Manager, Regulatory Officer.
Also in attendance:
Aphrodite Antoniades, Phil Beecher (PriceWaterhouseCoopers)
14.
APOLOGIES
Apologies for absence were received from Mr B Jarvis and Mr D Young. The Chief
Financial Officer was unable to be present because of illness.
15. PUBLIC QUESTIONS
None received.
16.
ITEMS OF URGENT BUSINESS
None
17.
DECLARATIONS OF INTEREST
Mrs A Moore declared a personal interest in the pension fund.
18.
MINUTES
The Minutes of the meeting of the Audit Committee held on 18 June 2013 were
approved as a correct record.
19.
APPOINTMENT OF VICE-CHAIRMAN
It was proposed by Councillor R Reynolds, seconded by Councillor N D Dixon and
RESOLVED
That Miss B Palmer be appointed as Vice-Chairman of the Committee,
subject to ratification by Full Council.
20.
AUDIT UPDATE AND ACTION LIST
Members were updated on progress on actions arising from the minutes of the meeting
of 18 June 2013.
Audit Committee
1
17 September 2013
Business Continuity
The Civil Contingencies Manager gave a verbal update on Business Continuity work:
Team BC Plans
With regard to the issue identified in the action list, the Civil Contingencies
Manager confirmed that the Head of Financials had completed this action and the
team BC plan was in place and up to date.
All team BC plans were in place except Revenue and Benefits. Draft plans were in
place and awaiting final confirmation by the Team Manager.
The Civil Contingencies Manager had created a new and much simplified version
of the Business Impact Analysis and Business Continuity Team Plans, which
would be easier for managers to understand and implement as it removed the
duplication from the old versions of BIA and BCPs. These would be outlined at
the next meeting of the Business Continuity Working Group and the new version
of the team plans would be rolled out at annual review stage.
Training
The Civil Contingencies Manager reported that Business Continuity management
training had taken place on 27th June and 3rd July 2013 to help managers deliver
Business Continuity training to their staff. The aims of these sessions were to
equip managers with an understanding and appreciation of Business Continuity
and how to tailor this knowledge to their relevant service. This training was
delivered by James Allison from WLP consultants, whose work included the
compilation of an independent evaluation of the Business Continuity process at
NNDC. The overall evaluation and summary is given below and the report is
attached as an appendix to these minutes.
“This is an excellent plan which meets its legislative obligations, but also far
exceeds these minimum requirements.
The flow diagrams in particular are excellent. It would be difficult to ever consider
a plan to be perfect given that it is something which must constantly evolve. There
are some areas for discussion highlighted. One of the main previous areas of
weakness had been around training, but the training undertaken by WLP has
clearly demonstrated management’s desire to address this concern. It is important
now that NNDC build internally on the foundations laid by the WLP training.
Overall, the plan gives a very solid basis from which to really try to embed BCP
into the culture at NNDC”.
A Business Continuity synopsis was published in The Briefing in June to further
embed Business Continuity into the Council’s work, and in addition the Civil
Contingencies Manager was working with the Human Resources Team to include
a BC module into the new management training package.
Disaster Recovery and Work Action Recovery site
The Civil Contingencies Manager reported that this project was still on-going but
had been delayed due to office moves, the reception project and the new help
desk configuration. It was anticipated that the Disaster Recovery site would now
be completed in late October. All data was in the process of being replicated from
the Cromer office to the Fakenham site on a daily basis, and in the event of a total
loss of the Cromer Office building it would take a small amount of reconfiguration
work to gain access to the stored data.
Incidents
The Civil Contingencies Manager reported that there had been no major
disruptions which required a Business Continuity response, however he had been
heavily involved with the delivery of the Green Build event.
Staff issues
The Civil Contingencies staffing level was now back to full capacity since the
appointment of Damien Woods in the Technical Administration role.
The Committee expressed satisfaction with the progress which had been made on this
matter and the Chairman commended the Civil Contingencies Manager for the work he
had done since his appointment.
It was agreed that the work had progressed to a point where it was no longer
necessary for the Committee to receive regular reports on this matter. The Chairman
suggested that an annual report would be appropriate. The Civil Contingencies
Manager would submit additional reports if he considered there was a need to report
matters to the Committee.
Training
Further training had been incorporated into the revised Work Programme.
Annual Governance Statement
It was considered that a flowchart was unnecessary as the Annual Governance
Statement contained an overview of the framework and key sources of assurance
which fed into it.
Internal Audit
The Constitution had been amended to include Internal Audit’s rights of access to all
records, assets, personnel and premises.
21.
AUDIT COMMITTEE WORK PROGRAMME
Business Continuity could now be removed from the Work Programme. There was a
duplication in the programme for March 2014 in respect of Internal Audit training and
therefore the entry under PWC work could be removed.
RESOLVED
That, subject to the above amendments, the Work Programme be noted.
22.
BUSINESS CONTINUITY
A verbal update had been given by the Civil Contingencies Manager under Minute 20.
23.
PWC 2012/13 ANNUAL GOVERNANCE REPORT (ISA260)
Aphrodite Antoniades and Phil Beecher presented the Annual Governance Report and
drew Members’ attention to the following matters:
a) Pensions related information had now been received and value for money work
was now complete. The remaining key issues would be completed shortly.
b) PWC had a centre of excellence for local government, which was a dedicated
team of specialists to advise, assist and share best practice with audit teams.
c) There were no issues identified in the work programme to report.
d) Pensions liability – work was substantially complete but required a final review.
e) The Council had a rolling programme to ensure that property, plant and
equipment was revalued at least every five years.
f) Assumptions were the responsibility of management but no issues had been
found with regard to the reasonableness of the assumptions.
g) Pensions liability was subject to significant change due to the adoption of CPI
from RPI. No issues had been noted.
h) There will be changes to IAS19 and new accounting standards will be adopted.
There would not have been a major impact on the accounts if the new standards
had already been adopted.
i) No significant adjustments or errors had been found. There were very minor
issues around roundings and technical disclosures.
j) The estimates relating to the economic life of assets were found to be very
accurate.
k) No issues had been identified with regard to accruals.
l) No issues had been identified with regard to pensions.
m) PWC was not aware of any relationships which would impact on its
independence. It provided no services to management and officers were rotated
to ensure independence.
n) The report was very positive and PWC was appreciative of the work the Council’s
financial team had done.
Aphrodite Antoniades and Phil Beecher then answered the Committee’s questions:
a) Further explanation of IAS19 changes was given. Disclosure for the current year
was the same as the previous year. The changes would come into effect next
year. If it were in operation this year, pension liabilities would have increased by
£329,000 which was not material.
b) Pensions liability was increasing as there had been no change in the level of
contributions from participants of the scheme or increase in funding from the
Council. It was symptomatic of the financial climate in the country because of the
increasing numbers of people living longer as opposed to decreasing assets.
The Chairman considered that there was a need to look at this trend and the
impact it would have in the longer term. PB suggested that more money had to
be put into the scheme or a higher return achieved, but it was not within his remit
to advise. AA agreed to provide benchmarking data with other authorities on this
matter.
c) Regarding risk of fraud, at AA’s request Members confirmed that they were not
aware of any fraud.
d) Cllr Moore queried the expected 4.5% return on assets which appeared to be
high. This related to financial scheme assets, not all assets. It was the actuaries’
assessment of return on assets for the year and was about average for other
authorities PWC had seen.
e) It was assumed that the rate of increase in salaries would be 5.1% after 2015.
For the next two years the rate would be 1%. The assumption would be revised
going forward.
f) Assumptions with regard to pensions were provided by actuaries which had been
looked at by PWC’s own experts.
RESOLVED
That the Annual Governance Report be received and the letter of representation
be signed.
24.
ANNUAL REPORT OF THE MONITORING OFFICER 2012/13
The Monitoring Officer presented his Annual Report, which summarised the more
important matters arising from his work from 1 April 2012 to 31 March 2013 and
commented on other issues.
One of the major issues dealt with was a change in the standards regime as a result of
new legislation, which had the most impact on Parish Councils as they were now
responsible for their own standards regime. There was no longer a mandatory
requirement for local authorities to set up a Standards Committee although NNDC had
decided to do so. A proactive approach had been taken by the Authority and there
were plans to meet each Parish Council to explain the duties and offer assistance.
There was a judicial review pending in the High Court as to whether a politically
balanced Standards Committee was compliant with Articles 6 and 8 of the Human
Rights Act.
The Committee on Standards in Public Life had expressed concerns regarding
weakness of the sanctions which could be imposed on councillors who breached the
Code of Conduct. Formerly, it was possible to suspend and disqualify, but now there
were no sanctions except censure, removal from Committees or removal from access
to the authority’s resources. There had been a significant downturn in the number of
reported cases and the Monitoring Officer considered that the weakness of sanctions
could be a contributory factor.
The Council’s Constitution had been revised and the new Constitution adopted in
2012. The Constitution would be kept under review and changes considered as and
when necessary. This was a major part of the Monitoring Officer’s work.
The Monitoring Officer answered Members’ questions.
a) Cllr Mrs Moore asked how the number of complaints to the Ombudsman in
2012/13 compared with previous years. The Monitoring Officer agreed to forward
this information to Cllr Moore. None of the complaints in 2012/13 had been
investigated formally and there had been no findings of maladministration. The
Authority had an average record in respect of complaints.
b) The Monitoring Officer explained that whilst the Council was bound by its
Standing Orders and the Public Procurement Regulations, there were some
circumstances where it was not relevant to procure goods and services in
accordance with these restrictions, such as when there was only one supplier
who could supply the items due to a tie-up with an existing contractor, or only one
tender was received. In such cases, the matter would be referred to the
Monitoring Officer who would determine whether or not procurement was acceptable.
c) The weakness of sanctions was a concern. Whilst most Members would be
concerned by having a complaint made against them, the sanctions were no
deterrent for those with little regard for conduct and ethics. In the main, the light
touch approach favoured by the Government was adequate but there was
potentially a gap when dealing with major and deliberate misconduct. The
situation was unlikely to change under the present Government; however a future
government may wish to redress the balance. The Localism Act originally
proposed eliminating the standards regime but some had been restored during its
passage through Parliament.
The Chairman referred to the time taken up by the District Council in investigating
complaints in respect of Parish Councils prior to the change in regime. He was
heartened that responsibility for investigation of these complaints now rested with the
body being complained about. However, he expressed some reservations with regard
to the outcome of some of the complaints due to lack of training and possible long term
implications.
RESOLVED
That the report be noted.
25.
LOCAL GOVERNMENT OMBUDSMAN ANNUAL REVIEW LETTER
The Local Government Ombudsman Annual Review letter was noted.
26.
LOCAL CODE OF CORPORATE GOVERNANCE AND ANNUAL GOVERNANCE
STATEMENT 2012/13
The Corporate Governance framework was made up of the systems and processes,
culture and values by which an organisation was directed and controlled. For local
authorities this included how a council related to the community it served. The Local
Code of Corporate Governance was a public statement of the ways in which the
Council would achieve good corporate governance. It was based around six principles
which were identified in the joint publication by the Chartered Institute of Public
Finance and Accountancy (CIPFA) and the Society of Local Authority Chief Executives
(SOLACE). The Annual Governance Statement had been prepared following a review
of all the evidences available to the Council in seeking compliance with its Local Code.
The arrangements set out in the Local Code of Corporate Governance and the Annual
Governance Statement would allow the Council to move ahead with its corporate
planning processes confident that it could address the issues of governance and risk.
The report had already been considered by the Performance and Risk Management
Board.
The following comments were made:
a) The Chairman considered that the report set out the structure of which Cllr Young
had sought clarification, although not in the form of a flowchart. It set out the key
principles and the evidence which supported them.
b) Cllr Moore suggested that section 1.2 of Appendix B should be reworded to read
“Provision of a complaints and compliments procedure …”.
c) The Chairman considered that it would be helpful to include metrics in the
appendix to support the evidence.
d) Cllr Reynolds considered that arrangements should be made for Members to
attend other Councils’ Scrutiny meetings.
e) The Chief Accountant considered that in some cases demonstration of
compliance with requirements was best practice.
RESOLVED
That the Annual Governance Statement and updated Local Code of Corporate
Governance be approved.
27.
2012/13 STATEMENT OF ACCOUNTS
This report presented the Statement of Accounts for 2012/13 for review by the Audit
Committee prior to recommendation to Full Council for approval. The outturn position
for the year had been reported to Members in June and had been used to inform the
production of the statutory annual accounts for 2012/13.
The Statement of Accounts for 2012/13 had been produced in accordance with the
Code of Practice on Local Authority Accounting. The draft accounts were produced by
30th June and since then have been subject to external audit review.
Prior to the meeting the Committee had received training on the Statement of
Accounts. The presentation covered the following main points:
a) The annual financial cycle, which explained the timeline for the processes which
fed into the Annual Statement.
b) An overview of the actions the Committee would be requested to take at this
meeting.
c) An explanation of the content of the Final Accounts and the Core Financial
Statements.
d) An explanatory foreword to the Accounts provided an easily understandable guide
to the most significant matters reported in the accounts.
e) The Core Financial Statements comprised a Movement in Reserves Statement,
Comprehensive Income and Expenditure Statement, Balance Sheet and Cash
Flow Statement.
f) The Movement in Reserves Statement showed the movement during the year on
reserves held by the Council. There were two types of reserve:
i) Usable, eg. general and earmarked, which were funds built up to meet future
likely or known liabilities.
ii) Unusable, eg. the revaluation reserve.
g) The Comprehensive Income and Expenditure Statement showed the “accounting”
cost in the year of providing services. This had been prepared in accordance with
Generally Accepted Accounting Practice (GAAP). Authorities raised taxation to
cover expenditure in accordance with the regulations, which may differ from the
accounting cost.
h) The Balance Sheet showed the assets and liabilities of the Authority. The net
assets were matched by “usable” and “unusable” reserves.
i) The Cash Flow Statement showed the changes in cash and cash equivalents
(assets that could easily be converted to cash, eg. bonds) of the authority during
the year, and how the Authority generated and used cash and cash equivalents.
Cash flows were classified as operating activities, investing activities or financing
activities.
j) Pensions:
IAS19 was the accounting standard for employee benefits. Amendments had
been adopted which would result in reclassification of costs/information and a
requirement for more detailed disclosures. It was unlikely that this would have
a material effect on the financial statements.
k)
l)
Note 22 to the accounts related to Defined Benefit Pension Schemes, in which
the Council participated, and gave details of the funding arrangements.
The deficit had increased by £5.44m from March 2012 to £25,793m. This was
explained by a change in the real discount rate between March 2012 and
March 2013, which had increased the value of liabilities by 8%-12%. The
impact of unfavourable financial assumptions had meant that the vast majority
of employers had found their balance sheet had materially deteriorated from
last year, although this had been partially offset by better than expected asset
returns over the year.
The deficit on the Local Government Scheme would be made good by
increased contributions over the remaining working life of employees as
assessed by the scheme actuary.
Finance would only be required to cover discretionary benefits when pensions
were actually paid.
The total contributions expected to be made to the Local Government Pension
Scheme by the Authority in the year to 31 March 2014 was £1.3m.
Major movements in the accounts were highlighted.
The Annual Governance Report presented by PWC (ISA260) for 2012/13 had
raised no significant issues.
PWC had found that “overall the draft financial statements provided to us were
of a high quality and we recognise the work of the Finance Team in respect of
this.”
Local Government Pension Scheme liabilities were expected to have risen to
£80bn from £38bn nationally in 2010/
IAS19 changes were not material to the accounts.
Value for Money was subject to PWC internal review but an unqualified opinion
was expected.
The Committee discussed the Final Accounts.
a) The Chief Accountant stated that the outstanding works to the accounts consisted
of corrections to typographical errors. The accounts had been through rounding
so there was consistency between the notes to the accounts and the accounts
themselves. Any further changes would be immaterial.
b) The Chairman referred to the significant decrease in balance on the Movement in
Reserves Statement. He wanted to be sure that there was a sufficient balance in
the General Fund to meet any unknown liabilities which may arise.
c) The capital receipts reserve had fallen due to the commencement of some of the
planned capital projects.
d) There would always be known expenditure, but also expenditure which had not
been expected or where planned expenditure had not happened. Money could be
rolled forward so it was not lost.
e) The Committee had received training and had gained sufficient understanding to
recommend to Council that the accounts be approved.
RESOLVED
That Full Council be recommended to approve the Statement of Accounts for
2012/13.
28.
AUDIT COMMITTEE SELF-ASSESSMENT OUTCOMES
The Chartered Institute for Public Finance and Accountancy (CIPFA) “Toolkit for Local
Authority Audit Committees” identified that it was good practice for Audit Committees to
complete a regular self-assessment exercise and to assist this process, provided a
checklist of operational requirements which it was recommended should be satisfied to
ensure the Committee was performing effectively. The Internal Audit Consortium
Manager’s report commented on the outcomes of a self-assessment exercise
undertaken with members of the Audit Committee on 18 June 2013 and also
summarised responses canvassed to the final section on Administration which were
subsequently provided after the Committee meeting, noting that the overall findings
arising from this exercise would be used to further inform the 2013/14 review of the
Effectiveness of Internal Audit. All member feedback to the CIPFA checklist was
included at Appendix D to the report, which recorded where compliance with
recognised practice had been achieved, instances where there had been deviation and
why this had been the case, and those areas where additional enhancements were to be
pursued to improve upon existing operational arrangements.
In conclusion, undertaking a review of its performance against good practice had
ensured that the Committee had properly assessed the way in which it discharged its
duties. The recent review of its remit and effectiveness had been comprehensively
handled and where non-compliances had been realised, the reasons had been
recognised and confirmation then obtained as to how the Committee wished to
manage these issues on a future basis.
The Internal Audit Consortium Manager also thanked those Members who had
supplied information regarding their skills and experience. This had confirmed that
Members had a great deal of knowledge about finance and committee working
generally, as well as indicating where there were some gaps where additional training
would be helpful.
With regard to concerns regarding the length of reports, the Internal Audit Consortium
Manager would be considering how her reports could be summarised.
Whilst there were some deviations noted to best practice guidance, these items had
not adversely impacted on the effectiveness of the Committee and in the majority of
cases, there were justifiable reasons for them. However, it was appreciated that
further training would be beneficial to Members and provisions would therefore be put
in place to complement the Committee’s work programme going forward.
RESOLVED
That the report be noted together with proposals to deliver member training
which supported the Committee’s work programme.
29. PROGRESS REPORT ON INTERNAL AUDIT ACTIVITY, APRIL TO AUGUST 2013
The report examined progress made between 1 April and 31 August 2013 in relation to
delivery of the Annual Audit Plan for 2013/14, and included abbreviated management
summaries in respect of the audit reviews which had been finalised in the course of
this period.
Adequate assurance levels had been awarded to the three audits completed in the first
five months of the financial year.
Audit Committee
9
17 September 2013
It was further noted that the Annual Audit Plan had been subject to some minor
rescheduling; the timing of two assignments featuring in the plan had been revised.
The Internal Audit Consortium Manager reported that a draft audit brief had been
prepared in respect of IT security, procurement and end user controls. Comment was
also made concerning the revised timing of the audit of data transfer, governance and
risk within Revenues and Benefits Services. This work had been deferred from
Quarter 3 to Quarter 4 at the request of management and there was currently some
uncertainty as to whether or not the audit was still required. Shared service
arrangements with Kings Lynn and West Norfolk Borough Council were continuing to
be explored and the audit was dependent on how these matters progressed.
Cllr Mrs Moore stated that she had spoken to the Revenues and Benefits Services
Manager. No decision had yet been made on the way forward. There was a problem
with the quality of the broadband link but there was still hope that the systems could be
made to talk to each other.
RESOLVED
That the outcomes of the three audits completed between 1 April and 31 August
be noted, together with the minor amendments made to the Annual Audit Plan
for 2013/14.
30. PROTOCOL FOR LIAISON BETWEEN INTERNAL AND EXTERNAL AUDITORS
The Internal Audit Consortium Manager had discussed this item with the External Audit
Manager and the only change needing to be made, concerned updating PWC
contacts named within the document. It was therefore considered that there was little
merit in producing a new Protocol.
It was thus agreed that the existing protocol should continue to operate for the
forthcoming year, but with some revision to PWC personnel named therein.
The meeting ended at 3.30 pm.
______________________
Chairman
Appendix to Audit Committee Minutes - 17 September 2013
Review of business continuity training and
existing plan
11th July 2013
James Allison
11 Ventura House, Norwich Road, Watton, Norfolk, IP25 6JU
Tel: 01603 740467
Mobile: 07833 545478
Email: james.allison@w-l-p.co.uk
Anglia Business Growth Consultants Ltd, trading as WLP, is a private limited company. Registered in England & Wales No.
3260958. Registered office 11 Ventura House, Norwich Road, Watton, Norfolk, IP25 6JU.
Contents
1. Introduction
2. Business Continuity Plan - assessment grid
3. Feedback from the training sessions
4. Acknowledgments
1. Introduction
The purpose of this report is to reflect on a project completed for Richard Cook (RC) of
North Norfolk District Council (NNDC) by James Allison (JA) of WLP. The principal aim
of the work had been to deliver training sessions to the management team at NNDC to
inform them about business continuity planning, identify their responsibilities in
delivering this plan and to provide assistance to enable them to communicate the key
points to the entire staff at NNDC.
A total of four training sessions took place over two days (27th June and 3rd July 2013).
In all, 31 members of staff took part. JA has provided RC with a copy of the PowerPoint
slides used in the presentation for distribution amongst those staff if required.
This report provides some feedback on the training sessions, along with an independent
assessment of NNDC’s current business continuity plan (BCP) including some possible
areas where this might be improved.
2. Business Continuity Plan - assessment grid
The grid below is based on a best practice assessment grid (source: NORMIT). It is a
high level tool, the purpose of which is not to give an in-depth analysis of NNDC’s BCP,
but to identify any broad areas where there might be room for further development and
improvement.
Assessment criteria, each with its score (out of 3) and commentary:

1. Is there an indication that the plan is part of a continuous process?
Score: 2
Commentary: The words within the plan, as well as the style, demonstrate that this is a
programme rather than a project.
Questions (with answers where already discussed with RC):
• Does it say who is responsible for review? [Maybe in the policy]
• Does it give evidence of history of when plans (including parts of the plan) were
tested / validated? [Future plan done but not included – this is WIP. Where exercises
happen RC will document – keep as an electronic journal and then put a reference to it
in the BCP itself so people know how to access.]
• Is there a schedule for future testing / validation?

2. Does the plan contain details and references to relevant guidance and legislation?
Score: 3

3. Is it documented that the plan forms part of a series of plans, or states its
relationship to the plans of the emergency services or other key players outside the
organisation?
Score: 3
Commentary: From the perspective of an outsider looking in, it would be useful to
understand more about these other parts and how they are accessed.
Put a paragraph in to clarify difference between internal BCP and handling external
crises.

4. Does the plan have a clear indication that it is endorsed and supported by the Chief
Executive / Senior Manager?
Score: 3
Commentary: It is clear and fulfils its requirements. However, it is expressed from the
perspective of what it delivers to external stakeholders. From the perspective of
achieving greater employee engagement, it might benefit from some additional narrative
to stress also that it should encourage cross-team working; that it helps to protect the
organisation’s on-going ability to provide services and therefore employment; that it
provides a safer and more secure working environment for all employees.
It was very positive that Nick Baker introduced in person the training sessions given by
WLP.

5. Does the plan identify clear aim and objectives?
Score: 3

6. Is the plan clear and unambiguous?
Score: 2
Commentary: It is very well written. It has been marked only as a ‘2’ because there is
room to simplify it further, albeit maybe through selective communication of key parts
to certain staff. Having a completely clear document is acknowledged to be a tough
challenge as the subject matter is not linear.

7. Does the plan have regard for current Risk Assessments?
Score: 2
Commentary: Probably something to be reviewed and drilled into in more detail when time
allows.

8. Does the plan contain a procedure for activation?
Score: 3

9. Are roles and responsibilities detailed?
Score: 3
Commentary: It is a difficult balance to strike between having a plan which does not
name individuals (gives job roles which is good practice), but in reality at the point
at which an incident occurs staff are more likely to identify with an individual rather
than a title.

10. Are the resources needed and sources identified, including their activation?
Score: 2
Commentary: Question – is an electronic version of the plan available in the event of
failure of NNDC’s computer systems e.g. Dropbox? Answer: All major job roles have a CD
with it (and other BCP related matters on), as well as duty officer.

11. Is training and exercises documented?
Score: 2
Commentary: It is important now to follow up on the training sessions delivered by WLP,
ensure that managers communicate the message to all staff members and that ‘doing the
right thing as a matter of routine’ becomes the culture at NNDC. By doing this and
documenting it would enable this category to be scored as a ‘3’.

Total (out of 33): 28
% rating (total multiplied by 3): 85%
Overall evaluation
This is an excellent plan which meets its legislative obligations, but also far exceeds
these minimum requirements. The flow diagrams in particular are excellent. It would be
difficult to ever consider a plan to be perfect given that it is something which must
constantly evolve. There are some areas for discussion highlighted. One of the main
previous areas of weakness had been around training, but the training undertaken by
WLP has clearly demonstrated management’s desire to address this concern. It is
important now that NNDC build internally on the foundations laid by the WLP training.
Overall, the plan gives a very solid basis from which to really try to embed BCP into the
culture at NNDC.
Method
Each element must be given a ranking score of one to three, three being the highest.
The criteria for marking are as follows:
1 = Missing or totally inadequate to achieve the desired objective
2 = Lacks clarity, is ambiguous, does not identify mechanism or resources to meet the
criteria or is clearly out of date
3 = Meets the required criteria
Aesthetic observations
There are a few small typos which are worth correcting:
• p19 – delete space before ‘Economic development’
• p21 – typo ‘resources’ on vertical arrow
Other observations
• Should NORMIT be added as an information source on p101?
• Should you consider putting some food and drink in the grab bag?
3. Feedback from the training sessions
All attendees at the training sessions were asked to complete review questionnaires, all
of which RC has a copy of. In general terms, the sessions seemed to be well received.
There was an interactive session in the middle of each presentation where attendees
were asked to discuss and document what they felt were ‘critical services’ and which
services could afford to be given a lower priority in the event of a crisis. The level of
input to these discussions was generally positive and constructive and almost everybody
contributed, which gave an indication of a good level of engagement.
In no particular order, key questions / comments which were noted from the sessions
were as follows:
• Q: Could we have a copy of the slides from the presentations?
o A: Yes – JA has provided RC with a PDF version.
• It might be a good idea to have some simple message boards put up around the
building to reinforce key points e.g. what to do in the event that you spot a suspect
package.
• A number of staff commented verbally that the sessions had changed their view on
BCP, made them understand the importance and general management value of the
concept and that it had given them additional impetus to take action in their
departments.
• Some staff members expressed an interest in RC coming along to their team
meetings periodically to help reinforce the message of the importance of BCP and to
help address specific questions within departments.
• It was noted that due to the relatively high level of restructuring which had gone on in
recent times and people moving round the building as a result that this had added to
the complexity of ensuring a consistent approach to communication over BCP. It
was also noted though that in the HR system there are some new modules in the
pipeline which might prove to be helpful with capturing information relevant to BCP.
• Whilst people agreed with the notion of trying to keep things as simple as possible,
some people stated that not all forms were easy to navigate, particularly the
Business Impact Analysis (BIA).
• It was noted at the end of the sessions on the first day that not everyone was 100%
clear on what they were expected to go away and do next. This was addressed for
the sessions which took place on the 2nd day. In summary, the message was:
o All attendees to familiarise themselves with the main BCP.
o Identify the bits of the BCP which were key to them and their staff.
o Communicate with their staff, in particular ensuring that a plan was in place so
that they knew what to do when their manager was not there.
• RC would revisit ‘Action Card 0’ with a view to making this more of a management
tool e.g. adding a glossary of terms.
• On the action cards, job roles are given rather than the names of individuals. Whilst
everyone understood the reasons for this, it is still a barrier to clear communication
with a wider audience. RC is going to look at this and investigate ways of having
some kind of mechanism to link roles to people so that there is a simple way of staff
knowing who to talk to in an emergency.
• One person made the very valid point that, culturally, a sign of progress and
employee engagement would be if staff began to push ideas on BCP back up the
organisation, rather than traffic being one way (i.e. management briefing
downwards).
4. Acknowledgments
JA and WLP would like to thank RC and NNDC for the opportunity to work with them on
this project. It has been a real pleasure to work with everybody involved and there has
been an excellent level of input and quality of contribution from many members of staff
at NNDC throughout the preparation and delivery of the project.
Agenda Item 6
AUDIT COMMITTEE 17 SEPTEMBER 2013 – ACTIONS ARISING FROM THE MINUTES
1. Appointment of Vice-Chairman
Ratification of Miss B Palmer’s appointment as Vice-Chairman of the Audit Committee.
Linda Yarham/Emma Denny
Appointment ratified at Full Council on 18 September 2013.
2. PWC Annual Governance Report 2012/13
1. Benchmarking data for pensions liability to be provided.
Aphrodite Antoniades
Pensions benchmarking data supplied – copy attached.
2. The Committee authorised signature of the letter of representation.
Karen Sly
Done.
3. Annual Report of the Monitoring Officer 2012/13
Comparison of number of complaints to the Ombudsman in 2012/13 compared to other
years to be supplied to Cllr A Moore.
David Johnson
4. Local Code of Corporate Governance and Annual Governance Statement 2012/13
1. Appendix B, section 1.2 possible rewording.
Karen Sly
2. Possible inclusion of metrics in the appendix to support the evidence.
Karen Sly
3. Arrangements to be made for Members to attend other Councils’ Scrutiny meetings.
Linda Yarham/Tessa Gilder-Smith
No formal action - dates of other Councils’ Scrutiny meetings to be circulated so
Members can attend if they wish.
5. Audit Committee Self-Assessment Outcomes
1. Training needs to be identified.
Sandra King
Training has already been programmed and will be extended to substitutes.
2. Consideration to be given to the length/repetitive nature of some reports.
To be considered as part of Audit review.
All
[Chart: Pensions Liability in Councils in the region, 2009 to 2013. Vertical axis from
20,000 to 180,000. Councils shown: North Norfolk District Council, Breckland District
Council, Broadland District Council, Great Yarmouth Borough Council, Kings Lynn and
West Norfolk Borough Council, Norwich City Council, South Norfolk District Council.]
[Chart: Pensions Liability in Nearest Statistical Neighbours*, 2009 to 2013. Vertical
axis from 50,000 to 300,000. Councils shown: North Norfolk District Council, West Dorset
District Council, East Devon District Council, South Hams District Council, Teignbridge
District Council, South Lakeland District Council, Torridge District Council, Isle of
Wight Council, North Devon Council, Rother District Council, Chichester District
Council, Tendring District Council, East Lindsey District Council, Suffolk Coastal
District Council.]
* Nearest Statistical Neighbours is a model developed by CIPFA to aid benchmarking between authorities with the most similar profile.
Agenda Item 7
AUDIT COMMITTEE WORK PROGRAMME 2013 - 2014
JUNE 2013
SEPTEMBER
2013
DECEMBER
2013
MARCH 2014
PWC
PWC 2012/13
Annual
Governance report
(ISA260)
Annual Audit
Letter (PWC)
Protocol for liaison
between internal
and external
auditors
Internal Audit
Annual Review of
the Effectiveness
of Internal Audit
Annual Report
and Opinion
Status of agreed
actions
Undertake self-assessment
NNDC
Corporate Risk
Register/ risk
management
framework
Business
Continuity Plan
Review
Quarterly
Summaries of
completed audits
Audit Plan (PWC)
Annual Grant
Certification Report
External Audit
training for
Committee
Half yearly
progress
reports on the
overall
performance of
the audit
contract
Quarterly
Summaries of
completed audits
Report on
follow-up work
Computer Audit
Audit Plan
Corporate Risk
Register
Risk Management
Framework
Internal Audit
training
Statement of
Accounts (+
informal training)
Business
Continuity
Monitoring
Officer’s Report
Local Code of
Corporate
Governance and
Action Plan –
update and Annual
Governance
Statement 2012/13
– update
Agenda Item 8
www.pwc.co.uk
North Norfolk District
Council
Annual Audit Letter
2012/13
Government and
Public Sector
October 2013
Contents
Introduction
Audit Findings
Final Fees
Code of Audit Practice and Statement of Responsibilities of Auditors and of Audited
Bodies
In April 2010 the Audit Commission
issued a revised version of the
‘Statement of responsibilities of
auditors and of audited bodies’. It is
available from the Chief Executive
of each audited body. The purpose
of the statement is to assist auditors
and audited bodies by explaining
where the responsibilities of
auditors begin and end and what is
to be expected of the audited body in
certain areas. Our reports and
management letters are prepared in
the context of this Statement.
Reports and letters prepared by
appointed auditors and addressed
to members or officers are prepared
for the sole use of the audited body
and no responsibility is taken by
auditors to any Member or officer
in their individual capacity or to
any third party.
An audit is not designed to
identify all matters that may
be relevant to those charged
with governance. Accordingly,
the audit does not ordinarily
identify all such matters.
Introduction
The purpose of this letter
This letter summarises the results of our 2012/13 audit work for members of the
Authority.
We have already reported the detailed findings from our audit work to the Audit
Committee in the following reports:
• Audit opinion for the 2012/13 financial statements, incorporating conclusion on the
proper arrangements to secure economy, efficiency and effectiveness in its use of
resources;
• Report to those charged with Governance (ISA (UK&I) 260); and
• Annual Certification Report (to those charged with governance).
The matters reported here are the most significant for the Authority.
Scope of Work
The Authority is responsible for preparing and publishing its Statement of Accounts,
accompanied by the Annual Governance Statement. It is also responsible for putting in
place proper arrangements to secure economy, efficiency and effectiveness in its use of
resources.
Our 2012/13 audit work has been undertaken in accordance with the Audit Plan that we
issued in March 2013 and is conducted in accordance with the Audit Commission’s Code
of Audit Practice, International Standards on Auditing (UK and Ireland) and other
guidance issued by the Audit Commission.
We met our responsibilities as follows:
Audit Responsibility: Perform an audit of the accounts in accordance with the Auditing
Practice Board’s International Standards on Auditing (ISAs (UK&I)).
Results: We reported our findings to those charged with governance on 17 September 2013
in our 2012/13 Report to those charged with governance (ISA (UK&I) 260). On 19
September 2013 we issued an unqualified audit opinion.
Audit Responsibility: Report to the National Audit Office on the accuracy of the
consolidation pack the Authority is required to prepare for the Whole of Government
Accounts.
Results: We reported our findings to the National Audit Office on 19 September 2013.
Audit Responsibility: Form a conclusion on the arrangements the Authority has made for
securing economy, efficiency and effectiveness in its use of resources.
Results: On 19 September 2013 we issued an unqualified value for money conclusion.
Audit Responsibility: Consider the completeness of disclosures in the Authority’s annual
governance statement, identify any inconsistencies with the other information of which
we are aware from our work and consider whether it complies with CIPFA / SOLACE
guidance.
Results: There were no issues to report in this regard.
Audit Responsibility: Issue a certificate that we have completed the audit in accordance
with the requirements of the Audit Commission Act 1998 and the Code of Practice issued
by the Audit Commission.
Results: We issued our completion certificate on 19 September 2013.
Audit Responsibility: Consider whether, in the public interest, we should make a report
on any matter coming to our notice in the course of the audit.
Results: There were no issues to report in this regard.
Audit Responsibility: Determine whether any other action should be taken in relation to
our responsibilities under the Audit Commission Act.
Results: There were no issues to report in this regard.
We issued an unqualified audit
report on 19 September 2013.
Audit Findings
Accounts
We audited the Authority’s accounts in line with approved
Auditing Standards and issued an unqualified audit opinion
on 19 September 2013.
Use of Resources
We carried out sufficient, relevant work in line with the Audit
Commission’s guidance, so that we could conclude on
whether the Authority had in place, for 2012/13, proper
arrangements to secure economy, efficiency and effectiveness
in its use of resources.
In line with Audit Commission requirements, our conclusion
was based on two criteria:
• the organisation has proper arrangements in place
for securing financial resilience; and
• the organisation has proper arrangements for
challenging how it secures economy, efficiency and
effectiveness.
To reach our conclusion, we carried out a programme of work
that was based on our risk assessment.
We issued an unqualified conclusion.
Annual Governance Statement
Local authorities are required to produce an Annual
Governance Statement (AGS) that is consistent with
guidance issued by CIPFA/SOLACE. The AGS accompanies
the Statement of Accounts.
We reviewed the AGS to consider whether it complied with
the CIPFA/SOLACE guidance and whether it might be
misleading or inconsistent with other information known to
us from our audit work. We found no areas of concern to
report in this context.
Whole of Government Accounts
We undertook our work on the Whole of Government
Accounts consolidation pack as prescribed by the Audit
Commission. The audited pack was submitted on 19
September 2013. We found no areas of concern to report in
this context.
Certification of Claims and Returns
We presented our most recent Annual Certification Report
for 2011/12 to those charged with governance in January.
We certified 4 claims worth £56,284,722. In 1 case a
qualification letter was required to set out the issues arising
from the certification of the claim. We will issue the Annual
Certification Report for 2012/13 in December.
Final Fees
Final Fees for 2012/13
We reported our fee proposals in our audit plan.
Our actual fees for audit work performed under the Code of
Audit Practice were in line with our proposals.
Audit work performed under the Code of Audit Practice
- Statement of Accounts
- Conclusion on the ability of the organisation to secure proper arrangements for the
economy, efficiency and effectiveness in its use of resources
- Whole of Government Accounts
2012/13 outturn: 74,350
2012/13 fee proposal: 74,350
2011/12 final outturn: 118,750

Certification of Claims and Returns
2012/13 outturn: 36,000 (1)
2012/13 fee proposal: 36,000
2011/12 final outturn: 59,040

TOTAL
2012/13 outturn: 110,350
2012/13 fee proposal: 110,350
2011/12 final outturn: 177,790

(1) Our fee for certification of claims and returns is yet to be finalised for
2012/13 and will be reported to those charged with governance in December
within the 2012/13 Annual Certification Report.
In the event that, pursuant to a request which North Norfolk District Council has received under the Freedom of Information Act 2000, it is required to disclose any information contained in this
report, it will notify PwC promptly and consult with PwC prior to disclosing such report. North Norfolk District Council agrees to pay due regard to any representations which PwC may make in
connection with such disclosure and North Norfolk District Council shall apply any relevant exemptions which may exist under the Act to such report. If, following consultation with PwC, North
Norfolk District Council discloses this report or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced
in full in any copies disclosed.
This document has been prepared only for North Norfolk District Council and solely for the purpose and on the terms agreed through our contract with the Audit Commission. We accept no
liability (including for negligence) to anyone else in connection with this document, and it may not be provided to anyone else.
© 2013 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate
legal entity. Please see www.pwc.com/structure for further details.
Audit Committee
10 December 2013
Agenda Item No 9
Progress Report on Internal Audit Activity, 1 September to 25 November 2013
Summary:
This report examines progress made between 1 September and
25 November 2013 in relation to delivery of the Annual Audit
Plan for 2013/14, and includes abbreviated management
summaries in respect of the audit reviews which have been
finalised in the course of this period.
Conclusions:
A total of 6 audit assignments have been processed culminating
in a mix of good and adequate assurances being awarded.
Those areas in receipt of good assurances included Freedom of
Information and Data Protection arrangements, Treasury
Management, Control Accounts, Banking, the Asset Register,
Budgetary Control and Journal Entries, whilst adequate audit
opinions were given to Bank Reconciliations, Waste
Management, Document Imaging and Workflow Application, the
Revenues and Benefits Application – Civica and IT Security,
Procurement and End User Controls.
In the course of the twelve week period examined, a Computer
Audit Needs Assessment was also performed confirming IT
audit reviews which should be delivered as a matter of priority in
future years.
There have additionally been some changes to overall planned
days for the year, in so far as the figure of 213 days approved by
the Audit Committee on 19 March 2013 has now reduced to 186
days. This is due to the fact that the envisaged Phase 2
element of ad-hoc work requested by management in relation to
the Revenues and Benefits service has not progressed as
originally envisaged, and currently management are re-examining partnership arrangements with a view to securing
savings and efficiencies from service delivery in the future. In
addition, it has been agreed to defer the audit of Development
Management to 2014/15 as there is still considerable work to be
done to complete the Planning Peer Challenge Action Plan
before a meaningful audit can be performed in this service area.
Recommendations:
It is recommended that the Committee notes the outcomes of
the 6 audits completed between 1 September and 25 November
where assurance levels have been given, together with in-year
revisions made to the approved Annual Audit Plan for 2013/14
concerning the rescheduling of some reviews and the
requirement, endorsed by management, to defer two pieces of
work to 2014/15.
Members also need to note that the outcomes of the Computer
Audit Needs Assessment are being reported separately via a
further report attached to this agenda, which elaborates on the
blend of IT audits recommended in future years, and contains a
copy of the amended Strategic Audit Plan which now reflects
much of the detailed additional requirements that have been
identified.
Cabinet member(s): All
Wards: All
Contact Officer, telephone number, and e-mail:
Sandra King, Internal Audit Consortium Manager
01508 533863
scking@s-norfolk.gov.uk
1. Background
1.1 The Accounts and Audit Regulations 2011 require that the Council must
undertake an adequate and effective internal audit of its accounting records and
of its system of internal control in accordance with the proper practices in
relation to internal controls. To assist the authority with fulfilling this
responsibility, this Activity Report seeks to build on the findings of the previous
Progress Report provided to members in September 2013, examining further
progress made with regards to progressing assignments featuring in the
approved Annual Internal Audit Plan for 2013/14, which was endorsed by the
Audit Committee on 19 March 2013.
1.2 The Public Sector Internal Audit Standards which came into effect on 1 April
2013 also require that this Committee receives regular communications
regarding Internal Audit’s performance in relation to the Annual Audit Plan. This
report thus aims to meet this requirement and ensure that independence and
objectivity (Standard 1100) are maintained.
2. Amendments to the Annual Audit Plan
2.1 Since we last reported on the status of the Annual Audit Plan and provided
members with details regarding two minor amendments to timings of audits,
there have been further developments whereby the audit days for delivery in year
have been amended from 213 days to 186 days.
The audit of Revenues and Benefits Services – Data Transfer, Governance and
Risk, which was carried forward from 2013/14 was initially deferred to Quarter
4, from an original planned date of October 2013. It has now become apparent
that this needs to be further postponed to 2014/15 as the Council is currently
reviewing the options available regarding the future arrangements for delivery
of the Revenues and Benefits Service, exploring a range of partnership options to
release more operational savings and efficiencies.
The review of Development Management, previously timetabled to take place in
Quarter 4 of 2013/14, has also had to be taken out of the Annual Audit Plan,
because the Planning Peer Challenge Action Plan has not advanced as
intended. The delayed appointment of a new Head of Planning has resulted in
a need to revise the timing of a proposed management restructure within the
service, plus a detailed review of current policies, processes and procedures.
Thus, performing the audit in February 2014 is now too early to be both
constructive and informative to management; hence a decision has been taken
to suspend our input to the middle of June 2014. By then, a new staffing
structure will have been finalised and updated working practices have had an
opportunity to become embedded, enabling Internal Audit to subsequently
evaluate the quality of amended service provisions.
2.2
The previously reported rescheduling of planned work within the current year
and the updated timetable for undertaking 2013/14 audit assignments is noted
in Appendix A to this report.
3.
Delivery of Programmed Audit Work in accordance with the Revised
Annual Audit Plan
3.1
As demonstrated in Appendix A, 138 days of programmed work had been
completed at the time of writing this report. This figure equates to 74% of
revised audit planned days earmarked for completion in 2013/14. The status of
individual audits can be summarised thus:
Six assignments have been completed and final reports issued where audit
assurance levels have been generated – these apply to Audit Nos. NN/14/04
Waste Management, NN/14/06 Freedom of Information and Data Protection,
NN/14/07 Accountancy Services, NN/14/13 Document Imaging and
Workflow Application, NN/14/14 OPENRevenues Revenues and Benefits
Application and NN/14/15 IT Security, Procurement and End User Controls.
A Computer Audit Needs Assessment has been subject to final reporting
and is examined in greater detail in a subsequent report attaching to this
Committee agenda.
The audit fieldwork is under way for NN/14/09 Sundry Debtors.
4.
Outcomes of Work Undertaken
4.1
With reference to work completed between 1 September and 25 November
2013, as mentioned above, of the 6 separate reviews finalised during this period
where audit opinions have been forthcoming, their corresponding management
summaries have been attached at Appendix B to the report.
4.2
In the case of the Waste Management audit (Audit No. NN/14/04), we have
been able to give an adequate assurance level to operational arrangements,
which is consistent with the audit opinion provided the last time this area was
examined, with four medium and one low priority recommendations being
made. Two of the medium recommendations have been raised to ensure that
contract variations are approved by Kier and the Council, and that a contractual
risk register should be in place and subject to regular review by both the Council
and Kier. A further two medium priority recommendations have been raised in
which the Council needs to notify Kier of the requirements to ensure that details
of payments are completed in full for garden waste and that the monthly
reconciliation undertaken is subject to independent review and any
discrepancies are investigated promptly.
4.3
With reference to the Freedom of Information (FOI) and Data Protection (DP)
audit (Audit No. NN/14/06) a good assurance opinion was provided as the
system and processes of internal control were deemed to be sound in
managing the risks associated with FOI and DP. This assurance level also
shows an improvement in controls since the last time the area was reviewed,
when it was awarded an adequate assurance. No recommendations were
raised as a result of the audit and a number of sound controls have been noted.
4.4
Upon completion of our review of Accountancy Services (Audit No. NN/14/07)
we have been able to give multiple assurances in the same way that we did
upon completing our review of key controls when undertaking work to support
the preparation of the Annual Governance Statement in 2012/13. However, on
this occasion, our audit has covered the relevant financial systems in a far more
detailed manner and as a consequence of our evaluation of arrangements, we
have been able to consider the full range of assurances before applying good
assurances to 6 of the 7 elements examined. This clearly demonstrates that
the internal control environment is strong with regards to Treasury
Management, Control Accounts, Banking, the Asset Register, Budgetary
Control and Journal Entries – General Ledger Maintenance. We did note that
an additional action was required to further enhance the Asset Register system
but felt that this did not undermine the good assurance that we considered
applicable. The other area – Bank Reconciliations – received an adequate
assurance following scrutiny of provisions in place. We found some issues with
the timeliness of certain reconciliations, caused by staff availability to perform
these tasks. The Head of Finance has provided contextual information as to
how reconciliations came to be delayed and confirmed that this will not be a
problem going forward.
4.5
In relation to the Document Imaging and Workflow Application audit (Audit No.
NN/14/13) and OPENRevenues Revenues and Benefits Application audit (Audit
No. NN/14/14) an adequate assurance opinion has been provided upon
conclusion of both audits. The two systems are integrated and the outcomes of
each audit need to be considered alongside each other. In total five
recommendations were made; 3 of a medium priority and two of a low priority.
The medium priority recommendations related to the need to ensure that new
accounts are prompted to change their passwords on first use (as this is initially
system set) and subsequently every 60 days thereafter, to ensure that the
Business Continuity plan currently in review is finalised and that the available
auditing parameters are reviewed.
4.6
Finally the audit of IT Security, Procurement and End User Controls (Audit No.
NN/14/15) was awarded an adequate assurance level, which is consistent with
the audit opinion provided the last time the area was reviewed. Eight
recommendations have been raised, with five of these carrying a medium
priority rating. These recommendations relate to utilising the new service desk
application for asset management, tagging and logging of IT assets and
reconciliation of decommissioned assets and to ensure that all mobile phone
users sign the policy and that laptop encryption is undertaken.
4.7
Members should note that all audits finalised in this period have received a
positive assurance, i.e. good or adequate and that all audit reports issued so far
in the current financial year, have resulted in positive assurances being
awarded, which emphasises that the systems of internal control evaluated to
date, have been found to be working effectively and efficiently.
5.
Conclusion
5.1
Good progress has been made with the delivery of the Audit Plan to date;
positive assurances have been awarded and all other work scheduled is on
track as expected.
6.
Recommendation
6.1
That members note the outcomes of the six completed audits where audit
opinions have been provided and revisions made to assignments featuring in
the Annual Audit Plan for 2013/14.
Appendices attached to this report:
Appendix A – Review Work delivered in accordance with the Annual Audit Plan for
2013/14
Appendix B – Abbreviated Management Summaries of Completed Audit Assignments
Appendix B (1) NN/14/04 Waste Management
Appendix B (2) NN/14/06 Freedom of Information and Data Protection
Appendix B (3) NN/14/07 Accountancy Services
Appendix B (4) NN/14/13 Document Imaging and Workflow Application
Appendix B (5) NN/14/14 OPENRevenues Revenues and Benefits Application
Appendix B (6) NN/14/15 IT Security, Procurement and End User Controls
Appendix A
Review Work delivered in accordance with the Annual Audit Plan for 2013/14
PLANNED SYSTEMS AUDIT WORK

| Audit No. | Description of Audit | Frequency of Audit Coverage | Original Days Planned | Revised Days Planned | Days Delivered | Scheduling | Status | Assurance Level applicable | Summary Report Details presented to Members |
|---|---|---|---|---|---|---|---|---|---|
| NN/14/01 | Environmental Health Services | 3-yearly | 19 | 19 | 19 | April | Complete. Final Report issued 16 July 2013 | Adequate | 17 September 2013 |
| NN/14/02 | Private Sector Housing - Disabled Facilities Grants | 3-yearly | 8 | 8 | 8 | June | Complete. Final Report issued 8 August 2013 | Adequate | 17 September 2013 |
| NN/14/03 | Car Parking and Markets | 2-yearly | 16 | 16 | 16 | July | Complete. Final Report issued 20 August 2013 | Adequate | 17 September 2013 |
| NN/14/04 | Waste Management | 2-yearly | 18 | 18 | 18 | August | Complete. Final Report issued 14 October 2013 | Adequate | 10 December 2013 |
| NN/14/05 | Tourism and Economic Development | 3-yearly | 10 | 10 | | September / January | | | |
| NN/14/06 | Freedom of Information and Data Protection | 3-yearly | 8 | 8 | 8 | October | Complete. Final Report issued 13 November 2013 | Good | 10 December 2013 |
| NN/14/07 | Accountancy Services | 2-yearly | 17 | 17 | 17 | October | Complete. Final Report issued 21 November 2013 | See below | 10 December 2013 |
| NN/14/08 | Revenues and Benefits Services - Data Transfer, Governance and Risk | Ad-hoc | 5 | 0 | 0 | October / Quarter 4 | Audit deferred to 2014/15 at the request of management | | |
| NN/14/09 | Sundry Debtors | 2-yearly | 10 | 10 | 5 | November | Audit brief issued and fieldwork underway. | | |
| NN/14/10 | Work to Support the AGS | Annually | 15 | 15 | | January | | | |
| NN/14/11 | Receipt, handling and banking of remittances and tourist information centres | 2-yearly | 12 | 12 | | January | | | |
| NN/14/12 | Development Management | 3-yearly | 22 | 0 | 0 | February | Audit deferred to 2014/15 at the request of management | | |
| | Systems Audit Follow Up | Annually | 8 | 8 | 4 | | 2 x 6-monthly validation | | |
| | TOTAL PLANNED SYSTEMS AUDIT WORK | | 168 | 141 | 95 (67%) | | | | |

Assurance levels for NN/14/07 Accountancy Services:

| Area | Assurance Level |
|---|---|
| Treasury Management | Good |
| Control Accounts | Good |
| Banking | Good |
| Asset Register | Good |
| Budgetary Control | Good |
| Journal Entries | Good |
| Bank Reconciliations | Adequate |

PLANNED COMPUTER AUDIT WORK

| Audit No. | Description of Audit | Frequency of Audit Coverage | Original Days Planned | Revised Days Planned | Days Delivered | Scheduling | Status | Assurance Level applicable | Summary Report Details presented to Members |
|---|---|---|---|---|---|---|---|---|---|
| NN/14/13 | Document Imaging and Workflow Application | 4-yearly | 10 | 10 | 10 | July / September | Complete. Final Report issued 25 October 2013 | Adequate | 10 December 2013 |
| NN/14/14 | Revenues and Benefits Application Civica | 3-yearly | 13 | 13 | 13 | September | Complete. Final Report issued 28 October 2013 | Adequate | 10 December 2013 |
| NN/14/15 | IT Security, Procurement and End User Controls | 2-yearly | 13 | 13 | 13 | October | Complete. Final Report issued 14 November 2013 | Adequate | 10 December 2013 |
| NN/14/16 | Computer Audit Needs Assessment | 3-yearly | 5 | 5 | 5 | October / September | Complete. Final Report issued 26 September 2013 | N/A | 10 December 2013 |
| | Computer Audit Follow Up | Annually | 4 | 4 | 2 | | 2 x 6-monthly validation | | |
| | TOTAL PLANNED COMPUTER AUDIT WORK | | 45 | 45 | 43 (96%) | | | | |
| | TOTAL PLANNED WORK | | 213 | 186 | 138 (74%) | | | | |
Appendix B(1)
Report No. NN/14/04 – Final Report issued 14 October 2013
Audit Report on Waste Management
Audit Scope
The scope of the audit covered the effectiveness and efficiency of controls operating around:
Contract and Payments;
Contract and Service Monitoring; and,
Kier Systems and Controls.
Assurance Opinion
Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance
Rationale supporting the award of the opinion
The system of internal control is, overall, deemed adequate in managing the risks associated
with Waste Management that fall within the scope of this audit. The level of assurance has
remained the same since the previous audit undertaken for this area. The assurance opinion
has been derived as a result of four medium and one low priority recommendations having
been raised.
Specific focus was placed upon the processes adopted by Kier in relation to the receipt of
payment, recording and reconciliation of bulky and garden waste. Two recommendations
have been raised in this control area in relation to the requirement to note all payment
reference details alongside records to provide a sufficient audit trail, to investigate
discrepancies where they arise, to ensure independent review of reconciliations, and to
ensure that the integrity of the data is protected.
Interfaces now occur between the Kier Whitespace Powersuite system and the Council’s M3
system to allow for data to be transferred between the two. Issues have been noted within
the interface with the Environmental Services Officer undertaking a review to ascertain the
anomalies and to identify methods of rectifying these. A recommendation has not been
raised as interface errors are notified to the Council through M3 as and when they occur.
Positive Findings
We have acknowledged the following areas where sound controls are in place and operating
consistently.
Invoices received by Kier on a monthly basis are approved and reviewed by the
Environmental Services Officer prior to payment. They are supported by
evidence where rates are variable or dependent upon activity.
Two-weekly meetings are held between Kier and the Council in order to address
operational and other issues raised.
KPIs have been documented and agreed between both parties with a template of
the main KPIs to be updated each year. These are in line with the corporate
objectives and efforts have been made to make the KPIs meaningful and
practical. This also had been addressed by Kier on the Annual Improvement Plan
with an updated KPI template for 2013/14 agreed in the quarterly meeting in May
2013.
The system used for the recording of garden and bulky waste payments is
spreadsheet-based. This does mean that the data can be manipulated and that
there is no audit trail in respect of additions, amendments or deletions made. We
were advised by the Environmental Services Manager, who also manages the
services for Kings Lynn and West Norfolk Borough Council (KL&WNBC) that
KL&WNBC has a system which records garden waste payments that does
provide the requisite audit trail lacking in North Norfolk’s case. Consideration
should be given as to whether this can be used for North Norfolk District Council
as it would improve on current controls.
Control weaknesses to be addressed
During our work we have identified the following areas where we believe that the processes /
arrangement within Waste Management would benefit from being strengthened, and as a
result of these findings medium priority recommendations have been made.
Contract and Payments
Variation notices should be approved by both parties; Kier and the Council. In four cases it
was found that these had not been approved by the Contractor which could mean that these
variations are not enforced or costed in line with expected arrangements.
Contract and Service Monitoring
A contractual risk register should be in place detailing risks along with mitigation plans and be
subject to regular review by both Kier and the Council. Nevertheless, we identified a risk
register within the Operational Service Plan from when the contract commenced on 1st of April
201. That was found to be too vague and generalised, not reflecting the real risks arising
from the contract with Kier and had also not been updated since inception.
Kier Systems and Controls
Details of payments should be noted within the Garden Waste spreadsheet record. It was
noted that some customers/payments within the spreadsheet record of Garden Waste
payments were not supported by a reference for the payment. This makes it difficult to
identify receipt of all payments before services are provided.
The monthly reconciliation undertaken by Kier should be subject to documented independent
review; discrepancies identified within the reconciliations are not promptly investigated.
Discrepancies were noted within the reconciliations of February 2013 and July 2013. These
were positive variances of £3,988.12 and £1,572.32, respectively, in that the bank statement
displayed a higher level of income than that expected. This does mean that there could be
errors within Kier’s records for garden waste payments and customers.
Summary of the adequacy and effectiveness of controls
| Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: High | Medium | Low |
|---|---|---|---|---|---|
| Contract and Payments | Green | Amber | 0 | 1 | 0 |
| Contract and Service Monitoring | Green | Amber | 0 | 1 | 1 |
| Kier Systems and Controls | Green | Amber | 0 | 2 | 0 |
| Total | | | 0 | 4 | 1 |
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have accepted the recommendation raised.
Appendix B(2)
Report No. NN/14/06 – Final Report issued 13 November 2013
Audit Report on Freedom of Information and Data Protection
Audit Scope
The scope of the audit covered the effectiveness and efficiency of controls operating around:
Data Protection; and
Freedom of Information.
Assurance Opinion
Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance
Rationale supporting the award of the opinion
The system and processes of internal control are, overall, deemed to be sound in managing
the risks associated with FOI and DP that fall within the scope of this audit with no issues of
concern arising and hence no recommendations being raised. The Council has demonstrated
compliance with statutory guidance in administering FOI and DP requirements. The level of
assurance has improved since the previous audit undertaken for these areas, acknowledging
that the scope of the legal services review was wider than coverage of FOI and DP hence the
level of improvement is reflected with a forward direction of travel indicator.
Positive Findings
We have acknowledged the following areas where sound controls are in place and operating
consistently.
Policies and procedures for administering FOI requests and the eight core principles
of DP are in place having been reviewed in June 2013. Detailed within are the
responsibilities of officers at both service and corporate level.
The Council has renewed its annual registration with the ICO until August 2014.
Similarly, the expiration date for the Electoral Registration Officer for North Norfolk
District Council was renewed until October 2014.
Heads of service through their annual self-assessment assurance statements confirm
compliance with FOI and DP principles. Where in one case, a head of service
indicated only partial agreement, due to lack of training on FOI and DP, training
sessions were subsequently arranged with webinars and extracts published in the
monthly issue of “The Briefing”.
Data is disposed of safely in confidential waste bins and security arrangements are
embedded within the Council’s ICT Security Policy.
A Publication Scheme is in place complying with the FOI Act 2000 having been
reviewed in February 2012 with the next scheduled review due in February 2014.
FOI requests are recorded and reported to the Corporate Leadership Team (CLT)
with the key performance indicators (KPIs). FOI requests are also recorded on the
Intranet. We established that FOI requests are responded to in accordance with the
20-day statutory requirement. Exemptions and partial non-disclosures are fully
justified. No appeals or requests for reviews had been made to since April 2013.
The Council has an annual Public Sector Network (PSN) compliant certificate
effective from 13th August 2013 which complies with the regulations set out by the
Cabinet Office. The PSN allows the Council to transfer revenues and benefits data
and electoral registration data securely.
Control weaknesses to be addressed
During the period April to June 2013, the Council exceeded the 20 day target for responding
to FOI subject access requests in 12 out of 100 cases. Eight related to requests within the
revenues and benefits service area and the delays occurred despite reminders having been
issued by the Legal Assistant to respond to these requests. The matter was referred to the
Head of Legal Services and measures put in place, with effect from September 2013, for the
Legal Assistant to assist with addressing such requests with outcomes on performance being
monitored by the CLT. As such, no recommendation is considered necessary.
Summary of the adequacy and effectiveness of controls
| Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: High | Medium | Low |
|---|---|---|---|---|---|
| Data Protection | Green | Green | 0 | 0 | 0 |
| Freedom of Information | Green | Green | 0 | 0 | 0 |
| Total | | | 0 | 0 | 0 |
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
No recommendations have been raised as a result of this audit therefore no management
responses have been required.
Appendix B(3)
Report No. NN/14/07 – Final Report issued 21 November 2013
Audit Report on Accountancy Services
Audit Scope
The scope of the audit covered the effectiveness and efficiency of controls operating around:
Treasury Management;
Control Accounts;
Banking;
Bank Reconciliations;
Asset Register;
Budgetary Control; and
Journal Entries - General Ledger Maintenance.
Assurance Opinion
We have provided two separate Assurance Opinions, in particular a good assurance audit
opinion to reflect the control environment around treasury management, control accounts,
banking, asset register, budgetary control and journal entries and an adequate assurance
audit opinion to reflect an issue with controls in respect of bank reconciliations.
Treasury Management, Control Accounts, Banking, Asset Register, Budgetary Control
and Journal Entries
Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance
Bank Reconciliations
Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance
Rationale supporting the award of the opinion
Treasury Management, Control Accounts, Banking, Asset Register, Budgetary Control and
Journal Entries
The systems and processes of internal control are, overall, deemed good in managing the
risks associated with treasury management, control accounts, banking, asset register,
budgetary control and journal entries that fall within the scope of this audit, representing good
practice with administering these functions. The level of assurance has improved since the
previous audit undertaken for these areas hence the direction of travel indicator showing
improvement. One low priority recommendation has been raised in respect of populating the
asset register; this did not however prevent manual reconciliations from being undertaken and
does not therefore detract from the overall good assurance rating.
Bank Reconciliations
The system of internal control is, overall, deemed adequate in managing the risks associated
with bank reconciliations. The assurance opinion has been derived as a result of one medium
priority recommendation being raised upon conclusion of our work in relation to the need to
complete timely reconciliations, i.e. monthly.
Positive Findings
We have acknowledged the following areas where sound controls are in place and operating
consistently.
Treasury Management
Investments are undertaken in line with the CIPFA requirements and the Treasury
Management Strategy approved by the Council. All Counterparties are fully utilised
taking into account the imminent cash flow requirements of the Council.
Control Accounts
Control account reconciliations are undertaken in a timely fashion and
independently reviewed and signed off.
Banking
Bank charges (commission charges, tariffs), agreed with the Co-operative Bank,
are checked and verified to the Council’s records.
The Council is also putting measures in place for contingency banking
arrangements with other Norfolk councils with Barclays Bank should its current
bankers fail. This is seen as good practice following recent publicity regarding
the Co-operative Bank’s current financial position, with Moody’s having recently
downgraded its credit rating to Caa1 (speculative grade).
Budgetary Control
The Council’s budget is set in accordance with an agreed timetable and formally
approved.
Budget monitoring reports are produced in a timely manner and budget holders
attend regular meetings with group accountants to monitor their budget.
Journal Entries
Journal transfers are authorised above £100k with supporting documentation
retained in each case. There is a pre-existing issue whereby we have
recommended previously that all journals should be authorised. However,
management have in the past accepted the risks with this level of control and
continue to do so.
Control weaknesses to be addressed
During our work we have identified the following areas where we believe that the processes /
arrangements for bank reconciliations would benefit from being strengthened and as a result
of this one medium priority recommendation has been made.
Bank Reconciliations
Bank reconciliations should be undertaken on a monthly basis to confirm both the
Council’s and the bank’s records agree and to allow for prompt and thorough
investigation of any imbalances. Issues with the timeliness of bank reconciliations
were raised in the previous report on Accountancy Services (NN1205) and in the
previous report on the Work to support the Annual Governance Statement
(NN1311) with recommendations made in both reports and reported by
management as having been implemented on both occasions.
We also believe further enhancements could be made in respect of:
Asset Register
Although we established that the asset register had been manually reconciled to
the general ledger, more work is still required to update the register to facilitate
automatic reconciliations now that the technical issues with the Forge Asset
Register system have been resolved. We have therefore made a low priority
recommendation for the data to be input on to the Forge Asset Register, although
as the risk of undetected errors is mitigated through the manual reconciliation
process, the low priority rating of this recommendation does not detract from the
overall Good Assurance in this area.
Summary of the adequacy and effectiveness of controls
| Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: High | Medium | Low |
|---|---|---|---|---|---|
| Treasury Management | Green | Green | 0 | 0 | 0 |
| Control Accounts | Green | Green | 0 | 0 | 0 |
| Banking | Green | Green | 0 | 0 | 0 |
| Bank Reconciliations | Green | Amber | 0 | 1 | 0 |
| Asset Register | Green | Amber | 0 | 0 | 1 |
| Budgetary Control | Green | Green | 0 | 0 | 0 |
| Journal Entries | Green | Green | 0 | 0 | 0 |
| Total | | | 0 | 1 | 1 |

High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have accepted the recommendation raised.
Appendix B(4)
Report No. NN/14/13 – Final Report issued 25 October 2013
Audit Report on Document Imaging and Workflow Application
Audit Scope
The audit covered:
Access Controls;
Document Imaging Process;
Data Processing and Document Routing;
Data Output;
Interfaces;
Management Trails; and
Support Arrangements and Maintenance.
This report should be read in conjunction with NN1414 – OPENRevenues Revenues and
Benefits Application as the application is an integrated Document imaging, workflow and
Revenues & Benefits application. Certain recommendations made there will also apply here
and are not being duplicated for that reason. This applies specifically to Access Controls.
Assurance Opinion
Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance
Rationale supporting the award of the opinion
The system of internal control is adequate in managing the risks associated with the CIVICA
document imaging and workflow application. Two recommendations have been raised, one
of which is a medium priority. It relates to the need to ensure that all user accounts in the
application have a password expiry date configured to ensure that the initial temporary
password is changed immediately on first using the account and that the documented
procedure is updated to reflect this change.
Positive Findings
We found that the Council has demonstrated the following points of good practice as
identified in this review:
User Acceptance Testing processes include the development of tailored test
scripts that relate to the specific changes to be implemented and include related
processes that are deemed to be dependent on those changes being
implemented successfully, but are not specifically changing themselves;
There are processes in place to monitor user account activity, with accounts
found to be dormant being investigated and disabled where it is appropriate to do
so;
The scanning operation is segregated from other Council areas, with the
exception of the counter area, which serves walk-in customers and which scans
related documentation while they wait where required; and
As part of the indexing process, every scan is compared to its original to help
ensure the quality of the scan is adequate before being indexed.
Control weaknesses to be addressed
During our work we have identified the following area(s) where we believe that the processes
/ arrangement within the CIVICA document imaging and workflow application would benefit
from being strengthened, and as a result of these findings a medium priority recommendation
has been made as follows:
An historic password expiry date should be added to a new user account and the
related documented procedure that describes the process to be followed when
setting a new user account up should also be updated to reflect this change. This
will help to ensure that all new accounts have their password changed on first use
and subsequently thereafter as per the 60 day password change policy.
Summary of the adequacy and effectiveness of controls
| Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: High | Medium | Low |
|---|---|---|---|---|---|
| Access controls | Amber | Amber | 0 | 1 | 0 |
| Document imaging process | Green | Green | 0 | 0 | 0 |
| Data Processing and Document Routing | Amber | Amber | 0 | 0 | 1 |
| Data Output | Green | Green | 0 | 0 | 0 |
| Interfaces | Green | Green | 0 | 0 | 0 |
| Management Trails | Green | Green | 0 | 0 | 0 |
| Support Arrangements and Maintenance | Green | Green | 0 | 0 | 0 |
| Total | | | 0 | 1 | 1 |
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
Management have accepted the recommendation raised.
Appendix B(5)
Report No. NN/14/14 – Final Report issued 28 October 2013
Audit Report on OPENRevenues Revenues and Benefits Application
Audit Scope
The audit examined the following aspects of the Application:
Access Controls;
Data Input;
Data Processing;
Data Output;
Interfaces;
Management Trails;
Backup and Recovery; and
Support Arrangements and Change Controls.
This report should be read in conjunction with NN/14/13 – Document imaging and workflow
due to the fact that OPENRevenues is an integrated Document imaging, workflow and
Revenues and Benefits application. Certain recommendations made there will also apply
here and are not being duplicated for that reason. This applies specifically to Access
Controls.
Assurance Opinion
Unsatisfactory Assurance / Limited Assurance / Adequate Assurance / Good Assurance
Rationale supporting the award of the opinion
The system of internal control is adequate in managing the risks associated with the CIVICA
OPENRevenues application. Three recommendations have been raised, two of which are a
medium priority. They relate to the need to ensure that the Business Continuity Plan currently
being reviewed is completed as soon as possible and to conduct a review of the available
auditing functionality, with a view to implementing those that are deemed to be of value.
The assurance level also takes account of the recommendation raised in the aforementioned
audit (NN/14/13) to ensure that all user accounts have a password expiry date configured to
ensure that the initial temporary password is changed immediately on first use and that the
procedures are updated to reflect this.
Positive Findings
We found that the Council has demonstrated the following points of good practice as
identified in this review:
Adequate input check controls are in place;
Adequate restrictions are in place for controlling access to the application’s
master data; and
Adequate test checking controls that help to ensure the accuracy of data being
entered into the application are in place.
Control weaknesses to be addressed
During our work we have identified the following area(s) where we believe that the processes
/ arrangement within the CIVICA OPENRevenues application would benefit from being
strengthened, and as a result of these findings medium priority recommendations have been
made.
The Business Continuity Plans currently in review, should be completed, agreed
and tested periodically, which will help to ensure that priority services can be
restored as per Business requirements, following an incident.
Available auditing parameters should be reviewed, which will help to ensure
adequate recordkeeping is in place to record key changes in the application. This
does not affect other audit trail functionality that records user activity from an
operational perspective via the diary note function.
Summary of the adequacy and effectiveness of controls
| Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: High | Recommendations Raised: Medium | Recommendations Raised: Low |
| Access Controls* | Amber | Amber | 0 | 0 | 0 |
| Data Input | Green | Green | 0 | 0 | 0 |
| Data Processing | Green | Green | 0 | 0 | 0 |
| Data Output | Green | Green | 0 | 0 | 0 |
| Interface Controls | Amber | Amber | 0 | 0 | 1 |
| Management Trails | Amber | Amber | 0 | 1 | 0 |
| Backup and recovery | Amber | Amber | 0 | 1 | 0 |
| System Support and change controls | Green | Green | 0 | 0 | 0 |
| Total | | | 0 | 2 | 1 |
* Recommendations for this section can be found in report reference NN/14/13 – Document
imaging and workflow application as it is integrated with Revenues and Benefits.
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
Management have accepted the recommendations raised.
Appendix B(6)
Report No. NN/14/15 – Final Report issued 14 November 2013
Audit Report on IT Security, Procurement and End User Controls
Audit Scope
The audit looked at the following areas:
ICT Security Policies;
Access Controls to Council Offices and Sites;
Practices for the securing of IT Hardware;
Hardware Asset Lifecycle Management;
Health and Safety;
Inventory Recording and Asset Numbering;
Hardware Decommissioning;
IT Procurement (Hardware and Software);
Use and backup of local drives;
Mobile Device Security and Encryption;
User Training; and
End User controls.
Assurance Opinion
Unsatisfactory Assurance | Limited Assurance | Adequate Assurance | Good Assurance
Rationale supporting the award of the opinion
The system of internal control is adequate in managing the risks associated with IT Security,
Procurement and End User Controls. Eight recommendations have been raised, five of which
are medium priority. They relate to a need to strengthen internal asset management
processes by leveraging the benefits provided by the new Service desk application,
implementing appropriate asset tagging and monitoring processes (both of which are areas
where only partial implementation of previous recommendations has been noted),
implementing robust processes for reconciling assets sent for destruction with the destruction
certificates, having all mobile device users sign off a mobile device policy in the same way as
is currently being implemented for members and ensuring that where Council data can be
stored on a laptop device, the storage medium is encrypted.
Positive Findings
We found that the Council has demonstrated the following areas where sound controls are in
place and operating consistently:
- There is an IT Security Policy in place that all users are required to sign off before being granted access to the network. The audit noted that it is about to undergo a complete review to help ensure that it remains relevant to the Council’s IT Security policy needs and to contain the relevant aspects of IT security that are appropriate for such a document;
- Unused IT equipment is being held securely either within the IT department or in a separate, secured facility;
- There is a documented purchasing policy contained within the IT Security Policy and a wider, Corporate Procurement Policy published on the Council’s website; and
- Users are prevented from installing their own software, including screensavers.
Control weaknesses to be addressed
During our work we have identified the following area(s) where we believe that the processes
/ arrangement within IT Security, Procurement and End User Controls would benefit from
being strengthened, and as a result of these findings medium priority recommendations have
been made:
- Management should leverage the new service desk application’s asset management functionality to strengthen internal asset management processes;
- All relevant IT assets should be tagged to identify them as Council property and logged appropriately. A regular review of the IT asset inventory should also be put in place;
- The hardware decommissioning processes should be enhanced so that a reconciliation of the decommissioned assets confirmed by the destruction certificate can be conducted against internal records. The service desk application should be able to assist with this;
- All mobile device users should be required to sign off a mobile device policy in the same way as Members currently do. This will help to demonstrate that staff are being made aware of their responsibilities in relation to their use of a Council funded mobile device; and
- Laptops should have their storage medium encrypted to reduce the risk of data loss.
Summary of the adequacy and effectiveness of controls
| Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: High | Recommendations Raised: Medium | Recommendations Raised: Low |
| ICT Security Policies | Green | Green | 0 | 0 | 0 |
| Access Controls to the Council’s Offices & sites | Green | Green | 0 | 0 | 0 |
| Practices for the securing of IT hardware | Green | Green | 0 | 0 | 0 |
| Hardware Asset Lifecycle Management | Amber | Amber | 0 | 1 | 0 |
| Inventory Recording and Asset Numbering | Amber | Amber | 0 | 1 | 0 |
| Hardware Decommissioning | Amber | Amber | 0 | 1 | 0 |
| Hardware/Software Procurement | Green | Green | 0 | 0 | 0 |
| Mobile Device Security and Encryption | Amber | Amber | 0 | 2 | 1 |
| User Training | Green | Green | 0 | 0 | 0 |
| Health and Safety | Amber | Amber | 0 | 0 | 1 |
| End User Controls | Green | Green | 0 | 0 | 0 |
| Use and Backup of Local Drives | Amber | Amber | 0 | 0 | 1 |
| Total | | | 0 | 5 | 3 |
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
Management have accepted the recommendations raised.
Audit Committee
10 December 2013
Agenda Item No. 10
The Status of Agreed Audit Recommendations due for Implementation between 1
April and 31 October 2013
Summary:
This report provides an overview of progress made in
implementing agreed audit recommendations due for completion
in the first half of the financial year.
Conclusions:
Good progress has been achieved in relation to the completion
of agreed Internal Audit recommendations.
Recommendations:
It is recommended that the Committee notes management
action taken to date regarding the delivery of audit
recommendations.
Cabinet member(s): All
Ward(s) affected: All
Contact Officer, telephone number, and e-mail: Sandra King, Internal Audit Consortium Manager, 01508 533863, scking@s-norfolk.gov.uk
1. Background
1.1. In accordance with agreed internal audit review and reporting cycles, we revisit
the status of audit recommendations on a 6-monthly basis and last presented our
findings in this area to the Audit Committee on 18 June 2013, concentrating on
the period October 2012 to March 2013, and thus providing a year end position
for the 2012/13 financial year.
1.2. This report now seeks to provide an update on the status of audit
recommendations following recent verification work performed during October /
November 2013, which examined the level of activity concerning the delivery of
audit recommendations falling due between 1 April and 31 October 2013.
1.3. The process used to monitor the status of recommendations during this period
has remained unchanged from that previously reported, i.e. recommendations
are input on the TEN performance system at the time the final audit report is
issued, and managers are then required to provide progress reports as
recommendations approach their agreed implementation dates. At the end of the
reporting period, the Deloitte auditors next visit services to confirm there is
supporting evidence to demonstrate the completion of audit recommendations
and undertake some selective review work to verify that appropriate action has
been initiated by management.
2. Overall Position
2.1. The number of outstanding recommendations, listed per audit, is identified at
Appendix C to this report. A summary of the current, and previously reported
positions, is shown in the table below:
Status of Recommendation for the period 1 April to 30 September 2012
| | High | Medium | Low | Total | % |
| Complete | 0 | 25 | 6 | 31 | 43.0 |
| Partly Implemented | 0 | 8 | 2 | 10 | 13.9 |
| Outstanding | 0 | 12 | 6 | 18 | 25.0 |
| Unable to confirm status | 0 | 7 | 6 | 13 | 18.1 |
| Total | 0 | 52 | 20 | 72 | |

Status of Recommendation for the period 1 October 2012 to 31 March 2013
| | High | Medium | Low | Total | % |
| Complete | 0 | 48 | 24 | 72 | 85.7 |
| Partly Implemented | | | | | |
| Outstanding | 0 | 10 | 1 | 11 | 13.1 |
| Unable to confirm status | 0 | 1 | 0 | 1 | 1.2 |
| Total | 0 | 59 | 25 | 84 | |

Status of Recommendation for the period 1 April 2013 to 31 October 2013
| | High | Medium | Low | Total | % |
| Complete | 0 | 30 | 16 | 46 | 78.0 |
| Partly Implemented | | | | | |
| Outstanding | 1 | 10 | 2 | 13 | 22.0 |
| Unable to confirm status | | | | | |
| Total | 1 | 40 | 18 | 59 | |
Key:
H – High priority: A fundamental weakness in the system that puts the Council at risk.
To be addressed as a matter of urgency, within a 3-month time frame wherever
possible, or, to put in place compensating controls to mitigate the risk identified until
such a time as full implementation of the recommendation can be achieved.
M – Medium priority: A weakness within the system that leaves the system open to risk.
To be resolved within a 4 - 6 month timescale.
L – Low priority: Desirable improvement to the system. To be introduced within a 7 - 9
month period.
2.2. Members’ attention is drawn to the following findings made in the course of our
latest audit follow up exercise:
There is one high priority recommendation which is currently outstanding;
detail of this can be found at Appendix D to this report. Management has
explained why there has been a delay in completing this agreed action.
There have essentially been staff resourcing issues which have been
impacting on the Council’s ability to process new Housing and Council Tax
Benefit claims and amendments in a timely manner. As a consequence, it
has proved necessary to apply a revised date of 31 March 2014 to address
this recommendation, thereby ensuring that the matter is resolved in year.
Committee will note that the recently reported improvement in management
responses has continued. At the close of 2012/13, we established that there
were no recommendations where we were unable to confirm their current
status, as management had provided updates in all relevant cases.
With reference to completed recommendations, we are still able to confirm
that a high percentage is being cleared within agreed timeframes set by
management. Looking at 3 successive 6-month periods, it is pleasing to
report that the percentages being achieved have been extremely positive
over the last 12 months, with 78% noted for the period April to October 2013,
and 85.7% for the preceding 6-months, whereas a much lower quota was
being achieved between April and September 2012.
The number of outstanding recommendations however is beginning to
increase again after affecting just 13.1% of all recommendations due in the 6-month
period leading up to year end. Latest findings show that this figure
has risen to 22% but is still below the percentage recorded for April to
October 2012/13, i.e. 25%. With reference to those recommendations
currently found to be outstanding, we have established that 10 of the 12
recommendations carry a medium priority rating, whilst 2 have a low priority
rating, and 1 carries a high priority rating, as already mentioned above.
Appendix C contains more information about the service areas where these
recommendations still need to be progressed.
Committee’s attention is additionally drawn to the fact that of the 36
recommendations agreed with management following completion of 2013/14
audit assignments, 22 of these have yet to reach the dates set for their
clearance, see Appendix C for the audit areas to which these refer. The
recommendations are split between 13 medium priority and 9 low priority.
It is additionally recognised that although the 22 recommendations alluded to
above have future processing dates, until such time as they are actioned,
they represent wide ranging weaknesses in the Council’s overall control
environment, and these items together with those recommendations currently
reported as outstanding (one of which is at a significant level) leave the
authority open to risk whilst unresolved.
3. Conclusion
3.1 Good progress is being made in relation to the completion of agreed Internal
Audit recommendations.
4. Recommendation
4.1 It is recommended that the Committee notes management action taken to date
regarding the implementation of audit recommendations.
Appendices attached to this report:
Appendix C: Summary of Agreed Internal Audit Recommendations as at 31 October
2013
Appendix D: Outstanding High Priority Systems Audit Recommendation as at 31
October 2013
Summary of Agreed Audit Recommendations at 31 October 2013
Implemented
Reference
NN1016
NN1102
NN1112
NN1203
NN1209
NN1213
NN1304
NN1305
NN1306
NN1307
NN1308
NN1309
NN1310
NN1311
NN1312
NN1401
NN1402
NN1403
NN1404
Description
Housing and Council Tax Benefits
Private Sector Housing
Development Management, Building Control and
Land Charges
Waste Management Contract
Sports Halls/Centres
Parks and Open Spaces
Procurement
Partnerships
Leisure Complexes
Council Tax and NNDR
Payroll and HR
Housing and Council Tax Benefits
Exchequer Services
Work to Support AGS
Corporate Governance and Risk Management
Environmental Health
Private Sector Housing
Car Parking and Markets
Waste Management
Assurance Level
Adequate
Adequate
Network Infrastructure, Security and
Telecommunications
Data Consistency
DR, Backup and Server Room Controls
ABS eFinancials Application
Document Imaging and Workflow
CIVICA Revs and Bens
IT Security, Procurement & End User Controls
COMPUTER AUDIT TOTALS
Unable to confirm status
L
H
M
L
3
1
1
2
1
6
2
Limited
Adequate
Adequate
Adequate
Adequate
Adequate
Adequate
25
1
1
2
3
2
15
2
1
9
2
0
0
0
1
4
1
5
1
0
1
12
0
0
1
0
0
0
0
1
0
L
1
1
1
0
2
0
1
0
1
1
1
0
0
2
0
0
0
4
1
0
M
1
1
1
2
2
H
Total Audit
Recommendations to be
actioned
1
0
1
2
1
2
Not yet due to be implemented
1
0
1
4
Total
Outstanding
1
1
Adequate
Limited
Adequate
Adequate
Adequate
Adequate
Adequate
Limited
Adequate
Limited
Adequate
N/A
Adequate
Adequate
Adequate
Adequate
Adequate
SYSTEMS AUDIT TOTALS
NN1117
NN1215
NN1315
NN1316
NN1413
NN1414
NN1415
H
Outstanding
M
Appendix C
0
0
0
0
1
0
1
1
1
2
3
1
1
1
1
0
2
0
1
0
1
1
1
0
0
4
3
0
4
5
4
21
1
2
5
1
1
3
8
5
0
1
0
0
2
3
6
Appendix D - Outstanding High Priority Systems Audit Recommendation as at 31st October 2013
Audit Reference: NN1309 - Housing and Council Tax Benefit
Recommendation: 1 - New claims and amendments should be dealt with promptly
Responsible officer: Louise Wolsey, Revenue and Benefits Services Manager
Original Deadline: 30/06/2013
Priority Level: High
Current Response: OUTSTANDING. Processing of benefits - is not within targets. Recruitment and training is ongoing to fill posts that become vacant. We are currently looking at another alternative to fill recent vacancies. This will be revisited during AGS work.
Revised deadline: 31/03/2014
Audit Committee
10 December 2013
Agenda item no. 11
Review of the Outcomes of a recently performed Computer Audit Needs Assessment and
its impact on the Strategic Audit Plan for 2013/14
Summary:
This report details the outcomes of the Computer Audit Needs
Assessment exercise carried out during September 2013. The
views of 2 key personnel within the authority, namely the Head
of Customer Services and the IT Manager were canvassed to
obtain an insight into what they believed were the overarching
risks facing the IT environment at the Council, after which 2
separate analyses were performed by Deloittes’ Senior IT Audit
Manager, with assistance from an IT Audit Manager. The first
analysis reviewed auditable areas, representing the pivotal
aspects of the IT environment at the Council, whilst the second
analysis focused on the authority’s key applications and
upcoming projects. Risk priority ratings were then used to
compile a proposed Strategic Computer Audit Plan, which
identified where computer audit expertise should be directed in
future years (i.e. 2014/15 to 2016/17), along with the job
budgets required to facilitate delivery of the range of
assignments being put forward.
Conclusions:
A programme of computer audits has been formulated to
address areas of risk identified in the course of discussion and
review of the current position of the authority’s IT infrastructure,
management of IT provisions generally and software
applications currently in use. Proposed future review work will
generate independent assessments as to the efficiency and
effectiveness of the Council’s IT systems, procedures and
operations.
Recommendations:
The Audit Committee is requested to note the findings of the
Computer Audit Needs Assessment and approve the amended
planned audit coverage for the period 2014/15 to 2016/17 as
recorded in the amended Strategic Audit Plan.
Cabinet member(s): All
Wards: All
Contact Officer, telephone number, and e-mail: Sandra King, Internal Audit Consortium Manager, 01508 533863, scking@s-norfolk.gov.uk
1. Background
1.1 In accordance with the Audit Strategy and Annual Audit Plan for 2013/14,
approved by the Audit Committee on 19 March 2013, Deloittes were instructed to
carry out a new Computer Audit Needs Assessment on behalf of the Council
during October 2013. The work was then brought forward to September 2013.
The last exercise of this type was undertaken in 2010/11, and had culminated in
the extraction of a prioritised list of computer audit reviews to be rolled out over a
3-year timeframe encompassing the financial years 2011/12 to 2013/14. Hence,
specified computer audit coverage has then needed to be revisited this year, in
order to develop another 3-year programme of audit coverage pertaining to IT
related matters.
1.2 Although the Annual Audit Plan for 2013/14 made available 45 days of computer
reviews, after consultations with management, it was appreciated that this level
of IT orientated audit focus was not sustainable going forward due to the costs
involved and the need to generate savings for the authority in relation to Internal
Audit Services generally, thus the computer audit allocation per year for 2014/15
onwards was cut to 34 days. Deloittes’ Senior IT Audit Manager working in
conjunction with an IT Audit Manager were made aware of the reduced
resources when completing the latest Computer Audit Needs Assessment and
have taken this limiting factor into account in the course of developing a schedule
of audits for delivery in future years. Planned computer audit proposals, plus a
lengthy reserve list of audits were compiled in consequence and agreed with key
Council staff prior to the Assessment Report being finalised.
2. Outcomes of the Computer Audit Needs Assessment
2.1 No changes were sought to computer audit coverage timetabled for 2013/14 –
much of which had already been scheduled with management at the time of
undertaking this assessment. These provisions were however restated for
continuity purposes in the Assessment Report.
2.2 The Computer Audit Needs Assessment (as attached at Appendix E) singled out
10 audits for completion over the next 3 years, alongside a further Assessment,
required in 2016/17 to set another programme of IT reviews for successive years.
Whilst the new cycle of work has outlined computer audit activity up to 2016/17, it
is important to note that the current Internal Audit Services Contract comes to an
end in September 2014, so the blend of future audits may well change again,
depending on the Internal Audit Service delivery model that the Council seeks to
adopt from that point forward.
2.3 Having identified the composition of computer audits required in ensuing years,
there is also an on-going need to revisit agreed actions arising from previous
audit work to confirm progress made to address internal control weaknesses
and/or introduce enhancements to existing operational arrangements. Hence,
the Strategic and Annual Computer Audit Plans contained within the Assessment
Report, continue to advocate that follow up work is undertaken twice yearly and
corresponding provision has thus been made year-on-year to permit this.
3. Conclusion
3.1 The Computer Audit Needs Assessment ensures that specialist computer audit
input is being properly targeted and thus used to best advantage. The use of
resources in this way will ensure that areas at risk within the Council’s IT
environment are examined in an appropriate order of priority.
4. Recommendation
4.1 The Audit Committee is requested to note the findings of the Computer Audit
Needs Assessment and approve the amended planned audit coverage for the
period 2014/15 to 2016/17 as recorded in the amended Strategic Audit Plan at
Appendix F.
Appendices attached to this report:
Appendix E – The Computer Audit Needs Assessment Report
Appendix F – Amended Strategic Audit Plan – April 2013 to March 2016
Appendix E
COMPUTER AUDIT NEEDS ASSESSMENT
AND STRATEGIC PLAN
North Norfolk District Council
NN/14/16 – Final Report
26th September 2013
CONTENTS
1. INTRODUCTION
2. AUDITABLE AREAS
3. PRIORITISATION CRITERIA
4. METHODOLOGY
5. RISK ASSESSMENT APPROACH
6. COMPUTER AUDIT PRIORITY ANALYSIS
7. ANNUAL COMPUTER AUDIT ACTIVITY PLANS
APPENDIX 1 CANA METHODOLOGY
1. INTRODUCTION
We are pleased to present our Computer Audit Needs Assessment and Strategic
Plan for North Norfolk District Council. We believe that such an assessment is a
vital component of the planning process and allows direction of audit effort
towards areas of risk within the IT environment that are of specific importance to
the Authority. Our approach reflects our philosophy that the computer audit
function should be seen as a constructive management tool that provides useful
advice to management on the efficiency and effectiveness of systems, procedures
and operations. This approach has been successfully introduced across a wide
range of our clients including those in the Public Sector.
The following sections give further details of how our assessment has been
conducted and the conclusions we have reached.
2. AUDITABLE AREAS
We assess the risk in terms of a number of audit areas so that audit types are
distinguished by different audit risk objectives, e.g. Applications, Management
issues and Infrastructure.
The nature of auditable areas differs between audit types, e.g. for an application
audit the auditable area can be within a specific installation, for Management and
Infrastructure audits it can be Council wide, departmental, outsourced, or some
combination of these, and impact on a variety of corporate risks. These areas
were discussed with the interviewees to establish their views on the inherent risk
of each of the audit areas, and previous audit reports were reviewed to identify
areas of weaknesses which were identified.
It is important to note that although audits are planned separately, so that the
appropriate criteria can be applied to each type of audit, it may be appropriate to
combine audits for the purposes of execution. Where this is in the best interest of
the Council, synergy between audits has and will be sought.
The following notes set out the ground rules and the proposed definitions of units
for each of the audit types.
Ground rules
As far as practicable, the audit types have been divided so that the auditable
areas:
- are comparable with each other - significance analysis is ineffective if unlike units are compared, e.g. comparing an existing system with a project;
- represent logical groupings which will result in an efficient use of audit resources;
- reflect the reporting lines within the organisation so that any issues raised have immediate relevance to an identified management team and the channels for communicating findings are clear;
- provide a reasonably homogeneous population, especially as regards size - there should not be extremely large or extremely small audit units in the same population; and
- are of manageable size.
3. PRIORITISATION CRITERIA
This section sets out the approach used for determining priorities. A significance
analysis was performed, which took account of both the risk and the possible
consequence of a breakdown in controls. The detailed methodology factors are
shown below.
4. METHODOLOGY
Assessment Categories
The Risk Assessment model takes account of four assessment categories to
produce a risk index for each auditable area. The auditable area is scored in each
category using assessment criteria to gauge the degree of risk or materiality
associated with the particular area. The table below summarises the four
assessment categories and what each is intended to measure.
| Assessment Category | Measure |
| Corporate Importance – Objectives/Priorities | Corporate materiality |
| Corporate Sensitivity – Impact | Political materiality |
| Inherent Risk | Inherent vulnerability |
| Control Risk | Control effectiveness |
The full definition for each category and the scoring criteria are described in
Appendix 1.
5. RISK ASSESSMENT APPROACH
Auditable areas
In order to identify the auditable areas and establish the areas of risk or specific
importance within the Council, we adopted an approach involving discussion and
review of the current position. Information was gathered by completing the
Computer Audit Needs Assessment matrix with two selected officers within the
Council. These individuals are identified below.
| Name | Title |
| Janet Hodgett | Head of Customer Services |
| Helen Mitchell | IT Manager |
In addition to the input from Council personnel to the needs assessment matrix,
the following information was also included:
- review of the available information within the current Internal Audit Strategy;
- background information obtained from previous audits and our discussions to date with the Council;
- professional judgement after careful consideration of the key risks to the Council with the above officers; and,
- review of current and previous computer audit plans and local strategic issues facing the Council.
This has resulted in auditable areas being classified into four bands according to
their significance. These bands have been used to determine the priority and
frequency of audits to be undertaken. Band Very High (VH) is the highest and
contains the systems identified as of most significance to the organisation, and
Band Low (L) the least significant.
Those in the higher bands will normally be audited more frequently and to a
greater depth than those in the lower bands, unless special requirements arise as
a result of specific management concerns about an area.
Assessment of Needs
The Needs Assessment is based on an audit analysis of 40 discrete auditable
areas which together are considered to comprise the key aspects of the IT
environment within the Council. A separate analysis was also carried out to
complement these areas to determine the Council’s key applications and
upcoming projects, which have also been incorporated into the Needs
assessment.
6. COMPUTER AUDIT PRIORITY ANALYSIS
Table 1
PROPOSED STRATEGIC COMPUTER AUDIT PLAN
FOR 2013/14 TO 2016/17
FROM STRATEGIC COMPUTER AUDIT NEEDS ANALYSIS
| AUDITABLE AREA | Risk | Last Audited | 13/14 | 14/15 |
| Other | | | | |
| Computer Audit Needs Assessment (CANA) | | | 5 | |
| Follow ups | | | 4 | 4 |
| Infrastructure | | | | |
| Network Infrastructure | VH | 2010/11 | | 7 |
| Network Security | VH | 2010/11 | | 8 |
| Virus Protection/Spyware | H | | | 8 |
| Firewalls | M | | | 7 |
| IT Security, Procurement and End User Controls | H | 2009/10 | 13 | |
| Telecoms/VoIP | M | | | |
| Management Issues | | | | |
| Business Continuity | H | 2011/12 | | |
| Software Licensing | H | 2010/11 | | |
| Information Governance (DP & FoI) | VH | | | |
| Applications | | | | |
| Revenues & Benefits – CIVICA OpenRevs | VH | 2010/11 | 13 | |
| EDRM for Revs & Bens (CIVICA) | M | 2009/10 | 10 | |
| Register of Electors (eXpress) | H | | | |
| Cashiers (Paye.net) | M | | | |
| Total | | | 45 | 34 |
15/16
16/17
4
5
4
13
7
6
10
7
34
12
34
Where possible a number of audits where there is a crossover in scope have been
consolidated to provide efficiencies. Some areas of scope are covered as part of a
number of audits and therefore have not been included as a separate audit.
When scheduling the proposed timetable for auditing specific areas, the date the area
was last audited, together with the assurance opinion provided at that time has been
considered. Additionally, timescales were discussed to identify if there were any factors
that might affect the timing of the audit that should be considered, for example new or
improved system/process to be implemented.
The table below shows that fifteen areas have been put into reserve as, although
deemed important, they have a lower risk score, have been recently audited with the last
audit opinion Adequate or higher, use established software solutions or are time
dependent. For example, the Helpdesk/Service Desk audit is awaiting the
implementation of an ITIL-based service desk application, the timing of which is not yet
known and the change control & release management is dependent on this
implementation.
Table 2
RESERVE AUDITS
| AUDITABLE AREA | Risk | Days |
| Management Issues | | |
| Helpdesk/Service Desk | M | 7 |
| Change Control & Release management* | H | 7 |
| Incident & Problem Management* | M | 7 |
| Configuration Management* | M | 7 |
| Programme Management | M | 7 |
| Infrastructure | | |
| Virtualisation | M | 10 |
| Wide Area Network (WAN) | M | 6 |
| Wireless Networks | M | 7 |
| Exchange and Email | M | 7 |
| Applications | | |
| Planning, Building Control | M | 10 |
| Environmental Health (M3) | M | 10 |
| Choice-based Lettings (Locator) | M | 10 |
| Licensing (M3) | M | 10 |
| GIS (Cadcorp) | M | 10 |
| BACS transfer system (ALBACS) | M | 10 |
* The timing of these audits is relative to the implementation of the new
helpdesk/service desk which will impact on how these areas are managed.
7. ANNUAL COMPUTER AUDIT ACTIVITY PLANS
Table 3
Annual Computer Audit Plan 2013/14
| AUDITABLE AREA | Risk | Days |
| Other | | |
| Follow up of audit recommendations | | 4 |
| Computer Audit Needs Assessment (CANA) | | 5 |
| Infrastructure | | |
| IT Security | H | 13 |
| Applications | | |
| Revenues & Benefits – CIVICA OpenRevs | VH | 13 |
| EDRM for Revs & Bens (CIVICA) | M | 10 |
| Total | | 45 |
The above extract (Table 3) from the Strategic Computer Audit Needs Analysis (Table 1)
shows that, in addition to the Computer Audit Needs Assessment that is being reported
in this report, three areas are due for review as part of the 2013/14 Audit Plan. These
reviews are:
IT Security, Procurement and End User Controls
IT Security, procurement and End User Controls are central to the effective management
of the Council’s systems and data throughout its lifecycle. For example, the Governance
of the IT service and the creation and communication of relevant policies and procedures
and how legacy systems are managed to help ensure that data is no longer present
before being decommissioned. This area was last audited in 2009/10 and resulted in an
Adequate assurance level being given.
This audit will look at IT Security and includes the following:
ICT Security Policies;
Practices for the securing of IT Hardware;
Hardware de-commissioning;
Mobile Device Security (USB Drives, Mobile Devices); and
Encryption.
EDRM for Revenues and Benefits (CIVICA)
The Document imaging application is used by Revenues and Benefits and is a key
resource in delivering an effective service to the residents of the District and was
highlighted as a key application during the de-brief following the initial analysis. The
Comino system, previously in use for 10 years, has recently been replaced by the
CIVICA Interactive Window Workflow solution, which has facilitated the streamlining of
customer interaction across the Revenues and Benefits team. Any weaknesses in the
application controls could have a significant impact on the Council’s ability to deliver an
effective service and depending on the type of weakness could see the Council in breach
of legislative requirements. The areas covered in this audit will include:
Access Controls;
Document Imaging Process;
Data Processing and Document Routing;
Data Output;
Interfaces;
Management Trails; and
Support Arrangements and Change Controls.
Revenues and Benefits Application: CIVICA OpenRevs
The Civica application is the Council’s Revenues and Benefits application, which is used
for the collection of Council Tax and National Non Domestic Rates (NNDR), and the
administration of Housing Benefits. With the introduction of localised support schemes in
April 2013, and the potential for existing systems to be developed to support locally
approved schemes, this application has been selected to be reviewed in the current year.
The areas covered in each of these modules include:
Access Controls;
Data Input;
Data Processing;
Data Output;
Interfaces;
Management Trails; and
Support Arrangements and Change Controls (specifically in relation to the
introduction of the localised support scheme).
Computer Audit Needs Assessment:
A Computer Audit Needs Assessment (CANA) takes into account the current
infrastructure and IT requirements at the Council to help develop a strategic, risk based
Audit plan to cover the next three years. This report is the output from the CANA.
Table 4
Annual Computer Audit Plan 2014/15
AUDITABLE AREA | Risk | Days
Other
Follow up of audit recommendations | - | 4
Infrastructure
Network Infrastructure | VH | 7
Network Security | VH | 8
Virus Protection/Spyware | H | 8
Firewalls | M | 7
Total | - | 34
The above extract (Table 4) from the Strategic Computer Audit Needs Analysis (Table 1)
shows that five areas are due for review as part of the 2014/15 Audit Plan, with the
Network Infrastructure and Network Security being combined into one audit. These
reviews are:
Network infrastructure and Security
The network infrastructure enables users to connect to servers and equipment that are
not directly connected to their own physical PC or workstation. This could be on the next
desk (as in printers), other rooms, other buildings or even other countries depending on
the type of network. The review will look at how the Council’s network is accessed, how it
is supported and monitored and how the network is secured against unauthorised
access. As part of the audit we will use a Computer Audit Tool called SekChek to look at
the Network Server Operating System (O/S) configuration and logical access controls.
These areas were last audited in 2010/11 with a Limited assurance being given.
Virus Protection/Spyware
Computer viruses can infect the Council’s IT systems from a number of sources, ranging
from downloads from the internet and e-mail attachments to a user bringing in infected
portable media. The result of an infection could range from temporary annoyance due to
an increase in processing to the complete shutdown and corruption of the network. The
recent trend has also been for systems to be infected with Spyware: programs
that can cause re-direction to internet sites or the monitoring of users’ internet habits.
Virus and Spyware controls are designed to protect the Council’s systems from such
threats and this audit will look at the controls in place to protect the Council from this
risk. This audit has previously been on the reserve list, although it is now deemed to be an
area that should be included within the Plan.
Firewalls
The primary objective of a firewall is to control the incoming and outgoing network traffic
by analysing the data packets and determining whether they should be allowed through or
not, based on a predetermined rule set. As this is an area that has not previously been
audited at the Council, it has been selected for scrutiny in this plan. The audit will look at
the Council’s firewalls in the following areas of management responsibilities:
Topology and resilience;
Firewall configuration settings;
Change controls; and
Security validation tests.
Table 5
Annual Computer Audit Plan 2015/16
AUDITABLE AREA | Risk | Days
Other
Follow up of audit recommendations | - | 4
Management Issues
Business Continuity | H | 7
Software Licensing | H | 6
Information Governance (DP & FoI) | VH | 10
Applications
Register of Electors (eXpress) | H | 7
Total | - | 34
The above extract (Table 5) from the Strategic Computer Audit Needs Analysis (Table 1)
shows that five areas are due for review as part of the 2015/16 Audit Plan. These
reviews are:
Business Continuity
The audit will look at the Council’s Business Continuity arrangements. Business
Continuity is the foundation, which will help the Council continue operations in the event
of a disaster or significant incident affecting Council staff, premises or systems.
Business Continuity concentrates on the user end of the recovery process and is also a
key requirement of the 2004 Civil Contingencies Act. In previous years this audit has
been undertaken in conjunction with Disaster Recovery, however, as Business Continuity
is not an IT responsibility (but should inform the Disaster Recovery requirements) they
are now undertaken as separate audits so responsibility is no longer distorted between
the two. This area was last audited in 2011/12 and received a Limited assurance grade,
which has resulted in a new review being planned for the 2015/16 audit year to allow
remedial work to be completed.
Software Licensing
A Software Licensing audit assesses the adequacy and effectiveness of Software
Licensing and Management within the Council. The previous Software Licensing audit
was conducted in 2010/11 and attracted an Adequate audit opinion. As such, it has
been scheduled for scrutiny again in 2015/16. The purpose of this audit is to provide
high level assurance over a number of key activities and services both within ICT and the
Council and includes:
Software Policies;
Software Inventory;
Security of Software;
Software Copyright; and
Software Licensing Procurement.
Information Governance (Data Protection & Freedom of Information)
This audit will look at the Data Protection and Freedom of Information arrangements in
place within the Council. These areas have traditionally been included within other
audits at a high level and have now been chosen for a more detailed review.
Register of Electors (eXpress)
eXpress is the application used by the Council to help manage election records,
including the annual canvass process. As this area has not previously been audited at the
Council, it has been selected for review during the 2015/16 audit year. The audit will be
a reduced scope application audit and look at the following aspects:
Access Controls;
Data Processing;
Interfaces;
Management Trails; and
Support Arrangements and Change Controls.
Table 6
Annual Computer Audit Plan 2016/17
AUDITABLE AREA | Risk | Days
Other
Computer Audit Needs Assessment (CANA) | - | 5
Follow up of audit recommendations | - | 4
Infrastructure
Telecoms/VoIP | M | 13
Applications
Cashiers (PAYE.NET) | M | 12
Total | - | 34
The above extract (Table 6) from the Strategic Computer Audit Needs Analysis (Table 1)
shows that three areas, together with a Computer Audit Needs Assessment, are due for
review as part of the 2016/17 Audit Plan. These reviews are:
Computer Audit Needs Assessment
A Computer Audit Needs Assessment (CANA) takes into account the current
infrastructure and IT requirements at the Council to help develop a strategic, risk based
Audit plan to cover the next three years.
Telecoms/VOIP
Telecommunications is one of the means by which the Council communicates internally
and with its customers. Voice over IP (VOIP) is a technology that helps provide
efficiencies by using the data network to provide voice communications. The audit will
therefore look at how the telecoms/VOIP network is managed and administered to
maintain voice communications whilst protecting the Council from excessive costs or
abuse of the facility. The Council is planning to implement an updated Telecoms
infrastructure and the audit has been placed in this year to allow that work to be
completed and will include an area on benefits realisation.
Cashiers (PAYE.NET)
The Cashiers System used by the Council is the PAYE.NET application. This system is used
for income management and is therefore an important system for the Council to manage
payments. The audit will look at the following aspects of the Application:
Access Controls;
Data Input;
Data Processing;
Data Output;
Interfaces;
Management Trails;
Backup and Recovery; and
Support Arrangements and Change Controls.
APPENDIX 1 Governance-based COMPUTER Audit Needs Assessment Methodology
Assessment Categories
The Risk Assessment model takes account of four assessment categories to produce a risk index for each auditable area. The auditable area is scored
in each category using assessment criteria to gauge the degree of risk or materiality associated with the particular area. The table below summarises
the proposed four assessment categories and what each is intended to measure.
Assessment Category | Measure
A | Corporate Importance – Objectives/Priorities | Corporate materiality
B | Corporate Sensitivity – Impact | Political materiality
C | Inherent Risk | Inherent vulnerability
D | Control Risk | Control effectiveness
The full definition for each category and the scoring criteria are described overleaf.
Assessment Process
Assessment was based on professional judgement after careful consideration of the key risks to the Council with the IT Manager and Director of Finance,
Property and IT, a review of current and previous computer audit plans and local strategic issues facing the Council.
The following steps were followed in performing the risk assessment:
Step | Action
1 | Select the Application/Operating System and Corporate Controls to be risk assessed, to ensure a clear and unambiguous understanding of the area under review. This is normally called the Auditable Area.
2 | Select the most appropriate assessment criterion and therefore the score in each assessment category.
3 | Record the scores.
4 | Compute the risk index by reference to the following section.
Calculation of the Audit Risk Index
Internal Audit risk is the product of risk and materiality. In valuing materiality it is appropriate to add the constituent assessments of Corporate Importance and
Corporate Sensitivity to generate a Materiality Factor on a scale of 100.
Total Risk is the product of inherent and control risk. For the purposes of simplicity in this model Inherent Risk is assessed on a scale of 5-10 and Control Risk
on a scale of 2-10. The minimum Risk Factor produced by multiplying these components is therefore 10% (2 x 5).
The Audit Risk Index for each auditable area is, therefore, the Materiality Factor multiplied by the Risk Factor.
Results of the Audit Risk Assessment
The structured list of auditable areas with illustrative assessment scores is reported in Appendix C. The Appendix further summarises the scores to give the Risk
Factor and Materiality Factor and the resultant Audit Risk Index.
The list of auditable areas is then ranked by reference to the Audit Risk Index and grouped as high, medium or low priority. The top third are considered to be
high priority, the next medium priority, and the bottom third low priority.
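The calculation and ranking described above, as an added Python example that is not part of the Council's report. It assumes the Risk Factor is read as a percentage (as the "10% (2 x 5)" minimum implies) and that, when the number of areas is not divisible by three, the high band takes the extra area first; the names `AuditableArea` and `prioritise` and all sample scores are constructed for illustration.

```python
from dataclasses import dataclass
from math import ceil

# Score values permitted by assessment matrices A-D in this appendix.
ALLOWED = {
    "importance": {10, 20, 30, 40, 50},   # A: Corporate Importance
    "sensitivity": {10, 20, 30, 40, 50},  # B: Corporate Sensitivity
    "inherent": {5, 6, 7, 8, 10},         # C: Inherent Risk
    "control": {2, 4, 6, 8, 10},          # D: Control Risk
}


@dataclass(frozen=True)
class AuditableArea:
    """One auditable area with its four category scores (hypothetical type)."""
    name: str
    importance: int
    sensitivity: int
    inherent: int
    control: int

    def __post_init__(self):
        # Reject any score that does not appear in the corresponding matrix.
        for category, allowed in ALLOWED.items():
            value = getattr(self, category)
            if value not in allowed:
                raise ValueError(
                    f"{self.name}: {category} score {value} "
                    f"is not one of {sorted(allowed)}"
                )

    @property
    def materiality_factor(self) -> int:
        # Corporate Importance + Corporate Sensitivity, on a scale of 100.
        return self.importance + self.sensitivity

    @property
    def risk_factor(self) -> int:
        # Inherent Risk x Control Risk, read as a percentage (10 to 100).
        return self.inherent * self.control

    @property
    def audit_risk_index(self) -> float:
        # Materiality Factor multiplied by the Risk Factor percentage.
        return self.materiality_factor * self.risk_factor / 100


def prioritise(areas):
    """Rank areas by Audit Risk Index and band them into thirds.

    Returns a list of (name, index, band) tuples, highest index first.
    Ties are broken by name so the ranking is deterministic (assumption).
    """
    ranked = sorted(areas, key=lambda a: (-a.audit_risk_index, a.name))
    n = len(ranked)
    high_end = ceil(n / 3)   # assumption: the high band rounds up
    low_start = n - n // 3   # assumption: the low band rounds down
    result = []
    for position, area in enumerate(ranked):
        if position < high_end:
            band = "high"
        elif position < low_start:
            band = "medium"
        else:
            band = "low"
        result.append((area.name, area.audit_risk_index, band))
    return result


# Constructed scores for illustration only; not the Council's assessment.
SAMPLE_AREAS = [
    AuditableArea("Network Security", 40, 40, 8, 8),
    AuditableArea("Firewalls", 30, 30, 7, 6),
    AuditableArea("Software Licensing", 20, 20, 6, 4),
    AuditableArea("Telecoms/VoIP", 20, 10, 5, 2),
    AuditableArea("Business Continuity", 40, 30, 8, 8),
    AuditableArea("Cashiers (PAYE.NET)", 30, 20, 7, 4),
]

if __name__ == "__main__":
    for name, index, band in prioritise(SAMPLE_AREAS):
        print(f"{name:22} {index:6.1f}  {band}")
```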
Internal Audit Risk Assessment Matrices
A Corporate Importance
This aspect considers the effect on a Council of any inability to achieve management defined service objectives should the system or process fail. This aspect also takes into account the financial exposure or materiality of the area. The consequential impact, either directly or indirectly, on other systems and processes is also relevant to the assessment. Overall it is a measure of the extent to which the Council depends on the correct running of the system to achieve its strategic objectives.
Score | Risk to Department, Corporate and/or Service Objectives | Operational Risk Exposure | Financial Risk Exposure
10 | Negligible impact on achievement of service objectives. This would still be achieved with minimum extra cost or inconvenience. | or Minor inconvenience | or Under 2% of total operating income or net assets.
20 | Service objectives only partially achievable without compensating action being taken or reallocation of resources. | or Difficult to recover | or Between 2% and 10% of operating income or net assets.
30 | Unable to achieve service objectives without substantial additional costs or time delays or adverse effect on achievement of national targets / performance indicators. | or Permanent loss of data | or Between 10% and 30% of operating income or net assets.
40 | Unable to achieve service objectives resulting in significant visible impact on service provision such as closure of facilities. | or Unable to restore system | or Between 30% and 50% of operating income or net assets.
50 | Unable to achieve service objectives, resulting in inability to fulfil corporate obligations. | or Council unable to function | or Over 50% of total operating income or net assets
B Corporate Sensitivity
This aspect takes into account the sensitivity / confidentiality of the information processed, or service delivered by the system, or decisions influenced by the output. It also assesses any legal and regulatory compliance requirements. The measure should also reflect any management concerns and sensitivities.
Score | Risk to Public Image | Risk of Adverse Publicity | Risk to Accountability | Risk of non-legal Compliance
10 | Negligible consequences | - | - | or No regulatory requirements
20 | Some public embarrassment but no damage to reputation or standing in the community | or Information would be of interest to local press | - | or Minimal regulatory requirements and limited sensitivity to non-compliance
30 | Some public embarrassment leading to limited damage | or Information would be of interest to local MPs | - | or Modest legal and regulatory requirements
40 | Loss of credibility and public confidence in the service concerned | or Incident of interest to National Press | or Incident potentially leading to the dismissal or resignation of the responsible functional manager | or Extensive legal and regulatory requirements with sanctions for non-compliance
50 | Highly damaging to reputation of the Council with immediate impact on public confidence | or Incident of interest to the External Audit and government agencies | or Incident potentially leading to the resignation or dismissal of a Chief Officer | or Possible court enforcement order for non-compliance
C Inherent Risk
This aspect considers the inherent risk of the system, service, process or related assets to error, loss, irregularity, inefficiency, illegality or failure. The particular service sector, nature of operations and the pace of change will also affect the level of inherent risk. Similarly the relative complexity of the system will influence the inherent risk or error. The inherent vulnerability of a system, service or process cannot be altered, only mitigated by the quality of controls considered in section D.
Score | Inherent Risk – Vulnerability | Risk of Error due to System Complexity | Risk resulting from Pace of Change | Risk to Asset Security
5 | Low vulnerability | Simple system with low risk of error | or No changes planned | or Undesirable low value assets not at risk of fraud or loss
6 | Medium or low inherent risk | - | or Limited changes planned with reasonable timescale | -
7 | Medium vulnerability | or Moderately complex system with medium risk of error | or Moderate level of change over medium term | -
8 | Medium to high inherent risk | - | or Significant level of change with restricted timescale | -
10 | Highly vulnerable | or Complex system with high risk of error | or Extensive changes planned with short timescale | or Highly desirable assets exposed to high risk of fraud or loss
D Control Risk
This aspect assesses the level of control risk based upon the results of past audits of the control environment under review. This aspect also takes account of the operating history and condition of systems and processes and knowledge of management controls to minimise exposure to risk. CRSA and extensive Control Risk Workshops under the leadership of the Council’s Risk Manager could support evaluation.
Score | History of Risk Management Success | Management Risk and Control Environment | Condition of Risk Management Controls
2 | No history of control weakness | or There is effective risk management in place and adequate controls operated by risk-aware management | or Effective controls and robust attitude to the management of all material risks. Embedded risk management culture
4 | No history of significant weakness | or Good management risk and control environment | or Stable system with history of reliability and controls. Risk management issues considered regularly.
6 | No high risk issues outstanding from the previous audit/investigation/best value/external review | or No knowledge of management risk and control environment | or Risk management and controls not validated.
8 | Some significant problems were identified and are known to be outstanding from the previous audit/review | or Some significant concerns have been expressed by management (through Controls Risk Workshops) | or Technical health of system of risk management and controls in doubt.
10 | Major weaknesses in risk management and controls were identified and are known to be outstanding | or Major concerns have been expressed by management (through Controls Risk workshops) | or Obsolete system with history of problems and ineffective control. Little or no work undertaken on risk management.
system
Appendix F
North Norfolk District Council - Amended Strategic Audit Plan - April 2013 to March 2016
Description of audit | Audit Days Delivered 2012/13 | Strategic risk Reference | Assessed audit risk | Frequency of coverage | Days planned 2013/14 | Days planned 2014/15 | Days planned 2015/16
ANNUAL OPINION AUDITS
Review of Corporate Governance and Risk Management arrangements
9
Work to support the preparation of the Annual Governance Statement
Follow up previous systems audit recommendations
003 (CR), 005 (CR)
High
2-yearly
8
10
Very High
Annual
15
10
15
8
Annual
Not applicable
8
8
8
001 (CR), 004 (CR),
015 (CR)
High
2-yearly
17
009 (CR)
High
High
2-yearly
2-yearly
12
High
2-yearly
20
High
Ad-hoc request by
management
High
2-yearly
20
5
High
2-yearly
FUNDAMENTAL FINANCIAL SYSTEMS
Head of Finance
Accountancy services - control accounts, banking, bank reconciliation,
asset management / capital expenditure, budgetary control and treasury
management
Creditors - ordering and payments and insurance
Receipt, handling and banking of remittances, tourist information centres,
etc
15
Council Tax and NNDR
20
Housing benefit/CTB
Revenues and Benefits Partnership - Data Transfer, Governance and Risk
20
2.5
011 (CR), 012 (CR),
015 (CR)
011 (CR)
Sundry Debtors
2-yearly
17
13
12
10
10
Head of Organisational Development
Payroll, human resources and officers expenses
19
003 (CR), 005 (CR),
006 (CR)
19
OTHER SYSTEMS AUDIT
Head of Economic and Community Development
Tourism & Economic Development
Foreshore & coastal management / Coastal Protection
Homelessness and Housing Strategy
15
Affordable Housing Initiatives/ Home Options
002 (CR)
010 (CR)
Medium
Medium
High
3-yearly
3-yearly
2-yearly
010 (CR)
Medium
3-yearly
Medium
3-yearly
004 (CR)
High
2-yearly
004 (CR), 010 (CR)
Medium
3-yearly
007 (CR)
Medium
3-yearly
Medium
3-yearly
Medium
3-yearly
Private Sector Housing - Disabled Facilities Grants (to be undertaken in
conjunction with Broadland Council) & discretionary improvement grants
Localism and Communities - including focus on Community Right to Bid
10
10
14
10
8
10
Head of Development Management & Head of Economic and
Community Development
Development Management includes planning applications, planning
enforcement, s106 agreements, Community Infrastructure Levy and Land
Charges
22
Head of Assets and Leisure & Head of Economic and Community
Development
Partnerships
7
10
Head of Assets and Leisure & Head of Environmental Health
Parks and Open Spaces, plus Woodland Management
10
Head of Customer Services
Media and Communications
005 (CR)
10
OTHER SYSTEMS AUDIT
Head of Environmental Health
Waste Management including contract / agreement monitoring, income
collection and monitoring, refuse collection, street cleansing, recycling,
clinical waste, abandoned vehicles and grounds maintenance
Environmental Health Services includes emergency planning, food safety,
environmental protection, pest control, dog warden, licensing and pollution
control
High
2-yearly
18
Medium
3-yearly
19
Medium
Medium
3-yearly
3-yearly
Medium
High
3-yearly
2-yearly
18
Head of Assets and Leisure
Sports Halls/Centres & Sports Development
Leisure Complexes, Other Sports, Arts & Entertainment, including Pier
Pavilion
Property services
Car parking & markets
10
19
001 (CR)
12
10
12
16
16
Head of Organisational Development
Elections and Electoral Registration
Performance management, corporate policy and business planning
including annual action plans
10
Medium
3-yearly
12
015 (CR)
High
2-yearly
10
008 (CR)
Medium
3-yearly
Low
5-yearly
8
Medium
3-yearly
10
Head of Legal
Freedom of Information and Data Protection
8
Business Manager (Corporate and Democratic Services)
Democratic Services - Member Services, Training, Allowances and
Expenses
Head of Finance
Procurement
12
Ad Hoc Procedural Review
2
TOTAL DAYS PER ANNUM FOR SYSTEMS AUDIT
009 (CR)
178.5
163
191
156
4
4
4
COMPUTER AUDIT
Head of Customer Services
Follow up of previous computer audit recommendations
4
Annual
Not applicable
Computer audit needs assessment
5
Infrastructure
Network Infrastructure
Very High
2-yearly
7
Network Security
Very High
2-yearly
8
High
3-yearly
8
Medium
4-yearly
7
Medium
4-yearly
Virus Protection / Spyware
Firewalls
Management Issues
Project Management
7
IT Security, Procurement and End User Controls
008 (CR)
Very High
2-yearly
013 (CR)
Very High
2-yearly
Business Continuity
High
3-yearly
Software Licensing
High
3-yearly
6
Very High
2-yearly
10
Data Centre, Back Up, Disaster Recovery
10
Information Governance (Data Protection and Freedom of Information)
13
7
Application Systems
Cedar Financial Application
9
Document Imaging - Civica (Revenues and Benefits)
Revenues and Benefits - Civica OpenRevs
Cash Receipting Application
012 (CR)
8
Register of Electors (eXpress)
TOTAL DAYS PER ANNUM FOR COMPUTER AUDIT
TOTAL AUDIT DAYS PER ANNUM
High
3-yearly
Medium
4-yearly
10
High
3-yearly
13
High
3-yearly
High
3-yearly
7
38
45
34
34
216.5
208
225
190
Agenda item 12
Audit Committee December 2013
Corporate Risk Register October 2013
Corporate Risk Register 2013 – Reported to PRMB 18 October 2013 (includes changes)
(References e.g. (CC) 077 – refer to TEN system)
Summary Register
Ref. | Risk | Current Score | Target Score | Officer
015 | Central Government Funding | 25 | 12 | Karen Sly (Head of Finance)
NEW | Downgrading of Co-op Bank | 20 | 15 | Karen Sly (Head of Finance)
002 | Coastal Erosion | 20 | 12 | Brian Farrow (Coastal Engineer)
010 | Housing Delivery | 16 | 8 | Nicola Turner (Housing Team Leader – Strategy)
011 | Shared Services (failure to deliver) | 16 | 8 | Steve Blatch (Corporate Director)
003 | Transformation Agenda | 16 | 8 | Sheila Oxtoby (Chief Executive)
001 | Property Assets (the condition of)/ Asset Management | 12 | 9 | Head of Assets and Leisure
012 | Localised Council Tax Support Scheme | 12 | 9 | Louise Wolsey (Revenues and Benefits Manager)
005 | Organisational Restructuring (potential instability) | 12 | 8 | Sheila Oxtoby (Chief Executive)
007 | Partnerships (potential failure) | 9 | 6 | Karen Sly (Head of Finance)
009 | Procurement (lack of value for money) | 9 | 3 | Karen Sly (Head of Finance)
008 | Information (loss of) | 8 | 4 | Helen Mitchell (ICT Manager)
013 | Operational Disruption | 6 | 6 | Richard Cook (Civil Contingencies Manager)
No | 1. Cause of risk; 2. Description of risk or potential event; 3. Consequence of risk happening | Existing controls | Score (with controls): Impact x Likelihood = Total | Action (to achieve target score) and Date for action to be completed | Target Score: Impact x Likelihood = Total | Corporate Objective / Service Priority | Officer

No: 015 (CR)
Central Government Funding and Savings
1. Cause of risk: Uncertainty about the Council receiving adequate funding from central government through the Formula Grant and/or other targeted funding stream.
2. Description of risk or potential event: Uncertainty around funding streams creates difficulties in financial planning for the medium to long term. The freezing of Council Tax has meant a focus on tax base growth for Council Tax Income growth. The new Local Government funding regimes including localised Council tax and retained business rates increases a further uncertainty and risk in terms of year on year funding. Changes to the New Homes Bonus from 2015/16 with the introduction of top-slicing. Savings not achieved as originally forecast.
3. Consequence of risk happening: The Corporate Plan may not be delivered to the identified timescales. The level of service currently provided would be at risk especially some of the discretionary service areas.
Existing controls / Action (to achieve target score) and Date for action to be completed:
(CC)077 - Policy work
(CC)078 - Lobbying Central Government
(CC)083 - Project Management Plans
(CC)088 Regular monitoring system of the impact of the business rates retention and the localised council tax support system compared to the government start-up funding methodology.
(CC)079 - Medium Term Financial Strategy/update – latest forecast presented in September 2013
Workstreams identified for delivery over the medium term
(CC)081 - Corporate Planning / Service Planning
(CC)082 - Budget Process / Budget Monitoring including updates on savings
Utilisation of the New Homes Bonus grant within the base budget from 2014/15 (reported to Full Council May 2013)
Approval of the Council Tax Support Scheme for 2014/15 – September 2013
Score (with controls): 5x5=25
Target Score: 4x3=12
Corporate Objective / Service Priority: Delivering the Vision
Officer: Karen Sly – Head of Finance

No: NEW
Downgrading of Co-op Bank
1. Cause of risk: Moody's (credit rating agency) have downgraded the Co-op's credit rating to Caa1 (speculative grade). Organisations with this grade, have a history of defaults, with 27% failing to meet their financial obligations within three years of receiving the rating. The Co-op Group reported heavy losses in the first half of the year having written off £496m of bad loans, mostly due to Britannia Building Society which merged with the Co-op bank in 2009. The Bank reported losses of £781.5m after tax. A re-capitalisation plan has been agreed involving £1.0 billion capital injection from the parent and £500m debt restructuring. This involves bondholders accepting shares in exchange for their bonds. Without the debt exchange the Co-op will not remain a going concern, and may become insolvent and go into liquidation.
2. Description of risk or potential event: If this happens it would not be able to provide banking services to the Council.
3. Consequence of risk happening: The Council could not collect its income or make any payments and would be unable to carry on its day to day business in the short term until alternative banking arrangements can be put into place. Depending on the time the security of payments/cash 'in transit' could be at risk.
Existing controls / Action (to achieve target score) and Date for action to be completed:
Overnight funds kept to a minimum within the Co-op Public Sector Reserve Account (previously we had a limit of £500,000).
Commencement of joint tender process (with other Norfolk authorities) for banking contract (which expires in March 2015) earlier than would have normally.
Alternative banking facility has now been set up
Regular monitoring of position with Treasury Advisors
Notification received from The Co-operative Bank regarding intention to withdraw from Local Authority Banking.
Score (with controls): 5x4 = 20
Target Score: 5x3=15
Corporate Objective / Service Priority: Delivering the vision
Officer: Karen Sly, Head of Finance

No: 002 (CR)
Coastal Erosion - (the effects of)
1. Cause of risk: Lack of Government funding to maintain coast defences and / or to support local compensation claims
2. Description of risk or potential event: Coastal erosion and blight of coastal settlements through loss of public and private infrastructure and assets. The Council has devoted significant resources to pursuing sustainable answers to coastal management issues. There is a considerable Health and Safety context here which serves to increase the reputational risk for the Council at the same time.
3. Consequence of risk happening: Increased coastal erosion through loss of defences presents a reputational risk to the authority in the eyes of local communities and direct loss of Council owned assets / infrastructure which are fundamental to the district's tourism offer and therefore the economic well-being of the district. Loss of confidence in respect of business investment and residential property market; blight of properties in erosion zone; direct loss of tourism assets and infrastructure promenades, beach chalets, cafés, public toilets, car parks etc.; loss of tourism income / employment.
Existing controls / Action (to achieve target score) and Date for action to be completed:
(CC)002 - The Pathfinder Project
Coast monitoring
(CC)004 - The Shoreline Management Plan
Control of coastal management schemes through procurement and regular checking.
(CC)005 - Repairs & Maintenance Programme (revenue budgets)
(CC)006 - Procurement practices
(CC)008 – Health & Safety checking and monitoring – Implemented
(CC) 011 - Cromer Sea Defence Works - A project designed to upgrade coast protection measures for Cromer for the next fifty years.
(CC)010 - DEFRA funding of capital schemes – Implemented
(CC)012 - Coastal Monitoring
Score (with controls): 5x4=20
Target Score: 4x3=12
Corporate Objective / Service Priority: Coast, Countryside and Built Heritage
Officer: Brian Farrow - Coastal Engineer
(CC)055 - Enhance
Housing Association
delivery, Local
Investment Strategy
proposes provision of
loan to assist with lack of
/ cost of finance.
Housing Delivery
010(C
R)
1. A combination of lack of developer
confidence because of recession / weak
financial markets and pressure on public
finances meaning reduced availability of
grant funding for affordable housing
provision. Inability to secure planning
permission for provision of affordable
housing.
2. A challenge over the Council's ability to
provide a target number of affordable homes
and not having a 5 year land supply.
3. Increased housing need and reputational
risk in non-delivery of key corporate priority.
(CC)048 - Use of capital
(CC)049 - Partnership work
with Registered Providers
(CC)050 - Local Investment
Plan
(CC)051 - Local Development
Framework (LDF) policies
(CC)052 - Internal planning
protocol
(CC)053 - Increased Focus –
Implemented
(CC)054 – Housing Strategy
discussion document (2010)
4x4=16
Identified partner to work
with Council and
Housing Associations to
bring forward affordable
(and market) housing
schemes in a way which
reduces upfront costs to
Housing Associations.
First phase of schemes
identified.
4x2=8
Housing and Infrastructure
Nicola Turner, Housing Team Leader Strategy
(CC)056 - Development
plan - affordable housing
provision.
Ongoing forward
development plan needs
attention to ensure
ongoing pipeline of
affordable housing
schemes. New Housing
Development Officer
post (1 year fixed term
contract) recruited to and
post holder starts on 3
June 2013. Post will be
responsible for
developing a new
pipeline of affordable
housing schemes.
011(CR)
Shared Services plans - (failure to
complete)
(CC)057 - Project
Management Group
1. A combination of the potential for an
incomplete implementation, in addition for
Revenues and Benefits service, this project is
being undertaken against a back cloth of the
Coalition Government's intention to introduce
Universal Credit from 2014 and the detailed
changes in the shape and detail of Council
Tax support and the Business rates retention
(CC)058 - Improved staff
communication
Further discussions/
consideration of options
around shared services
(links to Transformation
Agenda risk also).
4x4=16
(CC)059 - Formulation of a
detailed plan
4x2=8
Consideration of shared
service proposals and
business cases.
Delivering the Vision
Steve Blatch, Corporate Director
(CC)060 - Dedicated risk
assessment completed
scheme
2. A failure to fully implement shared services
proposals could occur
3. Reputational damage, reduce staff morale,
financial impact to current and ongoing
budgets.
003(CR)
Transformation Agenda/Business
Transformation Work
(CC)014 - Training, learning &
policy initiatives - Implemented
1. It is clear that there is urgency about
change in local government driven by the
current financial pressures and the ambition
to ignite community engagement. Authorities
need to ensure they are positioned to
respond to the changes and challenges
facing them.
(CC)015 - Strategies at
political and officer level
2. The risk is that in moving to a new agenda
so quickly there is no basic framework within
which the new arrangements can be
undertaken.
3. Vision and action may not be fully
supported by a sound assessment and a
solid understanding of policy implications at
national and local level.
Further discussions/
consideration of options
around shared services
IT transformation work
that is currently being
undertaken.
(CC)016 - Reporting - New
legislation and consultation
(CC)017 - Network
development
4x4=16
(CC)018 - Maintain technical
competence
(CC)079 Medium Term
Financial Strategy
Approval of the Business
Transformation Programme
(November 2013 Cabinet)
Financial strategy
workstreams that are
ongoing
Appointment of a Head
of Business
Transformation to deliver
the programme
2x4=8
Delivering the Vision
Sheila Oxtoby, Chief Executive
Delivery of workstreams
as included in the
programme.
Property assets - (the condition of)/ Asset
Management
001(CR)
1. A lack of investment and sound decision-making.
2. Deteriorating property assets may lead to a
loss of revenue and possible legal liability.
3. The Council does not achieve value for
money from its investment and/or possible
legal liabilities either directly or through its
leasing arrangements.
This scenario is detrimental to the local
tourism economy as well as damaging to
local communities contributing to a lack of
community pride and possible increase in
vandalism. The capital tied up in assets
cannot be released to support wider Council
initiatives and income streams are not
maximised.
012(CR)
Condition surveys carried out
with full reports being written
and forward maintenance plan
compiled.
(CC)007 - Implement
asset management
software.
4x3=12
3x3=9
Delivering the Vision
Duncan Ellis – Head of Assets and Leisure
Delivering the Vision
Louise Wolsey, Revenue and Benefits Services Manager
(CC)013 - Asset Management
Plan
Localised Council Tax Support Scheme on-going
1. Localised council tax support came into
operation in April 2013, funding for the
scheme has been reduced and will continue
to reduce in line with the Council's overall
funding. There are some protections (of
(CC)079 Medium Term
Financial Strategy – approved
(CC)001 - Work on
repairs and maintenance
schedules
(CC)003 - The introduction of a
property risk assessment and
inspection regime
(CC)009 - Effective team
resourcing
4x3=12
Monitoring of the
scheme.
3x3=9
individuals) within the scheme but most
households will be required to pay Council
Tax when they have been previously entitled
to 100% benefit.
scheme for 2014/15
2. This risk initially covered the
implementation of the scheme, however it is
now focused on the operation of the scheme
and collection of charges. Risks of the scheme
are that payments of council tax will not be
received as planned and an increasing
demand for discretionary housing payment.
Collection monitoring.
Funding for Parish
Councils for the scheme.
Decision on funding for parish
and town councils for 2014/15.
3. Collection of council tax will impact on all
authorities (not just NNDC as the billing
authority), whilst some element of the impact
on the collection fund has been taken into
account in the 2013/14 budget, the full extent
will depend on the actual performance in the
year.
005(CR)
Organisational Restructuring - (potential
instability)
1. The ineffective management of change.
2. Following the changes at strategic level
and the emergence of the new Corporate
Leadership and Management Teams, Heads
of Service will be reviewing their areas to
ensure that structures are aligned to service
(CC)021 - Effective staff
communication – regular
updates, briefing and CE
update emails.
(CC)022 - Effective Member
Implement the outcomes
of the Planning Peer
Review
4x3=12
Individual staff support
Review by Joint Staff
Consultative Committee
2x4=8
Delivering the Vision
Sheila Oxtoby, Chief Executive
delivery and organisational priorities.
engagement
3. A lack of understanding of the proposals,
low staff morale and resistance to any
changes proposed.
(CC)023 – Strengthen the
Communications Strategy
Learning and
Development
Programme
(CC)024 - Monitor the impact
(CC)025 - Provide team
building activity
(CC)026 - Provide
training/mentoring
007(CR)
Partnership/s - (potential failure)
1. Failure to engage appropriately and/or
commit resources
2. The organisation is involved in some key
partnerships which may have the potential to
become ineffective. There is a need to
engage appropriately with and commit
resources (staff, finances, actions) to key
partnership structures.
3. Failure of partnerships to deliver stated
objectives / outcomes. Non-delivery of key
outcomes leading to reputational risk to
Council.
Regular review of Outside
bodies and no new
partnerships entered into
unless reported through
Cabinet.
(CC)033 - Monitoring of
partnerships arrangements
(CC)036 - Annual review
process of partnership
operations.
3x3=9
2x3=6
Delivering the Vision
Karen Sly, Head of Finance
(CC)035 - Clarify Members'
roles
1. The current financial climate, recent
resourcing issues causing an absence of a
focus for this work, together with a reduction
in the available accountancy resources going
forward increases the risk of a lack of
continuous improvement in this area.
2. Following the development of the
procurement toolkit and the large scale
exercise for Waste procurement there has
been an absence of focus on procurement
which has led to a risk that the Council will
not achieve value for money procuring the
goods and services it uses.
(CC)043 - Procurement
Strategy,
(CC)044 - Procurement
Framework,
(CC)045 - Joint procurement
protocol,
(CC)047 - A procurement
evaluation. To re-evaluate the current
procurement
arrangements,
strengthen the
procurement tool kit and
provide a greater degree
of self-service.
Procurement - (lack of value for money)
009(CR)
3x3=9
3x1=3
Delivering the Vision
Karen Sly, Head of Finance
4x1=4
Delivering the Vision
Helen Mitchell, ICT Manager
(CC)046 - Advice for external
suppliers.
3. The Council may not achieve value for
money.
008(CR)
Information - (loss of)
1. Lax security - Information may be lost,
mislaid or stolen. Increased use of mobile
technology such as iPads etc.
2. There exists an inherent potential for the
loss of organisational information at any
security level. ICT is responsible for ensuring
electronic data is secure (in conjunction with
(CC)037 - Information
Management Strategy,
(CC)038 - Implement data
security protocols on mobile
devices
4x2=8
(CC)039 - ICT Security Policy
system owners who control access to their
databases).
3. Information may be inappropriately used.
Fraud or data corruption may occur. Systems
may suffer damage. The Council's reputation
may be harmed.
013(CR)
(CC)040 - ICT Monitoring
(CC)041 - Data Protection
training - Implemented
(CC)042 - Code of Connection
compliance
Operational disruption - (significant event)
1. Both the National and Community Risk
Registers have more information regarding
the risk of specific events (e.g. Pandemic)
occurring.
(CC)066 - Response &
Recovery Planning
2. Any Internal or external event that has a
significant impact on the ability of the Council
to deliver services.
(CC)067 - Continuity Planning
3. a) Loss of staff for 'usual' service delivery
b) Loss of premises
c) Loss of key partners/suppliers
d) Loss of infrastructure services
A reduction in the ability of the Council to
deliver services, possibly at a time of
increased demand from the community.
(CC)068 - Complete
critical services' BCPs.
(CC)085 – Corporate Business
Continuity key role training - Implemented
3x2=6
3x2=6
Delivering the Vision
Richard Cook, Civil Contingencies Manager,
Steve Hems, Head of Environmental Health
Guide to Scoring:
Impact
Impact Type | Score | Objectives | Financial Impact (Loss)
Catastrophic | 5 | The key objectives in the Corporate Plan will not be achieved. | Over £1m
Critical | 4 | One or more Key Objectives in the Corporate Plan will not be achieved. | £400K - £1m
Moderate | 3 | Significant impact on the success of the Corporate Plan. | £200K - £400K
Marginal | 2 | Some impact on more than one Service. | £10K - £200K
Negligible | 1 | Insignificant impact on more than one Service. | £0-10K
Likelihood
Likelihood | Score | Probability | Timing
Very High | 5 | Over 90% | Within six months
High | 4 | 60 - 90% | This year
Moderate | 3 | 40 - 60% | Next year
Low | 2 | 10 - 40% | Probably within 15 years
Very Low | 1 | below 10% | Probably over 15 years
Risk Score
The Risk Score is calculated by multiplying the likelihood against the impact e.g. taking a likelihood of 4, which is classified as “High”, and multiplying
this against an impact of 2, which is classified as “Marginal”, giving a risk score of 8.
Risk Level | Score
High | Between 16 and 25
Medium | Between nine and 15
Low | Between one and eight