Management Summaries of Completed Audit Assignments
Appendix D (1)
Report No. NN/12/12 – Final Report issued 17 April 2012
Audit Work to Support the Annual Governance Statement (AGS)
No audit opinion is provided in respect of this audit, as only key controls relating to individual
systems are reviewed.
Key Controls Testing
There are a number of key controls applying to the Council’s core financial systems that
require annual scrutiny by Internal Audit, all such coverage having been agreed with External
Audit beforehand to ensure that they too can place reliance on this work to support their
evaluation of the organisation’s financial statements and accounts. In accordance with the
agreed Internal Audit Plan for 2011/12, a number of these material systems have already
been subject to detailed individual audits during the second half of the financial year, with the
overarching key controls scrutinised and reported on in detail at the conclusion of each piece
of work. This audit has followed up the agreed recommendations arising from that earlier work
and, depending on when each detailed systems review was originally carried out, has performed
further top-up testing so that activity has been sampled across the financial year as a whole and
not just part of it. During
this particular audit, we have also reviewed key controls in the material systems that have not
previously been subject to in-depth audit coverage as part of the approved Annual Audit Plan
for 2011/12.
Key controls were found to be operating in most areas reviewed. Where weaknesses were
noted in respect of key controls covered through systems reviews conducted during 2011/12,
cross-reference has been made to the recommendations contained in those reports as
appropriate and management may wish to consider their implications when completing the
AGS.
As a result of our year end work, we have raised three recommendations. The first two carry
medium priority ratings and call for the timely completion and review of the creditors control
account reconciliations, plus Council Tax and NNDR cash reconciliations. The low priority
recommendation identified a need to initiate sample checking of Council Tax and NNDR
processing.
Assurance Statement and AGS statement Process and Review
Assurance statements are issued to managers to provide assurance over the areas of their
responsibility. Administration of the assurance statement process is undertaken by the Policy
and Performance Officer. Testing of the process for the issue and receipt for assurance
statements during 2011/12 highlighted no issues. Findings of the assurance review are
presented to Cabinet on an annual basis.
Management Responses
Management have disagreed with one recommendation raised:
Recommendation 3: Regular Sample Checking for Council Tax and NNDR Processing (Low Priority Rating)
Sample checks should be undertaken on Council Tax and NNDR processing.
Rationale supporting Recommendation 3:
Regular sample checking of Council Tax and NNDR processing helps provide assurances
that records are accurate and helps identify errors, omissions and areas where additional staff
training may be required. It also acts as a deterrent against inappropriate activity.
Council Tax sample checks are not currently undertaken, although the Council Tax Team
Leader is advised of any issues identified within processing. This was a decision made by the
Head of Revenues in order to make more efficient use of the available resources within the service. We
were informed by the Business Rates Team Leader that sample checks are not undertaken
on NNDR processing due to the low turnover of staff and the fact that all staff are extensively
trained when they join the team. This control was found to be satisfactory during the previous
audit Work to Support AGS – (NN/11/13).
In the absence of a comprehensive sample checking process for NNDR, there is an increased
risk that errors, omissions or inappropriate activity may remain undetected, which could result
in financial loss, failure to comply with legislative requirements and/or reputational damage.
Management Responses
As a low priority, it remains a matter of judgement that resources can be better deployed
elsewhere within the Revenues Service.
Appendix D (2)
Report No. NN/12/13 – Final Report issued 19 March 2012
Audit Review of Parks and Open Spaces
Audit Opinion
Adequate Assurance given
Rationale supporting award of opinion
The audit work carried out by Internal Audit indicated that:
• While there is a basically sound system of internal control, there are weaknesses which put some of the client’s objectives at risk.
• There is evidence that the level of non-compliance with some of the control processes may put some of the client’s objectives at risk.
• The level of assurance is based on the fact that three medium and one low priority recommendations have been raised.
Summary of Findings
Income
Annual income is received from the Forestry Commission for contributions towards the
management of Bacton Woods, including the Woodland Improvement Grant.
Although income posted to the e-financials system is reconciled to paying in book receipts,
inconsistent and inadequate methods for receipting and recording income for sales at Holt
Country Park (including wood sales), tickets for events, and parking permits were identified,
resulting in an inability to confirm that all income due had been correctly accounted for.
Secure arrangements exist over the physical security of income at Holt Country Park.
Inadequate arrangements were identified over the issuing and accounting for season tickets
relating to parking permits for Holt Country Park. This included the absence of pre printed,
sequentially numbered permits and weaknesses over stock controls and actual permits
issued.
Maintenance and Health and Safety
A Memorandum of Agreement is in place between the Council and the Forestry Commission
for the management of Bacton Woods. The Council holds management responsibilities for
other parks and woodland areas (including Holt Country Park), which are documented within
management plans for each site.
The Council has a public liability and fidelity insurance policy with Zurich Municipal. The
current policy runs until 30th April 2012. However, we found that the fidelity insurance limit for
cash holdings, as detailed in the policy with Zurich Municipal, had been exceeded during
busier times over the course of the year.
Events run by the Council are primarily aimed at family and school audiences and therefore
do not require a formal licence, although they are monitored by the Council should the need
arise. Risk assessments for each event run by the Council are undertaken and are formally
documented.
Inspection programmes are documented and undertaken monthly for each of the parks and
woodland areas the Council manages.
Monitoring of Events and Management Plans
Monitoring of events is undertaken through performance indicators.
Management plans for 2007-27 exist for each of the parks and woodland sites the Council
manages. They contain ‘short term’ (five years) and ‘long term’ strategies. Each of the
management plans is now in the ‘long term’ strategy phase, although they have not been
revisited to determine whether they are still relevant and or require updating.
Performance Information
The Council has two performance measures relating to parks and open spaces; Green Flag
status for Holt Country Park, and the number of events held during the year. Holt Country
Park was awarded the nationally recognised Green Flag, awarded by the Forestry
Commission, for 2010/11. The application process for 2011/12 is currently in progress. Data
collection methods exist for each performance measure, which are monitored through the
Council’s performance management system (TEN).
Risk Management
Risks relating to parks and open spaces are monitored through the Leisure and Culture
service area on a six monthly basis in line with the Council’s Risk Management Strategy.
One risk has been identified relating to the parks and open spaces area: ‘LC004 Grounds
Maintenance, change of contractor’. Mitigating controls are in place to help reduce the impact
and likelihood of risks having an adverse effect on departmental objectives.
The following number of recommendations has been raised:

Area of Scope                              Adequacy of   Effectiveness   Recommendations Raised
                                           Controls      of Controls     High   Medium   Low
Income                                     Green         Amber           0      2        0
Maintenance and Health and Safety          Green         Amber           0      1        0
Monitoring of Events and Management Plans  Green         Amber           0      0        1
Performance Information                    Green         Green           0      0        0
Risk Management                            Green         Green           0      0        0
Total                                                                    0      3        1

High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have agreed all recommendations raised.
Appendix D (3)
Report No. NN/12/14 – Final Report issued 4 April 2012
Audit Review of Business Continuity
Audit Opinion
Limited Assurance given
Rationale supporting award of opinion
The audit work carried out by Internal Audit indicated that:
• There are weaknesses in the system of internal controls such as to put the client’s objectives at risk.
• The audit was conducted in the style of a Health Check and thus recommendations have been raised to help strengthen controls and help mitigate against risks where the controls were seen to be weak.
• As there are a number of areas where work is required, a Limited Assurance level has been applied, although it is acknowledged that Council management recognise the weaknesses that are currently present.
• This report is designed to assist the Council in progressing their work on Business Continuity to a good/leading practice level.
Summary of Findings
Management Commitment
The audit noted good evidence of ongoing management commitment. This is particularly
evident concerning the audit committee setting an action plan for the ongoing management of
Business Continuity. The “top level” (Corporate) Business Continuity Plan contains a senior
management foreword statement that supports the need for adequate Business Continuity,
although there have been very recent senior management changes that have not yet been
reflected within the statement. A recommendation on this has been raised.
Establishment of a Service Resumption Planning Team
There is a Business Resumption team in place, managed by the Civil Contingencies Manager
role. This role was found to contain relevant Business Continuity responsibilities within its job
description. There is also an assistant role within the team. The structure is such that this
team acts as a coordination function to guide and support the service area teams in drafting
their own Business Recovery Team Plans.
Infrastructure Assessment
The Business Continuity function has established various management forums that manage
Business Continuity on an ongoing basis. The primary forum is the Business Continuity
Working Group, which is made up of representation from across the Council, with the smaller
service areas sharing their representation. There is a general weakness around inventory
management in that there has not been any recent work to review existing inventory records
of assets that would be used should a business continuity event arise. Inventories include
keeping records of software, hardware, network topologies, utilities, procedure and software
manuals and so on. Records of these should also be kept within the team plans.
Recommendations on these weaknesses have been raised.
Risk Analysis
There is a risk analysis process in place; although the team plan templates that are used for
this are not consistent. For example, sample testing of recently updated team plans noted
that not every plan contained a specific Business Impact Analysis. A recommendation on
keeping the templates consistent has been raised.
Establishment of Priorities for Recovery
The sampled team plans were all found to contain indication of recovery priorities.
Definition of Requirements for Recovery
In the 2009 version of the “top level” Business Continuity Plan, there is a high level list of
priority systems. This list resulted from a fact finding exercise known as “Mexican Wave”.
The list does not contain recovery timescales against each of the listed systems, so it was
not obvious what the actual priorities were. A recommendation to add relevant timescales to
an updated “critical functions list” has been raised.
The Business Recovery Plan
There has been a fully documented top level Business Continuity Plan in place for some time,
which has also been supported by team based plans, although the presence of these plans
has been variable. There is good evidence to suggest that Business Continuity Management
is being closely managed, although this has only started relatively recently.
Training
The fact that Business Continuity Management has only recently been restarted means that
relevant training has not yet received adequate attention. A recommendation to draft, agree
and implement relevant staff and supplier training has been raised.
Testing of the Business Recovery Plan
There is no formally documented Business Continuity test plan, although it was noted that
management had used the recent November 2011 strike day as a possible disaster scenario.
The strike day was used as an opportunity for a desktop exercise that asked every service
manager to answer a questionnaire about the effects of the strike on their areas and what
lessons (if any) were being learnt. This helps to demonstrate control, which should be
continued in the form of further desktop exercises, pilot team physical exercises, with
occasional building wide exercises built in. A recommendation on this has been raised.
Maintaining and Updating the Plan
As work on reviving the Business Continuity Plan has only recently been reinstated, there has
been little need to look at this aspect. Ideally, the recent desktop exercise should be built into
the top level and relevant team plans, although this work should be in place on an ongoing
basis as well. A recommendation on this has been raised.
Insurance
The audit noted that there is good insurance coverage in place, although the plans do not
currently include details on how to use the insurance and what authority levels are in place to
make claims on the policies. A recommendation on this has been raised.
The following number of recommendations has been raised:

Area of Scope                               Adequacy of   Effectiveness   Recommendations Raised
                                            Controls      of Controls     High   Medium   Low
Management Commitment                       Amber         Amber           0      2        0
Establishment of a Service Resumption Team  Green         Green           0      0        0
Infrastructure Assessment                   Amber         Amber           0      3        0
Risk Analysis                               Amber         Amber           0      1        0
Establishment of Priorities for Recovery    Green         Green           0      0        0
Definition of Requirements for Recovery     Amber         Amber           0      1        0
The Business Recovery Plan                  Green         Green           0      0        0
Training                                    Amber         Amber           0      1        0
Testing of the Business Recovery Plan       Amber         Amber           0      1        0
Maintaining and Updating the Plan           Amber         Amber           0      1        0
Insurance                                   Amber         Amber           0      1        0
Total                                                                     0      11       0
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit
Management Responses
Management have disagreed with one recommendation raised:
Recommendation 4: Network Topology (Medium Priority Rating)
The Business Continuity Plan should include a current Communications and Network
topology diagram included as part of the systems inventory, which should be updated on a
regular basis.
Rationale supporting Recommendation 4:
The inclusion of a relevant topology diagram will help to ensure that relevant priority systems
can be recovered in a timely basis.
The Business Continuity Plan does not contain a relevant topology diagram as part of the
systems inventory.
There is an increased risk that relevant systems cannot be recovered in a timely manner.
Management Responses
Adds no benefit to systems recovery process.
Appendix D (4)
Report No. NN/12/16 – Final Report issued 1 May 2012
Audit Review of Content Management
Audit Opinion
Adequate Assurance given
Rationale supporting award of opinion
The audit work carried out by Internal Audit indicated that:
• While there is a basically sound system of internal control, there are weaknesses which put some of the Council’s objectives at risk.
• Although four Medium Priority recommendations have been raised, a number of controls were found to be in place and operating effectively. Recommendations have been raised to help strengthen these controls to a good/leading practice and help mitigate against risks where the controls were seen to be weak.
• As there have been no significant control weaknesses identified within each area of the audit, we have been able to provide an adequate level of assurance.
Summary of Findings
Web Content Management Strategy
There is a formally documented Web Strategy covering the period 2011-15. This has been
supported by a documented action plan to deliver the Council’s Corporate Plan for 2012/13,
which puts the Internet “at the heart of all we do”. The Council’s website was found to be
consistently structured and easy to navigate. It uses the general style of many local
government websites by listing the key services in a sidebar, all of which lead to the relevant
service home page, with further pages linked from there.
Policies and Procedures
The audit noted that there are documented policies and procedures that are provided to
content authors and owners as part of their initial training and ongoing support. There are
good access controls in place that restrict content owners and authors to their respective
service area pages.
Roles and Responsibilities
The audit noted good controls in this respect, although there is evidence that the site is not
being updated in a timely manner: the senior management reorganisation that went live on
1 February 2012 was not reflected on the relevant website pages until two weeks later, although
the home page had carried a news item about the change in January 2012. A specific
recommendation on this has not been raised on this occasion, although a more general
recommendation regarding the insertion of “last updated” dates has been raised below. The
audit also found that the roles and responsibilities documents did not contain specific
restrictions on the use of potentially copyright material (e.g. images and text downloaded from
other websites and inserted into updated content on the Council site). A recommendation on
this has been raised.
Change Control
The Council uses Red Dot for its content management. It records version histories of every
page within the website ‘project’, which can be consulted whenever investigation of a page’s
history is required. The user’s name is included within these records. To support this, there
are good access controls in place that limit a user’s ability to change content without review.
There is a weakness in that the age of a page’s content is not shown (e.g. by the use of a
“Last updated” statement followed by the date of the last update). There are also
weaknesses concerning the accuracy of the content, which has also been raised above, and
in “Performance Management” below.
Business Continuity
There is a documented communications team plan that supports the corporate plan, although
both are dated 2009, which means that a review of the plans is required. Another recent audit
has noted that there is renewed activity at a corporate level to bring the Council’s Business
Continuity arrangements to a current best practice standard, although a recommendation has
been raised here concerning the need to update the team plan to coincide with the corporate
work.
Performance Management
The Council uses Sitemorse and Webtrends to monitor its website. Sitemorse conducts
weekly audits on a random set of 500 pages and sends a summary email to the
Communications Department setting out its findings. The audit looks at the website’s
compliance with W3C standards (1) and the quality of the content, particularly its code and
dead links to other content. Webtrends is an analytics tool used to monitor activity across the
site in terms of visits to and from the site and keeps records of visit numbers. It includes a
dashboard facility to provide summary data at a glance. The audit noted that these tools are
not routinely monitored, although reviews are conducted when time allows. Currently, this is
an infrequent activity. A recommendation to review the monitoring processes has been
raised.
(1) W3C – World Wide Web Consortium – an organisation working to make the Web accessible to all
users (despite differences in culture, education, ability, resources, and physical limitations)
The following number of recommendations has been raised:

Area of Scope                     Adequacy of   Effectiveness   Recommendations Raised
                                  Controls      of Controls     High   Medium   Low
Web Content Management Strategy   Green         Green           0      0        0
Policies and Procedures           Green         Green           0      0        0
Roles and Responsibilities        Amber         Amber           0      1        0
Change Control                    Amber         Amber           0      1        0
Business Continuity               Amber         Amber           0      1        0
Performance Management            Amber         Amber           0      1        0
Total                                                           0      4        0
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have agreed all recommendations raised.
Appendix D (5)
Report No. NN/12/18 – Final Report issued 27 April 2012
Audit Review of Electoral Registration
Audit Opinion
Good Assurance given
Rationale supporting award of opinion
The audit work carried out by Internal Audit indicated that:
• There is a sound system of internal control designed to achieve the client’s objectives.
• The control processes tested are being consistently applied.
• This opinion resulted from the two low priority recommendations raised.
Summary of Findings
Register Completeness and Accuracy
A timetable is in place for the update of the Electoral Register. Electors are reminded of the
requirement to update their details in the event of any changes to their circumstances. A
canvassing period is undertaken in line with statutory requirements. A canvass form exists
which advises residents to update their residency status and to notify of any voter
preferences.
The public is advised of the date it needs to be resident at the property for inclusion on the 1st
December register. This date is set in law for the 15th October and is referred to as the
‘residential date’. Rolling registration forms are received at any stage throughout the year and
new electors will appear on monthly updates of the register from December to September.
The Council employs canvassers to manually deliver canvass forms and to revisit properties
on two further occasions where the forms have not been returned. Canvassers are paid
depending upon the number of forms returned. Canvassers are required to produce
worksheets of the properties they have visited.
Canvass forms in respect of the annual canvass review are processed and independently
checked. System controls also exist to automatically ensure that forms are independently
checked.
Rolling registration forms received intermittently, outside of the annual canvass, are not
consistently checked. Spot checking is undertaken on updates to the register, although this
level of check could not be substantiated.
The register is updated in the event of deaths of the electorate.
Register Security
The Council uses the eXpress system to update the Electoral Register. Access to the
eXpress update system is restricted to officers with a business need.
Access to the data or paper version of the register is restricted to those who are statutorily
eligible to receive the register and those who have provided a written request. Passwords are
in place for the data register which are issued following confirmation that the register has
been received by the approved recipient.
Canvasser Payment Authorisation, Coding and Recording
Canvassers are recruited on an annual basis with appointment based on those previously
used, including existing staff and those known to be reliable.
Canvassers are paid in line with agreed rates and are paid based upon the number of canvass
forms returned to the service. All payments had been made in line with agreed rates and are
processed through the payroll system.
Claim forms for expenses were confirmed to have been correctly completed and properly
authorised.
Guidance exists for canvassers in discharging their roles and responsibilities during the
canvass period.
Register Sales Income
Income is received for sales of the Electoral Register and Certificates of Residence.
Applications are made in writing and sales made in line with statutory and locally approved
rates. However, in one case, a certificate of residency request had not been received in
writing and no fee had been received.
All income was found to have been appropriately receipted. Income is primarily received
through the Council’s cash receipting arrangements; this area having been covered previously
in the audit of Remittances - NN/12/07.
Performance Information
Performance measures are in place for the service although none of these directly relate to
Electoral Registration.
The service is required to issue statistical data relating to the canvass period and to complete
and return a self assessment form to the Electoral Commission. Data collection arrangements
were confirmed to be robust with figures being verified against source data from the eXpress
electoral register update system.
Risk Management
Service risks have been identified relating to Electoral Registration and are documented on
the TEN Performance Management System. Risks are monitored and updated on a twice
yearly basis.
The following number of recommendations has been raised:

Area of Scope                                          Adequacy of   Effectiveness   Recommendations Raised
                                                       Controls      of Controls     High   Medium   Low
Register Completeness and Accuracy                     Green         Amber           0      0        1
Register Security                                      Green         Green           0      0        0
Canvasser Payment Authorisation, Coding and Recording  Green         Green           0      0        0
Register Sales Income                                  Green         Amber           0      0        1
Performance Information                                Green         Green           0      0        0
Risk Management                                        Green         Green           0      0        0
Total                                                                                0      0        2
High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have agreed all recommendations raised.
Appendix D (6)
Report No. NN/12/20 – Final Report issued 22 May 2012
Audit Review of Remote Access
Audit Opinion
Adequate Assurance given
Rationale supporting award of opinion
The audit work carried out by Internal Audit indicated that:
• While there is a basically sound system of internal control, there are weaknesses which put some of the Council’s objectives at risk.
• Although two Medium Priority recommendations have been raised, a number of controls were found to be in place and operating effectively. Recommendations have been raised to help strengthen these controls to a good/leading practice and help mitigate against risks where the controls were seen to be weak.
• As there have been no significant control weaknesses identified within each area of the audit, we have been able to provide an adequate level of assurance.
• This system has not previously been audited, so there is no comparison possible with previous findings. Hence no direction of travel indicator can be given.
Summary of Findings
Policies and Procedures – The audit noted good controls in place in this respect. There
was an ICT Security Policy in place, and less than 12 months old at the time of the audit,
which includes a section on remote access. All remote access users are required to sign off
an acknowledgment to comply with relevant aspects of the ICT Security Policy when they
apply for remote access. This process also requires the signed approval of their line
manager.
Remote Access Monitoring – The remote access infrastructure automatically logs all remote
access attempts, including what the user accessed (e.g. email). The duration of each access
session is also logged. Such data is made available to line management to allow them to
review the remote access activities of their staff. The system is configured so that line
management can only review the data relevant to their respective teams. However, it was
noted that this system has fallen into disuse, which has in turn led IT staff not to ensure that
new data is uploaded to the reporting system on a timely basis. A recommendation to refresh
management knowledge about the system and what it can do for them, and to ensure that
new data is uploaded into the system on a timely basis, has been raised.
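The monitoring control described above, shown as an added example that is not the Council's system or code: a small Python check that parses constructed remote-access session records, scopes them to a line manager's own team (so a manager sees only their staff), summarises each user's activity for review, and flags a reporting feed whose newest record is older than an agreed threshold, which is the failure mode the audit found. The record format, the team membership, and the seven-day threshold are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample feed (assumed format, not the Council's):
# ISO-8601 timestamp, username, resource accessed, session seconds, outcome
SAMPLE_LOG = """\
2012-05-01T08:02:11Z jsmith email 1820 success
2012-05-01T08:05:40Z abrown desktop 5400 success
2012-05-01T18:22:03Z jsmith desktop 60 failure
2012-05-03T07:55:19Z cgreen email 900 success
2012-05-03T22:14:51Z abrown email 0 failure
not a valid record
"""

# Constructed team membership (assumed): a manager may only see their own team.
TEAMS: Dict[str, List[str]] = {
    "revenues_mgr": ["jsmith", "abrown"],
    "comms_mgr": ["cgreen"],
}


def parse_iso(ts: str) -> datetime:
    """Parse a Zulu timestamp into a timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> List[dict]:
    """Parse the whitespace-delimited feed into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, resource, duration, outcome = parts
        try:
            when = parse_iso(ts)
            seconds = int(duration)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "resource": resource,
                        "seconds": seconds, "outcome": outcome})
    return records


def team_view(records: List[dict], manager: str) -> List[dict]:
    """Return only the records for users in the manager's team (least privilege view)."""
    members = set(TEAMS.get(manager, []))
    return [r for r in records if r["user"] in members]


def summarise(records: List[dict]) -> Dict[str, dict]:
    """Per-user session count, failed attempts and total connected time for review."""
    out: Dict[str, dict] = {}
    for r in records:
        s = out.setdefault(r["user"], {"sessions": 0, "failures": 0, "seconds": 0})
        s["sessions"] += 1
        s["seconds"] += r["seconds"]
        if r["outcome"] != "success":
            s["failures"] += 1
    return out


def feed_is_stale(text: str, now_iso: str, max_age_days: int = 7) -> bool:
    """True when the feed has no record newer than max_age_days: the upload has lapsed."""
    records = parse_log(text)
    if not records:
        return True
    newest = max(r["when"] for r in records)
    return parse_iso(now_iso) - newest > timedelta(days=max_age_days)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("feed stale:", feed_is_stale(SAMPLE_LOG, "2012-05-22T00:00:00Z"))
    for manager in TEAMS:
        print(manager, summarise(team_view(recs, manager)))
```

The staleness check is the part worth automating: a feed that is still being read but no longer refreshed gives managers false comfort, so the check should run on a schedule and raise an alert rather than wait for someone to notice the dates.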
Remote Access Change Control – There is an agreed change control process that must be
followed, although there has been limited need to use it.
Network Protection – The Council has implemented an EAP Netilla implementation that
typically presents the remote access user with an encapsulated environment that isolates the
home PC (or other relevant device not issued by the Council) from the Council’s network.
This is designed to prevent the download or upload of data to and from the Council and also
means that endpoint risks are reduced. However, it was found that certain staff (for example,
members) can use Outlook Web Access, which allows the download and upload of emails
and attachments. These connections undergo anti-virus scanning at the Exchange server,
but are not subject to other available scans such as spam filtering. Smartphone access is
similarly weak. A recommendation to strengthen controls has been raised.
Access Controls – The remote access user is presented with a desktop environment that
mirrors what they can see when they use their office machine. Sample testing also
suggested that there are good controls regarding the process for applying to use the remote
access facilities. The connections also require the use of two-factor (Vasco) authentication.
The following number of recommendations has been raised:

Area of Scope                  Adequacy of   Effectiveness   Recommendations Raised
                               Controls      of Controls     High   Medium   Low
Policies and Procedures        Green         Green           0      0        0
Remote Access Monitoring       Amber         Amber           0      1        0
Remote Access Change Control   Green         Green           0      0        0
Network Protection             Amber         Amber           0      1        0
Access Controls                Green         Green           0      0        0
Total                                                        0      2        0

High Priority Recommendations
No high priority recommendations have been raised as a result of this audit.
Management Responses
Management have agreed all recommendations raised.