PART ONE
ITEM NO.
REPORT OF THE
DIRECTOR OF CORPORATE SERVICES
To the: Corporate Services Lead Member Briefing
On: Monday 17th May 2004
TITLE: INTERNAL AUDIT ACTIVITY SEPTEMBER TO MARCH 2004
RECOMMENDATIONS:
The Lead Member is asked to note the contents of the report.
EXECUTIVE SUMMARY:
The purpose of the report is to inform the Lead Member of Internal Audit
activity in the period September 2003 to March 2004.
BACKGROUND DOCUMENTS:
Various reports and supporting working papers
ASSESSMENT OF RISK:
Internal Audit projects are managed within the Unit’s risk based audit
protocols aimed at giving assurance regarding the management of the City
Council’s key business risks.
THE SOURCE OF FUNDING IS:
Existing revenue budget.
LEGAL ADVICE OBTAINED:
N/A
FINANCIAL ADVICE OBTAINED:
N/A
CONTACT OFFICER:
Andrew Waine - Audit Manager 0161 793 3357
WARD(S) TO WHICH REPORT RELATES:
Various
KEY COUNCIL POLICIES:
N/A
DETAILS:
Report details are contained in the table below.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: ACCOUNTS PAYABLE 2002/3
REF: 2327/CS/03
AIMS AND OBJECTIVES
Internal Audit undertakes a review of the purchasing and accounts payable systems on an
annual basis. The objective of the review is to provide management with an independent
appraisal of the adequacy of controls in the key functional processes within the purchasing and
accounts payable systems. The review was undertaken using payments and information
obtained relating to the financial year 2002/3.
The results of the review are not only subject to internal scrutiny but also subject to external
scrutiny by the Audit Commission under the managed audit arrangements. The Audit
Commission seeks to ensure that controls are in place to prevent:
• Incorrect payments being made
• Incorrect accounting/poor budgetary control
• System failure.
Testing undertaken during this review sought to ensure that there were adequate controls in
place to mitigate these risks and that the controls were operating effectively.
AUDIT OPINION
It is agreed that the introduction of the new financial systems in April 2000 has represented a
significant change to working practices. The testing undertaken for this audit review has
highlighted the issues that have already been raised and documented within the last audit
report, for which discussions have been held with management and recommendations have
now been agreed.
The audit found that most of the key risks are adequately controlled. Only two key controls
require attention, relating to the control of cheques and contingency plans in the event of an IT
failure.
MANAGEMENT RESPONSE
All recommendations made were agreed.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: BACKUP AND RECOVERY
REF: 2461/CS/03
AIMS/OBJECTIVES
The focus of our review concentrated on the backups taken by Desktop Services and
Computer Services (both part of Corporate Services IT Net). Desktop Services are responsible
mainly for the Microsoft platforms used to support shared file servers and Salford Intranet and
Internet sites. Computer Services provide support for the mainly Unix based servers supporting
major applications such as Council Tax, SAP and Carefirst.
The objective of the audit was to determine the controls over the following risks:
• Completeness of the backup schedule
• Integrity of the backup process
• Efficiency and effectiveness of the recovery process
We did not review the backup processes utilised by other units e.g. Education or Development
Services. Neither did we review the backing up of Education’s application servers by Desktop
Services.
MAIN CONCLUSIONS AND RECOMMENDATIONS
Provision of a backup function across Salford City Council (SCC) is well established and covers
all the major servers and applications. Important files are taken off site at key points in the
processing cycle to guard against major disasters.
Key recommendations:
• The responsibility for backing up servers should be brought under the control of a single team
• Backup and recovery procedures should be brought together in a single document, which is reviewed at least annually
• Server commissioning and de-commissioning checklists should be created, completed and reviewed to ensure changes to asset records, backup schedules, and security arrangements are complete and timely
• A cost benefit analysis of the advantages of standardising on common backup technology should be undertaken
• An unobtrusive case capable of providing shock and weather protection should be purchased for the transport of tapes to and from Minerva House
MANAGEMENT RESPONSE
Management has agreed the 8 recommendations made and has agreed to action them between
now and September 2004.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: CAPITAL BUDGET MONITORING
REF: 2503/CS/03
AIMS AND OBJECTIVES
The purpose of this report was to review the process for the preparation and monitoring of the
capital budget. This included a review of the various processes used to manage capital projects
within each Directorate.
The agreed terms of reference were to assess the risks and controls associated with:
• The processes used to produce the capital programme and budget.
• The processes used in individual departments for monitoring capital expenditure.
• The project monitoring processes within departments.
And comment on the robustness of these processes and make recommendations for
improvement where appropriate.
AUDIT OPINION
Good practice is followed in that:
• CIPFA advice is followed in preparing and monitoring capital budgets, with the following exceptions:
  - Life-cycle costs are not considered,
  - There is no requirement that a timetable be prepared for completion of the various elements of a scheme,
  - There is no formal system for a post implementation review of a sample of individual projects.
• Expenditure is well controlled against budgets, but the officers dealing with it rely on their own records rather than using the information available from the core financial management information system (SAP).
MANAGEMENT RESPONSE
The audit recommendations have been accepted and agreement has been reached that the
following action will be taken:
• Life cycle costs will be estimated for all proposed schemes where it is appropriate and feasible.
• The timetables for completion of schemes will be more comprehensive as from the 2004/05 programme and a full range of key dates will be recorded for the 2005/06 capital programme.
• A sample of non-grant-aided schemes will be reviewed after completion to confirm that the system continues to operate as intended.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: CITIZEN COMPUTER SYSTEM
REF: 2462/CS/03
AIMS/OBJECTIVES
The aim of the audit was to determine the degree of control over the following risk areas:
• System Management
• System Development
There are plans to further develop Citizen and link other Council Computer systems, with the aim of
enhancing the services provided to the public.
MAIN CONCLUSIONS AND RECOMMENDATIONS
The audit has concluded that the risks relating to System Management and System
Development are reasonably well controlled. Recommendations have been made to improve
the degree of control over the current system and ensure that future developments are equally
well controlled.
The current resource levels for the Citizen system are adequate to maintain the system and
develop it at a slow pace. However, if it is the intention to expand the use of Citizen to enable it
to become a key element of the Council’s ‘Think Customer’ strategy, then the resources are
inadequate.
The procedures for backing up the Citizen development server are inadequate. This server is
backed up locally and not via the standard procedures, as used by Desktop Services e.g.
Veritas. The backup tapes are stored next to the server in a plastic box and not in a secure
remote off site location.
The procedures controlling changes to the Citizen software were found to be inadequate. This
could result in changes being made that are not agreed with the users. The current procedures
do not formally document change requests, prioritise them in terms of importance, agree in
detail the work required, or allow the client to sign off the work when completed.
Main recommendations:
• The staffing and resources available for development of the Citizen application should be reviewed
• A system administrator should be appointed and trained
• The training program should be properly resourced
• A formal system of recording requests for change to Citizen should be implemented
MANAGEMENT RESPONSE
Management in Salford Direct and ITNet have agreed all the recommendations and they will be
actioned between now and 31 March 2004.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: DESKTOP SERVICES STRATEGY AND SERVICE
REF: 2409/CS/03
AIMS/OBJECTIVES
The objective of the audit was to determine the controls over the following risks:
• IT strategy and vision
• Service delivery
• Customer focus and support
The audit assignment commenced in August 2003 and was conducted through discussions
with the Director of Corporate Services, Assistant Director Operations & Support, Desktop
Services Manager and selected managers and staff in the following Directorates:
• Community & Social Services
• Education & Leisure
• Corporate Services
MAIN CONCLUSIONS AND RECOMMENDATIONS
Desktop Services has a lack of any clear communication plan to ensure that vision, strategies
and proposals are properly communicated at the right time to the right people across the
Authority. Whilst the relationship with some Directorates is good, with others it is weaker and
will require significant effort to improve.
There are a number of significant issues that require action:
• Revisit the IT strategy to bring up to date and align with the key pledges and Directorate priorities
• Implement a succession policy to minimise the risk of service interruption through loss of key staff
• Carry out a GAP analysis of skills amongst Desktop staff to identify areas for development
• Develop and implement change management controls for Desktop staff to follow for internal projects
• Consider making Desktop Services the sole provider of IT equipment for the whole of the Authority
• Define and communicate a communications strategy between Desktop and its customers, which should also include regular meetings between IT staff at all levels and Directorate staff
• Develop and introduce a new process for recording and measuring customer satisfaction to ensure that representative feedback is received
MANAGEMENT RESPONSE
Management agreed to implement all 10 audit recommendations without reservations, though
not all will be actioned within the Desktop Services unit.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: E-GOVERNMENT PROGRAMME
REF: 2455/CS/03
AIMS/OBJECTIVES
The audit assessed the degree of control over the following categories of risk, threatening the
management of the E-Government Programme:
• Programme Management
• Communication and Information Management
• Meeting Business Needs

Note: The audit focused on the work of the Programme Manager and E-Government Services Team,
but also covered Directorate activities, where this was found to be practicable.
MAIN CONCLUSIONS AND RECOMMENDATIONS
In Internal Audit's opinion, the E-Government Programme has successfully built on the
achievements of the Information Society and Pathfinder Projects. The audit has identified that
governance procedures, capacity building measures and change management products, such
as BPR/Project Management methodologies, have become more embedded within the cultures
of Salford Advance, Programme management and the Directorates. The audit has also
identified that great strides have been made in implementing technical solutions, which
enhance the Council's ability to meet Government targets and information requirements for
service e-enablement, as measured against BVPI 157. They also help the Council to achieve its
own vision for organisational transformation.
However, testing of specific governance controls, e.g. elements within the Salford Method of
PRINCE 2 project management methodology, has revealed concerns about their effectiveness,
in terms of practical application. Concern must also be expressed about the effectiveness of
controls related to the promotion of e-government solutions, in terms of covering the key risks
related to meeting business needs, bringing about culture change and improving services to
the public. In other words, controls are in place, but Programme Management has recognised
that these will require enhancing and strengthening, if the levels of commitment to and take-up
of e-government solutions are to be improved within the Directorates.
Main recommendations:
• Lack of corporate commitment and support from senior managers and Councillors, both strategic and financial, should be addressed
• The Programme Manager should report to the Cabinet briefing meeting on a quarterly basis, on progress against the plan and BVPI 157, together with corporate working issues and risks. This group should act as the Programme Board Executive
• A review should be undertaken of the use of the Salford Method of Prince 2, at Programme level and within the individual projects
• E-government should become a strategic part of the Leaders' Front Line Service Review
MANAGEMENT RESPONSE
Management has agreed all the recommendations and they will be actioned between now and
April 2004.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: LOANS AND INVESTMENTS
REF: 2325/CS/03
AIMS AND OBJECTIVES
The aim and objective of this audit was to identify the risks and associated controls in respect
of the following processes:
• Determine Dealing Requirements
• Negotiating Deals
• Make and Receive Payments
• Maintain Diary
• Logotech Computer System.
The audit was conducted through discussions with the Accountant and the Assistant Group
Accountant who are responsible for the section, in addition to examining the documentation
held by the section. The documentation reviewed related to the 2002/03 financial year.
AUDIT OPINION
The review found that the controls in place are operating efficiently and are well executed by
the loans officers.
There are only two areas where improvements to existing controls are required:
Record of Checking Deal Tickets and Confirmations
When confirmation notes are received, they are matched to the deal ticket and checked for
accuracy. Currently, the officer undertaking the check does not sign the forms to verify that this
check has been undertaken.
Logotech Passwords
Although Logotech passwords are changed and had been changed prior to the audit
commencing, they are not changed on a frequent basis. The recommendation was agreed in
the previous audit report, issued February 2002, but has still not been implemented. Actioning
this recommendation would reduce the risk of unauthorised access to the system.
MANAGEMENT RESPONSE
Both recommendations were accepted and implementation dates agreed by management.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: PROCUREMENT AND DISPOSAL OF IT EQUIPMENT
REF: 2382/CS/03
AIMS/OBJECTIVES
The aim of the audit was to determine the degree of control over the following risk areas:
• Corporate Procurement of IT equipment
• Directorate Procurement of IT equipment
• Corporate Disposal of IT equipment
• Directorate Disposal of IT equipment
The audit examined the situation regarding Community and Social Services, as an example of
procurement using the Corporate procedures and Environmental Services as a variant from
the standard.
MAIN CONCLUSIONS AND RECOMMENDATIONS
The audit has concluded that the risks relating to both Corporate and Directorate procurement
are reasonably well controlled. However risks relating to the disposal of IT equipment are less
well controlled, e.g. no formal guidelines relating to disposal were identified during the audit.
There are a number of issues that require action:
• Asset / stock management controls in Desktop Services are unsatisfactory and are approximately 12 months out of date
• Consider giving Desktop Services the mandate to be the sole provider of IT equipment for the whole Authority
• A Corporate policy on disposal of equipment should be prepared and distributed to all Directorates
• Minutes of meetings between Directorate Client Liaison Officers (CLO) and IT should be taken
• Directorates should prepare and issue guidance to their CLO to aid them in discharging their duties
MANAGEMENT RESPONSE
Management in the 3 Directorates visited in the audit agreed to implement all 13 audit
recommendations. The recommendation to make Desktop the sole provider of IT equipment is
to be put to Directors.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: SOFTWARE DEVELOPMENT
REF: 2358/CS/03
AIMS/OBJECTIVES
The aim of the audit was to determine the degree of controls over the following risk areas:
• Personnel / succession
• Operational / procedural
• Technical
• Security / resilience
• Organisational
The audit focused on the development work of the S.D. Team, but took into account the fact
that other functions within IT Net and Salford Advance are involved in software development,
e.g. the E-Government Team.
MAIN CONCLUSIONS AND RECOMMENDATIONS
Software development is delivered by 2 teams within IT – Salford Advance and IT Net Software
development. This has created some differences in standards, development tools and methods
of design and management. However, in both teams, substantial assurance can be given on
the level of controls that exist.
To conclude, the review has established that risks relating to the day-to-day operation of the IT
Net software development function are reasonably well covered, and that progress is being
made to iron out weaknesses. In terms of the higher-level risks currently threatening the S. D.
Team, management has formally identified these and included them in the Business Plan, but
there is much work to be done to move the Team forward, given the challenging environment
in which it will have to operate.
There are a number of recommendations to improve the existing arrangements:
• Implement handover procedures for work when staff leave
• Adoption and rollout of a formal system to manage development standards
• Software Development management should be fully involved in the feedback from and assessment of the pilot for the "mini" version of the Salford Method
• PSO and Software Development management need to establish a system for assessing the relative priorities of developments/projects being undertaken by the Team, at any given moment in time
• Within IT Net and Salford Advance, a number of teams are undertaking development work. It is suggested that steps be formally taken to establish whether this situation, or any proposed situation for the future, has or is likely to result in duplication of effort on systems or standards etc
MANAGEMENT RESPONSE
Management agreed to implement all 5 audit recommendations. All of these have action dates
in September 2003 to start the dialogue, though it is accepted that the implementation of actual
changes may take place after that.
COMMITTEE SUMMARY: CORPORATE SERVICES
SUBJECT: MANAGEMENT OF THE UNIX SERVER ENVIRONMENT
REF: 2420/CS/03
AIMS/OBJECTIVES
The aim of the audit was to determine the degree of control over the following risk areas:
• Hardware - performance and resilience
• Software - integrity and security
• Information - data integrity and security
• People - succession and personnel issues
The review focused on the risks related to the role of Computer Services, rather than those of
Desktop Services or the Directorate application managers, e.g. it covered threats to data
integrity arising from an insecure Unix environment, rather than from an insecure network or
application environment.
Assessment of control over security risks was aided by the use of an audit computer tool kit,
originally provided by the Audit Commission.
MAIN CONCLUSIONS AND RECOMMENDATIONS
The completion of this audit appraisal has led us to the general opinion that the Unix server
environment is well managed by the Computer Services Team. The Team contains a good
balance of experienced staff and newer staff, who have been or are being trained up in
relevant technical aspects of Unix. The audit review has established that the Team operate
satisfactory controls to mitigate most of the key risks related to the aspects covered in the audit.
However, both IT Net and Computer Services management have recognised the need for a
credible disaster recovery plan for the Computer Centre, which includes the Unix environment,
and have started to formulate such a plan. Furthermore, tests undertaken during the review
using the audit tool kit, indicate that there could be possible security vulnerabilities in some or
all of the Council's Unix configurations. However, the tool kit did report that a number of
common security loopholes had been closed. It should also be noted that the audit has not
covered controls built into user applications or the communications network, which could act
as a form of "safety net" for potential Unix vulnerabilities.
There are a number of significant issues that require action:
• Computer Services management should formalise an investigation into the performance monitoring tools available
• A schedule of disaster recovery "restore" tests should be drawn up to ensure that such tests are undertaken periodically in respect of each Unix installation
• Computer Services should critically examine the results reported by the audit tool kit, as summarised at Appendix 1 and discussed in detail with the Deputy Service Manager
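Two of the controls this report comes back to, completeness of the backup schedule across the teams that share the work (the Backup and Recovery review above) and periodic restore tests for each installation (the recommendation just above), can be tested mechanically once the asset register and the backup job log are held in one place. The following Python script is an added illustration of such a check; it is not code from the Council, IT Net, Computer Services or the audit, and every server name, team and date in it is constructed for the example.

```python
"""Backup-control check for a server inventory and backup job log.

Added example, not taken from the audit report. Tests the controls discussed
in the report: every live server has a scheduled backup, backups run on
schedule, media are taken off site, a restore has been tested recently, and
asset records and backup schedules agree with each other. All servers, teams
and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Server:
    """One row of the asset register (commissioning / de-commissioning checklist)."""
    name: str
    team: str        # team responsible for the server's backups (assumed field)
    live: bool       # False once the de-commissioning checklist is completed


@dataclass(frozen=True)
class BackupJob:
    """One entry in the backup schedule, with the dates recorded by the job log."""
    server: str
    frequency_days: int                # scheduled interval between backups
    last_success: date                 # last backup that completed successfully
    last_restore_test: Optional[date]  # None means a restore has never been tested
    offsite: bool                      # media taken off site at the key point


def check_backup_controls(servers: List[Server], jobs: List[BackupJob],
                          today: date, restore_test_max_days: int = 180
                          ) -> List[Tuple[str, str]]:
    """Return sorted (server, finding) pairs; an empty list means no exceptions."""
    jobs_by_server = {j.server: j for j in jobs}
    findings = []

    for s in servers:
        job = jobs_by_server.get(s.name)
        if not s.live:
            # A job still scheduled for a de-commissioned server means the
            # checklist did not update the backup schedule.
            if job is not None:
                findings.append((s.name, "job still scheduled for decommissioned server"))
            continue
        if job is None:
            findings.append((s.name, "no backup job scheduled"))
            continue
        backup_age = (today - job.last_success).days
        if backup_age > job.frequency_days:
            findings.append((s.name, f"last successful backup {backup_age} days old "
                                     f"(scheduled every {job.frequency_days} days)"))
        if job.last_restore_test is None:
            findings.append((s.name, "restore never tested"))
        elif (today - job.last_restore_test).days > restore_test_max_days:
            test_age = (today - job.last_restore_test).days
            findings.append((s.name, f"restore test {test_age} days old "
                                     f"(limit {restore_test_max_days} days)"))
        if not job.offsite:
            findings.append((s.name, "backups not taken off site"))

    # A job for a server absent from the register points at an incomplete
    # commissioning checklist rather than at the backup team.
    known = {s.name for s in servers}
    for j in jobs:
        if j.server not in known:
            findings.append((j.server, "backup job for server missing from asset register"))

    return sorted(findings)


# Constructed sample data: names, teams and dates are invented for the example.
TODAY = date(2004, 3, 31)

SAMPLE_SERVERS = [
    Server("ctax-db1", "Computer Services", live=True),
    Server("sap-app1", "Computer Services", live=True),
    Server("citizen-dev", "Desktop Services", live=True),
    Server("intranet-web", "Desktop Services", live=True),
    Server("old-fileserv", "Desktop Services", live=False),
]

SAMPLE_JOBS = [
    BackupJob("ctax-db1", 1, date(2004, 3, 30), date(2004, 1, 15), offsite=True),
    BackupJob("sap-app1", 1, date(2004, 3, 20), date(2003, 6, 1), offsite=True),
    BackupJob("citizen-dev", 7, date(2004, 3, 29), None, offsite=False),
    BackupJob("old-fileserv", 7, date(2004, 3, 28), date(2004, 2, 1), offsite=True),
    BackupJob("mystery-box", 1, date(2004, 3, 30), date(2004, 3, 1), offsite=True),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample data."""
    return check_backup_controls(SAMPLE_SERVERS, SAMPLE_JOBS, TODAY)


if __name__ == "__main__":
    for server, finding in sample_findings():
        print(f"{server:14} {finding}")
```

Run against the sample data, the check reports the locally backed-up development server with no restore test and no off-site copy, a server with no job at all, a stale job left behind after de-commissioning, and a job for a server that never reached the asset register; the well-run production server produces no finding. The restore-test limit of 180 days is an assumed value, not one the report sets.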
MANAGEMENT RESPONSE
Management agreed to implement all 3 audit recommendations, over timeframes from end of
Dec 2003 to end of October 2004.