Agenda item

Updating of Strategic and Annual Audit Plans for 2012/13 (Agenda item 9)

Report of the Head of Internal Audit.


These Plans reflect the outcomes of a recently performed Computer Audit Needs Assessment.




In a response to a request from the Corporate Management Team to revisit the computer audit needs assessment from 2010/11, the Head of Internal Audit confirmed that this work had now been completed and the strategic and annual audit plans updated in consequence.  The new assessment had a doped a slightly revised approach.  The auditable areas had been split into two separate analyses.  The first analysis reviewed 36 potential discrete auditable areas, whilst the second focused on the authority’s key applications and upcoming projects.  Further to this, a new methodology for IT back up arrangements had been incorporated.


In reference to the reviews for the cash receipting applications and the Revenues and Benefits Electronic Document Record Management System, there had been an acceptance that these reviews should still go ahead, but that the remaining 21 planned days should be allocated to a review of Network Infrastructure and Security.  This work would commence in early March 2013.


The latest Computer Audit Needs Assessment covered the period 2012/13 to 2015/16 and this contained a suggested programme of work for two financial years - 2014/15 and 2015/16 which extended past the term of the Internal Audit Services Contract which expired in September 2014; therefore, future audits could change dependent on the service delivery model that the Council adopted from that point forward.


Mr Ludlow queried Table 1 under Section 6 of Appendix 1 (page 35 of the agenda) and asked why the Council had three very high risk items last audited in 2009 that were not going to be audited again until 2015/16.  He was of the opinion that high risk items should be monitored every year.  The Head of Internal Audit explained that Deloitte’s cycle of review was such that very high risk items were earmarked for two yearly reviews, high risk systems should be subject to three year examination and medium risk areas warranted a four yearly scrutiny.  Further to this, the assessment had been based on current risks and hence, when previously audited, the auditable areas might well have carried a different risk rating at that time, which explained why some of the intervals between reviews were longer than one might have expected.  Computer audit coverage was also subject to financial constraints i.e. funding available to sanction delivery of the relevant audits put forward and this factor also played a key part in the scheduling of work.  Mr Ludlow felt that the high risks should be swapped to the timeframe of the medium risks.   Members were informed that the Director of Commissioning, the Assistant Director of Finance and the Head of Internal Audit had considered Deloitte’s computer audit proposals and collectively agreed that they represented a reasonable balance of computer audits for completion in the next four years.


Mrs Jolly asked if these assessments would be affected by the move to Norfolk County Council. The Head of Internal Audit explained that the move had been taken into account when developing the coverage, and there had also been discussion with the Principal Audit Client Manager at Norfolk County Council regarding the scoping of Breckland audits to avoid any duplication of work.


In conclusion the Chairman was well aware of how shared services could affect the way that these assessments would be reported in future; in his opinion it was going to be much more difficult.




1)     the findings of the Computer Audits Needs Assessment be noted; and


2)     the amended Strategic Audit Plan for 2012/13 to 2014/15, the reworked Annual Audit Plan for 2012/13 and the updated Summary of Internal Audit Coverage for 2012/13 be approved.


Supporting documents: