Status Report - Outstanding Internal Audit Recommendations (Agenda item 5)
- Meeting of Additional Meeting, Governance and Audit Committee, Friday, 20th December, 2013 10.00 am (Item 65.)
Report by the Internal Audit Consortium Manager.
This additional meeting had been arranged to enable the Committee to get a better understanding from officers for why a number of their audit recommendations were still outstanding.
The purpose of the report was to inform Members as to the progress made in implementing audit recommendations falling due in the first half of the financial year. The report provided a commentary on management updates provided during this period and the outcomes of recent audit verification work.
The Internal Audit Consortium Manager introduced Alexandra Tsampasian, an Auditor from Deloittes who had carried out audit verification work in November 2013.
The Council was in the process of building a new Performance Management site which was due to go live in 2014. However, whilst this initiative was on-going, all audit recommendations that required action and/or comment from management on their latest status, in order to inform Quarter 2 follow up work, had been obtained by the Performance Team, who had liaised with all the relevant responsible officers, after which the Deloitte auditors verified responses provided when on-site on 14 and 15 November 2013. This report therefore drew upon the latest information that could be extracted from Performance Plus as at the end of Quarter 2, regarding systems and computer audit recommendations, which had target dates for completion occurring between 1 April and 30 September 2013. The overall position of the number of outstanding recommendations were highlighted at paragraph 3.2.1 and attached at Appendix 1. However, since the publication of the report, it had been confirmed that the cumulative position for completed recommendations had increased by 3 to 41 (i.e. 46.1% of the total due to be processed) and accordingly, the total number of outstanding recommendations had decreased to 48 (i.e. 53.9%). It was noted that the 3 completed had been high priority computer audit recommendations. These were not included in the 8 outstanding high priority recommendations reported at the end of 2012/13, as at that time they had yet to reach their target implementation dates set. Of the 8 outstanding recommendations noted at 31/03/13, 2 had been completed and those remaining included:
- Asset Management (BRK/11/06) x 1 – relating to maintenance and street lighting contracts
- Internet and Email (BRK/12/17) x 1 – relating to the need to ensure that firewalls were included within the routine network backup.
- Procurement (BRK/13/02) x 4 – relating to procurement knowledge, the contracts register, purchase ledger analysis and the Glass Bottle Bank Collections contract.
In addition to the above, there were a further 5 high priority recommendations reported as outstanding for the first time to the Audit Committee and these were summarised as follows:
- Environmental Services (BRK/13/05) x 1 – relating to ensuring that a timetable was put in place to set out timeframes for undertaking inspections of high hazard sites.
- Network Infrastructure and Security (BRK/13/11) x 4 – relating to system privileges, certain rights only being granted to system administrators, a review of accounts with administrator privilege and a review of the accounts with passwords that never expire. With reference to the first 3 recommendations, management had indicated that these had been completed; however, evidence had not been made available to verify this. In relation to the fourth recommendation, there had been a trial in resetting passwords which had presented some issues and the options for roll out were currently being explored.
Aside from the high priority recommendations, there were a total of 40 (34 medium and 6 low priority) recommendations which remained outstanding as at 30 September 2013.
Updates from Officers who had been unable to attend the meeting were circulated and Members were provided with the following information:
- BRK/11.04 – Procurement
BRK/11.04.07: Retention of Procurement Documentation - Officer update December 2013: This was clearly defined under 4B Contract Standing Orders within the Constitution. As the Constitution was currently under review, Officers would ensure this was picked up and remained within the Constitution. This message would be reinforced in any future training.
The Assistant Director of Finance explained that the process of realigning the Constitution for both Council’s was still ongoing but should be completed in the New Year. As far as training was concerned, the current guidelines would have to be reinforced. The Vice-Chairman asked if individual managers would be responsible for checking their own records. Cllr Wassell felt that the responsibility should lie with the Portfolio Holders and Managers and there should be a mechanism in place to ensure that documented evidence was maintained.
Cllr Canham suggested that a further column should be added to the Outstanding Audit Recommendations chart called ‘renewable end date’. In response to a question about how the dates were set, the Internal Audit Consortium Manager explained that the dates were not imposed; further discussions were had with Managers before any implementation dates were set initially or after original target dates had slipped. Mr Ludlow felt that the reasons for lateness should be explained within the report. The Chairman agreed as it would provide a much better audit trail at year end. Members’ attention was drawn to paragraph 3.2.12 of the report and it was asked if these updates were reported to Portfolio Holders. Cllr Wassell said that there had not been any direct communication to Portfolio Holders but it had since been agreed that the audit report would be extended as such. Mr Ludlow reminded the Committee that this particular issue had been on-going for over a year. The Internal Audit Consortium Manager advised that circulation would be expanded to Portfolio Holders. In response to a question raised with reference to completion of a review of Contract Standing Orders, which had an original completion date of 31/03/11, Members were advised the delay to date had been due to the ongoing Constitutional Review, which was now expected to be resolved in 6 to 9 months time. The Assistant Director of Finance pointed out that the third part of the Constitution, the delegations, should be completed by the end of next month which would enable the officer to include achievable end dates. The Chairman said that end dates were very important on all these outstanding recommendations as well as reasons why the dates had not been achieved. The Internal Audit Consortium Manager advised that the next round of audit follow up work (verifying work) would be mid January and a potential update could be provided at the next meeting of the Committee in February.
- BRK/11.10 - Council Tax & NNDR
BRK/11.10.13: Review & Write- Off Aged Debt – Officer Update: Historical debt was being reviewed and where it was deemed uncollectable was written off – the priority remains recovery of collectable debt and so the review of debt was always ongoing. The number of old outstanding cases where it was deemed no recovery was possible had substantially reduced – Recommend that this item be removed.
The Chairman asked where Write-offs appeared in the report. The Assistant Director of Finance explained that write-offs were reported to the relevant Portfolio Holder under his delegations. Cllr Nairn asked what the criteria was before the debt was written off. Members were informed that there were various criteria and all were included in the Debt Management and Recovery Policy; however, the main reason was ‘no trace’ where work by tracing agencies and bailiffs had been exhausted. Cllr Canham asked if the larger debts were sold off to a debt recovery company. The Assistant Director explained that all would go through to the Bailiffs. Mr Stevens felt that the Audit Committee should be made aware of the scale of the debt. Mr Ludlow explained that this was identified in the Annual Accounts.
- BRK/13.15.01: Formalise Process for New Partner Take-on – Officer update: Waveney and Suffolk Coastal database transfers had been completed – comprehensive project planning led to successful conversion and data transfer – PRINCE2 methodology would be used in future and full project plan agreed with software suppliers as was the case with Waveney & Suffolk Coastal – Recommend closure.
- BRK/13.15.02: ARP Risk Management Arrangements – Officer update: Strategic review, awaiting information to conclude – Recommend that Risk Register is reviewed/developed for Joint Committee in June 14, irrespective of status of strategic review, and then report to Joint Committee 6 monthly thereafter.
- BRK/12.01: Environmental Planning & Building Control
BRK/12.01.01: Contract Monitoring Board – Updating Terms of Reference – Officer update: This was one area where Shared Services had been of benefit. The Contract Monitoring Boards arrangements had changed and it was now meeting monthly. The Terms of Reference should be completed by 31 March 2014; therefore, new contract arrangements should be implemented by 1 April 2014.
BRK/12.01.02: Validating KPI Data and Self Monitoring Arrangements – Officer update (in response to a question): The programme of validation checks to confirm the accuracy of data provided by Capita Symonds had been introduced but there was not any mechanism in the contract that validated the figures. It was suggested that a mechanism should be incorporated in future contracts.
- BRK/12.06: Culture & Leisure
BRK/12.06.01: Refresh Dual Use Agreements – Officer update – Swaffham was moving to Academy Status and discussions were ongoing with Norfolk County Council. Maintenance issues were ongoing. The next meeting between the three parties was being held at the end of January 2014.
- BRK/12.13: Change Control and Corporate Governance
BRK/12.13.01: Code of Conduct and Data Protection Act - Officer update – Managers employed by South Holland District Council with dual responsibility for the management of Breckland Council Services had been sent the Breckland Code of Conduct and IT Policies for signing.
Mr Ludlow was disappointed that this matter was still ongoing. Cllr Nunn said that he had heard a great deal about management change and felt that there should be some transitional resistance incorporated and retained for future employees. Cllr Wassell said that he would find out what the handover process involved. Mr Stevens thought that this was a piece of work that could have been completed much sooner as all it involved was a few signatures. Cllr Wassell said that this should be an urgent item for Portfolio Holders and Senior Managers. Members were informed by the ICT and Customer Services Manager that following a recent change to ICT processes, a policy would now be automatically sent to all new users. Cllr Canham felt that all outstanding issues should be brought to the attention of the Chief Executive in future. The Chairman stated that the focus had been on making the partnership work now Officers needed to focus on the processes. Cllr Nairn felt that slippage was seemingly becoming habitual. The Assistant Director of Finance advised that there would always be some matters that were continually outstanding such as the Constitution but these would be included on the audit tracker and monitored through the performance system.
- BRK/13.04: Payroll and Human Resources
BRK/13.04.04: Return to Work Interviews – Officer update HR had identified the iTrent system provided by Midland HR and it had been clarified that the system would have the functionality to easily report on whether back to work interviewed were being completed as required, as well as automatically informing managers that the interviews were required. This would be a significant improvement on the current process and would enable the HR Team to evidence that return to work interviews were taking place and enable them to retain all back to work interviews on the employees electronic record.
- BRK/11.06: Asset Management
BRK/11.06.09: maintenance and Street Lighting Contracts – Officer update – This was in relation of footway street lighting. Meetings with Town Councils had been had and proposals had been made.
Mr Needham, the Clerk of Dereham Town Council was in attendance and stated that the issue was who was responsible for footway lighting. Attleborough & Swaffham Town Councils had already taken on responsibility but the remaining towns had not. He said that reactive maintenance was currently being undertaken by Norfolk County Council on behalf of Breckland Council not on behalf of the Town Councils but said that he would be happy to discuss and negotiate such a transfer as he knew of many assets which no-one was taking responsibility for. Cllr Wassell said that his understanding was that Breckland Council did not own the said street lights and this matter had been going on for a very long time. Mr Ludlow pointed out that this issue had been a high priority recommendation for 3 years. The Chairman explained that there were other issues involved such as council tax and special expenses. Mr Ludlow wanted to know when this project was due to finish. Members were informed that no specific date had been set. Mr Ludlow advised that this would be mentioned in its own right in the Annual Governance Statement but a decision of who was taking on responsibility for these footway lights was required otherwise it would be ongoing for evermore. Cllr Wassell pointed out that the negotiations with towns were still ongoing. The Building Services Manager pointed out that a response was expected from one of the towns in January 2014.
- BRK/13.05: Environmental Health
BRK/13.05.08: Inspection Timetable and BRK/13.05.09: Contaminated land Progress Reports – Officers response – a timetable had been completed and a progress report had been received. Recommend that BRK/13.05.08 and BRK/13.05.09 be removed.
Mr Ludlow wanted to know if three years was a realistic timescale. The Assistant Director of Commissioning said that he would investigate this concern to make sure that three years was appropriate.
- BRK/13.07: Work to Support the Preparation of the Annual Governance Statement
Officer update: These two low priority recommendations in relation to ARP would be updated by Quarter 3.
- BRK/10.20: IT Security, Procurement and End User Controls
Officer update: It was noted that overall the number of audit recommendations had decreased since previously reported and a further six had been cleared/implemented since the publication of the report.
BRK.12.17.05: Firewall Backups – Breckland Council was now a year into the agreement with Norfolk County Council and in regard to the firewall backup, BT was currently on site. The work in relation to BRK/12.17.04, 05, 06 and 07 would be completed in January 2014.
BRK/13.11.08: Accounts with Administrator Privilege – this review would be completed in February 2014.
BRK/13.11.09: Accounts with passwords that never expire – many of these were councillors that had left. A review would be conducted in January 2014.
The Chairman acknowledged that there had been problems in relation to IT issues during the changeover to the new supplier and he asked if there were any issues that remained with the previous supplier. Members were informed that it was mainly processes that had caused the problems and most of the audit recommendations would eventually ‘drop off’ over time. Cllr Canham queried BRK/13.11.18, Water Leak Protection. The ICT & Customer Services Manager explained that this was in relation to the air conditioning system which was not high priority. Mr Ludlow asked if there were any resource issues. Members were informed that it depended on the type of work involved; there were a few issues that could potentially take longer but there were also quite a few that were classed as quick wins. The ICT & Customer Services Manager pointed out that out of the 19 Medium Priority recommendations, 8 had been completed and most of the remaining recommendations were in progress. Mr Ludlow felt that it would help if there was a little more commentary included in future, plus dates.
- BRK/13.12: Comino ERDM Application
BRK/13.12.03: Systems Admin Security Profile – no update could be provided but an appropriate response would be sought.
- BRK/14.13: Telecoms/VOIP Management
BRK/14.13.04: Mitel Password Controls – this work was still on-going.
The meaning of DISA, a question that was asked at the previous meeting was explained. The Internal Audit Consortium Manager advised that DISA was short for Direct Inward System Access.
Further updates would be brought to the February meeting as requested.
The report was otherwise noted.
- BRK Status of Audit Recommendations Report (02 12 13), item 65. PDF 95 KB
- Appendix 1, item 65. PDF 74 KB
- Apendix 2, item 65. PDF 124 KB
- Restricted enclosure View the reasons why document 65./4 is restricted