Agenda item

Internal Audit Annual Report 2022/23

Report of the Corporate Director Resources (Section 151 Officer) Clare James, presented by the Audit and Risk Manager.

 

Minutes:

The Corporate Director Resources (S151 Officer) submitted a report for the committee to consider the Internal Audit Annual Report for 2022/23 (1 April 2022 – 31 March 2023) and review the progress in relation to risk management activity.

 

The Audit and Risk Manager introduced the report. She explained that this report was produced to meet the requirements of the PSIAS and the Accounts and Audit Regulations (2015). The report set out the progress made and the work carried out in relation to internal audit and risk management in the year 2022/23. The outcome of that work would allow her to form an overall opinion in relation to internal control, risk management and the governance processes across the council. This would then be used as a key piece of evidence in the completion of the Annual Governance Statement.

 

She highlighted to members that pages 87-107 of the agenda pack detailed the reports completed in house by the Audit Team during 2022/23. For some of the work completed, no reports were issued but an opinion on the controls in these areas was given for the purpose of the overall annual audit opinion. She told members that copies of these reports could be found on the Internal Audit page on the Councillor Portal for the new members of the committee.

 

She also brought to the attention of members all the other work undertaken during 2022/23, detailed on pages 108-113.

 

She explained to members that the internal control system was a key element to the report, which could be found at page 114 of the agenda pack. In accordance with the Accounts and Audit Regulations, she was required to form an opinion on the adequacy and effectiveness of the council’s internal control environment, based on the work completed during 2022/23. Pages 115-116 explained the opinions given to each piece of work completed as well as a summary of her annual audit opinion. She told members that only one piece of work had been given a minimal opinion, which related to the Theatres, and a further three areas of work were given a limited opinion. She reassured members that work would continue on these areas until the opinion was improved. One piece of work was still in progress, and two pieces of work had not yet been started and would be included in the 2023/24 audit plan.

 

The CIA said that, with the exception of the work on the theatres and the procurement breach which had occurred in 2022, there had only been one other significant issue raised in her opinion, which related to the delay of the sign-off of the 2020/21 and 2021/22 accounts.

Following all the work detailed in the report, it was her overall opinion that reasonable assurance could be given on the adequacy and effectiveness of the council’s governance and risk management processes. This meant that generally, there was a sound system of internal control, governance and risk management and that controls were in place and were generally being applied consistently. Recommendations had been made and these would improve the control environment.

 

 

The Audit and Risk Manager summarised the risk management progress report. She said that it comprised the management of the council’s strategic, operational and ICT risks. A strategic risk workshop had taken place in January 2023 and was attended by the Corporate Management Team and the then-Chair of the committee; she added that the new Chair was expected to attend these workshops in future. Risks preventing the achievement of the council’s business plan objectives were identified and rated, and the results of the workshop were included within the agenda pack at page 119. A copy of the risk register could be found on the Councillor Portal.

 

Operational risk workshops were also held following the strategic risk workshop, with each service identifying new risks that could prevent the achievement of their service plan objectives. The risk registers were not provided as part of this report, but a copy could be found on the Councillor Portal.

 

The ICT risk register was also included in the agenda pack at page 123, and was reviewed quarterly, with the last review occurring on 2 May 2023. The next review was scheduled for 1 August 2023.

 

Councillors raised questions around the following:

· How often the risk registers were updated and uploaded onto the Councillor Portal;

· Whether the council operated server back-ups as a control for ICT risks;

· ICT/cybersecurity reserves;

· Whether cybersecurity was the council’s biggest risk;

· Whether fines for data breaches were included as part of the reserves.

 

Officers responded to the questions raised by members.

 

It was explained that the risk registers were updated quarterly, with a six-monthly exercise for the operational risks. Depending on the actions for each risk, they had key implementation dates and were monitored through the GRACE system.

 

In relation to the ICT risks, it was explained that regular back-ups were completed. The Corporate Director Resources added that a report had been published recently that focused on improving the off-site storage solution, in the event of a cyberattack. She also explained that the ICT reserve was not just for cybersecurity. However, it was a comfort knowing there was a reserve in place with an associated five-year plan for how the council would spend it to keep pace with changing technology. In order to maintain a certain level within the reserve, a top-up was scheduled for year-end which would come to committee in the autumn. The Corporate Director Resources explained this was a key risk, and gave details to members of the last cyberattack ten years prior. It wasn’t the biggest risk, but was one of the key risks and was on the strategic risk register.

 

In terms of providing for fines for data breaches, it was not typical for local authorities to do this, unless there was an ongoing case. The Information Commissioner’s Office had recently acknowledged that fining local authorities could be seen as a punitive measure and may be considered a waste of public money, and was actively moving away from this approach.

 

The committee considered the report.

 
