Agenda item

(Report of the Internal Audit Manager)

Ms Rebecca Neill (Internal Audit Manager) presented the Internal Audit Progress Report for Quarter 2 which highlighted work done to the end of September 2020.  As advised to the committee previously, there had been a delay in the section’s ability to undertake audit work due to council services needing to concentrate on the response to Covid-19.  Ms Neill said this had impacted on the plan, follow-ups and KPI’s and she stated that a summary of work and performance was detailed at Appendix 1 and performance against the new suite of KPIs which was at section 5.  She explained that using the new approach to clear the backlog of audit recommendations and managers as well as the committee having greater visibility of what was outstanding, meant there was a marked progress but there was still work to do.  Ms Neill stated that she was confident that a vast improvement would be seen by February’s meeting.

In terms of follow-up, Ms Neill stated that the only item to highlight was the GDPR follow-up report which had again received limited assurance.  She explained this committee had the option to call-in the ICT Manager and Head of Service to February’s meeting if they felt it appropriate.  She said that a follow-up audit was currently being undertaken and also that some context was necessary as the ICT Manager concerned had been deeply involved in the council’s Covid response.  She stated that she was hopeful of a more positive progress report from this follow-up.  Ms Neill therefore suggested that if the follow-up remained limited assurance again at this second stage, the committee might want to invite the ICT Manager and Head of Service to February’s committee meeting to discuss further.  Discussions took place around this item and it was felt that waiting until February’s meeting was too much of a delay and that the GDPR risk, in conjunction with the risk from the remote working audit (reporting that not all council laptops were encrypted and this was noted as a risk since 2017), assurances were needed as soon as possible.  It was agreed that as the actions were due to expire on 31 October 2020 that the responsible manager should provide a “Position Statement” to all the committee members as soon as possible, which could then decide if a special meeting should be arranged to discuss these risks.  This was noted.

As a level of comfort, Ms Neill advised that there had been no data breaches, no specific issues nor irregularities associated with these risks identified.

The proportion of returns of Customer Satisfaction Surveys was queried and Ms Neill was able to report that the number had increased significantly and was now 13 returned out of 18.  She said that the team had simplified the process, and this seemed to be improving the returns received.  The Covid-19 Flash Audits were discussed.  Members were conscious that the welfare and mental health of staff needed to be monitored as it was known a lot of staff had worked many extra hours during the first lockdown and should not be asked to do it again in a second one.  Ms Neill said this was part of the productivity flash audit remit which was due to be undertaken shortly.

The Audit team were thanked by the committee members.  To achieve 39% of the Audit Plan for the first half year despite the circumstances and to be confident of achieving 90% by the year end was remarkable.  All members of the Audit team were congratulated.

RESOLVED: The Report was reviewed and noted, and it was agreed that the responsible Head of Service and managers would provide a Position Statement as soon as possible in respect of the GDPR Audit and the unencrypted laptops risk.