Agenda item

A.     21/22 Internal Audit Annual Report

B.     Performance Report – Summary Internal Controls Assurance (SICA)

C.      Internal Audit Service Reports:

a.      Business Continuity

b.      Safeguarding and Prevention

c.      Governance and Risk

d.      Recruitment

P Lazenby noted that the overall internal audit gave a 'reasonable' opinion of the service. This meant he was content that there was sufficient assurance in place in respect of the identified controls that were reviewed and that the plan has been substantively completed with minimal restriction of scope or access.

A breakdown of the assurance levels were provided; the majority lied within reasonable, a minority of substantial and 2 were limited. Those that were 'limited' were already known areas of concern to the council and related to planning enforcement and waste management. P Lazenby drew attention to the summary of recommendations. There are governance issues where policies and procedures need to be kept up to date. A summary of progress was at page 17-18 of the report. 5 of the 6 substantial areas are in the financial operations side of activities at the Council. P Lazenby noted delivery was all against a backdrop of Covid and represents a good level of response from the organisation. He welcomed questions from the committee.

N Howcutt said the committee may have noted there were a few reports that were either cancelled or delayed. He advised that 3 out of the 4 reports had already been or were in the process of being undertaken in this financial year and will be coming to this committee very soon. The other point for members to note was the 3 urgent priority one recommendations that came up in the internal audit reports this year have already been implemented from management relate primarily to the waste service and the SLT (Senior Leadership Team) have gone through the recommendations with the service to make sure they’ve all been fully accepted, implemented and compliance has been created. From that perspective SLT have taken a very firm stance with any of those priority one recommendations.

Councillor Symington noted there had been a shift in assurances and questioned if this was due to the pandemic or if there were other factors involved. P Lazenby suggested the movement in assurances was partly down to the pandemic however it was against another year when the pandemic was already in place. He said it was worth noting that areas that are audited frequently are the ones that will tend to perform well in the audits, whereas the areas that are audited once every few years tend to not perform as well. He added he was keen to alter and develop the audit process for the finance areas to make improvements. 

Councillor Symington queried why P Lazenby's working days were 20 short of what had been budgeted for. P Lazenby explained the shortfall in days had been rolled forward to the forthcoming year.

Councillor Silwal asked if reasonable assurances from previous years were left or continued to be worked on. P Lazenby advised all of the assurances have recommendations and those are profiled on the root cause indicator section which is included in the committee reports. There are regular follow up’s that get reported through this committee to review the progress using SICA (Statement of Internal Controls Assurance). He summarized that recommendations must to be actioned in a timely manner and he takes a dim view on recommendations that remain outstanding for too long with no reasonable explanation of why that delay occurred.

P Lazenby said he would go through each report in the order in which they’re presented in the agenda and take questions before moving to the next report.

Safeguarding and prevention report

This report has reasonable assurance and examines the council's self-assessment and associated action plan required by Hertfordshire Adult Safeguarding Board. The adequacy of the council safeguarding related training and awareness was also considered. The policy here was out of date and training was out of date for 30% of the sample looked at; this was despite escalations and reminders that operate automatically through the system. Management responses were reasonable for that but P Lazenby did remain a little concerned that they didn’t fully provide assurance that escalation would necessarily resolve the underlying problem, particularly given that some of that training had been out of date for a while and there’s no consistent obligation on contractors to comply with safeguarding practices; but that was for less than £75,000.

Business continuity and pandemic response

This is a reasonable assurance and looks at the overarching response to Covid-19 in terms of business continuity arrangements and plans, and business impact analysis. There were a number of recommendations detailed in the report. There is also a recognized need to develop and introduce a programme of disaster recovery and business continuity planning test drill exercises. Staff training in IT security is also needed for remote workers.

P Lazenby advised that responses from management were reasonable throughout and gave him a sense of competence that these would be actioned in a reasonable manner.

Councillor Townsend drew attention to recommendation 8 which was due on 30^th May. He questioned whether this had been completed or not and if not what was the timetable for resolution. B Trueman responded he had presented some options to SLT on immutable backups that cannot be affected by ransomware of any other kind of invasion and although the actual implementation is outstanding work, it is expected to happen in the next 4-6 months.

Councillor Symington asked what was being done about the additional risk of employees taking their laptops and confidential data home. B Trueman advised that the Information Security Team Leader was accountable for the remote working policy and he sits within the legal team rather than the ICT team. He agreed there were risks involved in employees taking laptops home but mostly relate to the environment rather than the device as the device has lots of controls and measures in place. Councillor Symington suggested it was a training issue. B Trueman replied that the Information Security Team Leader regularly puts council staff through cybersecurity training which now includes the recognition of the additional risks of working remotely.

 The Chairman queried if the progress report was still taking place in June. B Trueman confirmed it will happen before the end of June.

Governance and risk management audit

P Lazenby highlighted this report had reasonable assurance and looked at the management and controls of the council's business and risk maps. This audit is fundamental to the way the organisation works and the way the audit committee should work. There were a number of recommendations which were detailed in the report. This report looked at how the corporate risk register was presented as this didn't include inherent risks or cross reference the council's objectives and the movement in risk score wasn't presented on from one quarter to the next. The review of the quarter 3 ORR for housing and finance indicated some concerns as to how risk was presented. There were risks as well related to recruitment and retention. Two corporate risks were selected from the CRR and it was noted there was limited alignment between the updates and the scores.

P Lazenby highlighted that the way the risks are presented needs to be clear and transparent and the objective needs to be clear. Management responses were very comprehensive and included appropriate actions. They also gave a sense of assurance those actions would take place swiftly and are reviewing the underlying root causes of these observations.

Councillor Townsend said he had spoken before about the challenges engaging with the risk register and suggested that the process isn’t working quite right. As a consumer of these reports for a number of years, he has always found it very challenging to engage with despite the officers doing a tremendous job of trying to articulate the information in terms of the policy framework. His general feeling when reading these reports was ‘what in legislation is forcing us to go through these hoops’ because he sensed that risk management was a popular process in the 1990’s and 2000’s but questioned whether it was doing us any good these days. He was hoping to see the SLT in touch with all the risks on a day-to-day basis and feel confident that they’re managing them.

N Howcutt added that risk management is imperative to the organisation. If the council were not aware of the risks and weren’t managing them then the problems would come about quickly. If we’re on top of risk management and mitigation there isn’t a huge amount of inherent risk from a financial perspective and would need less reserves. It is imperative that the golden thread links in terms of the KPIs, the corporate plan, strategic risks and operational risks, which are currently under review. The Cabinet, OSC chairs, the audit committee chair and leader of the opposition undertook a workshop last week to start the review process from top to bottom and the corporate leadership team had a separate workshop where they started bottom to top; the idea is to make sure they meet but if they don’t they need to discuss why not. This will help with the strategic risk review and ensure that the operational risk in the KPI’s flow.

N Howcutt added that In Phase provides a great dashboard but needs development.

Councillor Symington queried why the corporate risk register was presented to the audit committee and operational risk registers were presented to the overview and scrutiny committees. She suggested that although it may be good practice that this happens, it created a problem and embedded a disconnect. N Howcutt advised there were 6 strategic risks and over 40 operational risks. The strategic risks are reported at director level and consider the impact across the whole organisation. The overview and scrutiny committees cover the operational risks because they know their service areas and so can deal with those risks and feed-back. He said the disconnect was the reports don’t link which operational risk feeds into which strategic risk but that will change going forward.

Councillor Symington then asked if risk appetite was a political decision by the administration or an operational decision by the officers. P Lazenby replied typically those discussions start at the top of an organisation.

Recruitment

This report had the lowest number of recommendations and has reasonable assurance. This looked at the effectiveness of controls over the recruitment process which is a new process and also looked at the selection policy. The medium recommendation is in relation to temporary recruitment where the policy/framework agreement was out of date.

The Chairman asked if the HR (Human Resources) checklist had been updated. M Rawdon confirmed it had been.