Agenda item

Minutes and Actions

To confirm the minutes of the previous meeting and consider the actions

Minutes:

Councillor Silwal said he asked a couple of questions at the last meeting but they hadn’t been included in the minutes.

 

T Angel said she would review the recording and update the minutes if applicable. She advised she would email Councillor Silwal to confirm any changes. Action.

 

Councillor Riddick noted the word ‘reasonable’ used numerous times in the minutes. He suggested the term could mean different things to different people and would like to see us being more specific.

 

P Lazenby advised that the word reasonable was a generally accepted term within the audit community and most audit firms use reasonable as one of the benchmark standards. Generally it means that the audit is unable to provide absolute assurance in respect of the area that’s reviewed. Sometimes that is because of a limitation of scope, sometimes because there’s a limitation on the time that has been awarded in order to delve into the underlying risks and so they can only provide a reasonable standard of assurance. He explained that the level underneath reasonable was limited assurance and that means they have concerns to the level that they feel the underlying objective in relation to that area that they’re looking at might be undermined. The level above was substantial assurance and that means they raise barely any recommendations. Reasonable assurance is somewhere in between those areas and whilst it does cover a wide range, it does so with a reasonable degree of direction from the audit industry.

 

Councillor Tindall asked if members could be provided with a list of terms and descriptions used by the audit industry to help them form a better understanding.

 

P Lazenby advised there was a description of every level of assurance on every audit report that comes through this committee as well as on the annual report. He said he was more than happy to provide members with further details if they need it. 

 

Councillor Riddick drew attention to the last sentence of the minutes under safeguarding and prevention. He questioned why contractors under £75,000 didn’t comply with safeguarding standards.

 

N Howcutt explained we have different procurement regulations for different values of contracts; when a contract is less than £75,000 we don’t monitor whether the contractors are abiding by their legislative health and safety requirements. That doesn’t mean they’re not abiding by them, but because of the volume of contracts we have under £75,000 it’s almost impossible for us to understand if they are. They are still expected to follow all the legislative health and safety requirements and that is included in the contract that they sign.

 

Councillor Riddick explained his email address had recently been subject to a cyber-attack. He felt this may have been part of a pattern as the email circulated was identical to one that had been circulated impersonating the previous Mayor. He asked if there was anything we could do to tighten up security for incidents like these.

 

N Howcutt replied that was something for them to take away and discuss with ICT who would have been investigating what had happened. He advised that cybercrime was very repetitive and the methodology will be used over and over again on multiple people and organisations, which is how they make money. We have updated a lot of our cyber software this year and have also had a review done by internal audit in the last 12 months on our cyber defence systems. We’re also part of the Public Sector Network (PSN) accreditation as well which means we have to pass certain safety barriers to get on to that. He summarised that as an organisation we do what we can but cybercrime is becoming more prevalent and the public sector and local authorities are being attacked more and more. 

 

P Lazenby added that TIAA and many other audit or specialist firms do offer services such as penetration testing and services where they will email your organisation to see who clicks on links, whether individuals save and download things, they will set up names that look like the email is from an authoritative source so you can see how people react and then a report would be produced at the end of it. This testing usually allows an organisation to embed learning in a proactive way. He highlighted that it wasn’t a cheap service, but it depends how an organisation prioritises its resources and risks.

 

Councillor Silwal said when he had received scam emails before the ICT team have just advised to block the sender and delete the email. He queried if there were any other actions that needed to be taken.

 

N Howcutt suggested that was something to discuss with ICT. He referred to the penetration project P Lazenby had mentioned and advised that ICT had recently undertaken one of these projects. Lessons had been learned from it and have formed part of the most recent cyber updates.

 

It was proposed that the approval of the minutes would be deferred until the next meeting. This was agreed by the committee.

 

There were no outstanding actions to discuss.

 
