Agenda item
Internal Audit and Anti-Fraud Progress Report
- Meeting of Audit Committee, Thursday, 28th January, 2021 5.30 p.m. (Item 4.4)
Minutes:
Mr Paul Rock, Head of Internal Audit, Fraud and Risk presented the Internal Audit and Anti-Fraud progress report. Mr Rock said the report provided an update on the progress against the delivery of the 2019/20 and 2020/21 Annual Audit Plan and highlighted any significant issues since the last report to the Audit Committee in November 2020.
Mr Rock referred to the draft reports and said the Local Community Fund report pending from the 2019/20 audit workplan had been completed. He said good progress had been made in the implementation of agreed management action set out in Table 2, with 100% of high priority actions being fully or partially implemented. He said at this stage he’d be giving an overall ‘limited assurance’; however, there were twenty plus reports in the pipeline and from initial indicators, he could forecast a better balance between the assurance categories of limited, reasonable and substantial.
Mr Rock referred members to paragraph 3.11 of the report and said he was pleased with the results from the first perception survey of Internal Audit’s role. He said although there were areas which required improvement, he’d be working on this to achieve better outcomes. Regarding Anti-Fraud work, he said the pandemic had limited what could be done, however the team was working on Blue Badge misuse and with the Cabinet Office in relation to the Transliteration pilot. Mr Rock also informed members the Whistleblowing Policy and Anti-Fraud and Corruption strategy had been updated.
The Chair thanked Mr Rock for his report before inviting the Officers to address their individual reports which had received ‘limited’ assurances following Internal Audit’s assessments.
Corporate Governance
Mr Will Tuckley, Chief Executive said a substantial amount of work had been undertaken to improve Corporate Governance such as the lifting of the MHCLG intervention, which had led to significant improvements. Mr Tuckley said despite this, he was disappointed with the internal audit findings of ‘limited’ assurance. He said since 2019 work to improve the strategic direction of governance had taken place and the Corporate Code for Governance had been reviewed. Checks and balances were in place to ensure this is discussed at Corporate Leadership Team Board (CLT) and is presented to the Audit Committee for review and comment. He said the action plan for Corporate Governance is combined with the internal audit outcomes and the recommendations from the Grant Thornton report. He said it was vital that this sat at the heart of what the Council does.
In response to questions from Members the following was noted:
· Mr Tuckley acknowledged the CIPFA report referred to in the independent review and the work commissioned to Grant Thornton in 2017 ought to have been part of the corporate priorities of the CLT Board. He said reports commissioned should be owned by the CLT Board such as the work on the accounts and going forward this would certainly be the case.
· The Mayor added he concurred with Mr Tuckley that commissioned reports should be the priority of the CLT Board and said it was important Members were aware of the reports. He said attendance by senior managers to robustly defend or implement changes from internal audit reports must be taken seriously, if the organisation was to move forward.
o ACTION: The Chair requested reports commissioned by the CLT Board be shared with the Audit Committee. The Chief Executive agreed this ought to happen. Mr Paul Rock to circulate the referenced reports.
PCI and DSS Compliance
Mr Roger Jones, Head of Revenue Services said the ‘limited’ assurance related to the absence of a policy document stating how credit and debit card payment data is taken and stored securely. He said PCI and DSS compliance was dealt with by a third party - Capita, so there was no issue with the process. Mr Jones said they were hoping to have a policy document in place by April 2021.
In response to questions from Members the following was noted:
· Capita are required to submit a compliance certificate to say they are compliant. They must pass the yearly accreditation process to confirm the data stored by them is secure.
IR35 - Management and Control of Off Payroll Engagement
Ms Amanda Harcus, Divisional Director for Human Resources and OD and Mr Hitesh Jolapara, Interim Divisional Director for Finance, Procurement and Audit commented on the IR35 return.
Ms Harcus said progress had been made since the internal audit report in August 2020. She said they had a clear outline plan and were working through the recommendations. She said fewer workers were engaged outside of the IR35 arrangements, with regular reviews taking place. Mr Jolapara added Finance and HR colleagues were working jointly on this and an update had been provided to Mr Rock. He said compliance of the IR35 return was a devolved compliance model, but supply and checks were taking place. He said the guidance on the intranet had been updated, with training seminars commencing in February 2021.
In response to questions from Members the following was noted:
· Ms Harcus stated IR35 was now widely accepted. However, there had been occasions when people who had applied for interim roles wanted to work outside of IR35. In those instances, HR have had conversations with the managers and employees to resolve this. Ms Harcus said there were a few roles, because of their independent nature, that fell outside of IR35; however, the introduction of Adecco and Matrix software had resulted in better controls. Ms Harcus said the e-learning modules would also be updated and refreshed.
· In response to how many people were still self-employed, Ms Harcus confirmed 26 people were working outside of IR35. She said since the introduction of IR35 the number had dropped.
Management of Appointeeships and Deputyships
Mr Kevin Bartle, Interim Corporate Director for Resources and Ms Denise Radley, Corporate Director for Health Adults and Community provided an update regarding this limited assurance report.
Mr Bartle said it was clear this area required attention and as such an improvement plan was in place to ensure the recommendations made were followed through. He said resource had been an issue but a new member of staff in the Strategic Finance team within the Health, Adults and Community Directorate would be overseeing the improvement plan. Mr Bartle said he hoped to report back within the next few months on the progress made.
Ms Denise Radley added she was confident the issues highlighted within the report would be addressed quickly. She said the Office for Public Guardian had provided positive feedback in relation to the service. She said a medium priority in relation to financial documents from clients had been corrected with a simple checklist reminding staff to check for this when completing paperwork.
In response to questions from members the following was noted:
· Ms Radley said she could not fully answer why or how the issues identified within the limited assurance report had occurred but recognised this was a sensitive area involving vulnerable people. She said she was confident the issues could be easily put right, stating the annual external check undertaken by the Office of Public Guardian had provided positive feedback. Mr Rock said the internal report was a snapshot of a period in time and therefore the report was not suggesting this was a historic long entrenched problem.
Cyber and Network Security
Mr Adrian Gorst, Divisional Director for IT provided a detailed response to the limited assurance report. He said the audit report helped to identify the weaknesses in cyber and network security, thus assisting in tailoring the new contract when services are returned in-house from the 1st April 2021.
In reference to the recommendations Mr Gorst said he expected the number of privileged user accounts to drop by 80% when the service returned in-house. He said IT were looking to introduce the government endorsed Cyber Security programme, which was free to local authorities and would ask HR to add this to their list of mandatory training courses that all staff must complete.
In respect to Windows 7 machines, Mr Gorst said that most staff had been migrated to Windows 10, however they had tracked 26 machines that were operating on the old application. He said they were speaking to users to find out why they had not come forward to receive new laptops. There were three legacy software applications that needed to be migrated to new servers, which he hoped would be completed by the end of March 2021. Mr Gorst said they were reliant on their strategic partner in relation to procedures for managing major incidents, however they had worked with them to identify weaknesses and had started to rewrite procedures. Mr Gorst said they had had their annual government security review and were compliant with the PCN certificate for the next year.
In response to questions from members the following was noted:
· Councillor Edgar asked why the Government accreditation scheme had not picked up the issues that were identified in the internal audit report. Mr Gorst said the government accreditation followed a list of prescribed checks, whereas the internal audit team were directed to look at risks based on local knowledge based on working with the strategic partner for several years. Mr Gorst added that IT were also undertaking quarterly checks themselves and meeting monthly to ensure cyber security is appropriate. He said this had taken on importance following the cyber-attack on Hackney Council.
· In response to what lessons had been learnt from the Hackney attack, Mr Gorst said he was in regular contact with Hackney and was a member of the London Information Security Network, from which a great deal of intelligence had been received. Mr Gorst said a simple mistake had led to the attack which had resulted in the systems not running or data being lost. Mr Gorst said this is the reason why backups are now encrypted and are stored at separate geographic locations.
· Mr Gorst continued, stating it was imperative to move the shared drives to Microsoft Teams and was pleased 90% of this work had been achieved. He said the next step would be to conduct a series of tests to see if data had been backed up and how it can be retrieved. He said collective thinking was required on how the Council would function if there was a prolonged period where IT systems were not available. Mr Gorst said he was working with the Civil Contingency Board to address this.
Following on from the presentations, general questions regarding the report were asked.
· With regard to the perception survey, Mr Rock said he knew of one other Council that had adopted a similar approach. He said the aim of the survey was to set a baseline so that he could plan his strategy and improvement around the areas identified. He said the comments provided were insightful because there was a tendency for auditors to look back and comment upon what had happened before rather than help improve governance, risk management and controls on what the organisation was working on presently. He said he had spoken with the Interim Corporate Director of Finance and would be working with other Directorates as part of the finance improvement plan.
· In relation to the number of responses received, Mr Rock said 34 responses were received out of 100 people the survey was sent to.
· Mr Rock confirmed Cabinet Members and the Mayor received final internal audit reports, which was now standard practice.
The Audit Committee RESOLVED to:
1. Note the contents of this report and the overall progress and assurance provided, as well as the findings/assurance of individual reports; and
2. Approve the Council’s Whistleblowing Policy and the Anti-Fraud and Corruption Strategy.
Supporting documents:
- Internal Audit and Anti-Fraud Progress Report, item 4.4 PDF 284 KB
- Appendix. 1 for Internal Audit and Anti-Fraud Progress Report, item 4.4 PDF 180 KB
- Appendix. 2 for Internal Audit and Anti-Fraud Progress Report, item 4.4 PDF 9 KB
- Appendix. 3 for Internal Audit and Anti-Fraud Progress Report, item 4.4 PDF 396 KB
- Appendix. 4 for Internal Audit and Anti-Fraud Progress Report, item 4.4 PDF 400 KB
- Appendix. 5 for Internal Audit and Anti-Fraud Progress Report, item 4.4 PDF 474 KB
- Internal Audit - Limited assurance cover report, item 4.4 PDF 114 KB
- Agenda 121120 PUBLIC.pdf_extract_1, item 4.4 PDF 183 KB