To consider the report of the Head of Audit, Risk and Assurance in respect of progress made against the audit plan.
50.1 The Audit Risk and Assurance Group Manager summarised the contents of the report. The purpose of the report was to inform Members of the Internal Audit activity progress in relation to the approved Internal Audit Plan 2021/22. She stated that she wanted to provide assurances to the Committee that since the IT Cyber Incident, work had continued and that assistance had been provided to the Finance and various other teams within the Council.
50.2 Councillor Pullen pointed to page 6 of the report, which referenced an investigation into an individual who was undertaking a second paid job outside the Council on top of working for the Authority. He asked what the situation was in regard to City Council staff working second jobs and whether it was a HR or Audit issue. The Internal Auditor replied that with that particular case, the reason it was highlighted as a potential fraud issue was because the employee in question was alleged to have been working a second job, whilst on full time sick leave in their capacity as an employee at the City Council.
50.3 In response to a further question from Councillor Pullen, the Internal Auditor confirmed that City Council employees could have a second job outside of the Council and reiterated the reasons as to why that particular case was investigated.
50.4 In response to a question from Councillor Wilson regarding how they were assisting Council services in response to the Cyber Incident, the Internal Auditor stated that, at the start of the Cyber Incident, work around processes were put in place, that they were currently undertaking a data exercise and that they had been liaising and working with the finance team. The Audit Risk and Assurance Group Manager added that since January, they had temporarily suspended their work due to the understanding of the position the Council was in. She added that they had been in contact with officers from Revenues and Benefits weekly.
50.5 Councillor Wilson stated that his concern was that the controlled environment that existed before the Cyber Incident would be compromised and confirmed that he was reassured by the points made by the Internal Auditor and Audit Risk and Assurance Group Manager. He stated that it was his assumption that dealing with the Cyber Incident was taking up a lot of officer time. He said that some items contained in the year’s programme would have to rolled over into the next financial year. He stated that he believed that the Community Infrastructure Levy (CIL) and Section 106 should be looked at as a priority. He noted that he could not see anything in relation to Recyclables in the plan.
50.6 The Internal Auditor noted that regarding Recyclables, a draft report had been written but it was on a drive that was currently inaccessible. He said that once access to the sever had been restored, that report would be completed.
50.7 In response to a question from Councillor Wilson regarding whether it was feasible that some instances of fraud would be missed owing to the fact that they could not currently benefit from biennial data matching administered by the Cabinet Office, the Audit Risk and Assurance Group Manager stated that whilst the Cabinet Office had placed some restrictions on data matching (which was currently being reviewed) they had been working directly with officers to support localised data matching where possible. She confirmed that once the Cabinet Office had lifted restrictions, full data matching could reoccur. The Internal Auditor added that the data used for data matching was historical so that it would still be there once systems were operational again.
50.8 In response to a further question from Councillor Wilson, the Internal Auditor confirmed that data could be retrospectively uploaded.
50.9 In response to a question from Councillor Pullen regarding why the Climate Change Strategy’s activity status was deferred, the Internal Auditor stated that they did not believe they could complete the Climate Change Strategy plan for the year ending 21/22. This was predominantly caused by the Cyber Incident. He stated that the plan was for it to be completed by 22/23 and that he believed that the Climate Change Strategy was already being written.
50.10 Councillor Pullen noted that the target for the Climate Change strategy to be completed was Q3 in 22/23. He asked how they could audit a plan that did not exist. In response, the Internal Auditor stated that the targets were flexible so the report could be completed earlier. He added that discussions had taken place with officers as to what could be included in the strategy.
50.11 In response to a further question from Councillor Pullen, the Internal Auditor stated that he had spoken to the Climate Change Manager and that the CLS report would be used as a baseline report on which the Climate Change Strategy Report would build.
RESOLVED that: - the Audit and Governance Committee:
(1) Accept the progress against the Internal Audit Plan 2021/22; and
(2) Accept the assurance opinions provided in relation to the effectiveness of the Council’s control environment (comprising risk management, control and governance arrangements).