Agenda item

Internal Audit Progress Report


Jaina Mistry (SWAP Principal Auditor) (JM) told Members that the latest progress reported set out work done since the last meeting:  three pieces of work had been finalised, two with reasonable and one with substantial assurances.  As requested, an update was attached, listing all outstanding recommendations and those completed.  Since publication, two other recommendations relating to ICT had been completed, and a third one was almost complete, awaiting further evidence.

In response to Member questions, JM confirmed that:

-          the reason why the report states that SWAP needs to focus on areas where the organisation requires assurance and the need for a more flexible, risk-based plan is because risk isn’t always evident when the audit plan is agreed at the beginning of the financial year.  If a risk emerges – through another council or nationally, for example – SWAP discuss with senior finance officers whether to investigate the area, and senior officers sometimes bring forward issues to look at.  The core work – finance, governance, risk management, performance – is always included in the plan, with audit of operational areas more subject to change;

-          if specific investigations are added, these will be identified and highlighted in the cover report to ensure Members of Audit Committee are aware;

The Executive Director for Finance, Assets and Regeneration gave the practical example of the 2020-21 audit plan, which had to adapt to cover COVID, lockdown, central government announcements, £50m business grants, test and trace, energy rebates and more, none of which were included in the plan but all of which needed to be audited, and were subsequently reported to the committee. 

In response to further questions, JM stated that:

-          on the Agreed Actions report, extended end dates have been agreed for the Emergency Planning and Health and Safety Fire Risk Assessments actions.  Work continued on the others marked as ‘ongoing’;

-          the term ‘agreed’ in the Status column meant that the particular service area had agreed with the audit recommendation and date by which it should be implemented. SWAP usually give a month’s grace before looking for evidence that the work has been undertaken;

-          the risk from climate change wasn’t built specifically into the risk management draft report, which was more of a risk maturity assessment, but climate change would be the subject of two different audits – the first being a strategic assessment, with an operational audit later on.

The Chair asked why, if the role and responsibilities of internal audit was to help the organisation to achieve its objectives as stated in the report, Members don’t see the business plan and objectives linked to the audit workplan.  With a finite number of days for audit, relating its work to key objectives of the council would seem a good idea. In response, the Executive Director for Finance, Assets and Regeneration said that the corporate plan sets out the council’s overriding objectives with all the various strategies linked to a risk-based approach and looked at as a whole.  The corporate strategy sets out main objectives but in challenging financial times, we may need to accept some risk in achieving the desired outcomes, for many reasons.  CBC is a risk-aware authority, and this is taken into account when policies and strategies come forward to Council.

In response to two final Member questions, JM stated that:

-          the Cyber Security – Incident Management audit 44560 was now complete;

-          ICT – Vulnerability Management carried some sensitivities and was therefore redacted, but was listed as a Priority 2 recommendation – to be dealt with as quickly as possible but not considered a major weakness.  As with all the agreed actions, SWAP will continue to ensure the recommendations are followed through. 

The Chair confirmed that no vote was required, and that the contents of the report had been considered by Members.



Supporting documents: