Agendas, Meetings and Minutes - Agenda item


Internal Audit Progress Report 31 October 2016 to 28 February 2017 (Agenda item 8)

Minutes:

Summary of the proceedings during which the Press and Public were excluded. 

(This is a fair summary of the proceedings and there are no exempt minutes.)

 

The Committee considered the Internal Audit Progress Report 31 October 2016 to 28 February 2017.

 

In the ensuing debate, the following principal points were raised:

 

·         There were a number of audit reports that remained at the draft stage; would these audits be completed within the life of this Council? Garry Rollason responded that internal audit had completed all its work and the reports were now with managers for comments and completion of an action plan. The outcomes would be reported to the next meeting of the Committee

·         Peter Bishop, Director of COaCH, welcomed the internal audit reports on IT Access controls and IT infrastructure security. He highlighted the complexity of the current IT arrangements, with out-of-date hardware, software and policies, which was why a major investment had begun, a new digital strategy agreed by Cabinet in September 2013 and new partnering arrangements. However, officers had not been complacent and many of the issues highlighted in the audit reports had already been identified and were being addressed. The Council had already integrated best practice policies to raise the standards of IT security and access

·         Alan Barber, ICT Infrastructure and Security Architect commented that a number of the issues raised by the audit reports had been known for some time and were being actively worked upon    

·         In response to a query, Peter Bishop commented that the risk associated with unused accounts in Frameworki was small given the other levels of security measures that would need to be breached to allow access to the system

·         Were officers confident that the assurance level of any future audit of IT access controls would improve? Dawn Brant, ICT Commercial and Contracts Manager commented that she was confident that the changes made to the security procedures meant that the organisation was able to identify and address issues straight away

·         Alan Barber outlined those areas requiring improvement identified by the audit work, that were not previously known to officers

·         What was the reason for the issues identified at the time of the audit not being addressed? Alan Barber responded that the need to move information to new servers had been a complex and time-consuming operation. The audit was a snapshot in time and since then plans have been introduced to address issues identified. Dawn Brant added that the Council was constantly responding to changes in technology to ensure that it was not left vulnerable to cyber-attack. The security advice of Hewlett Packard (HP) was particularly valuable in this respect

·         Were the issues associated with 3rd party contracts as a result of difficulties with contractual arrangements or weaknesses in the Council's IT systems? Peter Bishop responded that it was a combination of both. The Council had identified that its IT policies and procedures were out of date and had proactively upgraded and brought in best practice processes and policies recommended by SOCITM (SOCITM was a society for IT practitioners in the public sector. They helped Public Sector organisations network, provided consultancy, and produced research into how the Public Sector could save money and innovate despite budget cuts and ultimately deliver effective digital technology and service. They also advocated to the government in the interests of public sector IT), and the audit had been against these new policies, which were more robust and challenging. In terms of how we would achieve a high standard, it was always necessary to find a partner organisation to provide the necessary expertise to upgrade the Council's IT systems. A 12-18 month transformation plan had been agreed with HP. However, the implementation had taken longer than anticipated. The matter had been addressed contractually with HP

·         In response to a query, Peter Bishop indicated that he was confident that, with the introduction of new processes, procedures and monitoring, the issues identified by the audit work would be addressed. Garry Rollason added that the Internal Audit work had been carried out at the end of 2016. It was recognised that the issues identified were being addressed. A decision had yet to be made as to whether a follow-up audit would take place

·         Garry Rollason queried whether the IT audit reports should be published in full or redacted to address any potential security issues. Alan Barber indicated that he would redact the reports accordingly prior to publication. It was agreed that the redacted reports be published

·         In response to a query, Peter Bishop confirmed that there had not been any breaches in security as a result of issues raised in the audit reports.

 

RESOLVED that:

 

a)    The Internal Audit Progress Report be noted; and

 

b)    Reports be brought to the October 2017 and March 2018 meetings on IT Access Controls and IT Infrastructure Security.      

 
