To report progress against the Internal Audit Plan 2023/24 for the third quarter of 1 October until 31 December 2023 and the resulting level of assurance from the planned work undertaken, and to provide an update to members on the resourcing situation within the Internal Audit team.
Minutes:
Members considered the progress against the Internal Audit Plan 2023/24 for Quarter 3, with an update on the resourcing situation within the Internal Audit Team, presented by David Thacker, Interim Internal Audit Manager.
Members made comments and asked questions as follows:
· Councillor Christy referred to Section 2.3 regarding the cyber security audit and asked how this is progressing as within the past couple of months there has been an increase in cyber attacks in the public and private sector with some authorities shutting down because of this? David Thacker responded that he is personally undertaking this audit and he is trying to finalise it now with the Head of ICT, it is more in relation to the governance angle and he is confident with the protections the Council has in place and that the Council is going beyond what it needs to do, with the National Cyber Centre Essentials report passed with flying colours and the firewall having been upgraded. He stated the biggest weakness is users which is normal so training needs to be improved and the understanding of what staff can do.
· Councillor Booth referred to the lack of a Publication Scheme, but he is sure the Council must have had one at some point so is it saying it was not on the website and it has just dropped off over time? Amy Brown responded that the information has always been there on the website but it has not been pulled together, there is a reference to a Publication Scheme on the website so it has existed at some point and she is not aware when it was removed or why but every piece of information that is required to be published by the Council has always been published. She stated that a central page has now been created which lists everything from the model Publication Scheme and puts the links here for people to access the information on other pages on the website so it was the entry point that was missing to easily navigate to the different places where the information was contained. Councillor Booth stated that the information was buried basically. Amy Brown responded not on purpose but this new entry point makes it abundantly clear to people what they need to click on to find it. Councillor Booth asked is it possible that when the website was refurbished that this is when this got lost? Amy Brown stated that this might have been possible because there was reference on the page to its existence and some authorities have printed the model Publication Scheme but this Council has tried to thread it all through so that under each heading there is the specific link to the policy but she is unable to definitely say why or when it got removed but it was a very easy task to rectify as all the information existed on the website.
· Councillor Booth referred to future governance as the same could happen again if the Council changed the website so are officers going to undertake bi-annual checks to make sure it is all in place? Amy Brown responded that this is a good suggestion and it could be treated like a policy so that it is added to the register of policies with a review date. David Thacker added that from an audit point of view outstanding issues would be looked at and followed up so there is tracking that audit would undertake and it would be revisited from a risk-based point of view as well.
· Councillor Booth referred to a lack of formal training and awareness on FOIs and asked is the issue that staff do not know that it is a FOI request they are receiving and how to deal with them? David Thacker responded that from the audit sampling a lot of it came down to an understanding of what constituted a request then the resources to undertake it, prioritisation and getting the information from the relevant service. Amy Brown added that that FOIs are primarily dealt with by Member Services via an FOI account, with colleagues being reasonably good at recognising when they receive requests for information but it does not always come through FOI and there has been a process of training within FOI over the last couple of years and upskilling within the team to be able to recognise and apply exemptions and to provide support to the services that are responsible for responding to these requests. She stated that part of the training that needs to happen is to identify ‘champions’ within the different services to recognise requests, knowing what exemptions can be applied and potentially creating some capacity to respond to them as sometimes the issue is the resource to be able to deal with a huge request which can be resource intensive. Amy Brown added that there is the need to get better at recording that it is completely acceptable for the Council to request an extension in certain circumstances, which may make the results more compliant than they currently do. Councillor Booth made the point that if there are new starters, is it part of their induction and do they know who to refer to as it may be a new concept to them. Amy Brown agreed and that is something that is being looked at to be included in inductions as there is a module on GDPR but it is wider than this and the time is also right now to look at refreshing and reviewing the training that staff have had in the past.
· Councillor Booth referred to larger requests and asked for clarification that is there not an exemption that if the request is going to take so many hours that it can be declined and is this ever used as he acknowledges that there may be spurious requests as well and how are these dealt with? Amy Brown responded that they do try but to be able to say that something is vexatious or manufactured to deliberately create disruption to the Council is quite a high bar as set against this is the legislative requirement and the guidance which means the Council should try and be as obliging as possible. She stated that requests have to be taken at face value and if at face value the request creates some issues for the Council it will be dealt with but largely the requests are legitimate, there is a 19 hour cut off but different people have different views on this as well because some people will take it that if it is going to take more than 19 hours you provide nothing at all but this Council looks and says what can be provided in 19 hours or works with the person who is requesting the information to try and get them to narrow down their parameters. Amy Brown stated that there are a few requests each year that generate a huge amount of information but it is legitimate and it probably will not take 19 hours but even 5-6 hours out of somebody’s 20 working day deadline that was not expected can have an impact and that is why it is the intention to develop the champions and a better support network. Peter Catchpole added that the complaints process is changing also so the LGO are currently out for consultation to make it a lot slimmer so where this Council operates a three stage process it is likely to be a two stage so synergies are being looked at between complaints and these sorts of requests. He stated that a report is brought on how services are performing on FOIs to Management Team so visibility of this area is much improved, with the number of FOIs seeming to go up each year, with the Council generally dealing with them very well but it is about making more people aware and not just relying on a few people all the time. Councillor Booth stated that he understands that a lot more lobbying groups are making requests to obtain information and he recognises that it takes up a lot of resources.
Peter Catchpole referred to staffing and that Internal Audit has been very difficult to recruit to, with the previous Audit Manager being at the Council for 22 years but when she did leave some fresh pair of eyes came in, which has helped enormously. He stated that the Council is out for advert, which has been undertaken before and was not successful, and he is also having discussions with other neighbouring authorities, who are equally having similar problems, in relation to potential consortiums or sharing resource, with many of things being run in parallel and the committee will be kept updated.
Members noted the activity and performance of the Internal Audit function.
Supporting documents: