Agenda item

Risk Based Internal Audit Plan 2024/25

To approve the internal audit plan and resources for the forthcoming year. 

Minutes:

David Thacker presented the Risk Based Internal Audit Plan 2024/25.

 

Members asked questions, made comments and received responses as follows:

·         Councillor Christy stated that there does not appear to be any audits which focus on ICT security and given recent cyber attacks which have been reported he asked David Thacker for his view. David Thacker stated that cyber security appears on the list for the current audit year, and he is just about to finalise a report on cyber security with the Head of ICT and an update will be provided to the committee at the meeting in July. Councillor Christy asked whether an audit on cyber security can be undertaken more frequently, and David Thacker stated that it is something that he can follow up and he added that it was question of resources, however, he needs to ascertain from the Corporate Management Team whether cyber security should be included as a key fundamental annual audit. David Thacker added that being aware of the training is a key aspect and to ensure that all staff undertake annual cyber training because users are the most vulnerable to cyber-attacks. He explained to the committee that the work of audit is adaptable and if an issue arises it can be added onto the programme of audits and, if necessary, it can be audited annually.

·         Councillor Booth explained that with regards to the reactive work that can be undertaken there are only 20 days for contingency which are shown in the audit plan which, in his view, does not appear to be sufficient time and effectively only enough time for one extra audit. He made the point that members have previously recommended that more contingency time should be factored into the audit plan, but he interprets from the report that the audits shown need to be undertaken to provide the levels of assurance that are needed at the current time. David Thacker explained that it is necessary to ensure that a good breadth of coverage is included which is based on factors which include the alignment to the Council plan. He made the point that the role of audit is where value can be added and he explained that he has changed the number of days per audit to ensure that auditors have enough time to conduct a comprehensive risk-focused audit. David Thacker made the point that best practice from internal audit planning comes down to not setting a rigid 12 month plan as things can change and, therefore, it is a flexible plan and it can be reviewed again in 6 months. David Thacker explained that the plan before committee has been agreed by the Corporate Management Team as a good coverage, but flexibility is key.

·         Councillor Booth stated that he has always said that the plan should be adaptive and not set in stone so that it can be amended as necessary. He asked whether the contract monitoring of highways has been considered as he has raised concerns previously with regards to street lighting in the past and he recalls that should have been undertaken last year. David Thacker explained that he has spoken to Mark Greenwood, Head of Assets and Projects, regarding this and it has been agreed that this will be reviewed in the forthcoming municipal year and likely to be in quarter 2. Councillor Booth asked whether that could be seen as being too soon as it is his understanding that the street lighting provider is currently being reviewed with an imminent decision being made and he questioned whether it will provide enough time to obtain an understanding on how a new contract is operating if the provider could be changing. David Thacker agreed to provide feedback to Councillor Booth as the work of audit needs to align with the work being undertaken by the Transformation Team so that it is not disruptive for the services and the work is either undertaken in tandem or as far apart as possible.

 

The committee acknowledged the Internal Audit resources and noted the draft Internal Audit Plan for 2024/25.

Supporting documents: