Agenda item

Audit Recommendation Tracker

Report by the Chief Executive, (attached).

Minutes:

The Head of Resources addressed the committee in relation to the Audit Recommendation Tracker (circulated previously), with the following:

 

·         Table A showed progress classifications on 13 items, 15 DR, 15 HN (CBL), 16 BCM, 16 PL, 17 ITAM, 17 RM & CG, 17 CS, 17 SRR, 17 L, 17 G, 19 E&ES, 19 GDPR, and 19 CG & RM

·         Table B showed recommendation 17 PO 01 as completed which had been a review of car park processes and procedures

·         Table C showed six recommendations requesting target date extensions these were; 15 DR 05, 15 DR 06, 16 BCM 07 testing strategy, 17 CS 02 Network Security, 17 RM&CG 02 Service risk registers and 17 SRR 08 Information sharing

·         There were two Disaster Recovery recommendations that had been on the tracker for some considerable time and had recently been put to test quite considerably under the Covid-19 pandemic

·         The IT Business manager had made the request for the extension on 15 DR 05 to the end of December 2020

·         The second recommendation 15 DR 06 had a request for extension to March 2021

·         16 BCM 07 testing strategy in relation to business continuity would be a large area of work with a greater threat from cyber-attacks due to the increased numbers of staff working from home remotely.  The extension requested for this was to June 2022

·         17 CS 02 Network security needed work carried out in relation to the whole suite of firewalls, this work tied in with the business continuity plan and the extension being sought was to the end of December 2020

·         17 RM&CG 02 completeness of service risk registers the majority of service areas had completed before the Covid-19 situation but for those still outstanding a short extension of June 2020 was requested

·         17 SRR 08 Information sharing this was around Customer Relationship Management system and how violence and aggression markers were shared the online form needed to be built and so  the requested extension was until 31st July 2020

·         Table D showed there were no outstanding audit recommendations if Committee were minded to allow extensions requested

·         Table E showed one outstanding annual governance recommendation 14 AGS 02 which linked in with the disaster recovery plans already mentioned

 

In response to a question on the requested extension date of June 2022 for testing the strategy in relation to business continuity being correct and whether it should be completed earlier the Head of Resources gave the following response:

 

·         The requested extension date of June 2022 was correct

·         Plans had been in place for a number of years but the recent Covid-19 situation had shown the need for constant evolvement of plans

·         Time was needed to be taken to ensure the plans were right as we still were not back to full service delivery

·         Associated risks were to be picked up from testing carried out

 

In response to whether there was a need for a completion date on an area that was constantly evolving and changing and where a completion date seemed to be an unobtainable goal, the Chief Executive responded that it was constantly under review and in light of recent events we needed to go back over the plans and update for lessons learned over the last few months.

 

The Head of Resources added that this originally was picked up in 2016 when our plans were fairly light and thus the recommendations were now probably out of date.  Going forwards it was anticipated that the Devon Audit Partnership would review these arrangements.

 

In response to a suggestion from the Chair on whether it would not be better to remove the items from the tracker and place on the work programme to be reported on every six months, the Chief Executive and Head of Resources agreed this would be a good solution.

 

In response to a question, the Chief Executive agreed that where a request to extend the completion date when nought percent had been completed that the appropriate officer be requested to provide an update to the Committee.

 

RESOLVED, that:

(a)  The internal audit recommendations 15 DR 05, 15 DR 06 and 16 BCM 07 be removed from the Audit Recommendation Tracker, and an item be placed on the Governance Committee Work Programme of Business Continuity commencing from September 2020 and again January 2021 and on a six monthly reporting basis, thereafter, and

(b)  That the relevant Senior Officer present a draft report to the Committee on Business Continuity and attend future meetings of the Committee with updates on progress

(c)  That the Audit Recommendation Tracker be noted.

 

Supporting documents: