
Progress against the Internal Audit Risk Based Plan 2022-23


The purpose of the report was to provide Members of the Committee with a position statement on progress made against the audit work included and approved within the Internal Audit Risk Based Plan 2022-23.


The Internal Audit Plan for 2022-23 was submitted to the Governance and Audit Committee for consideration and approval on 22nd June 2022. The Plan outlined the assignments to be conducted which would provide sufficient coverage to provide an opinion at the end of 2022-23.


The Plan was flexible to allow for changing circumstances and events that may occur, such as requests to respond to new issues that may emerge.


Progress made against the approved Plan for the period 1st April 2022 to 31st March 2023 is attached at Appendix A. This details the current status of each planned review, the audit opinion, and the number of any high, medium, or low priority recommendations that have been made to improve the control environment.


It should be noted that some reviews listed have no audit opinion, for example advice and guidance and Governance and Audit Committee / Corporate Management Board (CMB) reporting. This is because the audit work conducted in respect of these items is planned, but the nature of the work does not lead to testing and the formation of an audit opinion, although in some instances recommendations are made.


Appendix A illustrates that a total of seventeen audits have been completed with an audit opinion whilst a further six audits have been issued as draft. Feedback is awaited from the service departments in respect of the management action plans for these draft audits and once received the reports will be finalised. In addition, ten audits are under review with the draft audit reports due to be issued imminently. Therefore, it is estimated that the audit opinion of thirty-three audits will feed into the overall annual audit opinion for 2022-23.


Based on the assessment of the strengths and weaknesses of the areas examined through testing of the effectiveness of the internal control environment, the audit opinions for the seventeen audits are as follows: five have been given substantial assurance, eleven reasonable assurance, and one audit has been given an audit opinion of limited, that is, only limited assurance can be placed on the current system of internal control.


This last one was in respect of a primary school and details are included within the report, but the key issues were in respect of governance arrangements. This audit was undertaken in October 2022. Although some strengths were identified, it was noted that the school was significantly affected by the pandemic and key issues were found. These were in respect of the Governing Body, which had failed the statutory requirement to meet termly during the 2021/22 academic year due to membership and attendance issues making it non-quorate. As a result, there was no evidence that some key issues such as budget and policies had been reviewed and agreed by the Governing Body. There were also issues identified in respect of the school’s private fund.


All the recommendations made at this school have been agreed and another audit visit will be undertaken to ensure that progress is being made and the identified risks are mitigated.


Appendix A also identifies the audits that have not been completed during 2022/23. Of these, two have commenced and are being carried forward, whilst a further nine did not start but will be considered in the 2023/24 plan. One audit was not undertaken and will not be included in the 2023/24 plan; this was a review of grant schemes from Welsh Government which were allocated during and after the pandemic.


Appendix A identifies that to date forty-one medium priority and forty-nine low priority recommendations have been made to improve the control environment. The implementation of these recommendations is monitored to ensure that the identified and agreed improvements are being made.


As reported during the year the Regional Internal Audit Service (RIAS) has successfully recruited new audit staff during 2022-23 but as previously highlighted, the new staff have not had an impact on the current resource available to deliver the internal audit plan due to the support and training that has been required. The plan was compiled assuming a full establishment and although SWAP Internal Audit Services have assisted, nine planned audits have not been undertaken during 2022/23.


However, it is estimated that thirty-three audits will be completed with audit opinions. These, together with other sources of assurance such as external assessment reports from Care Inspectorate Wales, Estyn and our own controlled risk self-assessments completed by all schools, will provide a level of coverage that is sufficient to allow the Head of Internal Audit to provide an opinion on the Council’s arrangements for internal control, governance and risk management throughout 2022-23.


Referring to the issue of cyber security, a Member highlighted that in his other professional work he had visited a number of large European companies over the last year, and they are terrified at the moment, especially around the issue of ransomware. He noted this could have a potentially existential impact on the Council, which means that if we were to be hit by one of these, we could, for example, have all our officers not being able to open up their laptops. He cited the example of Maersk, the big container shipping firm, which had to shut down its business for two months. If we had to shut down all those services for even a week, then the impact would be devastating.


The major vector for this is Russian hacking and unfortunately the ransomware and associated attacks are not specific, so they can be targeting one company, but actually they hit everybody else. The Member was concerned that we may be hit as a casualty outside the actual targets of Russian hackers.


He requested that cyber security work be assigned the highest level of priority because this risk is both extremely likely and also extremely high impact. It is the one thing that would close the Council.

The Chairperson noted that the Council should not wait for an audit on this matter if it is of that importance. He was confident it was already on the agenda of the management team. He hoped that this could be picked up again through one of the scrutiny committees and the management team because local authorities have been hit and it is vital to ensure that systems are robust enough to deal with whatever comes into the authority. He noted that if an IT specialist were at the meeting, they would acknowledge that BCBC was attacked 10/15/20 times a day. But he did not think it was a matter for the committee.


In response, the Chief Officer - Finance, Performance & Change, made two points: firstly, by way of reassurance, an external review had been completed and the feedback needed to be considered to determine if the Council needs to take any action with regards to this matter. Secondly, the committee is due to receive the updated corporate risk assessment in June and the way this has been done recently is to do a deeper dive into one or two of the issues at the committee because it brings the issues alive for Members. It would be appropriate to do a deeper dive into cyber security at the next meeting and our IT staff could be invited to attend.


The Chairperson suggested that apart from officers being present at the meeting, the Cabinet Member with responsibility for IT could also attend so Members understand the issue in the round.


Moving on, a Lay Member requested that some sort of prioritisation be assigned to the audits, and also to the number of days allocated to them.


In respect of the discussion about cyber security and IT, he wondered about its current risk profile. He noted it was just a matter of time until something happens and then what would be the reaction plan. It was necessary to be able to just pick it up and run with it. He thought it would help to see the risk register at the next committee.

Coming back to the overall plan, he noted that nine particular audits had not been conducted as a result of resource issues, and he questioned if any sort of reconciliation in terms of the days lost through vacancies, sickness, etc. had been conducted.


The Deputy Head of RIAS responded to observations about cyber security by noting that the 2022-23 plan refers to work undertaken in respect of cyber security as ‘under review’; that is, an audit had been undertaken on vulnerability and patch management and, once reviewed, a draft report will be issued and an opinion will be put into the 2022-23 overall plan. It should also be noted that cyber security as well as an ICT audit programme will be on the plan for 2023-24.

She also noted that the service had one qualified IT auditor, and another had commenced training.


In respect of the nine outstanding audits, there were a number of reasons why they could not be conducted, including resources, service requests and timing issues. SWAP had covered some work, but the outstanding audits will be included in the 2023-24 plan.


The Chairperson referred back to the point made by the Lay Member about prioritisation. He noted that if an audit was high priority in 2019-2020 and it is still high priority then clearly this should be included in the 2023-24 audit plan.


Another Member highlighted that self-awareness and a capacity for self-assessment are key to being able to conduct an audit.


A Member asked about the references to fraud/error/irregularity and the meaning of the empty box against ‘Irregularity Investigations - Reactive work where suspected irregularity has been detected.’


The Deputy Head of RIAS explained that they allocate some days in case there are investigations that come forward during the year. In that case there were days assigned to a particular issue about Accuracy of Data & Caseloads. It was not a specific audit but an investigation.


Recommendations were made to improve the control environment. There were two medium and one low recommendation made as a result of that work.


Another Member asked how the decision was made not to do the nine audits.


The Head of RIAS confirmed this was a decision by Internal Audit Management who would then inform the CMB. On occasions, they postpone an audit to accommodate service managers. Sometimes they have higher priorities than receiving an audit and the service tries to understand and accommodate that. There are also occasions when there is not the resource to undertake the work.

In terms of the planning process, the service does identify whether an audit is high, medium, or low risk and that would be shown in the plan. He noted they would provide more information about how they prioritise audits when the committee receives the plan for 2023-24 in June. On occasions a high priority audit gets postponed to the following year and then an annual risk assessment is conducted in terms of the planning process to make sure those are covered first.

In response, the Chairperson noted that when the list of audits to be conducted in 2023-24 comes forward in June, if there are any matters which have been outstanding for a number of years and they are still a priority, the Committee ought to say that those audits should be done that year. An audit review is an opportunity and not a threat. The team conducting the audit could pick up some very valid points that contribute to enhanced performance and service delivery.




That Members of the Committee noted the content of the report and the progress made against the 2022-23 Internal Audit Risk Based Plan.

